Issue with tacacs authentication

swordcrowned
Level 1

Hello,

I am having an issue and looking for some ideas on what to check next. All IPs and any identifying numbers have been changed to protect the ummmmm.......you get the point.

I have a 6500 series switch that for some reason will not authenticate to the TACACS server. When you try, you get a password authentication failure. However, it will let you use the configured username and secret to log in through SSH, and the enable secret to get into privileged mode. TACACS key is correct, btw.

Sorry, I can't post the actual config, but just assume all the aaa commands are correct, the TACACS key is correct, and the ip ssh commands are correct.

We will call the server VLAN 300 and the admin VLAN 400.

The TACACS source interface is in VLAN 400 and the TACACS server is in VLAN 300.

I can ping the TACACS server via the switch, but when I use the source command with the IP address of the admin interface VLAN, ping will not work. I changed the TACACS source interface to VLAN 300 (the server VLAN) and authentication with the TACACS server works fine. IP routing is turned on. There are entries for both the server VLAN subnet and the admin VLAN subnet in the routing table. There are only standard access-lists, and none of them are blocking packets from getting to the TACACS server via the admin VLAN.

Thoughts and ideas will be appreciated. I could just leave the source interface on the interface VLAN for the servers, but I would like to find out why this isn't working. I have 1 other 6500 switch on a different network that is configured exactly the same (except for IPs, keys, and VLANs) and am not having any issues with that LAN. I also have 6 other 3700 switches on the network that I'm having an issue with, and none of them are having issues with authentication.

Thanks.

Bryan

1 Reply

Marvin Rhoads
Hall of Fame

I've often found it useful to run Wireshark or tcpdump on the TACACS server to verify that the requests are coming in from the expected source IP. If yes, then it's more likely to be a TACACS server setup issue. If no, it's more likely a device configuration or routing issue.

Since you've said you can't ping using the admin source interface, you most likely have a routing issue.

Do an extended traceroute from the problem 6500 ("traceroute" without any parameters and then specify source ip of admin interface) to see where the packets are dying.
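An added example (not part of the reply above) that applies the reply's decision rule to a server-side capture: it parses `tcpdump -nn tcp port 49` output, counts new TACACS+ sessions by source address, and reports whether the switch is reaching the server from the expected admin-VLAN address, from some other address, or not at all. The capture lines and all addresses are constructed placeholders, not the poster's.

```python
import re
from collections import Counter

# Constructed tcpdump lines as captured on the TACACS+ server with
# "tcpdump -nn tcp port 49"; all addresses are placeholders, not the poster's.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 10.30.0.7.51240 > 10.30.0.10.49: Flags [S], seq 1, win 4128, length 0
12:00:01.000300 IP 10.30.0.10.49 > 10.30.0.7.51240: Flags [S.], seq 9, ack 2, win 4128, length 0
12:00:01.000500 IP 10.30.0.7.51240 > 10.30.0.10.49: Flags [P.], seq 1:13, ack 1, win 4128, length 12
12:00:09.000100 IP 10.30.0.7.51244 > 10.30.0.10.49: Flags [S], seq 1, win 4128, length 0
"""

# Matches the "src.sport > dst.dport: Flags [..]" part of a tcpdump -nn line.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)


def tacacs_syn_sources(capture, server_ip):
    """Count TCP SYNs (new TACACS+ sessions) to server_ip port 49, keyed by source address."""
    sources = Counter()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, _sport, dst, dport, flags = m.groups()
        if dst == server_ip and dport == "49" and flags == "S":
            sources[src] += 1
    return sources


def diagnose(capture, server_ip, expected_src):
    """Apply the reply's decision rule. Returns one of:
      'server-side'   requests arrive from the expected source: look at the
                      TACACS+ server (client entry, key, policy)
      'wrong-source'  requests arrive, but from another address: the switch is
                      not sourcing from the admin VLAN as configured
      'no-requests'   nothing reaches the server: device config or routing
    """
    sources = tacacs_syn_sources(capture, server_ip)
    if not sources:
        return "no-requests"
    if sources[expected_src] > 0:
        return "server-side"
    return "wrong-source"


if __name__ == "__main__":
    # Expected source is the (hypothetical) admin-VLAN interface address.
    print(diagnose(SAMPLE_CAPTURE, "10.30.0.10", "10.40.0.5"))  # wrong-source
```

In the constructed sample the sessions arrive from a server-VLAN address rather than the admin-VLAN one, which is the case where the source-interface setting is not taking effect on the device.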
