Hello,
I am having an issue and looking for some ideas on what to check next. All IPs and any identifying numbers have been changed to protect the ummmmm.......you get the point.
I have a 6500 series switch that for some reason will not authenticate to the TACACS server. When you try, you get a password authentication failure. However, it will let you use the configured username and secret to log in thru SSH, and the enable secret to get into privileged mode. TACACS key is correct, btw.
Sorry, I can't post the actual config, but just assume all the aaa commands are correct, the TACACS key is correct, and the ip ssh commands are correct.
We will call the server vlan 300 and the admin vlan 400.
The TACACS source interface is in vlan 400 and the TACACS server is in vlan 300.
I can ping the TACACS server via the switch, but when I use the source cmd with the IP address of the admin interface vlan, ping will not work. I changed the TACACS source interface to vlan 300 (the server vlan) and authentication with the TACACS server works fine. IP routing is turned on. There are entries for both the server vlan subnet and the admin vlan subnet in the routing table. There are only standard access-lists, and none of them are blocking packets from getting to the TACACS server via the admin vlan.
Thoughts and ideas will be appreciated. I could just leave the source interface on the int vlan for the servers, but I would like to find out why this isn't working. I have 1 other 6500 switch on a different network that is configured exactly the same (except for IPs, keys, and vlans) and am not having any issues with that LAN. I also have 6 other 3700 switches on the network that I'm having an issue with, and none of them are having issues with authentication.
Thanks.
Bryan