
Remote router TACACS+ authentication over router to router VPN

ricardo1831
Level 1

I currently have a router to router VPN via firewalls configured with VPN passthrough. The VPN is up and working correctly. The primary router is on the same infrastructure as the TACACS server and works just fine. The router at the remote end has the same TACACS and AAA configuration as the primary router but is not authenticating. Is it even possible for TACACS authentication to work over VPN in this way?

Please see my crude diagram of the setup I have.

<Router>--------<ASA>----------<PIX>--------<Router>

           <------------------Tunnel------------------->

Please let me know if anymore information is required to help solve this one. Any replies appreciated.

Thanks,

Ric

10 Replies

Collin Clark
VIP Alumni

Try sourcing TACACS from either a loopback or an ethernet interface-

ip tacacs source-interface Loopback0

Hope it helps.

Thanks for the quick reply. Unfortunately I used the ip tacacs source-interface command already with Loopback and even tunnel as the source but it still does not work. If I telnet to the ACS server IP address from the remote router on port 49 I get all the way through no problem. As mentioned, the primary router was no problem to get TACACS working, but then there is no VPN between that and the ACS...

Good, connectivity is established. What are you running for a AAA server? Can you see anything in the logs? Is the router in the device list?

What are you running for a AAA server? Cisco ACS

Can you see anything in the logs? No

Is the router in the device list? The router has been added to the ACS network configuration.

The routers are configured with fallback local username and password, which is currently used when logging on to the spoke routers. On the hub router, which is on the same infrastructure as the ACS server, TACACS works fine. When I try to extend the TACACS to the spoke device using exactly the same configuration, it does not work.

The VPN is part of a secure private network which is an alternative to the leased lines which form the bulk of client connections. The outside fastethernet interface on the spoke router is configured to allow only udp; isakmp, 4500, ip; esp and ssh between the peer addresses. The fastethernet is only for establishing the VPN tunnel and SSH for backup remote connectivity for management purposes. So to manage the spoke router we use the tunnel interface IP address, which is the same interface that TACACS will be coming in on. Is this even possible?

Appreciate your assistance.

Ric

So have you tried sourcing TACACS from the 'inside' interface? It will not work from the tunnel interface.

So I have gone away and done the following....

The Tunnel interfaces use 172.32.101.0/30 for the point-to-point. I have created a loopback interface with the address 172.32.101.5/30 and added routes from the TACACS+ / management server and can get to the remote router using the loopback. From the remote router I can telnet to the TACACS server on port 49.... still TACACS is not authenticating. I am using the "ip tacacs source-interface Loopback0" but still no joy.

Any other suggestions?

Are you sourcing your telnet from the loopback? If so then it sounds like the problem is on ACS.

Hi Collin, thanks for the quick reply.

The ACS server is in production environment and there are currently many examples of devices sourcing from the loopback interface. The router at the same end of the VPN picked the TACACS+ no problem but the remote end is not. I have just setup another VPN in a similar fashion and again TACACS is not being picked up by the remote device. It's like the TACACS does not want to pass over the VPN and I've not found many examples of people doing the same thing as this.

Hi,

Could you please run the following debugs on both routers when trying to authenticate across the VPN tunnel.

deb aaa authen

deb tacacs 255.

Regards,

Anisha

Thanks everyone for your assistance. I found the issue to be with the ACS server and the shared keys. When I added the device to the ACS server I specified a shared key at the device level. It wasn't until I tried using the ACS group shared key, where the device is assigned, that I got it working.

Just for info I am using the tunnel interface as the tacacs source-interface which appears to be working fine.

Many Thanks,
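The root cause in the thread is a shared-key mismatch between the device-level and group-level entries on ACS, and the symptom the whole thread chased is that TCP connectivity to port 49 is fine while authentication never succeeds and nothing useful is logged. The following is an added example (not from the thread, not Cisco's code) that shows why: TACACS+ (RFC 8907) obfuscates the packet body by XORing it with an MD5 chain derived from the session id, the shared key, the version and the sequence number, so a server holding a different key de-obfuscates the body into noise and cannot even parse the START request. The keys, session id, username, port and remote address below are constructed sample values, not the poster's.

```python
"""Why a TACACS+ shared-key mismatch looks like "connectivity is fine but
authentication never works". Implements the body obfuscation of RFC 8907
with constructed sample values; added example, not code from the thread."""
import hashlib
import struct

# Constructed sample values (hypothetical; not the poster's real keys or IDs).
DEVICE_KEY = b"device-level-key"   # key typed into the ACS device entry
GROUP_KEY = b"group-level-key"     # key the ACS group actually applies
SESSION_ID = 0x1A2B3C4D
VERSION = 0xC0                     # major version 0xC, minor version 0
TYPE_AUTHEN = 1                    # TAC_PLUS_AUTHEN

# Header: version, type, seq_no, flags, session_id, length (12 bytes, network order)
HEADER = struct.Struct("!BBBBII")
# Authentication START fixed part: action, priv_lvl, authen_type, authen_service,
# user_len, port_len, rem_addr_len, data_len
START_FIXED = struct.Struct("!BBBBBBBB")


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pseudo-pad: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}), concatenated and truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call obfuscates and de-obfuscates."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Client-side START body: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1)."""
    fixed = START_FIXED.pack(1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body: bytes, key: bytes, session_id: int = SESSION_ID, seq_no: int = 1) -> bytes:
    """Header is sent in the clear; only the body is obfuscated with the client's key."""
    header = HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_authen_start(body: bytes):
    """Return the decoded START fields, or None if the bytes are not a plausible START body."""
    if len(body) < START_FIXED.size:
        return None
    action, priv_lvl, authen_type, _service, ul, pl, rl, dl = START_FIXED.unpack(body[:START_FIXED.size])
    if action not in (1, 2, 3) or authen_type not in range(1, 7) or priv_lvl > 15:
        return None
    if len(body) != START_FIXED.size + ul + pl + rl + dl:
        return None
    off = START_FIXED.size
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem_addr = body[off:off + rl]
    try:
        return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
                "user": user.decode("ascii"), "port": port.decode("ascii"),
                "rem_addr": rem_addr.decode("ascii")}
    except UnicodeDecodeError:
        return None


def server_decode(packet: bytes, server_key: bytes):
    """What the server does after the TCP handshake already succeeded: de-obfuscate the
    body with *its* configured key and parse it. With a mismatched key the body is noise,
    parsing fails, and the client only ever sees a failed or timed-out authentication."""
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TYPE_AUTHEN or len(packet) != HEADER.size + length:
        return None
    body = obfuscate(packet[HEADER.size:], session_id, server_key, version, seq_no)
    return parse_authen_start(body)


# Constructed request: a router using the device-level key; the rem_addr is a sample
# address inside the thread's 172.32.101.0/30 tunnel range.
EXAMPLE_PACKET = build_packet(build_authen_start(b"ric", b"tty0", b"172.32.101.2"), DEVICE_KEY)

if __name__ == "__main__":
    print("server with matching key :", server_decode(EXAMPLE_PACKET, DEVICE_KEY))
    print("server with group key    :", server_decode(EXAMPLE_PACKET, GROUP_KEY))
```

Because the header travels in the clear and the TCP session completes regardless of the key, a telnet to port 49 proves nothing about the key; the first thing a key mismatch breaks is the de-obfuscated body, which is the point at which `debug tacacs` on the router and the ACS failed-attempts log become the useful evidence.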