07-29-2002 11:53 AM - edited 02-21-2020 11:57 AM
I'm trying to configure TACACS on a router which already has VPN configured.
VPN is working and internal clients can browse the internet.
I've added the TACACS commands, but I cannot get the TACACS server to authenticate properly. This is what I'm receiving from 'debug aaa authentication':
18w1d: AAA: parse name=FastEthernet0/1 idb type=-1 tty=-1
18w1d: AAA: name=FastEthernet0/1 flags=0x15 type=6 shelf=0 slot=0 adapter=0 port=1 channel=0
18w1d: AAA: parse name=<no string> idb type=-1 tty=-1
18w1d: AAA/MEMORY: create_user (0x81AE9B68) user='' ruser='' port='FastEthernet0/1' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=0
18w1d: AAA/AUTHEN/START (365031532): port='FastEthernet0/1' list='default' action=LOGIN service=LOGIN
18w1d: AAA/AUTHEN/START (365031532): found list default
18w1d: AAA/AUTHEN/START (365031532): Method=LOCAL
18w1d: AAA/AUTHEN (365031532): status = GETUSER
18w1d: AAA/AUTHEN/CONT (365031532): continue_login (user='(undef)')
18w1d: AAA/AUTHEN (365031532): status = GETUSER
18w1d: AAA/AUTHEN/CONT (365031532): Method=LOCAL
18w1d: AAA/AUTHEN (365031532): User not found, emulating local-override
18w1d: AAA/AUTHEN (365031532): status = ERROR
18w1d: AAA/AUTHEN/START (1108177767): port='FastEthernet0/1' list='' action=LOGIN service=LOGIN
18w1d: AAA/AUTHEN/START (1108177767): Restart
18w1d: AAA/AUTHEN/START (1108177767): Method=RTP (tacacs+)
18w1d: TAC+: send AUTHEN/START packet ver=192 id=1108177767
18w1d: AAA/AUTHEN (1108177767): status = ERROR
18w1d: AAA/AUTHEN/START (1108177767): Method=NONE
18w1d: AAA/AUTHEN (1108177767): status = PASS
18w1d: AAA/MEMORY: free_user (0x81AE9B68) user='john' ruser='' port='FastEthernet0/1' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=0
07-30-2002 04:07 AM
From the debugs above it looks like when you try to access the router, the default method used is LOCAL, and since the user is not found in the local router database, it then uses the next method, which is TACACS+.
Furthermore, when using the TACACS+ method the status return code is ERROR, which indicates that the TACACS+ server was not reachable. Check if you can ping the TACACS+ server from the router; if that is fine, increase the TACACS+ timeout using the following command:
tacacs-server timeout 10 (default is 5 seconds)
Maybe there is some latency issue between the router and your server.
If that doesn't help, check the logs on the TACACS+ server and see if the requests are ever making it to it, and maybe you will get some indication of what the problem is. Are you sourcing tacacs-server on the router from some interface? If yes, make sure the NAS entry on the server is the same as the source interface on the router.
HTH
R/Yusuf
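One way to check a 'debug aaa authentication' capture for the pattern Yusuf describes, as an added example (Python, not code from the thread): it pairs each Method= line with the status that follows for the same session id, flags the TACACS+ ERROR that indicates the server was not reached, and also flags that the login then PASSed under method NONE, which the debug in the question shows happened for user 'john'. The log in the block is a constructed, trimmed copy of the lines posted above; the regexes assume the IOS debug format shown there.

```python
import re

# Constructed sample: a trimmed copy of the 'debug aaa authentication'
# output from the question (one LOCAL attempt, one TACACS+ attempt).
DEBUG_LOG = """\
18w1d: AAA/AUTHEN/START (365031532): Method=LOCAL
18w1d: AAA/AUTHEN (365031532): status = GETUSER
18w1d: AAA/AUTHEN/CONT (365031532): Method=LOCAL
18w1d: AAA/AUTHEN (365031532): User not found, emulating local-override
18w1d: AAA/AUTHEN (365031532): status = ERROR
18w1d: AAA/AUTHEN/START (1108177767): Method=RTP (tacacs+)
18w1d: TAC+: send AUTHEN/START packet ver=192 id=1108177767
18w1d: AAA/AUTHEN (1108177767): status = ERROR
18w1d: AAA/AUTHEN/START (1108177767): Method=NONE
18w1d: AAA/AUTHEN (1108177767): status = PASS
"""

# 'Method=' lines announce which method the AAA engine tries next;
# 'status =' lines report that method's outcome for the same session id.
METHOD_RE = re.compile(r"AAA/AUTHEN/(?:START|CONT) \((\d+)\): Method=(.+)$")
STATUS_RE = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")

def parse_method_chain(log):
    """Return {session_id: [(method, status), ...]} in order of occurrence."""
    chains = {}
    pending = {}  # session id -> method still waiting for its status line
    for line in log.splitlines():
        m = METHOD_RE.search(line)
        if m:
            pending[m.group(1)] = m.group(2).strip()
            continue
        s = STATUS_RE.search(line)
        if s and s.group(1) in pending:
            chains.setdefault(s.group(1), []).append((pending.pop(s.group(1)), s.group(2)))
    return chains

def audit_chain(chain):
    """Flag a TACACS+ ERROR (server not reached, so AAA moves to the next
    method) and a login that ultimately PASSed under method NONE."""
    findings = []
    for method, status in chain:
        if "tacacs+" in method and status == "ERROR":
            findings.append("tacacs_error_server_unreachable")
        if method == "NONE" and status == "PASS":
            findings.append("login_passed_without_authentication")
    return findings

def audit_log(log):
    return {sid: audit_chain(chain) for sid, chain in parse_method_chain(log).items()}
```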