Cannot authenticate via TACACS

Answered Question
Feb 27th, 2007

Dear Netpros,

I am giving these commands on 6506 CatOS:

'set tacacs server 10.10.10.10 primary'

'set tacacs directedrequest enable'

'set tacacs key cisco'

'set tacacs timeout 10'

I cannot authenticate by the TACACS server. Is there anything I should add/remove from the config? I can ping the TACACS server from this switch. Any inputs?

TIA

Correct Answer
Richard Burts Tue, 02/27/2007 - 07:59

Mohammed

There might be several issues. The first thing that I would suggest is to look at the TACACS server, look in its logs and reports and verify if it sees the authentication request come in. If it sees the request come in, then how does it respond? Probably it is rejecting the request, and if so why? The answer is probably in the server logs and reports.

In my experience the most common issues in situations such as you describe are either the source address in the request from the Catalyst is not the address configured on the server, or the TACACS key configured on the switch is not the same as the key configured on the server.

Check the server and let us know what you find.

HTH

Rick

Correct Answer
glen.grant Tue, 02/27/2007 - 09:01

Do you have these in your config?

set authentication login tacacs enable telnet primary

set authentication enable tacacs enable telnet primary

Mohammed Faiz M... Tue, 02/27/2007 - 22:00

Hi Guys,

I have checked the logs and found this error:

"27/02/2007,17:18:50,Unknown NAS,,,,,,,,10.x.x.100"

Anything else I need to do on the ACS server?

Thanks

Mohammed Faiz M... Tue, 02/27/2007 - 22:54

Thanks guys,

I just realized that there was a duplicate entry for that switch on the ACS server under network configuration. As soon as I edited the duplicate entry, the switch started to authenticate from the ACS server.

Regards

Faiz
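
One way to triage the "Unknown NAS" rejections discussed in this thread, as an added example that is not part of the original posts or of any Cisco tooling: it counts rejections per source address and checks each address against a client list for missing or duplicate entries. The column layout is assumed from the single log line quoted above; the client inventory, names and sample values are constructed.

```python
import csv
import ipaddress
from collections import Counter, defaultdict

# Constructed lines in the layout of the log line quoted in the thread:
# date,time,message,<seven empty fields>,source address
SAMPLE_LOG = """\
27/02/2007,17:18:50,Unknown NAS,,,,,,,,10.0.0.100
27/02/2007,17:19:02,Unknown NAS,,,,,,,,10.0.0.100
27/02/2007,17:21:40,Unknown NAS,,,,,,,,10.0.5.7
27/02/2007,17:22:10,Unknown NAS,,,,,,,,10.x.x.100
"""
# Hypothetical AAA client inventory as (name, address) pairs; constructed.
SAMPLE_CLIENTS = [("core-6506", "10.0.0.100"), ("core-6506-old", "10.0.0.100"),
                  ("dist-sw1", "10.0.1.1")]

def unknown_nas_sources(log_text):
    # Count "Unknown NAS" rejections per source address (last field).
    hits = Counter()
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 4 or row[2].strip() != "Unknown NAS":
            continue
        try:
            hits[str(ipaddress.ip_address(row[-1].strip()))] += 1
        except ValueError:
            continue  # masked or malformed address such as 10.x.x.100
    return hits

def duplicate_clients(clients):
    # Return each address that appears under more than one client name.
    by_addr = defaultdict(list)
    for name, addr in clients:
        by_addr[str(ipaddress.ip_address(addr))].append(name)
    return {a: names for a, names in by_addr.items() if len(names) > 1}

def triage(log_text, clients):
    # For each rejected source, say what to check in the server's client list.
    dups = duplicate_clients(clients)
    known = {str(ipaddress.ip_address(a)) for _, a in clients}
    report = {}
    for src, count in unknown_nas_sources(log_text).items():
        if src in dups:
            cause = "duplicate client entries: " + ", ".join(dups[src])
        elif src in known:
            cause = "address has one client entry; review that entry"
        else:
            cause = "no client entry for this source address"
        report[src] = (count, cause)
    return report
```

Calling `triage(SAMPLE_LOG, SAMPLE_CLIENTS)` returns one `(count, cause)` pair per rejected source address; lines whose address is masked or malformed are skipped rather than guessed at.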
