AAA / Tacacs Problem :(

Sep 16th, 2007

Hi!

I am using AAA with TACACS for authentication of dial-up users. It's working on one of the client routers but giving a problem on another router. The relevant config and logs are enclosed.

Can anybody please let me know what the possibilities could be for the failure of authentication?

Many thanks in advance!

Richard Burts Mon, 09/17/2007 - 09:53


I have looked through the file that you posted. While it does help to see part of the problem it does not have enough information for us to know quite what the issue is.

My first guess would be to check the IP addresses configured for the TACACS servers and verify that they are the correct addresses. I would then suggest checking IP connectivity between the router with a problem and the servers. You do specify in the config to source TACACS packets from loopback 0, so in checking connectivity be sure to source from loopback 0.

You might also look on the server and look in the failed attempts report to see if the server is seeing the authentication request and if so why it is not authenticated. In my experience a common reason for this problem is either that the address used on the TACACS server to identify the client is not the address that the client is using to source packets or that the key is not correctly configured.

You ask if password encryption could cause a problem like this. I have configured many routers for TACACS authentication and used password encryption on them and have never seen password encryption cause a problem. It might make it slightly harder to troubleshoot a problem when the key is not correct but is encrypted, because you cannot see the key value. But encryption does not cause the problem; it only makes it slightly more difficult to recognize.

If these suggestions do not point you in the right direction then I would suggest that you run debug tacacs authentication and post the output.



vijay sanwal Thu, 09/20/2007 - 06:13

Hi Rick,

Thanks for your feedback. Regarding TACACS and router reachability, I had already checked using loopback0 as a source.

Key: I had double-checked the key using getpass (used to decrypt passwords). I had also reconfigured it. Hence it's also not the problem.

Actually, the problem is that the TACACS server is handled by the customer and they don't seem expert. They are only telling me that TACACS is receiving the request but it's not recognizing the packet format coming from the router.

As I need to take downtime for testing this setup, it will take some time for me to get the next window.

Thanks for your suggestions...

Richard Burts Thu, 09/20/2007 - 08:31


I do not understand what they mean about TACACS receiving the request but not recognizing the packet format coming from the router. Perhaps they can give you the exact error message from the TACACS server logs?

It sounds to me to be more of a problem on the server than it is on the router. But when you get your next testing window, running debug tacacs authentication might be helpful to verify what is happening on the router side.
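
Added example, not part of the thread and not code from either poster: a mismatched shared key is one condition under which a TACACS+ server receives a request but cannot parse its body, because the body is XORed with an MD5 pad derived from the key (RFC 8907, section 4.5). The sketch below builds an Authentication START packet and parses it with the right and the wrong key; the key, session id, username, port and address are constructed sample values.

```python
import hashlib
import struct

def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained MD5 pad from RFC 8907 section 4.5, truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()  # each block chains the previous hash
        pad += block
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; calling it again with the same key reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(user, port, rem_addr, session_id, key):
    """Client side: 12-byte header plus obfuscated Authentication START body."""
    version, seq_no = 0xC0, 1
    # action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN, then four length bytes
    body = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0])
    body += user + port + rem_addr
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)

def parse_authen_start(packet, key):
    """Server side: return the username, or raise ValueError when the decoded
    field lengths do not add up, which is what a wrong key produces."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    if len(body) != length or length < 8:
        raise ValueError("truncated packet")
    user_len, port_len, addr_len, data_len = body[4:8]
    if 8 + user_len + port_len + addr_len + data_len != length:
        raise ValueError("field lengths inconsistent with header: check shared key")
    return body[8:8 + user_len]

# Constructed sample values, not taken from the thread.
KEY = b"constructed-shared-key"
PACKET = build_authen_start(b"dialuser", b"tty10", b"192.0.2.10", 0x1234ABCD, KEY)

if __name__ == "__main__":
    print(parse_authen_start(PACKET, KEY))          # parses with the matching key
    try:
        parse_authen_start(PACKET, b"wrong-key")    # same packet, different key
    except ValueError as err:
        print("server-side parse failure:", err)
```

The header travels in the clear, so the server still sees a well-formed request arrive from the client; only the body fails to decode.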



