I'm in the process of setting up TACACS+ AAA for our routers, which as a matter of policy use ssh instead of telnet for VTY access. It works correctly for telnet but not for ssh, though. The relevant parts of the config include:
aaa authentication login default group tacacs+ local
aaa authentication login ssh group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
aaa session-id common
tacacs-server host nnn.nnn.nnn.nnn
tacacs-server key 7 xxxxxxxxxxxxx
line vty 0 4
privilege level 15
transport input all
If I hit one of those VTY lines using telnet, the negotiation from the router's side starts like this:
Mar 26 14:27:42.682: AAA/BIND(000001B5): Bind i/f
Mar 26 14:27:42.682: AAA/AUTHEN/LOGIN (000001B5): Pick method list 'default'
Mar 26 14:27:42.686: TPLUS: Queuing AAA Authentication request 437 for processing
Mar 26 14:27:42.686: TPLUS: processing authentication start request id 437
Mar 26 14:27:42.686: TPLUS: Authentication start packet created for 437()
Mar 26 14:27:42.686: TPLUS: Using server nnn.nnn.nnn.nnn
Note that in the second-to-last line the request id 437 has no user id. With ssh, though, PuTTY prompts me for my user id "locally", and generates the following:
Mar 26 14:28:38.640: AAA/BIND(000001B6): Bind i/f
Mar 26 14:28:38.640: AAA/AUTHEN/LOGIN (000001B6): Pick method list 'default'
Mar 26 14:28:38.640: TPLUS: Queuing AAA Authentication request 438 for processing
Mar 26 14:28:38.640: TPLUS: processing authentication start request id 438
Mar 26 14:28:38.640: TPLUS: Authentication start packet created for 438(userid)
Mar 26 14:28:38.640: TPLUS: Using server nnn.nnn.nnn.nnn
where the request packet *has* the user id. This transaction fails.
How do I get past this?
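The two debug traces above differ in exactly one field of the TACACS+ authentication START packet: the telnet session sends an empty user field (`437()`) and the ssh session, because PuTTY already collected the login name, sends it filled in (`438(userid)`). The following Python is an added example, not part of the question or of any Cisco or PuTTY code: it encodes and decodes a TACACS+ authentication START packet as laid out in RFC 8907 (12-byte header, MD5-chained body obfuscation, eight length-prefixed body fields) so the two shapes can be compared byte for byte. Per RFC 8907, in an ASCII login the server's first reply is GETUSER when the user field is empty and GETPASS when a user was supplied, which is what `first_server_prompt` reports. The shared key, session id, port and remote address are constructed placeholders.

```python
import hashlib
import struct
from dataclasses import dataclass

# RFC 8907 constants
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01                 # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_LOGIN = 0x01           # action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01      # interactive ASCII login
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01       # service

# Constructed values for the demonstration (not taken from the question).
SHARED_KEY = b"constructed-shared-secret"
SESSION_ID = 0x1A2B3C4D


def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5 chain over session_id, key, version, seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: bytes, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


@dataclass
class AuthenStart:
    user: str            # empty for telnet-style logins, filled by ssh clients
    port: str            # e.g. the VTY line name
    rem_addr: str        # client address as seen by the NAS
    data: bytes = b""
    action: int = TAC_PLUS_AUTHEN_LOGIN
    priv_lvl: int = 1
    authen_type: int = TAC_PLUS_AUTHEN_TYPE_ASCII
    service: int = TAC_PLUS_AUTHEN_SVC_LOGIN

    def body(self) -> bytes:
        u, p, r = self.user.encode(), self.port.encode(), self.rem_addr.encode()
        fixed = struct.pack("!BBBBBBBB", self.action, self.priv_lvl, self.authen_type,
                            self.service, len(u), len(p), len(r), len(self.data))
        return fixed + u + p + r + self.data


def build_start_packet(start: AuthenStart, session_id: int, key: bytes, minor: int = 0) -> bytes:
    """First packet of a session: seq_no 1, body obfuscated with the shared key."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    seq_no, flags = 1, 0
    sid = struct.pack("!I", session_id)
    body = start.body()
    header = struct.pack("!BBBB", version, TAC_PLUS_AUTHEN, seq_no, flags) + sid + struct.pack("!I", len(body))
    return header + obfuscate(body, sid, key, version, seq_no)


def parse_start_packet(packet: bytes, key: bytes) -> AuthenStart:
    """Decode a START packet, checking the header and body length fields."""
    if len(packet) < 12:
        raise ValueError("short header")
    version, ptype, seq_no, flags = struct.unpack("!BBBB", packet[:4])
    sid = packet[4:8]
    (length,) = struct.unpack("!I", packet[8:12])
    body = packet[12:12 + length]
    if ptype != TAC_PLUS_AUTHEN or (version >> 4) != TAC_PLUS_MAJOR_VER:
        raise ValueError("not a TACACS+ authentication packet")
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, sid, key, version, seq_no)
    action, priv, atype, svc, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    off = 8
    user = body[off:off + ul].decode(); off += ul
    port = body[off:off + pl].decode(); off += pl
    rem = body[off:off + rl].decode(); off += rl
    data = body[off:off + dl]; off += dl
    if off != len(body):
        raise ValueError("length fields do not add up to the body length")
    return AuthenStart(user, port, rem, data, action, priv, atype, svc)


def first_server_prompt(start: AuthenStart) -> str:
    """RFC 8907 ASCII login: empty user -> GETUSER, user present -> GETPASS."""
    return "GETUSER" if start.user == "" else "GETPASS"


if __name__ == "__main__":
    for label, user in (("telnet-style", ""), ("ssh-style", "userid")):
        pkt = build_start_packet(AuthenStart(user, "tty2", "192.0.2.10"), SESSION_ID, SHARED_KEY)
        decoded = parse_start_packet(pkt, SHARED_KEY)
        print(f"{label}: {len(pkt)} bytes, user={decoded.user!r}, first reply={first_server_prompt(decoded)}")
```

The sole difference between the two packets the script produces is the user field and its one-byte length, which is why the router's `TPLUS` debug prints `437()` for telnet and `438(userid)` for ssh; the server's first REPLY then branches on that field. When a failure appears only in the ssh-style exchange, decoding the START packet this way from a capture confirms whether the NAS actually sent the user name and which method list and server the session was bound to before anything else is changed.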