Secure ACS 4.1 and different routers

Unanswered Question
Apr 8th, 2008
User Badges:

Are the commands different from router to router?

This is what I currently have:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

tacacs-server host

tacacs-server host

tacacs-server timeout 60

tacacs-server directed-request

tacacs-server key xxxxxxxxxx

It works on my 2621's like a charm but my 2811's it won't allow my to login in as my domain account just the backup local account I have.

I am a rookie to this so please be gentle. Thanks in advance for any help you can give me...

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jan Rockstedt Tue, 04/08/2008 - 23:19
User Badges:


Yes they are diffrent.


tacacs-server host key cisco_key

tacacs-server directed-request

radius-server source-ports 1645-1646

Regadrs Jan

JonGauntt Wed, 04/09/2008 - 12:34
User Badges:

Just a clarification...

We are using 2811 and 2801 at remote locations and have been trying to use the tacacs-server options as well. Are you saying that we need to configure it as a radius-server even if we are only using the tacacs options?

I just want to make sure prior to delving into radius as we have not used that at all since we are only communicating between routers for multi user authentication.


Jon Gauntt

Jagdeep Gambhir Wed, 04/09/2008 - 13:09
User Badges:
  • Red, 2250 points or more

In layer 3 devices we also need to define tacacs source interface so that it uses only that interface for sending tacacs request to acs.

AAA-Switch(config)#ip tacacs source-interface (vlan or loopback or gigabit interface)

In above command we need to define the interface that is listed in acs--->network configuration--->Router.

Let me know if you have any question.




This Discussion