Switches and Routers can authenticate through ASA5520

majaj
Level 1

Routers & switches (outside zone) can't authenticate using ACS (inside zone),

even if I permit any any.

I can telnet to ACS port 49; I can also ping the ACS,

but there is no failed or passed attempt coming from devices in the outside zone.

4 Replies

rkalia1
Level 1

Have you added the devices in the ACS? Also, have you configured AAA on the routers and switches on the outside? A config of these will help answer better.

Raman

If I understand the post from Mohammed correctly there are no failed attempts reported. If the issue were that they were not configured in ACS then there would be entries in the failed attempt log - indicating attempts from an unknown host.

Asking to see some configs from devices that do not work is a very reasonable thing. It would allow us to see if there were issues that might prevent authentication. And it would allow us to see if the source interface is specified. Mohammed says that he can telnet to the server on port 49 which demonstrates that there is IP connectivity using the default choice of interface. I would like to see if that is the same interface that AAA is using.

If there are no failed attempts reported then that implies that either the firewall is denying the requests (which Mohammed implies is not the case) or they are not being sent from the router, or they are being misdirected. If seeing the configs does not point toward a solution perhaps the output of debug tacacs authentication would be helpful.

HTH

Rick
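As an added illustration (not part of any reply in the thread, and using hypothetical addresses and names), here is the IOS-side AAA configuration the replies are asking the original poster to share, with the TACACS+ source interface pinned and the exec commands used to confirm that the router actually sends requests. The `local` fallback at the end of the method list is what lets the router authenticate locally when no TACACS+ server answers, which matches the symptom described above.

```cisco
! Hypothetical values: ACS at 10.1.1.10 on the inside, router Loopback0 10.2.2.1,
! shared secret MySharedSecret. Replace with your own.
aaa new-model
!
tacacs server ACS1
 address ipv4 10.1.1.10
 key MySharedSecret
!
! Pin the source address of TACACS+ requests. This must be the address the ASA
! permits and the address ACS has the device registered under; a telnet to port 49
! from the router uses the default egress interface, which may differ.
ip tacacs source-interface Loopback0
!
aaa group server tacacs+ ACS-GROUP
 server name ACS1
!
! "local" is consulted only when no server in ACS-GROUP responds.
aaa authentication login default group ACS-GROUP local
aaa authorization exec default group ACS-GROUP local
!
line vty 0 4
 login authentication default
!
! --- Exec-mode checks (run from enable mode, not config mode) ---
! 1. Does the router try to open TCP/49 at all? Socket opens/closes and
!    timeouts are counted here.
show tacacs
! 2. Force a request without logging in, so ACS either logs a passed or a
!    failed attempt for the test user.
test aaa group ACS-GROUP testuser testpass legacy
! 3. Watch the exchange on the router side.
debug tacacs authentication
debug aaa authentication
```

If `show tacacs` shows no socket opens after the test, the router is not sending requests and the method list or server definition is wrong. If it shows opens but timeouts, check on the ASA with `show conn address 10.2.2.1` whether a TCP/49 connection from the router's source address is being built; no connection there means the packets are not reaching the ASA or are dropped before the connection is created, and on ASA code before 8.3 an outside-to-inside connection also needs a static translation for the ACS host.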

Actually, there is no failed or passed attempt at the ACS server.

The router is choosing to authenticate locally, as if it can't see the ACS.

But why can't it see the ACS?

As I suggested in my previous post:

If there are no failed attempts reported then that implies that either the firewall is denying the requests (which Mohammed implies is not the case) or they are not being sent from the router, or they are being misdirected. If seeing the configs does not point toward a solution perhaps the output of debug tacacs authentication would be helpful.

Please post configs or post debug output.

HTH

Rick