Richard Burts Wed, 07/09/2008 - 07:05

Hani


You have not provided much for us to work with. Based on your description I would think that the problem might be one of these things:

- perhaps the switch configuration for the tacacs server is not correct?

- perhaps the switch configuration of the shared key with the tacacs server is not correct?

- perhaps the IP address chosen by the switch as the source for the tacacs request is not the same address that is configured on the tacacs server for this client.

- perhaps there is some error in the switch configuration for tacacs configuration.


I would suggest that a good place to start investigating this issue is in the logs of the tacacs server. Is the server seeing the authentication request? If so then there may be some error code that indicates what the problem is. If the server is not seeing the request then it points to a different kind of problem.


It would also be helpful to post the switch config so we can check for issues in the switch config.


HTH


Rick

davidcruise Wed, 07/09/2008 - 07:43

- I am sure of the TACACS configuration of the switch.

- The switch & ACS are reachable to each other, & there is no communication problem.

- For a test I installed the ACS on VMware, which resides on the ACS server itself. I gave the VMware the IP address 192.168.170.12, which is in the same range as the ACS server IP address 192.168.170.11, & changed the TACACS server IP address on the edge switch from 192.168.170.11 to 192.168.170.12, & TACACS authentication worked fine.

Jagdeep Gambhir Wed, 07/09/2008 - 07:53

David,

If this is an ACS appliance, then disable remote logging and see if that makes TACACS authentication work.



Regards,

~JG

cisco24x7 Fri, 07/11/2008 - 03:23

According to what you said, it is reasonable to say that the ACS server is having issues. I would do the following:

1- From the switch, telnet to the ACS server via port 49 and see if port 49 is listening:

C3750#telnet 10.250.97.28 49

Trying ... Open

[Connection closed by foreign host]

C3750#

2- To confirm that TCP port 49 is listening on the ACS server, do "netstat -an | findstr 49".

3- I am guessing that the CSTacacs service is not running but CSRadius is. Check the Windows services, restart the CSTacacs service and see if you can restart it.



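The telnet test in the post above only shows that something accepts TCP connections on port 49. As an added example (not from this thread and not Cisco's own tooling), the Python below performs the same reachability check from an admin workstation with a timeout and separates the outcomes a troubleshooter cares about: "refused" (host answers, nothing listening, which is what a stopped CSTacacs service looks like) versus "timeout" (filtered or host down). The local listener is a constructed stand-in for the ACS so the script can be demonstrated offline; it does not speak TACACS+.

```python
import socket
import threading
from typing import Tuple

TACACS_PORT = 49  # TACACS+ listens on TCP/49


def check_tcp_port(host: str, port: int = TACACS_PORT, timeout: float = 3.0) -> str:
    """Attempt a plain TCP handshake to host:port and classify the outcome.

    "open"    - handshake completed, so a listener is present
    "refused" - the host answered with RST: reachable, but nothing listening
                (on an ACS box this is what a stopped CSTacacs service looks like)
    "timeout" - no answer within `timeout` seconds: filtered, or host down
    "error"   - any other socket failure (e.g. name resolution)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def start_local_listener() -> Tuple[socket.socket, int]:
    """Start a throwaway listener on 127.0.0.1 so the check can be shown
    offline. It stands in for the ACS and does not speak TACACS+; it simply
    accepts and closes, mirroring the immediate close seen in the telnet test."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)

    def serve() -> None:
        try:
            while True:
                conn, _ = srv.accept()
                conn.close()
        except OSError:
            pass  # listener was shut down

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_local_listener(srv: socket.socket) -> None:
    """Stop listening; shutdown() wakes the blocked accept() before close()."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python tacacs_port_check.py <acs-ip> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else TACACS_PORT
        print(f"{sys.argv[1]}:{port} -> {check_tcp_port(sys.argv[1], port)}")
    else:
        # Offline demonstration against the constructed local listener.
        srv, port = start_local_listener()
        print(f"127.0.0.1:{port} with listener  -> {check_tcp_port('127.0.0.1', port)}")
        stop_local_listener(srv)
        print(f"127.0.0.1:{port} after shutdown -> {check_tcp_port('127.0.0.1', port)}")
```

A check from a workstation confirms only that the service is up; the telnet from the switch itself additionally exercises the path and the source address the switch will actually use, so both are worth doing when the results disagree.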
Jagdeep Gambhir Fri, 07/11/2008 - 04:48

Other than that, also check how the AAA server is set up, i.e. go to ACS ---> Network Configuration ---> AAA Server ---> make sure it is set up as "Cisco Secure ACS" and not RADIUS.



Regards,

~JG

chaitu_kranthi Fri, 07/11/2008 - 11:20

Hi,


If you have multiple VLANs in the switch, this problem can also occur.

Issue the command

"ip tacacs source-interface Vlan 1"

This may solve your problem.


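Rick's third bullet and the source-interface suggestion above describe the same failure mode: the address the switch stamps on its TACACS+ requests must match an AAA client entry on the ACS, and on a multi-VLAN switch that address depends on the egress interface unless it is pinned with ip tacacs source-interface. The Python below is an added example, not from this thread or from Cisco; it parses a constructed IOS config and reports whether the switch's source address is one the ACS knows. The config text, the interface addresses and the acs_clients table are constructed for the example; 192.168.170.11 is the ACS address mentioned in the discussion.

```python
import re
from typing import Dict, List

# Constructed sample IOS config for an edge switch (not from the thread).
# The key value is a placeholder, never a real shared secret.
SAMPLE_CONFIG = """\
hostname EDGE-SW1
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan170
 ip address 192.168.170.50 255.255.255.0
!
tacacs-server host 192.168.170.11
tacacs-server key 7 <redacted-placeholder>
ip tacacs source-interface Vlan170
aaa new-model
aaa authentication login default group tacacs+ local
"""


def parse_switch_config(text: str) -> Dict:
    """Pull out what matters for TACACS+ source-address checks: the configured
    servers, the pinned source interface (if any) and every interface's IPv4
    address. Interface names are normalised by stripping spaces so that the
    'Vlan 1' form typed in the thread matches the 'Vlan1' form in a config dump."""
    cfg: Dict = {"servers": [], "source_interface": None, "interfaces": {}}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None  # any unindented line ends the interface block
        m = re.match(r"^ ip address (\d+\.\d+\.\d+\.\d+) ", line)
        if m and current:
            cfg["interfaces"][current] = m.group(1)
            continue
        m = re.match(r"^tacacs-server host (\S+)", line)
        if m:
            cfg["servers"].append(m.group(1))
            continue
        m = re.match(r"^ip tacacs source-interface (.+)$", line)
        if m:
            cfg["source_interface"] = m.group(1).replace(" ", "")
    return cfg


def check_source_address(cfg: Dict, acs_clients: Dict[str, str]) -> List[str]:
    """Compare the address the switch will use for TACACS+ against the AAA
    client entries on the server (acs_clients maps client IP -> client name,
    a constructed stand-in for the ACS network configuration). Returns a list
    of findings; an empty list means the two sides are consistent."""
    findings: List[str] = []
    if not cfg["servers"]:
        findings.append("no tacacs-server host configured on the switch")
    src = cfg["source_interface"]
    if src is None:
        findings.append(
            "ip tacacs source-interface not set: the source address depends on "
            "the egress interface, so a multi-VLAN switch may present an address "
            "the ACS has no client entry for")
        return findings
    ip = cfg["interfaces"].get(src)
    if ip is None:
        findings.append(f"source interface {src} has no IPv4 address configured")
        return findings
    if ip not in acs_clients:
        findings.append(
            f"source address {ip} ({src}) is not a configured AAA client on the "
            f"ACS; known clients: {sorted(acs_clients)}")
    return findings


if __name__ == "__main__":
    cfg = parse_switch_config(SAMPLE_CONFIG)
    # Two constructed AAA client tables: one matching, one pointing at the wrong VLAN.
    for clients in ({"192.168.170.50": "EDGE-SW1"}, {"192.168.1.2": "EDGE-SW1"}):
        print(clients, "->", check_source_address(cfg, clients) or ["consistent"])
```

When the check reports a mismatch, the fix is on whichever side is wrong: either pin the source interface on the switch to the VLAN whose address the ACS already has, or add the address the switch really uses as an AAA client on the ACS. The server log Rick mentions will show the same thing from the other end, as a request from an unknown client.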