Tacacs authentication not working

Unanswered Question
Jul 9th, 2008

I have an AAA server. When I configure TACACS authentication on the edge switch, there is no response from the AAA server to the edge switch, but the RADIUS configuration is working.

Richard Burts Wed, 07/09/2008 - 07:05

You have not provided much for us to work with. Based on your description I would think that the problem might be one of these things:

- perhaps the switch configuration for the tacacs server is not correct?

- perhaps the switch configuration of the shared key with the tacacs server is not correct?

- perhaps the IP address chosen by the switch as the source for the tacacs request is not the same address that is configured on the tacacs server for this client.

- perhaps there is some error in the switch configuration for tacacs configuration.

I would suggest that a good place to start investigating this issue is in the logs of the tacacs server. Is the server seeing the authentication request? If so then there may be some error code that indicates what the problem is. If the server is not seeing the request then it points to a different kind of problem.

It would also be helpful to post the switch config so we can check for issues in the switch config.
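
Added example, not part of the thread and not Cisco's code: TACACS+ (as specified in RFC 8907) XORs each packet body with an MD5-derived pad keyed by the shared secret, so a shared-key mismatch between switch and server, one of the causes listed above, leaves the server with a body it cannot parse. The keys, session ID, user and port values, and helper names are constructed for illustration.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0  # major version 0xC, minor version 0

def pseudo_pad(session_id, key, seq_no, length, version=TAC_PLUS_VERSION):
    """Chain MD5(session_id + key + version + seq_no [+ previous digest])
    until the pad covers the body, then truncate to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, digest = b"", b""
    while len(pad) < length:
        digest = hashlib.md5(seed + digest).digest()
        pad += digest
    return pad[:length]

def obfuscate(body, session_id, key, seq_no=1):
    """XOR the body with the pad; the same call reverses the operation."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start_body(user, port):
    """Authentication START body: action=LOGIN, priv_lvl=1, type=ASCII,
    service=LOGIN, then four length bytes (user, port, rem_addr, data)."""
    return bytes([1, 1, 1, 1, len(user), len(port), 0, 0]) + user + port

def body_is_consistent(body):
    """Sanity check a receiver can apply: the declared field lengths must
    add up to the actual body size, which fails after a wrong-key decode."""
    return len(body) >= 8 and 8 + sum(body[4:8]) == len(body)

def server_can_parse(wire_body, session_id, server_key):
    """Decode with the key configured on the server, then sanity-check."""
    return body_is_consistent(obfuscate(wire_body, session_id, server_key))

# Constructed sample values, not taken from the thread.
SESSION_ID = 0x1A2B3C4D
SWITCH_KEY = b"example-key-on-switch"
PLAIN = authen_start_body(b"admin", b"tty1")
WIRE = obfuscate(PLAIN, SESSION_ID, SWITCH_KEY)

if __name__ == "__main__":
    print("same key on server:     ",
          server_can_parse(WIRE, SESSION_ID, SWITCH_KEY))
    print("different key on server:",
          server_can_parse(WIRE, SESSION_ID, b"example-key-on-server"))
```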



davidcruise Wed, 07/09/2008 - 07:43

- I am sure of the TACACS configuration of the switch.

- The switch & ACS are reachable to each other & no communication problem.

- For a test I installed the ACS on VMware, which resides on the ACS server itself. I gave the VMware an IP address which is in the same range as the ACS server IP address, & changed the TACACS server IP address on the edge switch from to , & TACACS authentication worked fine.

Jagdeep Gambhir Wed, 07/09/2008 - 07:53

In case this is an ACS appliance, disable remote logging and see if that makes TACACS authentication work.



cisco24x7 Fri, 07/11/2008 - 03:23

According to what you said, it is reasonable to say that the ACS server is having issues.

I would do the following:

1- From the switch, telnet to the ACS server via port 49 and see if port 49 is listening:

C3750#telnet 49

Trying ... Open

[Connection closed by foreign host]


2- To confirm that TCP port 49 is listening on the ACS server, do "netstat -an | findstr


3- I am guessing that the CSTacacs service is not running but the CSRadius is. Check the Windows service and restart CSTacacs service and see if you can restart it.

Jagdeep Gambhir Fri, 07/11/2008 - 04:48

Other than that, also check how the AAA server is set up, i.e. go to ACS ---> Network Configuration ---> AAA Server ---> make sure it is set up as "Cisco Secure ACS" and not RADIUS.



chaitu_kranthi Fri, 07/11/2008 - 11:20


If you have multiple VLANs in the switch then this problem will also occur.

Issue the command

"ip tacacs source-interface Vlan 1"

This may solve your problem.

