Secure ACS

Unanswered Question
Aug 6th, 2008
User Badges:

We have deployed Secure ACSv4.1 and made the required configuration change on the switches. All Access layer switches work perfect but the Distribution and Core swtcihes (4506 and 4507) are not being authenticated using the ACS.

the configuration i made on the switches is :


1. Configure AAA Authentication

1. Create Local Administrative Accounts

2. Specify one or more TACACS+ servers.

3. Specify the TACACS+ key.

4. Specify the TACACS+ timeout interval. (Def= 5sec)

5. Configure Authentication option

# aaa new-model

# aaa authentication login default group tacacs+ local

# aaa authentication enable default group tacacs+ line

2. Configure AAA Accounting

# aaa accounting system default start-stop group tacacs+

# aaa accounting exec default start-stop group tacacs+

# aaa accounting commands 0 default start-stop group tacacs+

# aaa accounting commands 15 default start-stop group tacacs+

# aaa accounting network default start-stop group tacacs+


do i need additional configuration on 4506/4507 switches ?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Collin Clark Wed, 08/06/2008 - 06:54
User Badges:
  • Purple, 4500 points or more

Did you check your ACS logs? On devices with multiple interfaces, its useful to source TACACS from a loopback for consistency and ease of management.

Router(config)# ip tacacs source loopback0

I also assume you have the correct login method under your VTYs.

Hope that helps.

itssnsu07 Wed, 08/06/2008 - 22:39
User Badges:

Thank you very much, yes i tried to look in to the logs but couldn't see any......

i now tried putting

conf t # ip tacacs source-interface Loopback0

but it is the same thing.......

what else shall i check?

Thank you so much!

dhananjoy chowdhury Wed, 08/06/2008 - 22:52
User Badges:
  • Silver, 250 points or more

I believe the TACACS server is not able to communicate with the switch IP.

Are you able to ping the TACACs server from the switch ?

The tacacs source interface should be the interface via which the server is reachable.

And also put this interface IP while configuring the AAA client on the TACACS server.

itssnsu07 Thu, 08/07/2008 - 03:36
User Badges:

Thanks for the quick reply!

yes TACACS server can be reached from the switch. and show tacacs displays

Socket opens: 96

Socket closes: 96

Socket aborts: 0

Socket errors: 0

Socket Timeouts: 0

Failed Connect Attempts: 3

Total Packets Sent: 96

Total Packets Recv: 0

am using the same TACACS server for all the switches and don't have any problem with the access layer switches. on the distribution and core switches that i am facing problem now, can be reached using diffrent IP addresses configured to be accessed from diffent VLAN segments.. Will that cause a problem?

thanks again!

Collin Clark Thu, 08/07/2008 - 05:15
User Badges:
  • Purple, 4500 points or more

Check your ACS logs under Failed Attempts, there should be some failures in there with a reason.

itssnsu07 Fri, 08/08/2008 - 04:19
User Badges:

there is no entry regarding the swiches in the failed attempt. i see failed attempts about the other Access layer switches.

BTW, these are Distribution and Core switches having more than one interface IP.

Thank You again!


Collin Clark Fri, 08/08/2008 - 05:09
User Badges:
  • Purple, 4500 points or more

what interface(s) are you permitting in ACS? ALl the distribution and core interfaces? Just the loopback?

itssnsu07 Fri, 08/08/2008 - 05:54
User Badges:

We didn't configure interface IP on the loopback, on the ACS the Interface VLAN1 IP as well as standby IP used with HSRP is specified.



Collin Clark Fri, 08/08/2008 - 06:07
User Badges:
  • Purple, 4500 points or more

OK, on the switch try this-

Router(config)# ip tacacs source interface vlan 1

You can remove the loopback command I asked you to enter earlier. Let us know what happens!

Router(config)#no ip tacacs source loopback0

itssnsu07 Mon, 08/11/2008 - 01:05
User Badges:

Thank You Again,

i did make the change on two set of switches which are HSRP configured, on both pair, it works only on one switch. that is from HSRP configured set only one switch is being authenticated by the ACS. what additional change do i need to make?

BY the Way,

what i tested on another switch is i entered all interface IP on the ACS and it is working but on these two distribution switches i do have more than 30 interfaces which is difficult to manually enter on the ACS.

Thank You again and regards,


Collin Clark Mon, 08/11/2008 - 05:10
User Badges:
  • Purple, 4500 points or more

You need to source TACACS from an interface. Best practices is from a loopback, because it's always up and reachable. You then enter the loopback address in ACS. If you do that, you can access your distro and core switches.

itssnsu07 Tue, 08/12/2008 - 05:23
User Badges:

Thank You for time Collin,

the problem in our case is we have not assigned IP to the loopback. IP is assigned to the interface VLANs which on Distribution switches are a lot.

the odd thing that i noticed is that, i applied the configuration you recommended, " ip tacacs source-interface Vlan1", on two redundant switches using HSRP(i.e. four switches),of which one switch from each pair is being successfully authenticated by ACS. the other two with same configuration still have problem authenticating through the ACS.

What do you say, is my only option to enter the list of interface VLAN IPs that is more than 30 on the ACS ?

Thank You again and Regards,


Collin Clark Tue, 08/12/2008 - 05:38
User Badges:
  • Purple, 4500 points or more

If you source from VLAN 1 and you have three address (one on each switch and the virtual), put all three in ACS. In the long run it will be easier to design and deploy a management network utilizing loopbacks.

itssnsu07 Tue, 08/12/2008 - 08:57
User Badges:

Yes i have put all the three addresses on the ACS , but one switch authenticates through the ACS the other doesn't. even the virtual address doesn't authenticate through ACS.

Thanks again!


Collin Clark Tue, 08/12/2008 - 09:06
User Badges:
  • Purple, 4500 points or more

You have set to source from VLAN 1? What IP is being denied (or unknown) in ACS?

itssnsu07 Wed, 08/13/2008 - 06:22
User Badges:

Thanks for your time Collin,

yes i set it to source interface VLAN1.

on two switches configured with HSRP, i entered the IP address of both switches as well as virtual IP, one of the switch is being authenticated by ACS and the other is not. both have same configuration.

Thank you and Regards,


Collin Clark Thu, 08/14/2008 - 11:38
User Badges:
  • Purple, 4500 points or more

We really need to know what the ACS logs say (specifically under failed attempts).

itssnsu07 Fri, 08/15/2008 - 01:11
User Badges:

Thank You Guys for all your time and support, it all works now!

i configured it with source-Interface VLAN1 on the distribution switches as IP is not assigned to interface loopback, for the others,i entered all interface IPs on the ACS!

Thank You again and Regards,

from Addis,ETHIOPIA


This Discussion