Configure AAA TACACS+ with ACS

Unanswered Question
Oct 17th, 2008

I want to authenticate telnet connections with TACACS+.

This is my router configuration settings:

aaa new-model
aaa authentication login telnetssh group tacacs+ enable local
aaa session-id common
tacacs-server host
tacacs-server host
tacacs-server directed-request
tacacs-server key superclave
line vty 0 4
 password CISCO
 logging synchronous
 login authentication telnetssh
 transport input ssh
no cns aaa enable

The configuration in ACS 4.1 is very simple; I just set the following:

User Setup:
Password Authentication -> ACS Internal Database
PAP password/password
Group to which the user is assigned -> Grupo 1
Callback -> Use group setting
Client IP Address Assignment -> Use group setting
Account Disable -> Never

Advanced TACACS+ Settings:
TACACS+ Enable Control -> Use Group Level Setting
TACACS+ Enable Password -> Use CiscoSecure PAP password

Group Setup: Grupo 1
All default, except:
Choice: Shell (exec)
Shell Command Authorization Set -> None

In Network Configuration I created a new AAA client:
AAA client IP Address -> "ip_router"
Shared Secret -> superclave
Authenticate Using -> TACACS+ (Cisco IOS)

It doesn't work. What may be happening? Am I missing settings in ACS?

Richard Burts Fri, 10/17/2008 - 09:44

My first guess at the problem is that the address used in ACS for the client does not match the source address used by the device when it sends the authentication request. If that is the case then you can use the command ip tacacs source-interface to specify the address on the device that matches the configuration of ACS.

The best way to check on this is to look in ACS at the failed attempts report. If you check the failed attempts report do you see the attempts from this device? If so the report will indicate what the error is.
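The mismatch Rick describes, as an added example (Python, not from this thread or from Cisco): a small checker that works out which address the router will use as the TACACS+ source, with and without ip tacacs source-interface, and compares it and the shared secret against the AAA clients ACS knows about. The router configuration and the ACS client table are constructed; the addresses are placeholders.

```python
import re
# Constructed router config modelled on the thread; addresses are placeholders.
ROUTER_CFG = """\
aaa new-model
aaa authentication login telnetssh group tacacs+ enable local
tacacs-server host 10.0.0.5
tacacs-server key superclave
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
"""

# Constructed ACS Network Configuration: AAA client IP -> shared secret.
ACS_CLIENTS = {"192.0.2.1": "superclave"}

def interface_addresses(cfg):
    """Map each interface name to its primary IPv4 address."""
    addrs, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+ip address (\S+) \S+", line)
        if m and current:
            addrs[current] = m.group(1)
    return addrs

def tacacs_source_address(cfg, egress_interface):
    """Source address of the TACACS+ request: the configured source-interface
    if present, otherwise the interface the packet happens to leave through."""
    m = re.search(r"^ip tacacs source-interface (\S+)", cfg, re.M)
    iface = m.group(1) if m else egress_interface
    return interface_addresses(cfg).get(iface)

def check_acs_client(cfg, egress_interface, acs_clients):
    """Findings that would make ACS ignore or reject this device's requests."""
    findings = []
    src = tacacs_source_address(cfg, egress_interface)
    key = re.search(r"^tacacs-server key (\S+)", cfg, re.M)
    if src not in acs_clients:
        findings.append(f"source {src} is not a registered AAA client in ACS")
    elif key and acs_clients[src] != key.group(1):
        findings.append(f"shared secret for {src} does not match ACS")
    return findings

# Without a source-interface the request leaves Gi0/0 as 198.51.100.2, unknown to ACS.
FIXED_CFG = ROUTER_CFG + "ip tacacs source-interface Loopback0\n"
```

Running check_acs_client on ROUTER_CFG with egress GigabitEthernet0/0 reports the unknown source address; on FIXED_CFG it returns no findings, which is the effect the source-interface command has.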



Jagdeep Gambhir Mon, 10/20/2008 - 05:01

Yes, as suggested by Rick, please issue the ip tacacs source-interface command. This command is required for a layer 3 device.

Even if you don't see any hits in the ACS failed attempts report, still issue this command. Sometimes ACS does not log any message in failed attempts.



Do rate helpful posts

