tacacs not using vpn tunnel

Unanswered Question
May 27th, 2009

This is my AAA config:

aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated local
aaa accounting connection default start-stop group tacacs+
aaa session-id common
tacacs-server host key ************

The IP address of the ACS server (99.97) is an internal IP. When I set the internal IP as the tacacs source, the authentication fails over to the enable password.

Here is the tacacs debug:

01:33:57: TPLUS: Queuing AAA Authentication request 2 for processing
01:33:57: TPLUS: processing authentication start request id 2
01:33:57: TPLUS: Authentication start packet created for 2()
01:33:57: TPLUS: Using server
01:33:57: TPLUS(00000002): Select released but nopeername.. Failover
01:34:00: TPLUS: Queuing AAA Authorization request 2 for processing
01:34:00: TPLUS: processing authorization request id 2
01:34:00: TPLUS: Sending AV service=shell
01:34:00: TPLUS: Sending AV cmd*
01:34:00: TPLUS: Authorization request created for 2()
01:34:00: TPLUS: Using server
01:34:01: TPLUS(00000002): Select released but nopeername.. Failover

If I change the tacacs source to the outside IP of the ACS server, then I authenticate with ACS just fine. I use the same config on a few 1841/61s as well as a couple of 2800s, all of which are using the internal IP of my ACS server.

Where should I be looking to figure this out?

Thanks, Richard
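The debug above is the most useful evidence in the post: each "Using server" line is followed immediately by "Select released but nopeername.. Failover" and never by a response, which is what the TPLUS debug prints when the router cannot complete a session to the TACACS+ server at all, so AAA falls through to the next method ("enable"). The following is an added example, not code from the original post or from Cisco, that turns that reading into a repeatable check: it parses "debug tacacs" output per request id and flags requests where every server attempt failed over with no response. The sample log is constructed for the example; the first twelve lines mirror the post, and the last five lines (request 3, ending in a "Received authen response" line) are a constructed success case modelled on the usual IOS TPLUS debug format so both outcomes are exercised. It does not diagnose the VPN routing question itself.

```python
import re
from dataclasses import dataclass, field

# Constructed sample debug output. Request 2 reproduces the post's failure
# (two failovers, no response); request 3 is a constructed success case
# whose "Received authen response" line follows the usual IOS TPLUS format.
SAMPLE_DEBUG = """\
01:33:57: TPLUS: Queuing AAA Authentication request 2 for processing
01:33:57: TPLUS: processing authentication start request id 2
01:33:57: TPLUS: Authentication start packet created for 2()
01:33:57: TPLUS: Using server
01:33:57: TPLUS(00000002): Select released but nopeername.. Failover
01:34:00: TPLUS: Queuing AAA Authorization request 2 for processing
01:34:00: TPLUS: processing authorization request id 2
01:34:00: TPLUS: Sending AV service=shell
01:34:00: TPLUS: Sending AV cmd*
01:34:00: TPLUS: Authorization request created for 2()
01:34:00: TPLUS: Using server
01:34:01: TPLUS(00000002): Select released but nopeername.. Failover
01:40:12: TPLUS: Queuing AAA Authentication request 3 for processing
01:40:12: TPLUS: processing authentication start request id 3
01:40:12: TPLUS: Authentication start packet created for 3()
01:40:12: TPLUS: Using server 10.0.0.49
01:40:12: TPLUS(00000003): Received authen response status GET_USER (7)
"""

# The "TPLUS(00000002)" tag carries the request id in hexadecimal; the
# "Queuing AAA ... request 2" line carries the same id in decimal.
QUEUE_RE = re.compile(r"^(\S+): TPLUS: Queuing AAA (\w+) request (\d+) for processing")
SERVER_RE = re.compile(r"^(\S+): TPLUS: Using server ?(\S*)")
FAILOVER_RE = re.compile(r"^(\S+): TPLUS\(([0-9A-Fa-f]+)\): .*Failover")
RESPONSE_RE = re.compile(r"^(\S+): TPLUS\(([0-9A-Fa-f]+)\): Received (\w+) response")


@dataclass
class RequestSummary:
    phases: list = field(default_factory=list)   # e.g. ["Authentication", "Authorization"]
    servers: list = field(default_factory=list)  # address as printed; "" when IOS prints none
    failovers: int = 0
    responses: int = 0


def parse_tplus_debug(text):
    """Group TPLUS debug lines by AAA request id and count failovers and responses."""
    summaries = {}
    current_id = None  # "Using server" lines carry no id, so attribute them to the last queued request
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            current_id = int(m.group(3))
            summaries.setdefault(current_id, RequestSummary()).phases.append(m.group(2))
            continue
        m = SERVER_RE.match(line)
        if m and current_id is not None:
            summaries.setdefault(current_id, RequestSummary()).servers.append(m.group(2))
            continue
        m = FAILOVER_RE.match(line)
        if m:
            summaries.setdefault(int(m.group(2), 16), RequestSummary()).failovers += 1
            continue
        m = RESPONSE_RE.match(line)
        if m:
            summaries.setdefault(int(m.group(2), 16), RequestSummary()).responses += 1
    return summaries


def unreachable_server_requests(text):
    """Ids of requests where every server attempt failed over and nothing was ever received back."""
    return sorted(rid for rid, s in parse_tplus_debug(text).items()
                  if s.failovers > 0 and s.responses == 0)


if __name__ == "__main__":
    for rid, s in sorted(parse_tplus_debug(SAMPLE_DEBUG).items()):
        print(f"request {rid}: phases={s.phases} servers={s.servers} "
              f"failovers={s.failovers} responses={s.responses}")
    print("no TACACS+ session established for requests:",
          unreachable_server_requests(SAMPLE_DEBUG))
```

A request that shows up in `unreachable_server_requests` never reached the server, so the problem is on the path (source address, routing, or whether the traffic enters the tunnel at all) rather than in the server's client entry or key; a request with a response but a later failure points at the server side instead. The empty `servers` entries are also worth noticing: in the post's output the router prints "Using server" with no address at all.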

Richard Burts Thu, 05/28/2009 - 09:48


If I am understanding your situation correctly then the issue is that the source address that you specify on your device must match the address configured in the TACACS server for that client. If you authenticate ok when you specify the outside address then obviously this is the address configured in TACACS. And so if you specify a different address as the source then it no longer matches the address configured on the server.



richardcalvert Thu, 05/28/2009 - 09:55

The source address for the device is the same address listed in the tacacs server. The problem I'm having is with the tacacs server IP, not the source IP. I'm using a perimeter server (for tacacs) that has both an internal and an external IP. The way I have most of my AAA traffic flowing is through VPN from the device to the tacacs server on the server's internal IP. I'm unable to make this happen with the 1700s thus far; they only communicate with the tacacs server when I tell the device to use the tacacs server's external IP address.

Thanks for helping out :)


This Discussion