This is my AAA config:
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated local
aaa accounting connection default start-stop group tacacs+
aaa session-id common
tacacs-server host 126.96.36.199 key ************
The IP address of the ACS server (99.97) is an internal IP. When I set the internal IP as the TACACS source, the authentication fails over to the enable password.
Here is the TACACS debug:
01:33:57: TPLUS: Queuing AAA Authentication request 2 for processing
01:33:57: TPLUS: processing authentication start request id 2
01:33:57: TPLUS: Authentication start packet created for 2()
01:33:57: TPLUS: Using server 188.8.131.52
01:33:57: TPLUS(00000002): Select released but nopeername.. Failover
01:34:00: TPLUS: Queuing AAA Authorization request 2 for processing
01:34:00: TPLUS: processing authorization request id 2
01:34:00: TPLUS: Sending AV service=shell
01:34:00: TPLUS: Sending AV cmd*
01:34:00: TPLUS: Authorization request created for 2()
01:34:00: TPLUS: Using server 184.108.40.206
01:34:01: TPLUS(00000002): Select released but nopeername.. Failover
If I change the TACACS source to the outside IP of the ACS server, then I authenticate with ACS just fine. I use the same config on a few 1841/61s as well as a couple of 2800s, all of which are using the internal IP of my ACS server.
Where should I be looking to figure this out?