05-27-2009 08:47 AM - edited 03-10-2019 04:30 PM
This is my AAA config:
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated local
aaa accounting connection default start-stop group tacacs+
aaa session-id common
tacacs-server host 201.0.99.97 key ************
The IP address of the ACS server (99.97) is an internal IP. When I set the internal IP as the tacacs source, the authentication fails over to the enable password.
Here is the tacacs debug:
01:33:57: TPLUS: Queuing AAA Authentication request 2 for processing
01:33:57: TPLUS: processing authentication start request id 2
01:33:57: TPLUS: Authentication start packet created for 2()
01:33:57: TPLUS: Using server 201.0.99.97
01:33:57: TPLUS(00000002): Select released but nopeername.. Failover
01:34:00: TPLUS: Queuing AAA Authorization request 2 for processing
01:34:00: TPLUS: processing authorization request id 2
01:34:00: TPLUS: Sending AV service=shell
01:34:00: TPLUS: Sending AV cmd*
01:34:00: TPLUS: Authorization request created for 2()
01:34:00: TPLUS: Using server 201.0.99.97
01:34:01: TPLUS(00000002): Select released but nopeername.. Failover
If I change the tacacs source to the outside IP of the ACS server then I authenticate with ACS just fine. I use the same config on a few 1841/61s as well as a couple of 2800s, all of which are using the internal IP of my ACS server.
Where should I be looking to figure this out?
Thanks, Richard
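Added example, not code from the thread: a small Python parser for the "debug tacacs" lines above that flags each TPLUS failover together with the method the router's AAA method list falls back to (here the enable password for login and if-authenticated for exec authorization), which is the condition a defender wants alerted on rather than silently tolerated. The debug and AAA lines are copied from the post as constructed test input; the parser and its helper names are assumptions of this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the thread's "debug tacacs" lines, used as test input.
SAMPLE_DEBUG = """\
01:33:57: TPLUS: Queuing AAA Authentication request 2 for processing
01:33:57: TPLUS: Using server 201.0.99.97
01:33:57: TPLUS(00000002): Select released but nopeername.. Failover
01:34:00: TPLUS: Queuing AAA Authorization request 2 for processing
01:34:00: TPLUS: Using server 201.0.99.97
01:34:01: TPLUS(00000002): Select released but nopeername.. Failover
"""

# The poster's AAA method lists, as shown in the thread.
AAA_CONFIG = [
    "aaa authentication login default group tacacs+ enable",
    "aaa authorization exec default group tacacs+ if-authenticated local",
]

QUEUE_RE = re.compile(r"TPLUS: Queuing AAA (\w+) request (\d+) for processing")
SERVER_RE = re.compile(r"TPLUS: Using server (\S+)")
FAILOVER_RE = re.compile(r"TPLUS\((\d+)\): Select released but nopeername\.\. Failover")


def next_method(aaa_config: List[str], phase: str) -> Optional[str]:
    """Method IOS tries after 'group tacacs+' fails for a phase (authentication/authorization)."""
    for line in aaa_config:
        words = line.split()
        if len(words) > 4 and words[1] == phase:
            # Methods follow "aaa <phase> <type> <list-name>"; keep "group X" as one method.
            methods, i = [], 4
            while i < len(words):
                if words[i] == "group":
                    methods.append("group " + words[i + 1]); i += 2
                else:
                    methods.append(words[i]); i += 1
            for j, m in enumerate(methods):
                if m == "group tacacs+":
                    return methods[j + 1] if j + 1 < len(methods) else None
    return None


def tacacs_failovers(debug_text: str, aaa_config: List[str]) -> List[Dict[str, object]]:
    """One record per TPLUS failover: time, request id, phase, unreachable server, fallback method."""
    phase_by_id: Dict[int, str] = {}
    last_server: Optional[str] = None
    events: List[Dict[str, object]] = []
    for line in debug_text.splitlines():
        if (m := QUEUE_RE.search(line)):
            phase_by_id[int(m.group(2))] = m.group(1).lower()
        elif (m := SERVER_RE.search(line)):
            last_server = m.group(1)
        elif (m := FAILOVER_RE.search(line)):
            rid, phase = int(m.group(1)), phase_by_id.get(int(m.group(1)), "unknown")
            events.append({"time": line.split(": ", 1)[0], "id": rid, "phase": phase,
                           "server": last_server, "falls_back_to": next_method(aaa_config, phase)})
    return events
```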
05-28-2009 09:48 AM
Richard
If I am understanding your situation correctly then the issue is that the source address that you specify on your device must match the address configured in the TACACS server for that client. If you authenticate ok when you specify the outside address then obviously this is the address configured in TACACS. And so if you specify a different address as the source then it no longer matches the address configured on the server.
HTH
Rick
05-28-2009 09:55 AM
The source address for the device is the same address listed in the tacacs server. The problem I'm having is with the tacacs server IP, not the source IP. I'm using a perimeter server (for tacacs) that has both an internal and an external IP. The way I have most of my AAA traffic flowing is through VPN from the device to the tacacs server on the server's internal IP. I'm unable to make this happen with the 1700s thus far; they only communicate with the tacacs server when I tell the device to use the tacacs server's external IP address.
Thanks for helping out :)