TACACS and Device Manager

User_4444_2
Level 1

I have got TACACS to work via the CLI and the account has the correct permissions, but I can't log in via Device or Fabric Manager. It just says "Authentication Failed". I have changed it to MD5-AES and tried all the other "Auth-Privacy" options, no luck. Changed the "Console" login from Local to the new TACACS group, but still no luck. Spoke to somebody I know with TACACS, but they left the "Console" on local; we can't be the only people doing this?

Cheers.

9 Replies

Ganesh Hariharan
VIP Alumni


Hi,

Check the failed-attempt messages on the TACACS server; from those messages you can tell whether the requests are reaching the TACACS server at all, or find any other reason for the failed logins.

Hope to Help !!

Ganesh.H

FM and DM don't use AAA by default; they use the SNMP credentials on the switch. What username are you using? Does that username exist on the switch as an SNMP user? If so, those are the credentials it is using.

When you add a username to an MDS switch, it adds the user as an SNMP user as well. If you're trying to use the username "administrator", for example, and that user exists in AAA as well as locally on the switch, DM/FM will authenticate using the SNMP settings on the switch, not AAA.

The only time it will try AAA is if the username does not exist on the switch at all, then DM/FM will telnet to the switch and try to authenticate.

We have created an account on the TACACS+ server and are using that; this account doesn't exist on the switch as an SNMP user. When we switch on "debug tacacs+" from the CLI, nothing happens when we try to log in via DM/FM. We can't see anything from the TACACS server either.

All the TACACS settings can be seen from within DM & FM.

I have enabled and disabled CFS for TACACS and that didn't make any difference.

Anything else I should be looking at?

Thanks

Can you post your AAA/TACACS config?  You said you tried the "test aaa server tacacs+ 1.2.3.4 username password" command and that worked from the CLI?

The 'test aaa server tacacs+ 10.88.2.186 "username" "password"' command works from the CLI no problem. Comes back with 'user has been authenticated'.

Config, where * masks the IP addresses of the servers.

Global TACACS+ shared secret:********
timeout value:10
deadtime value:0
total number of servers:2

following TACACS+ servers are configured:
        *.*.*.*:
                available on port:49
                TACACS+ shared secret:********
                timeout:20
        *.*.*.*:
                available on port:49
                TACACS+ shared secret:********
                timeout:20

Authentication Statistics
        failed transactions: 0
        sucessfull transactions: 35
        requests sent: 35
        requests timed out: 0
        responses with no matching requests: 0
        responses not processed: 0
        responses containing errors: 0

Authorization Statistics
        failed transactions: 0
        sucessfull transactions: 28
        requests sent: 28
        requests timed out: 0
        responses with no matching requests: 0
        responses not processed: 0
        responses containing errors: 0

Accounting Statistics
        failed transactions: 0
        sucessfull transactions: 187
        requests sent: 187
        requests timed out: 0
        responses with no matching requests: 0
        responses not processed: 0
        responses containing errors: 0

aaa group server tacacs+ TacacsGroup1
aaa authentication login default group TacacsGroup1
aaa authentication login console group TacacsGroup1
aaa accounting default group TacacsGroup1
snmp-server enable traps aaa server-state-change

tacacs+ enable
tacacs-server key 7 "*******************************"
tacacs-server timeout 10
tacacs-server host 10.88.2.186 key 7 "*******************************" timeout 20
tacacs-server host 10.88.2.178 key 7 "*******************************" timeout 20
aaa group server tacacs+ TacacsGroup1
tacacs-server directed-request

Let me know what else you need?
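A small triage helper, added here as an example and not code from the original thread or from Cisco: it applies the two points made above, that DM/FM checks a username against the switch's SNMP users before ever consulting AAA, and that "tacacs-server directed-request" changes how a "username@server" login is handled, to text pasted from the switch. It also compares the Authentication "requests sent" counter from "show tacacs-server statistics" before and after a DM/FM login attempt, which is a quieter way than "debug tacacs+ all" to confirm whether the attempt produced a TACACS+ request at all. All sample outputs below are constructed for the example (the SNMP users are invented; the config lines are modelled on the poster's with secrets masked); the function names are mine.

```python
import re

# Constructed sample of `show snmp user` output, laid out like the MDS command's
# table. These users are invented and are NOT from the poster's switch.
SAMPLE_SNMP_USERS = """\
SNMP USERS
______________________________________________________________
User                          Auth  Priv(enforce) Groups
____                          ____  _____________ ______
admin                         md5   aes-128(no)   network-admin
netops                        sha   aes-128(no)   network-operator
"""

# AAA/TACACS+ lines modelled on the poster's config (shared secrets masked).
SAMPLE_AAA_CONFIG = """\
aaa group server tacacs+ TacacsGroup1
aaa authentication login default group TacacsGroup1
aaa authentication login console group TacacsGroup1
tacacs+ enable
tacacs-server host 10.88.2.186 key 7 "********" timeout 20
tacacs-server host 10.88.2.178 key 7 "********" timeout 20
tacacs-server directed-request
"""

# Constructed `show tacacs-server statistics`-style counters, snapshotted before
# and after a DM/FM login attempt. The numbers are invented for the example.
STATS_BEFORE = """\
Authentication Statistics
        failed transactions: 0
        requests sent: 35
Authorization Statistics
        failed transactions: 0
        requests sent: 28
"""
STATS_AFTER = STATS_BEFORE  # unchanged: the attempt never produced a TACACS+ request


def snmp_users(show_snmp_user_output):
    """Usernames from `show snmp user`, skipping the banner, header and rule lines."""
    users = set()
    for line in show_snmp_user_output.splitlines():
        if not line.strip() or line.startswith(("SNMP", "User", "_")):
            continue
        users.add(line.split()[0])
    return users


def tacacs_hosts(config):
    """Configured TACACS+ server addresses, in configuration order."""
    return re.findall(r"^tacacs-server host (\S+)", config, re.M)


def directed_request_enabled(config):
    return re.search(r"^tacacs-server directed-request\s*$", config, re.M) is not None


def auth_requests_sent(stats):
    """The 'requests sent' counter from the Authentication Statistics section only."""
    m = re.search(r"Authentication Statistics.*?requests sent:\s*(\d+)", stats, re.S)
    if m is None:
        raise ValueError("no Authentication Statistics section in output")
    return int(m.group(1))


def request_delta(stats_before, stats_after):
    """Authentication requests sent between two snapshots. 0 means the login attempt
    never reached the switch's TACACS+ client, so the server's logs cannot help."""
    return auth_requests_sent(stats_after) - auth_requests_sent(stats_before)


def triage(username, show_snmp_user_output, config):
    """Predict which path DM/FM takes for `username`, following the thread's explanation:
    an existing SNMP user is checked against the switch's SNMP credentials and AAA is
    never consulted; any other name falls back to a CLI login through the configured
    login method. Returns (path, findings)."""
    findings = []
    local_name, _, server = username.partition("@")
    if local_name in snmp_users(show_snmp_user_output):
        path = "snmp"
        findings.append(f"'{local_name}' is an SNMP user on the switch: DM/FM will use "
                        "the switch SNMP credentials, not TACACS+")
    else:
        path = "aaa"
        findings.append(f"'{local_name}' is not an SNMP user: DM/FM falls back to a CLI "
                        "login through the AAA login method")
    if directed_request_enabled(config):
        hosts = tacacs_hosts(config)
        if server and server not in hosts:
            findings.append(f"directed-request is on and '{server}' is not a configured "
                            f"tacacs-server host ({', '.join(hosts)}): login will be rejected")
        elif not server:
            findings.append("directed-request is on but no '@server' suffix was given; "
                            "remove the option unless you actually need it")
    return path, findings


if __name__ == "__main__":
    for user in ("admin", "tacuser", "tacuser@10.88.2.1", "tacuser@10.88.2.186"):
        print(user, *triage(user, SAMPLE_SNMP_USERS, SAMPLE_AAA_CONFIG))
    print("auth requests sent during the attempt:", request_delta(STATS_BEFORE, STATS_AFTER))
```

Paste the real "show snmp user" and "show running-config aaa" output in place of the constructed samples, and take the two statistics snapshots immediately before and after a single DM/FM login attempt so that nothing else (the CLI session itself, accounting records) inflates the Authentication counter.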

You have "tacacs-server directed-request" enabled. Are you using this functionality? What this means is that you do not enter "username" at the login prompt; instead you enter "username@servername", where servername is the TACACS server you wish to send the request to. If the server does not exist, the login is rejected. Only configured servers may be specified. If you just send "username" into an MDS configured for directed-request, I am not sure whether it will use the default group or reject it.

Can you confirm what your intended need is, do you need directed-request?

It was just another thing I tried; it didn't work with or without it. I didn't know about this option until I read about it, so I tried it. The problem I have is that somebody else looks after the TACACS server, so we are trying from both ends to get this to work. As we can't see anything coming from "debug tacacs all" when we try to log in, something must be missing in DM/FM, but I don't know what.

I also tried "debug aaa auth all" but still nothing; both debugs start to do something when I go through the options for TACACS from within DM/FM using the local login.

Thanks

According to the Fabric Manager config guide:

Note: Fabric Manager Server should always monitor fabrics using a local switch account; do not use a AAA (RADIUS or TACACS+) server. You can use a AAA user account to log into the clients to provision fabric services. For more information on Fabric Manager Server fabric monitoring, see the "Managing a Fabric Manager Server Fabric" section on page 3-3.

Make sure you read the FM Config Guide, especially the chapter on setting up "Authentication in Fabric Manager", to make sure you're entering the right values to access your fabric.

We don't have a Fabric Manager server; we just use a server or workstation that has DM/FM installed. We don't have the Fabric Manager license, does that matter?
