I am having difficulty with TACACS+ authentication to the HTTP service running on IOS-based switches.
The TACACS+ server is Secure ACS Express (the appliance) running Build 220.127.116.11.
The IOS configuration is:
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa session-id common
ip http authentication aaa login-authentication default
ip tacacs source-interface Loopback0
tacacs-server host nnn.nnn.nnn.nnn
tacacs-server key 7 keyhash
This works as expected against 38xx routers running IOS 12.4(3g). It fails against 3560 switches running IOS 12.2(40)SE or 4507 switches running IOS 12.2(31)SGA10, even though the TACACS+ server's authentication report indicates that it sent a "Passed", and the switch's debug log shows this as the last TACACS response before throwing me a "401 Unauthorized":
10741001: Jul 26 09:44:56.474 EDT: TPLUS(00000000)/0/1A8BC9B0: Processing the reply packet
10741002: Jul 26 09:44:56.474 EDT: TPLUS: Processed AV priv-lvl=15
10741003: Jul 26 09:44:56.474 EDT: TPLUS: Processed AV timeout=60
10741004: Jul 26 09:44:56.474 EDT: TPLUS: Processed AV idletime=10
10741005: Jul 26 09:44:56.474 EDT: TPLUS: received authorization response for 0: PASS
SSH access with TACACS+ authentication against the same switches from the same client using the same credentials works as expected.
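When comparing a working and a failing device it helps to reduce the `debug tacacs` output to the facts that matter: which reply packet belongs to which session, which AV pairs the server returned (and whether each was mandatory `=` or optional `*`), and what the final authorization status was. The following parser is an added example and not part of the question above or of any Cisco tool; it assumes the line layout shown in the quoted debug output (sequence number, timestamp, `TPLUS` prefix, message) and uses a constructed copy of those lines as sample input.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the IOS "debug tacacs" lines quoted in the
# question; it is not captured from a real device.
SAMPLE_DEBUG = """\
10741001: Jul 26 09:44:56.474 EDT: TPLUS(00000000)/0/1A8BC9B0: Processing the reply packet
10741002: Jul 26 09:44:56.474 EDT: TPLUS: Processed AV priv-lvl=15
10741003: Jul 26 09:44:56.474 EDT: TPLUS: Processed AV timeout=60
10741004: Jul 26 09:44:56.474 EDT: TPLUS: Processed AV idletime=10
10741005: Jul 26 09:44:56.474 EDT: TPLUS: received authorization response for 0: PASS
"""

# One debug line: "<seq>: <timestamp>: TPLUS[(<session>)/<n>/<handle>]: <message>"
LINE_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>.+?): TPLUS"
    r"(?:\((?P<sess>[0-9A-Fa-f]+)\)/\d+/[0-9A-Fa-f]+)?: (?P<msg>.*)$"
)
# TACACS+ AV pair: "attr=value" is mandatory, "attr*value" is optional.
AV_RE = re.compile(r"^Processed AV (?P<attr>[^=*]+)(?P<sep>[=*])(?P<val>.*)$")
RESP_RE = re.compile(r"^received authorization response for (?P<id>\d+): (?P<status>\w+)$")


@dataclass
class TacacsReply:
    """One reply packet as reconstructed from consecutive debug lines."""
    session: Optional[str] = None
    # attribute -> (value, mandatory?)
    avpairs: Dict[str, Tuple[str, bool]] = field(default_factory=dict)
    status: Optional[str] = None
    request_id: Optional[int] = None


def parse_tplus_debug(text: str) -> List[TacacsReply]:
    """Group 'Processing the reply packet' ... 'received ... response' lines into replies."""
    replies: List[TacacsReply] = []
    current: Optional[TacacsReply] = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TPLUS line (other debugs interleaved, etc.)
        msg = m.group("msg")
        if msg.startswith("Processing the reply packet"):
            current = TacacsReply(session=m.group("sess"))
            replies.append(current)
            continue
        if current is None:
            continue  # AV/response line with no preceding reply header
        av = AV_RE.match(msg)
        if av:
            current.avpairs[av.group("attr")] = (av.group("val"), av.group("sep") == "=")
            continue
        r = RESP_RE.match(msg)
        if r:
            current.status = r.group("status")
            current.request_id = int(r.group("id"))
    return replies


def granted_priv_level(reply: TacacsReply) -> Optional[int]:
    """Privilege level the server returned, or None if absent or the reply failed."""
    if reply.status != "PASS" or "priv-lvl" not in reply.avpairs:
        return None
    value, _mandatory = reply.avpairs["priv-lvl"]
    return int(value) if value.isdigit() else None


def summarize(replies: List[TacacsReply]) -> List[str]:
    """One human-readable line per reply, for side-by-side comparison of devices."""
    out = []
    for i, rep in enumerate(replies):
        avs = ", ".join(
            f"{k}{'=' if mand else '*'}{v}" for k, (v, mand) in rep.avpairs.items()
        )
        out.append(f"reply {i} session={rep.session} status={rep.status} "
                   f"priv={granted_priv_level(rep)} avs=[{avs}]")
    return out


if __name__ == "__main__":
    for line in summarize(parse_tplus_debug(SAMPLE_DEBUG)):
        print(line)
```

Run it over the saved debug from the 38xx router and from the 3560 in turn; if both show `status=PASS priv=15` with the same AV pairs, the difference between the two platforms lies after the TACACS+ exchange (in how the HTTP server consumes the result), not in what the server returned.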