ACS Express Tacacs+ authentication issues

Unanswered Question
Aug 24th, 2010

hi All,

I am trying to do a simple switch TACACS+ authentication via the ACS Express.

ACS Express - 5.0

IP address (

Core Switch - Catalyst 4948

vlan 1 (

vlan 10 (

Access Switch - Catalyst 3560

vlan 1 (

Problem statement:

On ACS Express:

-core switch device is being created using the ip

-access switch device is being creted using ip

Unfortunately i am unable to authenticate. It shows authentication failed when i tried to login to both core & access switches.

-Tried to change the core switch device ip to, it seems to work - when i telnet to both &


- ACS Express seems to ONLY understands device that belongs to its own subnet i.e /24 network.

- Ip routing has been enabled on core switch and both 192 & 172 network are pingable

Below is the TACACS config on both core & access switch

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ none
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting system default start-stop group tacacs+


tacacs-server host
tacacs-server directed-request
tacacs-server key 1234567

Did i miss out any major config~?

It seems failproof to me but cant understand why it is not accessible via diff subnet 192.100.100.x ip

PLease advice


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
ighovwerha Tue, 08/24/2010 - 00:59

can you ping your acs from the core device when the IP are still as they were initially? If you can't then?

I suppose your acs is connected to you access switch:

my configs would be?

ACS Express - 5.0

IP address (   connected to fa0/1 on access switch

Access Switch - Catalyst 3560

interface vlan 11 (

interface fa0/1 : switchport access vlan 10

                       switchpor mo access

interface fa0/23: switchport mode truk

                        switchport trun encap dot1q

interface vlan 10 :

Core Switch - Catalyst 4948

interface vlan 11 (

interface vlan 10 (

interface fa0/23 : switchport mode trunk

                         switchport trunk encap dot1q

router rip

ver 2

no aut

net vlan 11

net vlan 10

NOTE: I decided not to use vlan 1 so that all unknown traffic still flows through vlan 1.

I hope this helps.


This Discussion