Hi all,
I am trying to set up simple switch TACACS+ authentication via ACS Express.
ACS Express - 5.0
IP address (172.16.4.10)
Core Switch - Catalyst 4948
vlan 1 (192.100.100.1)
vlan 10 (172.16.4.1)
Access Switch - Catalyst 3560
vlan 1 (192.100.100.2)
Problem statement:
On ACS Express:
- The core switch device is created using the IP 192.100.100.1
- The access switch device is created using the IP 192.100.100.2
Unfortunately I am unable to authenticate. It shows "authentication failed" when I try to log in to both the core and access switches.
- I tried changing the core switch device IP to 172.16.4.1, and it seems to work when I telnet to both 172.16.4.1 and 192.100.100.1.
*Suspicion*
- ACS Express seems to ONLY understand devices that belong to its own subnet, i.e. the 172.16.4.0/24 network.
- IP routing has been enabled on the core switch and both the 192 and 172 networks are pingable.
Below is the TACACS config on both the core and access switches:
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ none
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting system default start-stop group tacacs+
!
tacacs-server host 172.16.4.10
tacacs-server directed-request
tacacs-server key 1234567
Did I miss out any major config?
It seems failproof to me, but I can't understand why it is not accessible via the different subnet 192.100.100.x IP.
Please advise.
Jocelyn
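A configuration example added here (it is not part of Jocelyn's post, nor a reply from the forum). By default IOS sources a TACACS+ request from the address of the interface the packet leaves through, so the core switch reaches 172.16.4.10 from Vlan10 (172.16.4.1), which is why only an ACS device entry of 172.16.4.1 matched; ACS identifies the client by the source IP of the TACACS+ packet and rejects requests from unknown addresses. Pinning the source with `ip tacacs source-interface` keeps the device IP stable whatever the routing. The interface names, the access-switch default gateway and the test credentials below are assumptions.

```cisco
! --- Core switch (Catalyst 4948) ---
! Keep the ACS Express device entry at 192.100.100.1 and make every TACACS+
! packet leave with that source address, regardless of the egress interface.
aaa new-model
aaa authentication login default group tacacs+ local
! 'local' rather than 'none': with 'none', enable mode is granted with no
! password at all whenever the TACACS+ server is unreachable.
aaa authentication enable default group tacacs+ local
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting system default start-stop group tacacs+
!
tacacs-server host 172.16.4.10
tacacs-server directed-request
tacacs-server key 1234567
ip tacacs source-interface Vlan1          ! source = 192.100.100.1 (assumed SVI name)
!
! --- Access switch (Catalyst 3560) ---
! Same AAA block as above; its only SVI is Vlan1, so requests already leave
! as 192.100.100.2, but pin it anyway so a later SVI cannot change that.
ip tacacs source-interface Vlan1          ! source = 192.100.100.2
ip default-gateway 192.100.100.1          ! assumed: needed if 'ip routing' is off
!
! --- Verification from exec mode (constructed test user/password) ---
! 1. Prove the path from the address ACS will see, not from the core's
!    directly connected 172.16.4.1 (a plain 'ping 172.16.4.10' uses that):
ping 172.16.4.10 source 192.100.100.1
! 2. Exercise AAA without locking yourself out of a live session:
test aaa group tacacs+ testuser testpass legacy
! 3. Watch the exchange and server state while testing:
debug tacacs
show tacacs
```

The sourced ping matters because "both networks are pingable" from the core only shows the core can reach ACS from 172.16.4.1; ACS Express has a single interface on 172.16.4.0/24 and needs a route (normally its default gateway pointing at 172.16.4.1) back to 192.100.100.0/24, or the replies to the access switch never arrive and the login fails exactly as described. Keep a console session open while changing the AAA lines, since a rejected TACACS+ reply does not fall through to `local`; only an unreachable server does.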