Cisco VPN Client authentication problem with IOS running TACACS

Mar 29th, 2006

When prompted for user authentication, it won't accept the credentials though they are valid in the ACS database. But when the router is configured for local authentication, it works.

Can someone please help?

m.sir Thu, 03/30/2006 - 02:26

Can you check the ACS failed attempts?

Try in ACS, from the left menu: Reports and Activity, then Failed Attempts.

You can find some error message there - it could help you debug the problem.



liamkennedy Fri, 03/31/2006 - 02:50

I've had the exact same problem (see my post in the AAA forum).

Try using RADIUS instead - i.e. add the router into ACS as a RADIUS client, configure RADIUS authentication on the router and then change to using "group radius" instead of "group tacacs+" in the router AAA config.

This worked for me, but I still haven't been able to get TACACS working and am beginning to suspect it's a bug.
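
The RADIUS workaround described in the post above, written out as an added IOS configuration example that is not part of the original thread. The list names, crypto map name, server address (a documentation address), ports and key placeholder are all assumptions, as is keeping group authorization local.

```cisco
! Added example, not from the thread. VPN-XAUTH, VPN-GROUP, VPN-MAP,
! 192.0.2.10, the ports and <shared-secret> are hypothetical placeholders.
aaa new-model
!
! Before: the "group tacacs+" form the post says to replace
! aaa authentication login VPN-XAUTH group tacacs+
!
! After (workaround): same method list, now pointing at RADIUS
aaa authentication login VPN-XAUTH group radius
!
! Assumption: VPN group policy lookup stays local on the router
aaa authorization network VPN-GROUP local
!
! The router must also be added in ACS as a RADIUS client with the same key
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key <shared-secret>
!
! Xauth uses whichever login list the crypto map names here
crypto map VPN-MAP client authentication list VPN-XAUTH
crypto map VPN-MAP isakmp authorization list VPN-GROUP
!
! Telnet logins can stay on TACACS+ through the default list
aaa authentication login default group tacacs+ local
```

RADIUS hides only the password attribute in transit, whereas TACACS+ encrypts the whole packet body, so keep the router-to-ACS path on a trusted management network when using this workaround.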

m.sir Fri, 03/31/2006 - 02:58

I remember I had similar problems; it was really some bug.

The solution was the following:


tacacs-server host

tacacs-server key yourkey


tacacs-server host key yourkey

Hope that helps, rate if it does

liamkennedy Fri, 03/31/2006 - 03:13

Didn't work for me.

I should add - TACACS is working fine for telnet authentication and authorization on the same router.

I did some debugging and it very much looked like the router was receiving the password from the client but not sending it on to ACS. ACS kept replying "GET_PASSWORD".

liamkennedy Tue, 04/11/2006 - 05:33

I fixed this by upgrading to 12.4 - this seems to be a bug in a number of versions of 12.3.

Xauth sends the password to the router, but the router doesn't send the password to the TACACS server. This is why you don't get a failed login in the logs.

