When prompted for user authentication, it won't accept the credentials though it is valid from the ACS database. But when the router is configured for local authentication it works.
i've had the exact same problem (see my post in the AAA forum)
try using radius instead - ie add the router into ACS as a radius client, configure radius authentication on the router and then change to using "group radius" instead of "group tacacs+" in the router aaa config.
this worked for me, but I still haven't been able to get tacacs working and am beginning to suspect its a bug.
I should add - tacacs is working fine for telnet authentication and authorization on the same router.
I did some debugging and it very much looked like the router was receiving the password from the client but not sending it onto ACS. ACS kept replying "GET_PASSWORD"
i fixed this by upgrading to 12.4 - this seems to be a bug in a number of versions of 12.3.
xauth sends the password to the router, but the router doesn't send the password to the tacacs server. this is why you don't get a failed login in the logs.
Getting Started
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:
