Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

aaa config question

I have configured aaa on two routers. When I telnet into them, one works fine with the ACS server. The other router returns a password prompt (enable secret). Both configs appear to have same aaa code. Is this an aaa issue?

New Member

Re: aaa config question


TACACS+ Operation

Three possible activities can be performed during TACACS+ operation. The first operation performed is authentication. This is done to clearly identify the user. The second operation is authorization and is possible only once a user has been identified. Therefore, you must authenticate prior to authorizing. The third operation is accounting. The accounting process keeps track of actions performed. The three processes are each independent of the other.

TACACS+ and Authentication

When authentication is performed in TACACS+, three distinct packet exchanges take place. The three types of packets are

START This packet is used initially when the user attempts to connect.

REPLY Sent by the AAA server during the authentication process.

CONTINUE Used by the AAA client to return username and password to the AAA server

START and CONTINUE packets are always sent by the AAA client, and REPLY packets are always sent by the TACACS+ server

New Member

Re: aaa config question

Thank you! I am seeing the failed attempt on the ACS server. However, since the Uname prompt is never seen on the rtr, it appears the REPLY is not making it from ACS to rtr.

Note: The failed attempt is instantaneous on the ACS server, no lengthy timeout. I can trace route from ACS to rtr without issue. Any thoughts?

New Member

Re: aaa config question

Issue was fixed by extending the aaa client IP address on ACS server.

Re: aaa config question

Other way can be to use ip tacacs source -interface command on the router. So that, router will always use that specific interface to send tacacs packets.

Where interface would be the IP that is mentioned in acs, aaa-clients

It is recommended to use this command on layer 3 devices.



CreatePlease to create content