Cannot login into Router using TACACS+

Hello,

I cannot log into my OSPF router using TACACS+. Below are the debug messages:

.Mar 16 16:20:29: TPLUS(0000004F)/0/NB_WAIT/661E1170: timed out, clean up
.Mar 16 16:20:29: TPLUS(0000004F)/0/661E1170: Processing the reply packet
.Mar 16 16:24:46: TAC+: Using default tacacs server-group "TACACS-SERVERS" list.
.Mar 16 16:24:46: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5
.Mar 16 16:24:51: TAC+: TCP/IP open to x.x.x.x/49 failed -- Connection timed out; remote host not responding
.Mar 16 16:24:51: TPLUS: Queuing AAA Accounting request 75 for processing
.Mar 16 16:24:51: TPLUS: processing accounting request id 75
.Mar 16 16:24:51: TPLUS: Sending AV task_id=627
.Mar 16 16:24:51: TPLUS: Sending AV timezone=EDT
.Mar 16 16:24:51: TPLUS: Sending AV service=shell
.Mar 16 16:24:51: TPLUS: Sending AV start_time=1331929491
.Mar 16 16:24:51: TPLUS: Sending AV priv-lvl=1
.Mar 16 16:24:51: TPLUS: Sending AV cmd=show logging <cr>
.Mar 16 16:24:51: TPLUS: Accounting request created for 75(backup)
.Mar 16 16:24:51: TPLUS: Using server x.x.x.x

I have confirmed the IP on the server. The router can ping the TACACS+ server and telnet over port 49. I have confirmed the IP has a route. I have deleted / re-added the entry on the ACS server. I have verified the TACACS+ key several times.

2 REPLIES

Cannot login into Router using TACACS+

What version code is running on your router and what version of ACS are you running? Is this a new installation or did this start all of a sudden?

Also what is the source interface for the tacacs request? You may need to specify the source interface to send the tacacs request from.

Thanks,

Tarik Admani

Tarik Admani *Please rate helpful posts*

Cannot login into Router using TACACS+

Hi Nicholas,

As Tarik wrote, be sure that the remote server is aware of the source-interface configured on the router.

Can you try to telnet to the server?

telnet 1.1.1.1 49 /source-interface

You should be able to see "CONNECT".

You can also try to use the test aaa command, and see if your user gets successfully authenticated.

'test aaa group tacacs legacy'

Regards

Marco
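
An added example, not part of the original thread: a small Python triage of debug lines in the format quoted in the question, which separates failures to open the TCP session on port 49 from problems that would only appear after the session is up. The function names and the sample input are constructed for illustration.

```python
import re

# Constructed sample in the format of the debug lines quoted in the question
# (server address masked as x.x.x.x, as in the post).
SAMPLE = """\
.Mar 16 16:24:46: TAC+: Using default tacacs server-group "TACACS-SERVERS" list.
.Mar 16 16:24:46: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5
.Mar 16 16:24:51: TAC+: TCP/IP open to x.x.x.x/49 failed -- Connection timed out; remote host not responding
.Mar 16 16:24:51: TPLUS: Sending AV cmd=show logging <cr>
"""

OPEN_RE = re.compile(r"TAC\+: Opening TCP/IP to (\S+)/(\d+) timeout=\d+")
FAIL_RE = re.compile(r"TAC\+: TCP/IP open to (\S+)/(\d+) failed -- (.+)$")


def triage(debug_text):
    """Count TCP open attempts and failures per (server, port)."""
    servers = {}

    def entry(match):
        key = (match.group(1), int(match.group(2)))
        return servers.setdefault(
            key, {"attempts": 0, "failures": 0, "reasons": set()})

    for line in debug_text.splitlines():
        opened = OPEN_RE.search(line)
        failed = FAIL_RE.search(line)
        if opened:
            entry(opened)["attempts"] += 1
        elif failed:
            stats = entry(failed)
            stats["failures"] += 1
            stats["reasons"].add(failed.group(3).strip())
    return servers


def verdict(stats):
    """Classify one server's counters."""
    if stats["failures"] == 0:
        return "connected"      # TCP opened; look at the AAA replies next
    if stats["failures"] >= stats["attempts"]:
        # No TCP session, so no TACACS+ packet was exchanged and the
        # shared key was never used: check reachability from the address
        # the router sources TACACS+ from, and filtering on port 49.
        return "transport"
    return "intermittent"


if __name__ == "__main__":
    for (host, port), stats in triage(SAMPLE).items():
        print(host, port, verdict(stats), sorted(stats["reasons"]))
```

A "transport" verdict means the failure happened before any TACACS+ exchange, which is why the replies above focus on the source interface rather than the key.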
