Tacacs and GRE Tunnel

awairlines
Level 1

Tacacs authentication doesn't work after passing thru GRE tunnel with Crypto map.

6 Replies

gfullage
Cisco Employee

We need more information than that please if we're going to help you.

What version of router code on both sides? Can you ping the TACACS server over the tunnel with all different sizes of packets (up to and including 1500 bytes)? What does the log on the ACS server say, anything in Failed Attempts or Passed Authentications? Are you sure you're sourcing the TACACS packets from the same interface as the IP address you have entered as the NAS on the ACS server (check for Unknown NAS errors in the Failed Attempts log)?

OK - here is some more info:

router versions local 12.2(6b) remote 12.2(5d)

Ping sweep min to max OK

ACS message "Unknown NAS"

Source address is serial int of remote router in ACS device config

debug aaa on remote router shows a TAC+ send authen/start

then it has status "error" - then drops to line authentication

Thanks...

OK, thanks.

If you're getting Unknown NAS in ACS, then the TACACS packet is being sourced with a different router address than what you entered in ACS for that NAS. You should be able to see what address the router is using by looking at the Unknown NAS error message. You can then either add that address for the NAS, or use the "ip tacacs source-interface ..." command to specify what address the router uses.

The "ip tacacs source-interface" resolved the issue...

I had a similar problem where the router was on the end of a GRE tunnel and could ping the ACS (tacacs) server but could not use it for authentication. The "ip tacacs source-interface" command resolved my problem.

Cheers,

Ben.

Hello All, [Pls Rate if HELPS]

In addition,

Normally in the CRYPTO Configuration the Crypto Sessions will be formed with some Private Loopback available in the Configuration.

Since the TACACS Server will be in the same domain, the "ip tacacs source-interface" command solved your problem.

The Crypto Originating LOCAL Interface at the SPOKE Location should normally be used as the tacacs Source Interface in a general scenario.

Hope I am Informative.

Pls Rate if HELPS

Best Regards,

Guru Prasad R
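The fix gfullage and Guru Prasad describe, written out as an added spoke-router configuration (not from anyone in this thread). Addresses, interface names, the crypto map name and the shared key are assumed placeholders; the crypto map and ISAKMP policy are assumed to be defined elsewhere and to match the GRE traffic between the serial endpoints.

```cisco
! Added illustration, not configuration posted in this thread.
! All addresses, names and the key below are assumed placeholders.
!
! Loopback0 holds the address the ACS administrator entered for this NAS.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Serial0/0 is the physical WAN link; the crypto map applied here protects
! the GRE tunnel that rides over it.
interface Serial0/0
 ip address 192.0.2.2 255.255.255.252
 crypto map VPN
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 192.0.2.1
!
! Assumed hub network where the ACS server lives, reached through the tunnel.
ip route 10.10.10.0 255.255.255.0 Tunnel0
!
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.10.10.5
tacacs-server key PLACEHOLDER_SHARED_KEY
!
! Without the next line the router sources TAC+ packets from the address of
! the outgoing interface (the tunnel or serial address), which does not match
! the NAS entry on ACS, so ACS logs "Unknown NAS" and the router falls back
! to line authentication. With it, every TAC+ packet is sourced from Loopback0.
ip tacacs source-interface Loopback0
!
! Check: "debug aaa authentication" should now show a TAC+ status of PASS
! rather than ERROR, and the ACS Failed Attempts log should stop filling
! with Unknown NAS entries.
```

The same principle applies whichever interface you choose: the address in "ip tacacs source-interface" and the NAS address configured on ACS must be identical, and that address must be routed and encrypted through the tunnel.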