Cisco Support Community
New Member

Tacacs and GRE Tunnel

TACACS authentication doesn't work after passing through a GRE tunnel with a crypto map.

6 REPLIES
Cisco Employee

Re: Tacacs and GRE Tunnel

We need more information than that please if we're going to help you.

What version of router code is on both sides? Can you ping the TACACS server over the tunnel with all different packet sizes (up to and including 1500 bytes)? What does the log on the ACS server say, anything in Failed Attempts or Passed Authentications? Are you sure you're sourcing the TACACS packets from the same interface as the IP address you entered as the NAS on the ACS server (check for Unknown NAS errors in the Failed Attempts log)?

New Member

Re: Tacacs and GRE Tunnel

OK, here is some more info:

Router versions: local 12.2(6b), remote 12.2(5d)

Ping sweep min to max: OK

ACS message: "Unknown NAS"

Source address is the serial interface of the remote router in the ACS device config

debug aaa on the remote router shows a TAC+ send authen/start,

then it has status "error", then it drops to line authentication

Thanks...

Cisco Employee

Re: Tacacs and GRE Tunnel

OK, thanks.

If you're getting Unknown NAS in ACS, then the TACACS packet is being sourced from a different router address than the one you entered in ACS for that NAS. You should be able to see what address the router is using by looking at the Unknown NAS error message. You can then either add that address for the NAS, or use the "ip tacacs source-interface ..." command to specify which address the router uses.

New Member

Re: Tacacs and GRE Tunnel

The "ip tacacs source-interface" resolved the issue...

New Member

Re: Tacacs and GRE Tunnel

I had a similar problem where the router was on the end of a GRE tunnel and could ping the ACS (tacacs) server but could not use it for authentication. The "ip tacacs source-interface" command resolved my problem.

Cheers,

Ben.

Re: Tacacs and GRE Tunnel

Hello All,

In addition,

Normally, in the crypto configuration, the crypto sessions are formed with some private loopback available in the configuration.

Since the TACACS server is in the same domain, the "ip tacacs source-interface" command solved the problem of Urs.

The crypto-originating local interface at the spoke location should normally be used as the TACACS source interface in a general scenario.

Hope this is informative.

Please rate if this helps.

Best Regards,

Guru Prasad R
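A worked spoke-router configuration for the fix discussed in this thread (the Unknown NAS explanation above and the note about which interface to source from). This is an added illustration, not configuration taken from any of the posters' routers: the addresses, interface numbers, the crypto map name VPN, the key and the ACS address 10.1.1.10 are all made-up assumptions, and the crypto ACL/transform set are omitted. The comments explain why the default source address is wrong and what to check before and after the change.

```cisco
! Remote (spoke) router, 12.2-style syntax. All addresses and names are assumptions.
aaa new-model
! TACACS+ first; fall back to the line password if the server does not answer
aaa authentication login default group tacacs+ line
!
! ACS sits on the hub LAN and is reachable only through the GRE tunnel
tacacs-server host 10.1.1.10
tacacs-server key S3cretKey
!
interface Serial0/0
 description WAN link; this address is the one registered as the NAS in ACS
 ip address 192.0.2.2 255.255.255.252
 crypto map VPN
!
interface Tunnel0
 description GRE to hub; the crypto ACL (not shown) matches GRE between the endpoints
 ip address 172.16.0.2 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 192.0.2.1
!
! The hub LAN (where ACS lives) is routed through the tunnel
ip route 10.1.1.0 255.255.255.0 Tunnel0
!
! Without the next line IOS sources the TACACS+ packet from the egress interface
! for 10.1.1.10, which is Tunnel0 (172.16.0.2). ACS only knows 192.0.2.2 as a
! NAS, so it logs "Unknown NAS" under Failed Attempts and does not answer; on the
! router "debug aaa authentication" shows the TAC+ authen/start ending in "error"
! and the login falls through to line authentication.
ip tacacs source-interface Serial0/0
!
! Alternative (the loopback approach): register a loopback in ACS instead and use
!   ip tacacs source-interface Loopback0
! which survives a change of WAN address as long as the loopback is routed.
!
! Checks (exec mode):
!   show ip route 10.1.1.10     -> egress interface Tunnel0, i.e. the default source
!   debug tacacs                -> shows the source address actually used
!   debug aaa authentication    -> expect PASS/FAIL from the server, not "error"
```

Whichever interface you pick, the address on it must be the exact one in the ACS NAS entry, and the ACS must have a route back to that address through the tunnel; a successful ping of the server from the router proves only that the tunnel path works, not that ACS will accept the NAS.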
