Cisco Support Community
New Member

Tacacs+ authentication errors

I am having problems getting TACACS+ AAA working with my 3560 switches. I have set up users, groups, and an NDG on the ACS SE as per the CS ACS course material and have triple-checked my keys to make sure they match. I have attached the debug output from the switch for authentication, authorization and tacacs+. Can someone please tell me what I am doing wrong?

9 REPLIES

Re: Tacacs+ authentication errors

This seems to be a key mismatch. Please note that if you also have an NDG key configured, that can cause a key mismatch.

Important: the NDG key overwrites the AAA-client key.

Please use the same key for the NDG and the client, or simply remove the NDG key.

Regards,

~JG

Do rate helpful posts
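To make the key-mismatch symptom concrete, here is an added example (not code from the thread, and not Cisco's implementation) that applies a TACACS+ shared key to a packet body the way RFC 8907 describes (header in section 4.1, MD5 pseudo-pad in section 4.5, authentication START in section 5.1), then decodes the same packet with a matching key and with a differing NDG key. The username, port, session id and NDG key are constructed; the client key is the one in the switch config posted later in the thread. The NDG-over-client precedence in `effective_key` is the rule stated in the reply above, modelled here as a one-line function.

```python
"""Added example, not code from the thread: how a TACACS+ shared key is applied to the
packet body (RFC 8907 sections 4.1, 4.5, 5.1) and why a key mismatch shows up on the
server as a START packet that does not decode. Username, port, session id and the
NDG key are constructed values."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent without obfuscation
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = "!BBBB4sI"                # version, type, seq_no, flags, session_id, length


def effective_key(client_key, ndg_key=b""):
    """Key precedence as stated in the reply above: an NDG key, when set, overrides the AAA-client key."""
    return ndg_key or client_key


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain from RFC 8907 4.5: pad_1 = MD5(session_id, key, version, seq_no),
    pad_n = MD5(session_id, key, version, seq_no, pad_n-1); concatenated, truncated to length."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad. Applying it twice with the same key restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(username, key, session_id, port=b"tty1", rem_addr=b"10.200.1.16"):
    """The switch's authentication START (seq_no 1), obfuscated with the key it has configured."""
    user = username.encode()
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0)
    body += user + port + rem_addr
    header = struct.pack(HEADER, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, 1)


def _printable(b):
    return all(0x20 <= c < 0x7F for c in b)


def parse_authen_start(packet, server_key):
    """Server side: de-obfuscate with the server's key and sanity-check the result.
    Returns the decoded fields, or None when the body is not a well-formed START;
    that failure is what the server records as a key mismatch."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER, packet[:12])
    body = packet[12:12 + length]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length or length < 8:
        return None
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, server_key, version, seq_no)
    action, priv, atype, svc, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    # With the wrong key the decoded bytes are effectively random, so the declared field
    # lengths will not add up to the body length and the strings will not be printable.
    if 8 + ulen + plen + rlen + dlen != length or priv > 15 or action not in (1, 2, 3):
        return None
    off = 8
    user, off = body[off:off + ulen], off + ulen
    port, off = body[off:off + plen], off + plen
    rem_addr = body[off:off + rlen]
    if not (_printable(user) and _printable(port) and _printable(rem_addr)):
        return None
    return {"action": action, "priv_lvl": priv, "authen_type": atype, "service": svc,
            "user": user.decode(), "port": port.decode(), "rem_addr": rem_addr.decode()}


SESSION_ID = b"\x00\x00\x00\x2a"   # constructed; a real client picks a random 32-bit value
CLIENT_KEY = b"cisco"              # the key in the posted `tacacs-server key cisco`


def demo():
    """Same START packet decoded with a matching key and with a differing NDG key."""
    pkt = build_authen_start("testuser", CLIENT_KEY, SESSION_ID)
    matched = parse_authen_start(pkt, effective_key(CLIENT_KEY))
    mismatched = parse_authen_start(pkt, effective_key(CLIENT_KEY, ndg_key=b"ndg-secret"))
    return matched, mismatched


if __name__ == "__main__":
    ok, bad = demo()
    print("matching key    ->", ok)
    print("NDG key differs ->", bad)
```

Run as a script it prints the decoded username, port and rem_addr for the matching key and `None` for the NDG key, which is the server-side picture behind an "Authentication Failed, key mismatch" entry: the server cannot tell a wrong key from corrupted input, it only sees a body that does not parse.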

New Member

Re: Tacacs+ authentication errors

I did match all the keys, but I just tried deleting the NDG key and retesting and got the same results. The switch comes back with % Backup authentication.

Also note that in the Failed Attempts report, I can change the keys so they don't match and get an Authentication Failed key mismatch entry in the report. When the keys match there is no entry in the Failed Attempts report and no entry in the Passed Authentications report. The TACACS+ Accounting report shows an entry for the username I am using, with a start acct flag and service shell.

Re: Tacacs+ authentication errors

On layer 3 devices, other than the normal aaa commands, we also need to define the tacacs source interface so that the device uses only that interface for sending tacacs requests to ACS:

AAA-Switch(config)#ip tacacs source-interface (vlan or loopback or gigabit interface)

In the above command we need to define the interface whose address is listed in acs--->network configuration--->Router.

Regards,

~JG

New Member

Re: Tacacs+ authentication errors

Here is the config I have on the switch (sorry, I should have sent this already).

aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication login no_aaa none
aaa authorization exec default group tacacs+ none
aaa authorization exec no_aaa none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization commands 15 no_aaa none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
!
interface VLAN1
 ip address 10.200.1.16 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
ip tacacs source-interface VLAN1
!
tacacs-server host 10.200.35.250
tacacs-server key cisco
!
line con 0
 authorization commands 15 no_aaa
 authorization exec no_aaa
 login authentication no_aaa
 transport input none
 stopbits 1
line vty 5 15
!
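The config above is what a reviewer would walk through by hand: which method list each line uses, what each list falls back to, and which address the switch sources TACACS+ from (the address the ACS AAA client entry must carry, as the earlier reply points out). Here is an added example, not code from the thread or from Cisco, that parses the posted config and produces those findings. The sample text is the posted config (the `interface` and `line` sub-commands that do not affect AAA are omitted); the parser, the checks and their wording are this example's own.

```python
"""Added example, not code from the thread: parse the posted IOS AAA configuration and
report what a practitioner checks before blaming the key. Sample text is the posted
config; the checks and their wording are this example's own, not Cisco's."""
import re

POSTED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication login no_aaa none
aaa authorization exec default group tacacs+ none
aaa authorization exec no_aaa none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization commands 15 no_aaa none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
interface VLAN1
 ip address 10.200.1.16 255.255.255.0
!
ip tacacs source-interface VLAN1
!
tacacs-server host 10.200.35.250
tacacs-server key cisco
!
line con 0
 authorization commands 15 no_aaa
 authorization exec no_aaa
 login authentication no_aaa
line vty 5 15
!
"""

# aaa <kind> <subtype> [<level>] <list-name> <rest>
AAA_RE = re.compile(r"^aaa (authentication|authorization|accounting) (\S+)(?: (\d+))? (\S+) (.+)$")
ACCT_RECORDS = ("start-stop", "stop-only", "wait-start", "none")


def parse_methods(kind, rest):
    """'start-stop group tacacs+ none' -> ('start-stop', ['group tacacs+', 'none'])."""
    tokens = rest.split()
    record = tokens.pop(0) if kind == "accounting" and tokens and tokens[0] in ACCT_RECORDS else None
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1]); i += 2
        else:
            methods.append(tokens[i]); i += 1          # none, local, enable, line, ...
    return record, methods


def parse_ios_aaa(text):
    """Collect method lists, interface addresses, TACACS+ server settings and per-line list bindings."""
    cfg = {"method_lists": [], "interfaces": {}, "source_interface": None,
           "tacacs_hosts": [], "tacacs_key": None, "lines": {}}
    section = None                                     # ("interface", name) or ("line", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            section = None                             # "!" ends an interface/line block
            continue
        words = line.split()
        m = AAA_RE.match(line)
        if m:
            kind, subtype, level, name, rest = m.groups()
            record, methods = parse_methods(kind, rest)
            cfg["method_lists"].append({"kind": kind, "subtype": subtype, "name": name,
                                        "level": int(level) if level else None,
                                        "record": record, "methods": methods})
        elif words[0] == "interface":
            section = ("interface", words[1].lower())
            cfg["interfaces"].setdefault(section[1], None)
        elif words[0] == "line":
            section = ("line", " ".join(words[1:]))
            cfg["lines"].setdefault(section[1], {})
        elif words[:2] == ["ip", "address"] and section and section[0] == "interface":
            cfg["interfaces"][section[1]] = words[2]
        elif words[:3] == ["ip", "tacacs", "source-interface"]:
            cfg["source_interface"] = words[3].lower()
        elif words[:2] == ["tacacs-server", "host"]:
            cfg["tacacs_hosts"].append(words[2])
        elif words[:2] == ["tacacs-server", "key"]:
            cfg["tacacs_key"] = " ".join(words[2:])
        elif section and section[0] == "line" and words[0] in ("login", "authorization", "accounting"):
            cfg["lines"][section[1]][" ".join(words[:-1])] = words[-1]   # "login authentication" -> "no_aaa"
    return cfg


def tacacs_source_address(cfg):
    """Address ACS will see as the AAA client, or None if no source interface/address is set."""
    return cfg["interfaces"].get(cfg["source_interface"]) if cfg["source_interface"] else None


def fail_open_lists(cfg):
    """Authentication/authorization lists whose last method is 'none': if every TACACS+ server
    returns an ERROR (for example, all are unreachable) these lists grant access."""
    return [ml for ml in cfg["method_lists"]
            if ml["kind"] != "accounting" and ml["methods"] and ml["methods"][-1] == "none"]


def review(cfg):
    """Findings in the order a reviewer would raise them."""
    findings = []
    src = tacacs_source_address(cfg)
    if src is None:
        findings.append("no usable 'ip tacacs source-interface': ACS sees whatever egress address the switch picks")
    else:
        findings.append(f"TACACS+ requests are sourced from {cfg['source_interface']} ({src}); "
                        f"the ACS AAA client entry for this switch must carry that address")
    for ml in fail_open_lists(cfg):
        level = f" {ml['level']}" if ml["level"] is not None else ""
        findings.append(f"aaa {ml['kind']} {ml['subtype']}{level} {ml['name']}: last method is 'none'")
    for name, applied in cfg["lines"].items():
        for cmd, lst in applied.items():
            findings.append(f"line {name}: {cmd} uses list '{lst}'")
    return findings


if __name__ == "__main__":
    for finding in review(parse_ios_aaa(POSTED_CONFIG)):
        print("-", finding)
```

On the posted config this reports that VLAN1 (10.200.1.16) is the source address ACS must have on file, that seven of the nine lists end in `none`, and that `line con 0` is bound to the `no_aaa` lists; the `none` fallback is what makes a switch with an unreachable or misconfigured server still let users in, so it is worth knowing it is there while troubleshooting, and worth reconsidering once TACACS+ is working.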

New Member

Re: Tacacs+ authentication errors

Any other ideas?

As a test, I set up a Windows server and installed ACS 4.1(2) Build 23 on it. I put the same config on it as on the SE and it works. I have checked the config on both the Windows server and the SE and they are the same from what I can tell.

Please help!!

Re: Tacacs+ authentication errors

Do you have dual NICs on the ACS Windows server?

Regards,

~JG

New Member

Re: Tacacs+ authentication errors

Yes, but I am only using one. We have fully tested RADIUS and TACACS+ on the Windows ACS and everything is working perfectly. I can't figure out why the SEs will not.

Re: Tacacs+ authentication errors (Accepted Solution)

Ohh, so it's the SE that is not working.

Do this: ACS ---> Network Configuration ---> Proxy Distribution Table ---> click Default. If you see delivenrance 1 under AAA Servers, drag it to "Forward To", and drag whatever is under "Forward To" to AAA Servers ---> Submit + Apply.

It should work now.

If you don't see the Proxy Distribution option, go to ACS ---> Interface Configuration ---> Advanced Options ---> enable the distributed table.

Regards,

~JG

New Member

Re: Tacacs+ authentication errors

That did it!!

Thank you!

Darren
