TACACS does not respond

bruce.stanton
Level 1

I have a 6509 with a Sup2/MSFC2 running in hybrid mode and I'm trying to use TACACS for authentication/accounting on both the SP and MSFC. For some reason, the MSFC and the ACS don't talk, but the SP works just fine.

The MSFC config is as follows:

aaa new-model
aaa authen login infrastructure group tacacs+ line enable
aaa authen enable default group tacacs+ enable
aaa authen login default group tacacs+ line enable
aaa accoun exec infrastructure start-stop tacacs+
aaa accoun command 15 infrastructure stop-only tacacs+
aaa accoun system stop-only tacacs+
!
tacacs-server host 1.1.1.1
tacacs-server key cisco
!
line vty 0 4
 login authen infrastructure
 accoun commands 15 infrastructure
 accoun exec infrastructure
!
line con 0
 login authen infrastructure
 accoun commands 15 infrastructure
 accoun exec infrastructure

What's the reason and how do I fix it?

4 Replies

Richard Burts
Hall of Fame

Bruce

I would suggest checking first in the TACACS server and looking in the failed attempts report. If the request got to the server (and I would assume that it is not an IP connectivity issue if the sup works fine) and was not authenticated there should be an entry in the failed attempts report. This would identify what the problem is.

I am going to take a guess at the problem without benefit of knowing what is in the failed attempts report. My guess is that the MSFC is not sourcing its requests from the IP address that is configured in the TACACS server. This might be a configuration error, but it is also possible that the MSFC has more than one interface that can get to the server and it is choosing to use an interface other than the one that was configured on the server. The solution to this issue is to use the ip tacacs source-interface command in the MSFC config and specify which address the MSFC should use as the source address.

If that is not the issue then please tell us what is in the failed attempts report.

HTH

Rick


You were 100% correct! The switch was using a different source address from the one configured in ACS.

Thanks for that ip tacacs source-int command as well. It has proved most useful.

Bruce

I am glad that my suggestion was able to solve your problem.

Thanks for posting back to the forum and indicating that your problem was solved. It helps make the forum more useful when people can read about a problem and can see what the solution to the problem turned out to be.

HTH

Rick


juagonza
Cisco Employee

First things to try:

1) make sure the MSFC is using the IP address that is configured in ACS (ideally a loopback interface):

ip tacacs source-interface

2) check connectivity with the ACS server: (Assuming loopback0 is used in 1)

ping ip 1.1.1.1 source loopback0

3) Check the ACS log: http://ACSserver/ -> Reports and Activity -> Failed Attempts
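The three steps above, pulled together into one MSFC configuration with the verification commands that follow it. This is an added example, not the poster's config or anything from Cisco; the Loopback0 address 10.0.0.1 is assumed, and the ACS address and key are the ones from the thread.

```cisco
! Added example (not the original poster's config). Assumes Loopback0 carries
! the address that ACS has registered for this AAA client (10.0.0.1 is made up).
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Pin every TACACS+ request to the loopback. Without this, the MSFC picks the
! source address from whichever egress interface the routing table selects,
! which is exactly why ACS saw an address it did not recognise.
ip tacacs source-interface Loopback0
!
tacacs-server host 1.1.1.1
tacacs-server key cisco
!
! Verification from the MSFC exec prompt (not configuration):
!   ping 1.1.1.1 source Loopback0
!     reachability from the address ACS expects, not from any address
!   test aaa group tacacs+ <username> <password> legacy
!     drives a real authentication through the tacacs+ group; a failure here
!     with the same source address should now show up in ACS Failed Attempts
!   show tacacs
!     per-server counters: socket opens, aborts, failed connects
!   debug aaa authentication / debug tacacs
!     watch the exchange while testing from the console line
```

On the ACS side the AAA client entry for the MSFC must list 10.0.0.1 (the loopback) as the client address with the same shared key; the SP and MSFC are separate clients as far as ACS is concerned, so each needs its own entry even though they share a chassis.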