10-10-2006 01:12 PM - edited 03-10-2019 02:47 PM
I have a 6509 with a Sup2/MSFC2 running in hybrid mode and I'm trying to use TACACS for authentication/accounting on both the SP and MSFC. For some reason, the MSFC and the ACS don't talk, but the SP works just fine.
The MSFC config is as follows:
aaa new-model
aaa authentication login infrastructure group tacacs+ line enable
! IOS only accepts "default" as the method-list name for enable authentication
aaa authentication enable default group tacacs+ enable
aaa authentication login default group tacacs+ line enable
aaa accounting exec infrastructure start-stop group tacacs+
aaa accounting commands 15 infrastructure stop-only group tacacs+
aaa accounting system default stop-only group tacacs+
!
tacacs-server host 1.1.1.1
tacacs-server key cisco
!
line vty 0 4
 login authentication infrastructure
 accounting commands 15 infrastructure
 accounting exec infrastructure
!
line con 0
 login authentication infrastructure
 accounting commands 15 infrastructure
 accounting exec infrastructure
What's the reason and how do I fix it?
10-11-2006 05:11 AM
Bruce
I would suggest checking first in the TACACS server and looking in the failed attempts report. If the request got to the server (and I would assume that it is not an IP connectivity issue if the sup works fine) and was not authenticated there should be an entry in the failed attempts report. This would identify what the problem is.
I am going to take a guess at the problem without the benefit of knowing what is in the failed attempts report. My guess is that the MSFC is not sourcing its requests from the IP address that is configured in the TACACS server. This might be a configuration error, but it is also possible that the MSFC has more than one interface that can get to the server and it is choosing to use an interface other than the one that was configured on the server. The solution to this issue is to use the ip tacacs source-address command in the MSFC config and specify which address the MSFC should use as the source address.
If that is not the issue then please tell us what is in the failed attempts report.
HTH
Rick
10-11-2006 09:47 AM
You were 100% correct! The switch was using a different source address from the one configured in ACS.
Thanks for that ip tacacs source-int command as well. It has proved most useful.
10-11-2006 10:05 AM
Bruce
I am glad that my suggestion was able to solve your problem.
Thanks for posting back to the forum and indicating that your problem was solved. It helps make the forum more useful when people can read about a problem and can see what the solution to the problem turned out to be.
HTH
Rick
10-11-2006 07:04 PM
First things to try:
1) Make sure the MSFC is using the IP address that is configured in ACS:
ip tacacs source-interface
Ideally a loopback interface.
2) Check connectivity with the ACS server (assuming loopback0 is used in 1):
ping ip 1.1.1.1 source loopback0
3) Check the ACS log: http://ACSserver/
Reports and Activity -> Failed Attempts
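As an added example (not code from this thread, from Cisco or from ACS), here is a small Python audit that applies Rick's diagnosis and step 1 of the checklist above to a running-config: it finds every address the MSFC could use as a TACACS+ source, and flags any that the ACS does not know as an AAA client. The AAA and tacacs-server lines are taken from the original post; the Loopback0 and Vlan10 interfaces, their 10.0.0.x addresses and the ACS client list are constructed for the example.

```python
"""Audit an IOS config for the TACACS+ source-address mismatch discussed in
this thread. Added example; the interfaces, addresses and ACS client list
below are constructed, not taken from the original post."""
import ipaddress
import re

# Constructed sample: the poster's AAA/TACACS lines plus two interfaces that
# are an ASSUMPTION (the post shows no interface addresses). The 10.0.0.x
# addresses are made up for the example.
MSFC_CONFIG = """\
aaa new-model
aaa authentication login infrastructure group tacacs+ line enable
tacacs-server host 1.1.1.1
tacacs-server key cisco
!
interface Loopback0
 ip address 10.0.0.5 255.255.255.255
!
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
!
"""

# The same config with the fix Rick describes: pin the source to Loopback0.
FIXED_CONFIG = MSFC_CONFIG + "ip tacacs source-interface Loopback0\n"

# Constructed: AAA client addresses registered on the ACS. Requests from any
# other address are rejected and show up under Reports -> Failed Attempts.
ACS_CLIENTS = {"10.0.0.5"}


def parse_interfaces(config: str) -> dict:
    """Map interface name -> primary IPv4 address from an IOS running-config."""
    addresses = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line.startswith(" ip address ") and current:
            candidate = line.split()[2]
            try:
                ipaddress.IPv4Address(candidate)  # skip malformed lines
            except ValueError:
                continue
            addresses.setdefault(current, candidate)  # keep the primary address
        elif not line.startswith(" "):
            current = None  # "!" or any top-level command ends the stanza
    return addresses


def tacacs_servers(config: str) -> list:
    """All tacacs-server host entries, in configuration order."""
    return re.findall(r"^tacacs-server host (\S+)", config, re.M)


def audit_tacacs_source(config: str, acs_clients: set) -> dict:
    """Check whether every address this device could use to reach the ACS is
    registered there. Without 'ip tacacs source-interface', IOS sources the
    request from whichever interface routes toward the server, so every
    addressed interface counts as a possible source."""
    interfaces = parse_interfaces(config)
    match = re.search(r"^ip tacacs source-interface (\S+)", config, re.M)
    if match:
        source_interface = match.group(1)
        source_ip = interfaces.get(source_interface)
        possible = [source_ip] if source_ip else []
    else:
        source_interface = None
        possible = sorted(interfaces.values())
    unregistered = [ip for ip in possible if ip not in acs_clients]
    return {
        "servers": tacacs_servers(config),
        "source_interface": source_interface,
        "possible_sources": possible,
        "unregistered_sources": unregistered,
        # ok only when the source is pinned to an addressed interface that the ACS knows
        "ok": source_interface is not None and bool(possible) and not unregistered,
    }


if __name__ == "__main__":
    for label, cfg in (("before fix", MSFC_CONFIG), ("after fix", FIXED_CONFIG)):
        print(label, audit_tacacs_source(cfg, ACS_CLIENTS))
```

Run it against a saved `show running-config` and the ACS client list; a non-empty `unregistered_sources`, or a missing `source_interface`, is the condition the thread ends up diagnosing, and a dedicated loopback is the usual way to make the result stable across routing changes.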