aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated local
aaa accounting connection default start-stop group tacacs+
aaa session-id common
tacacs-server host 184.108.40.206 key ************
The IP address of the ACS server (99.97) is an internal IP. When I set the internal IP as the tacacs source, the authentication fails over to the enable password.
Here is the tacacs debug:
01:33:57: TPLUS: Queuing AAA Authentication request 2 for processing
01:33:57: TPLUS: processing authentication start request id 2
01:33:57: TPLUS: Authentication start packet created for 2()
01:33:57: TPLUS: Using server 220.127.116.11
01:33:57: TPLUS(00000002): Select released but nopeername.. Failover
01:34:00: TPLUS: Queuing AAA Authorization request 2 for processing
01:34:00: TPLUS: processing authorization request id 2
01:34:00: TPLUS: Sending AV service=shell
01:34:00: TPLUS: Sending AV cmd*
01:34:00: TPLUS: Authorization request created for 2()
01:34:00: TPLUS: Using server 18.104.22.168
01:34:01: TPLUS(00000002): Select released but nopeername.. Failover
If I change the tacacs source to the outside IP of the ACS server, then I authenticate with ACS just fine. I use the same config on a few 1841/61s as well as a couple of 2800s, all of which are using the internal IP of my ACS server.
If I am understanding your situation correctly, then the issue is that the source address that you specify on your device must match the address configured in the TACACS server for that client. If you authenticate OK when you specify the outside address, then obviously this is the address configured in TACACS. And so if you specify a different address as the source, then it no longer matches the address configured on the server.
The source address for the device is the same address listed in the tacacs server. The problem I'm having is with the tacacs server IP, not the source IP. I'm using a perimeter server (for tacacs) that has both an internal and an external IP. The way I have most of my AAA traffic flowing is through VPN from the device to the tacacs server on the server's internal IP. I'm unable to make this happen with the 1700s thus far; they only communicate with the tacacs server when I tell the device to use the tacacs server's external IP address.
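When a TACACS+ server cannot be reached, IOS `debug tacacs` output like the one quoted above ends each request with a `TPLUS(<id>): ... Failover` line, and the router moves on to the next method in the AAA list (here the local enable password). The script below is an added example, not part of the original thread or of any Cisco tool: it reads TPLUS debug lines, correlates them by request id, and reports which server IP each authentication/authorization attempt tried and whether it failed over. The sample input is the debug text from the thread; the regexes assume the line layout seen in those lines only.

```python
"""Summarise Cisco IOS 'debug tacacs' (TPLUS) output per AAA request.

Added example for this thread; the parser is written against the line
formats visible in the quoted debug only (an assumption, not a Cisco spec).
"""
import re
from collections import OrderedDict

# Constructed sample: the debug output quoted in the thread above.
SAMPLE_DEBUG = """\
01:33:57: TPLUS: Queuing AAA Authentication request 2 for processing
01:33:57: TPLUS: processing authentication start request id 2
01:33:57: TPLUS: Authentication start packet created for 2()
01:33:57: TPLUS: Using server 220.127.116.11
01:33:57: TPLUS(00000002): Select released but nopeername.. Failover
01:34:00: TPLUS: Queuing AAA Authorization request 2 for processing
01:34:00: TPLUS: processing authorization request id 2
01:34:00: TPLUS: Sending AV service=shell
01:34:00: TPLUS: Sending AV cmd*
01:34:00: TPLUS: Authorization request created for 2()
01:34:00: TPLUS: Using server 18.104.22.168
01:34:01: TPLUS(00000002): Select released but nopeername.. Failover
"""

# One new attempt starts with a "Queuing" line; the phase and request id follow.
QUEUE_RE = re.compile(r"TPLUS: Queuing AAA (\w+) request (\d+) for processing")
# The server the client is about to talk to for the current attempt.
SERVER_RE = re.compile(r"TPLUS: Using server (\S+)")
# A failover line carries the request id zero-padded in parentheses.
FAILOVER_RE = re.compile(r"TPLUS\((\d+)\): .*Failover")


def parse_tplus(debug_text):
    """Return one record per (request id, phase) attempt, in log order.

    Each record holds the server tried and whether the TPLUS client gave
    up on it (a 'Failover' line), which is what hands the request to the
    next method in the AAA method list.
    """
    attempts = []
    current = None
    for line in debug_text.splitlines():
        m = QUEUE_RE.search(line)
        if m:
            current = {"id": int(m.group(2)), "phase": m.group(1),
                       "server": None, "failover": False}
            attempts.append(current)
            continue
        m = SERVER_RE.search(line)
        if m and current is not None:
            current["server"] = m.group(1)
            continue
        m = FAILOVER_RE.search(line)
        if m:
            rid = int(m.group(1))
            # Attribute the failover to the most recent open attempt with this id.
            for rec in reversed(attempts):
                if rec["id"] == rid and not rec["failover"]:
                    rec["failover"] = True
                    break
    return attempts


def servers_with_failover(attempts):
    """Map each server IP that triggered a failover to the phases it failed in."""
    bad = OrderedDict()
    for rec in attempts:
        if rec["failover"] and rec["server"]:
            bad.setdefault(rec["server"], []).append(rec["phase"])
    return dict(bad)


if __name__ == "__main__":
    for rec in parse_tplus(SAMPLE_DEBUG):
        state = "FAILOVER" if rec["failover"] else "ok"
        print(f"request {rec['id']} {rec['phase']:<14} server={rec['server']} {state}")
    print("servers to check:", servers_with_failover(parse_tplus(SAMPLE_DEBUG)))
```

A failover on every attempt against one server IP, as in this capture, points at reachability of that address (here the ACS internal IP over the VPN) or a mismatched shared key, rather than at the user's credentials; a credential problem would show a reply from the server instead of a failover.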
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...