Debugging TACACS on the router I can see the requests being sent to the server, and the replies coming back - the login details are definitely correct so I'm guessing that TACACS isn't authorising me to use VPN or IPSEC or something. But there is nothing in the ACS logs to suggest why I'm not getting through - no failed attempts are shown.
It's actually an ACS Solution Engine I'm using so I'm not even sure how to get a command prompt on it...
However I am already using it to authenticate telnet access onto the same router, and this works fine with the same username, so I'm fairly satisfied that TACACS packets are making it there and back (router debug also confirms this).
Here you go - I've currently got it set to check local login first then fall back to TACACS, but previously had it set to just "group tacacs+" without success - local login works fine for the VPN, and TACACS auth works for accessing the router itself.
aaa authentication login default group tacacs+ local
aaa authentication login userauthen local group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network groupauthor local
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
Just going to bump this thread with a bit of additional information.
I switched to using RADIUS with *exactly* the same setup (same router, same ACS server, same username) and it worked first time. All I did was add the router into ACS as a Radius (IOS\PIX) device, so it's now got 2 device entries.
However I still would prefer to get TACACS working as all the devices I want to use this with are already configured as TACACS clients for telnet access.
#aaa authentication login userauthen local group radius - WORKS
#aaa authentication login userauthen local group tacacs+ - DOESN'T WORK
All other config remains the same and I can successfully telnet onto the device using TACACS.
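
As an added example (not part of the thread and not the poster's code): a small Python parser that turns the aaa lines posted above into ordered method lists, so the RADIUS and TACACS+ variants can be diffed and any list that never consults TACACS+ stands out. The function names are made up for this example, and only the command forms that appear in the posted config are handled.

```python
# The aaa lines as posted in the thread, embedded so the example runs offline.
POSTED = """\
aaa authentication login default group tacacs+ local
aaa authentication login userauthen local group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network groupauthor local
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
"""
RECORD_TYPES = {"start-stop", "stop-only"}  # accounting record keywords

def parse_methods(tokens):
    """Fold 'group <name>' into one method and keep the configured order."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append("group " + tokens[i + 1])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out

def parse_aaa(config):
    """Return {(function, service, list_name): [methods in order]}."""
    lists = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "aaa":
            continue  # e.g. 'aaa authorization console' carries no method list
        func, service, rest = t[1], t[2], t[3:]
        if service == "commands":  # 'commands <level> <list> ...'
            service, rest = "commands " + rest[0], rest[1:]
        name, rest = rest[0], rest[1:]
        if func == "accounting" and rest and rest[0] in RECORD_TYPES:
            rest = rest[1:]
        lists[(func, service, name)] = parse_methods(rest)
    return lists

def lists_without(lists, method):
    """Method lists that never reference the given method."""
    return sorted(k for k, m in lists.items() if method not in m)

def changed_lists(before, after):
    """Method lists whose methods differ between two configs."""
    a, b = parse_aaa(before), parse_aaa(after)
    return {k: (a.get(k), b.get(k)) for k in a.keys() | b.keys() if a.get(k) != b.get(k)}
```

Run against the posted config, `lists_without(parse_aaa(POSTED), "group tacacs+")` returns only the `network groupauthor` authorization list, and diffing the RADIUS variant confirms that `userauthen` is the single list that changed.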