02-23-2018 05:44 AM - edited 03-08-2019 02:00 PM
I re-IP'd sub-interface g0/0.1 from, let's say, 192.168.0.1 to 10.10.10.1. Now the device no longer authenticates to TACACS+, and it did with no issues before. The server IS STILL pingable. Any help? See the applicable configs below.
aaa new-model
aaa authentication login default group tacacs+ local line enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
ip tacacs source-interface g0/2
tacacs-server host 192.168.0.50
tacacs-server key 7 XXXXXXXXX
02-23-2018 06:17 AM
ip tacacs source-interface g0/2
Is the source still g0/2?
HTH
02-23-2018 07:36 AM
02-23-2018 07:49 AM
If the configured source interface for TACACS is g0/2 then when you ping the server to test reachability are you specifying the source address of the ping as g0/2?
HTH
Rick
02-23-2018 06:25 AM
I have two questions:
1) what are 192.168.0.1 and 10.10.10.1?
2) The original poster says "Now device no longer authenticates to TACACs and it did with no issues before", so what changed?
HTH
Rick
02-23-2018 06:26 AM
Post the full config. Is the tacacs server reachable from 10.10.10.1?
02-23-2018 09:45 AM
02-23-2018 09:55 AM
If you changed an interface address but it was not the interface used as the source for communication with the TACACS server, and if the TACACS server is pingable using G0/2 as the source then I am puzzled at why it does not work. I suggest turning on debug for aaa authentication and debug for tacacs, attempt to authenticate and post the debug output. It might also be helpful if you post the output of show tacacs.
HTH
Rick
02-23-2018 10:27 AM
Does the tacacs server have an "allowed" list for devices trying to reach the TACACS service?
02-23-2018 10:45 AM
Whether the tacacs server has an allowed list is a reasonable question, and I look forward to the response from the original poster. Given what is reported so far
- the device was successful in authenticating with tacacs
- an interface IP was changed
- the interface that changed is not the interface configured as the source for tacacs
it seems reasonable to assume that the response from the original poster will be that an allowed list is not the problem here.
HTH
Rick
02-23-2018 11:10 AM
02-23-2018 12:52 PM
I had missed the relationship that the "old" interface address was in the same subnet as the tacacs server. Originally the server would have been seen as a locally connected device and now it is a remote resource. At first I thought this might explain the problem. But with the tacacs source interface configured the tacacs request would still have the same source address. And the original poster tells us that the tacacs server is still pingable. So the change from locally connected to remotely connected does not seem to be directly the cause of the problem. Though it does raise the possibility that something on the routed path to the tacacs server has some policy that is allowing ping to the server but not allowing tacacs requests to go through.
I agree that we need a better understanding of what is going on with the tacacs server. What does the router report about the state of tacacs? And what do the logs on the server say about attempts from this router?
HTH
Rick
02-23-2018 01:24 PM
02-23-2018 01:55 PM
Thanks for the additional information. The number of failed connection attempts does seem to indicate that we are having problems communicating with the server. I am quite puzzled why traceroute would fail after the first hop if ping succeeds.
You say that the device at the first hop is the connecting router. Does that router also authenticate using tacacs? Does it use the same address for tacacs as the router in question here? If you traceroute from the connecting router to the tacacs server what results do you get?
HTH
Rick
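The checks Rick asks for in the thread (ping and traceroute sourced from the TACACS+ source interface, show tacacs, debug aaa authentication and debug tacacs) and the point that a path can pass ICMP while blocking TACACS+ can be run as one IOS sequence. The block below is an added example written for this page, not commands posted by anyone in the thread. It assumes the legacy tacacs-server host style of config shown in the original post, the server address 192.168.0.50, the source interface GigabitEthernet0/2, and a placeholder account testuser/testpassword that exists on the TACACS+ server; none of those are real credentials.

```cisco
! Added example for this thread; not the original poster's commands.
! Assumes: server 192.168.0.50, source interface GigabitEthernet0/2,
! and a placeholder test account "testuser" / "testpassword".
!
! 1. Test reachability with the SAME source address TACACS+ will use.
!    A plain "ping 192.168.0.50" sources from the egress interface,
!    which may be the re-addressed 10.10.10.1, not g0/2.
ping 192.168.0.50 source GigabitEthernet0/2
traceroute 192.168.0.50 source GigabitEthernet0/2
!
! 2. ICMP reachability is not TCP/49 reachability. Open a TCP session to
!    the TACACS+ port from the same source. A hang or connection refused
!    here, with the ping above succeeding, points at a filter on the path
!    or at the server not accepting this client address, not at routing.
telnet 192.168.0.50 49 /source-interface GigabitEthernet0/2
!
! 3. Read the router's own view of the server: state, the source address
!    it is really using, and the failed connection counters.
show tacacs
!
! 4. Drive a test authentication without risking the current session.
!    "terminal monitor" is needed to see debug output over a vty session.
terminal monitor
debug tacacs
debug aaa authentication
test aaa group tacacs+ testuser testpassword legacy
undebug all
```

Run step 4 from a session you already hold; the posted method list "group tacacs+ local line enable" falls back to local credentials when the server is unreachable, so confirm a local user exists before touching AAA further. If show tacacs reports a source address other than the g0/2 address, the source-interface setting is not taking effect and that, rather than the re-IP'd sub-interface, is the first thing to fix.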