Cisco Support Community

New Member

Issue with tacacs authentication


I am having an issue and looking for some ideas on what to check next. All IPs and any identifying numbers have been changed, but you get the point.

I have a 6500 series switch that for some reason will not authenticate to the TACACS server. When you try, you get a password authentication failure. However, it will let you use the configured username and secret to log in through SSH, and the enable secret to get into privileged mode. TACACS key is correct, btw.

Sorry, I can't post the actual config, but just assume all the AAA commands are correct, the TACACS key is correct, and the ip ssh commands are correct.

We will call the server VLAN 300 and the admin VLAN 400.

The TACACS source interface is in VLAN 400 and the TACACS server is in VLAN 300.

I can ping the TACACS server via the switch, but when I use the source command with the IP address of the admin interface VLAN, ping will not work. I changed the TACACS source interface to VLAN 300 (the server VLAN) and authentication with the TACACS server works fine. IP routing is turned on. There are entries for both the server VLAN subnet and the admin VLAN subnet in the routing table. There are only standard access-lists, and none of them are blocking packets from getting to the TACACS server via the admin VLAN.

Thoughts and ideas will be appreciated. I could just leave the source interface on the interface VLAN for the servers, but I would like to find out why this isn't working. I have 1 other 6500 switch on a different network that is configured exactly the same (except for IPs, keys, and VLANs) and am not having any issues with that LAN. I also have 6 other 3700 switches on the network that I'm having an issue with, and none of them are having issues with authentication.



Hall of Fame Super Silver

Issue with tacacs authentication

I've often found it useful to run Wireshark or tcpdump on the TACACS server to verify that the requests are coming in from the expected source IP. If yes, then it's more likely to be a TACACS server setup issue. If no, it's more likely a device configuration or routing issue.

Since you've said you can't ping using the admin source interface, you most likely have a routing issue.

Do an extended traceroute from the problem 6500 ("traceroute" without any parameters and then specify the source IP of the admin interface) to see where the packets are dying.
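The capture check suggested in the reply above, as an added example that is not part of the thread: a small Python triage script that reads tcpdump-style lines captured on the TACACS+ server (TCP/49), lists which source addresses actually sent a TCP SYN to the server, and applies the reply's decision rule. If the switch's configured source address shows up, look at the server side; if it never arrives, look at the device configuration or routing. The capture lines and all addresses (RFC 5737 documentation ranges) are constructed for the example; the helper names are my own.

```python
"""Triage helper for a TACACS+ source-interface problem (added example).

Feed it "tcpdump -n" style lines captured on the TACACS+ server.  It reports
which source IPs opened TCP connections to port 49 and compares them against
the source address the switch is supposed to be using.
"""
import re
from collections import Counter

TACACS_PORT = 49

# Typical "tcpdump -n" IPv4/TCP line, e.g.
# 12:00:01.000001 IP 192.0.2.10.54321 > 198.51.100.5.49: Flags [S], seq 1, ...
LINE_RE = re.compile(
    r"IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed capture: a 3700 (203.0.113.7) and the 6500 after its source was
# moved to the server VLAN (198.51.100.2) reach the server; the admin-VLAN
# address of the 6500 (192.0.2.10) never appears at all.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.7.38122 > 198.51.100.5.49: Flags [S], seq 1, win 4128, length 0
12:00:01.000200 IP 198.51.100.5.49 > 203.0.113.7.38122: Flags [S.], seq 2, ack 2, win 4128, length 0
12:00:01.000400 IP 203.0.113.7.38122 > 198.51.100.5.49: Flags [P.], seq 1:40, ack 1, win 4128, length 39
12:00:05.000001 IP 198.51.100.2.11001 > 198.51.100.5.49: Flags [S], seq 1, win 4128, length 0
12:00:05.000300 IP 198.51.100.2.11001 > 198.51.100.5.49: Flags [P.], seq 1:40, ack 1, win 4128, length 39
12:00:09.000001 IP 198.51.100.2.11002 > 198.51.100.5.49: Flags [S], seq 1, win 4128, length 0
12:00:12.000001 IP 192.0.2.99.443 > 198.51.100.5.50000: Flags [P.], seq 1:10, ack 1, win 4128, length 9
"""


def tacacs_syn_sources(lines, server_ip):
    """Count source IPs that sent a pure SYN (flags exactly 'S') to server_ip:49.

    SYN-ACKs from the server ('S.') and data segments are ignored so each
    connection attempt is counted once, from the client side only.
    """
    sources = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an IPv4/TCP summary line
        if m["dst"] != server_ip or int(m["dport"]) != TACACS_PORT:
            continue  # traffic to something other than TACACS+ on this server
        if m["flags"] == "S":
            sources[m["src"]] += 1
    return sources


def diagnose(lines, server_ip, expected_source):
    """Apply the reply's rule: seen from expected source -> server-side issue,
    never seen -> device configuration or routing issue."""
    sources = tacacs_syn_sources(lines, server_ip)
    seen = sources.get(expected_source, 0) > 0
    return {
        "verdict": "server-side" if seen else "device-or-routing",
        "syn_sources": dict(sources),
        # Other addresses talking TACACS+ to this server; useful to spot the
        # switch arriving from a different interface than the one configured.
        "other_sources": sorted(ip for ip in sources if ip != expected_source),
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_CAPTURE.splitlines(), "198.51.100.5", "192.0.2.10")
    print(f"verdict: {result['verdict']}")
    print(f"SYNs to TCP/49 by source: {result['syn_sources']}")
    print(f"other sources seen: {result['other_sources']}")
```

Run it against a real capture with something like `tcpdump -n -i <iface> tcp port 49 > cap.txt` on the server and pass `open("cap.txt")` instead of the sample. A `device-or-routing` verdict combined with a failing sourced ping, as in the original post, points back at the switch: check the route for the admin VLAN subnet on the server side and the extended traceroute suggested above.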