Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

ACS 3.0 (newby)

Being new the AAA realm, I'm having some difficulty with getting my client to authenticate to my TACACS+ server. I can however, authenticate via username I've placed in my router config. Both my server and client are setup to utilize TACACS+. Here's my scenario:

My test bed consist of a server (loaded with ACS3.0), a cisco 2621 (client) router and a workstation. All of which are plugged into a hub. My keys on both the client and server are the same. I've created a user and assigned a password. When I try to telnet from my workstation with the password I've created I get the infamous "% authentication failed". Any help with this matter is very much appreciated. Thanks in advance for your help/assistance.



Cisco Employee

Re: ACS 3.0 (newby)

You need to look at the Failed Attempts log on the ACS server to see what it says. Plus you can run "debug aaa authen" and "debug tacacs" on the router and then see what it says (or post the output here and we can look at it for you).

The commands you'll need on the router are (these can change slightly depending on what IOS version):

aaa new-model

aaa authentication login default group tacacs

tacacs-server host x.x.x.x key cisco123

Then on the ACS server, go under the Network Configuration section and make sure you add the router in as a NAS, making sure you use the IP address of the closest interface on the router. Then simply go under the User Configuration section and add a user with a password. Should be as simple as that.

If the Failed Attempts log shows "Unknown NAS", then you haven't added the router into the ACS server correctly.

Community Member

Re: ACS 3.0 (newby)


Thanks for your assistance. After looking at the failed attempts and seeing the key mismatch error I looked at my configuration. Specifically, the host and key (as you mentioned). As it turned out, I had two command lines, one specifying the host and the second was the key. After combining the key command with the host command (on one line), I was up and running. Again I thank you.



CreatePlease to create content