Being new to the AAA realm, I'm having some difficulty getting my client to authenticate to my TACACS+ server. I can, however, authenticate via a username I've placed in my router config. Both my server and client are set up to utilize TACACS+. Here's my scenario:
My test bed consists of a server (loaded with ACS3.0), a Cisco 2621 (client) router and a workstation, all of which are plugged into a hub. My keys on both the client and server are the same. I've created a user and assigned a password. When I try to telnet from my workstation with the password I've created, I get the infamous "% authentication failed". Any help with this matter is very much appreciated. Thanks in advance for your help/assistance.
You need to look at the Failed Attempts log on the ACS server to see what it says. Plus you can run "debug aaa authen" and "debug tacacs" on the router and then see what it says (or post the output here and we can look at it for you).
The commands you'll need on the router are (these can change slightly depending on what IOS version):
aaa new-model
aaa authentication login default group tacacs+
tacacs-server host x.x.x.x key cisco123
Then on the ACS server, go under the Network Configuration section and make sure you add the router in as a NAS, making sure you use the IP address of the closest interface on the router. Then simply go under the User Configuration section and add a user with a password. Should be as simple as that.
If the Failed Attempts log shows "Unknown NAS", then you haven't added the router into the ACS server correctly.
Thanks for your assistance. After looking at the failed attempts and seeing the key mismatch error I looked at my configuration. Specifically, the host and key (as you mentioned). As it turned out, I had two command lines, one specifying the host and the second was the key. After combining the key command with the host command (on one line), I was up and running. Again I thank you.
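Why a key that differs between the router and the ACS server ends in a failed login, as an added example that is not part of the original thread: TACACS+ packet bodies are XORed with an MD5 pad derived from the shared key (RFC 8907, section 4.5), so a server holding a different key recovers garbage. The session ID, username, port and address below are constructed sample values, and the length check is one way a server can detect the mismatch, not a description of ACS internals.

```python
import hashlib
import struct

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: chained MD5 blocks, truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        # MD5_1 = MD5(seed); MD5_n = MD5(seed + MD5_{n-1})
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the body with the pad; the same call obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), authen_service=LOGIN(1)
    header = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0])
    return header + user + port + rem_addr

def parse_authen_start(body: bytes):
    """Return the username, or None when the length fields do not add up."""
    if len(body) < 8:
        return None
    user_len, port_len, rem_len, data_len = body[4:8]
    if 8 + user_len + port_len + rem_len + data_len != len(body):
        return None  # garbage after de-obfuscation: the keys differ
    return body[8:8 + user_len]

def server_receive(wire: bytes, session_id: int, server_key: bytes):
    """De-obfuscate with the server's key, then sanity-check the body."""
    return parse_authen_start(obfuscate(wire, session_id, server_key))

# Constructed sample values (not taken from the thread, apart from the key).
SESSION_ID = 0x1A2B3C4D
BODY = build_authen_start(b"testuser", b"tty66", b"192.0.2.10")
WIRE = obfuscate(BODY, SESSION_ID, b"cisco123")  # what the router sends

if __name__ == "__main__":
    print("matching key  :", server_receive(WIRE, SESSION_ID, b"cisco123"))
    print("mismatched key:", server_receive(WIRE, SESSION_ID, b"cisco124"))
```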