Cisco Support Community
New Member

Cisco VPN Client authentication problem with IOS running TACACS

When prompted for user authentication, it won't accept the credentials, though they are valid in the ACS database. But when the router is configured for local authentication, it works.

Can someone please help?

5 REPLIES
Gold

Re: Cisco VPN Client authentication problem with IOS running TAC

Can you check the ACS failed attempts?

In ACS, from the left menu, try Reports and Activity, then Failed Attempts.

You can find some error messages there - they could help you debug the problem.

M.

Rate useful posts

New Member

Re: Cisco VPN Client authentication problem with IOS running TAC

I've had the exact same problem (see my post in the AAA forum).

Try using RADIUS instead - i.e. add the router into ACS as a RADIUS client, configure RADIUS authentication on the router and then change to using "group radius" instead of "group tacacs+" in the router AAA config.

This worked for me, but I still haven't been able to get TACACS working and am beginning to suspect it's a bug.

Gold

Re: Cisco VPN Client authentication problem with IOS running TAC

I remember I had similar problems; it really was some bug.

The solution was the following:

instead of

tacacs-server host 10.250.1.21

tacacs-server key yourkey

try

tacacs-server host 10.250.1.21 key yourkey

Hope that helps; rate if it does.

New Member

Re: Cisco VPN Client authentication problem with IOS running TAC

Didn't work for me.

I should add - TACACS is working fine for telnet authentication and authorization on the same router.

I did some debugging and it very much looked like the router was receiving the password from the client but not sending it on to ACS. ACS kept replying "GET_PASSWORD".

New Member

Re: Cisco VPN Client authentication problem with IOS running TAC

I fixed this by upgrading to 12.4 - this seems to be a bug in a number of versions of 12.3.

Xauth sends the password to the router, but the router doesn't send the password to the TACACS server. This is why you don't get a failed login in the logs.
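
An added example, not part of any post in this thread: a small Python audit that reads an IOS running-config, finds the AAA method list each xauth reference uses, and marks for review any list whose first method is "group tacacs+" on a 12.3 image, the combination the posters report as failing. The sample config, the names VPN-XAUTH, VPN-MAP and VPN-GROUP, and the function name are assumptions made for illustration.

```python
import re

# Constructed sample running-config (not taken from the thread; names are hypothetical).
SAMPLE_CONFIG = """\
version 12.3
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login VPN-XAUTH group tacacs+
aaa authorization network VPN-GROUP local
tacacs-server host 10.250.1.21 key yourkey
crypto map VPN-MAP client authentication list VPN-XAUTH
crypto map VPN-MAP isakmp authorization list VPN-GROUP
"""

def audit_xauth(config):
    """Return (list_name, status, methods) for every xauth method-list reference."""
    ver = re.search(r"^version (\S+)", config, re.M)
    version = ver.group(1) if ver else "unknown"

    # Method lists: name -> ordered methods, e.g. ["group tacacs+", "local"]
    method_lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        method_lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))

    findings = []
    # xauth lists are referenced from a crypto map or inside an ISAKMP profile.
    xauth_ref = r"^[ \t]*(?:crypto map \S+ )?client authentication list (\S+)"
    for m in re.finditer(xauth_ref, config, re.M):
        name = m.group(1)
        methods = method_lists.get(name)
        if methods is None:
            status = "undefined"   # referenced list has no aaa definition
        elif methods[0] == "group tacacs+" and version.startswith("12.3"):
            status = "review"      # combination reported as failing in this thread
        else:
            status = "ok"
        findings.append((name, status, methods or []))
    return findings

if __name__ == "__main__":
    for name, status, methods in audit_xauth(SAMPLE_CONFIG):
        print(f"{name}: {status} ({', '.join(methods) or 'no methods'})")
```

A "review" result corresponds to the two outcomes posted above: switch the xauth list to "group radius" or upgrade to 12.4.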
