Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Easy VPN Server and Tacacs


I have a central Easy VPN server with a number of remote sites connecting into it.

At the central site I've got a 2811 with 837's at the remote sites. At the moment I'm authenticating the remote clients on the 2811 - using Xauth with the "save password" facility.

I want to use a central ACS server to manage these clients....using TACACS+. Unfortunatley this does not work. I tried using radius and it works fine - exactly the same aaa setup except replace "Tacacs" with radius....

Something like this: -

aaa authentication login userauthen group radius local

aaa authorization network groupauthor local

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

radius-server host auth-port 1645 acct-port 1646 key XXXXXX

I've got 3 questions: -

1) Is TACACS supported with what I want to do? I can't find any configs on Cisco using this method.

2) I've done some testing...if the 2811 looses site of the AAA server then I want it to default to local authentication. This is not working. Is there something else I need to add to the config to enable this??

3) When the AAA server comes back up, and I pull down all the VPNs, the remote site tunnels don't come back up again. The 2811 sits there trying to Xauth the clients. Is there a timeout/retries that need to be configured? So far the only way i've found to fix this is to reboot the routers (central and remote).




Re: Easy VPN Server and Tacacs

As far as your second question is concerned, I believe you are hitting a bug there. Check the bugtool kit