Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

TACACS Configs on a VPN Router

I'm trying to configure TACACS on a router which already has configured.

VPN is working and internal clients can browse the internet.

I've added the TACACS comands, I can not get the TACACS server to authenticate properly. This is what i'm receiving from 'debug aaa authentication' :

18w1d: AAA: parse name=FastEthernet0/1 idb type=-1 tty=-1

18w1d: AAA: name=FastEthernet0/1 flags=0x15 type=6 shelf=0 slot=0 adapter=0 port=1 channel=0

18w1d: AAA: parse name=<no string> idb type=-1 tty=-1

18w1d: AAA/MEMORY: create_user (0x81AE9B68) user='' ruser='' port='FastEthernet0/1' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=0

18w1d: AAA/AUTHEN/START (365031532): port='FastEthernet0/1' list='default' action=LOGIN service=LOGIN

18w1d: AAA/AUTHEN/START (365031532): found list default

18w1d: AAA/AUTHEN/START (365031532): Method=LOCAL

18w1d: AAA/AUTHEN (365031532): status = GETUSER

18w1d: AAA/AUTHEN/CONT (365031532): continue_login (user='(undef)')

18w1d: AAA/AUTHEN (365031532): status = GETUSER

18w1d: AAA/AUTHEN/CONT (365031532): Method=LOCAL

18w1d: AAA/AUTHEN (365031532): User not found, emulating local-override

18w1d: AAA/AUTHEN (365031532): status = ERROR

18w1d: AAA/AUTHEN/START (1108177767): port='FastEthernet0/1' list='' action=LOGIN service=LOGIN

18w1d: AAA/AUTHEN/START (1108177767): Restart

18w1d: AAA/AUTHEN/START (1108177767): Method=RTP (tacacs+)

18w1d: TAC+: send AUTHEN/START packet ver=192 id=1108177767

18w1d: AAA/AUTHEN (1108177767): status = ERROR

18w1d: AAA/AUTHEN/START (1108177767): Method=NONE

18w1d: AAA/AUTHEN (1108177767): status = PASS

18w1d: AAA/MEMORY: free_user (0x81AE9B68) user='john' ruser='' port='FastEthernet0/1' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=0

1 REPLY
Cisco Employee

Re: TACACS Configs on a VPN Router

From the debugs above it looks like when you try to access the router, the default method used is LOCAL and since the user is not found in local router database, it then uses the next method which is TACACS+.

Furthermore,, when using TACACS+ method the status return code is ERROR, which indicates that the TACACS+ server was not reachable. Check if you can ping the TACACS+ server from the router, if that is fine, increase the TACACS+ timeout using following command;

tacacs-server timeout 10 (default is 5 seconds)

maybe there is some latency issue b/w the router and your server.

if that doesn't help, check the logs on the TACACS+ server and see if the requests are ever making to it, and maybe you will get some indication of what the problem is. Are you sourcing tacacs-server on the router with some interface, if yes, make sure the NAS entry on the server is same as the source interface on the router.

HTH

R/Yusuf

193
Views
0
Helpful
1
Replies
CreatePlease to create content