We are having an issue with a couple of switches we have daisy-chained off of each other. We have a 2960 8-port going to a 2950 24-port, then to our core switch, a 6507. The problem is we cannot authenticate to the ACS server attached to the 6507 from the 2960. We can, however, authenticate to the ACS from the 2950. We do have similar setups like this in different parts of our network that work. I have compared the configurations from these switches and nothing stands out.
In such cases I find it useful to see if the packets are actually arriving at the ACS server. If you're running ACS on Windows, it's pretty simple to load Wireshark, start a capture and watch for the packets coming in during a failed authentication attempt.
I'm assuming you verified the obvious like the device's management IP being correctly entered and the tacacs key matching.
Common issues include:
a. the device sourcing from other than the expected IP address and thus not matching its definition in ACS. This can be fixed by either changing the device definition on ACS or using "ip tacacs source-interface" command on the switch.
b. the packets not arriving at all from the source device. This is usually caused by a network configuration error.
You can also debug tacacs on the switch while you try to authenticate to your ACS server.
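The two "common issues" in the answer above can both be read straight off a capture taken on the ACS host. The following is an added example, not part of the original thread or of any Cisco or ACS code: a small Python decoder for the TACACS+ authentication START packet that a switch sends first, implementing the header layout and the MD5 pseudo-pad obfuscation from RFC 8907, plus a check that mirrors what ACS does with an incoming request. The device table, IP addresses, shared keys, user and port names are all constructed for the example.

```python
"""Decode a captured TACACS+ authentication START and run the two checks
from the answer above: does the source IP match an ACS AAA-client entry,
and does that client's shared key decrypt the body to plausible fields.
Added example, not from the original thread; IPs, keys and the device
table are constructed. Layout and obfuscation follow RFC 8907 (TACACS+)."""
import hashlib
import struct

VERSION = 0xC0            # major 0xC, minor 0 (default for ASCII login)
TYPE_AUTHEN = 0x01
ACTION_LOGIN = 0x01
AUTHEN_TYPE_ASCII = 0x01
SVC_LOGIN = 0x01
HDR = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5: MD5 chain over session_id | key | version | seq_no [| prev]."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call both encrypts and decrypts."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr):
    """What the switch sends first: seq_no 1, UNENCRYPTED flag clear."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", ACTION_LOGIN, 1, AUTHEN_TYPE_ASCII, SVC_LOGIN,
                       len(user), len(port), len(rem_addr), 0) + user + port + rem_addr
    hdr = HDR.pack(VERSION, TYPE_AUTHEN, 1, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, VERSION, 1)


def decode_authen_start(pkt, key):
    """Return the START fields if `key` yields a plausible body, else None."""
    version, ptype, seq_no, flags, session_id, length = HDR.unpack_from(pkt)
    if ptype != TYPE_AUTHEN or len(pkt) != HDR.size + length:
        return None
    body = pkt[HDR.size:]
    if not flags & 0x01:          # TAC_PLUS_UNENCRYPTED_FLAG clear => obfuscated
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv, atype, svc, ulen, plen, rlen, dlen = struct.unpack_from("!8B", body)
    # A wrong key turns the body into pad noise; these sanity checks catch it.
    if action not in (1, 2, 4) or priv > 15 or not 1 <= atype <= 6:
        return None
    if 8 + ulen + plen + rlen + dlen != length:
        return None
    off = 8
    user = body[off:off + ulen]; off += ulen
    port = body[off:off + plen]; off += plen
    rem = body[off:off + rlen]
    return {"user": user.decode(errors="replace"), "port": port.decode(errors="replace"),
            "rem_addr": rem.decode(errors="replace"), "session_id": session_id}


def diagnose(src_ip, pkt, aaa_clients):
    """aaa_clients: the ACS 'AAA client' table {ip: shared key}, as the server sees it."""
    key = aaa_clients.get(src_ip)
    if key is None:
        return "no AAA client defined for source %s (check ip tacacs source-interface)" % src_ip
    fields = decode_authen_start(pkt, key)
    if fields is None:
        return "packet from %s does not decrypt with its key (key mismatch)" % src_ip
    return "ok: user=%s port=%s from %s" % (fields["user"], fields["port"], fields["rem_addr"])


# Constructed ACS table: the 2950 and 2960 management IPs, each with its own key.
AAA_CLIENTS = {"10.10.20.8": b"CoreKey2950", "10.10.20.9": b"CoreKey2960"}
# Constructed capture: a START the 2960 built with the key it was configured with.
START_2960 = build_authen_start(0x5EC011AB, b"CoreKey2960", "netadmin", "tty1", "10.1.1.50")

if __name__ == "__main__":
    print(diagnose("10.10.30.9", START_2960, AAA_CLIENTS))   # sourced from an SVI ACS does not know
    print(diagnose("10.10.20.9", START_2960, AAA_CLIENTS))   # right source IP, right key
    print(diagnose("10.10.20.8", START_2960, AAA_CLIENTS))   # right IP format, but the 2950's key
```

The first case is issue (a) from the answer: the switch has several SVIs and sources the request from one that is not the IP defined on ACS, which `ip tacacs source-interface` fixes. The third case is the key mismatch from the "obvious" checks: the header is readable (session ID, sequence number, length) but the body only decrypts to sane field values with the correct shared key, which is also how Wireshark's TACACS+ dissector behaves once you give it the key in its protocol preferences.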