Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

TACACS+ and Cisco MDS Switches

I am trying to configure Cisco ACS 4.0 to authenticate Windows domain users who access Cisco MDS Switches but can't seem to get it work. Moreover, the users in Cisco ACS internal database also are not able to login to Cisco switches. Log file says that keys does not match and I have specified the same key in both the places.

Anyboday has any clues as to what could resolve this issue?

Cisco Employee

Re: TACACS+ and Cisco MDS Switches

Yes, you need a different AV pair. The IOS uses enable levels like enable 15 or enable 10 and that has associated commands with them. The MDS does a role based authentication. So, your AV pair should look like this in the shell portion of the user for MDS's:


New Member

Re: TACACS+ and Cisco MDS Switches

Initially I used

cisco-av-pair=shell:roles="network-admin" did not work. Then I tried the one you specified...


even this also did not work. Spoke with couple of guys from Cisco and had them take a look at it. They said config looks fine but still can't get it work.

This is what I specified on the Cisco MDS switch.


config t

tacacs+ enable

tacacs-server host xx.xx.xx.xx key wareagle

aaa group server tacacs+ sanmgmtgrp

server xx.xx.xx.xx

aaa authentication login default group sanmgmtgrp

aaa authentication login console local

aaa accounting default group sanmgmtgrp local