Cisco Support Community
Community Member

TACACS Authentication not working for ssh



I've configured aaa TACACS in my router, the problem is when I do ssh to the router it is not accepting ACS password but logging in using local password.

Also I can go to enable mode using ACS password. Please help in this


aaa new-model

aaa authentication login default group tacacs+ enable

aaa authentication enable default group tacacs+ enable

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa session-id common

Community Member

Can you please post your vty

Can you please post your vty configuration?

Hall of Fame Super Gold

What is the output of show

What is the output of show tacacs?


When the original poster says that he is logging in to user mode using the local password I am not clear whether he is talking about a locally configured used name and password or is talking about the line password. Perhaps we can get some clarification?





Community Member

Hi, There is no local



There is no local password configured in router, I think it is taking from ACS itself, but different password. Is there anything to be changed in ACS for this?


Here is the output of sh tacacs


Tacacs+ Server -  public  :  x.x.x.x
              Socket opens:     185627
             Socket closes:     106004
             Socket aborts:          0
             Socket errors:       5129
           Socket Timeouts:         13
   Failed Connect Attempts:         15
        Total Packets Sent:     270398
        Total Packets Recv:     269649

Tacacs+ Server -  public  :  x.x.x.x
              Socket opens:        914
             Socket closes:        560
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:       1400
        Total Packets Recv:       1398

Community Member

After reading a little about

After reading a little about this it looks like you have users enter user exec mode by default and after typing "enable" then entering the TACACS+ password you probably get denied.  If this is the case you are kind of left to your own devices.  I'll provide you some information and let you determine the best course.


R1(config-line#) privilege level [0-15] 

This line sets the privilege level of users that are logging in via SSH or other teleterminal services.


Here is an excerpt from the documentation for tac_plus provided at


The default privilege level for an ordinary user on the NAS is usually
1. When a user enables, she can reset this level to a value between 0
and 15 by using the NAS "enable" command. If she doesn't specify a
level, the default level she enables to is 15.

You can enable via tacacs+ e.g. by configuring on the NAS:

        aaa authentication enable default tacacs+

then whenever you attempt to enable, an authentication request is sent
with the special username $enab<n>$ where <n> is the privilege level
you are attempting to enable to.

(Note: in order to be compatible with earlier versions of tacacs, when
the requested enable level is 15, the daemon will also try the
username $enable$ before trying username $enab15$).

For example, with the above declaration, in order to enable on the
NAS, you need a user declaration like this one, on the daemon:

user = $enab15$ {
    login = cleartext "the enable password for level 15"

Note: Be aware that this does have the side effect that you now have a
user named $enab15$ who can then login to your NAS if she knows the
enable password.

Here is a similar declaration allowing users to enable to level 4:

user = $enab4$ {
    login = des bsoF4OivQCY8Q

CreatePlease to create content