LMS 4.0/4.1 as tacacs server

   Hi, just a quick one. I've been looking to consolidate a number of management products, and LMS seems to tick nearly all of them off except the TACACS requirement. I've been looking through various LMS guides trying to find out whether LMS can act as a TACACS server, as I would like to get rid of the current Unix system, or whether I need to use another solution. If so, can anyone suggest something that works well with LMS?
Thanks.

LMS does not include a TACACS+ or any other AAA server. It is strongly recommended that you do not install one alongside the LMS server on the same logical server. The reason for this is that you do not want NMS maintenance to affect your network access. You also want to limit the number of potential attack vectors one could use to compromise your AAA server.
The leading recommendation is to put your AAA application on a dedicated physical server with strict physical and network access restrictions. If that is not possible, at least dedicate a virtual machine to AAA.

Similar Messages

  • Not able to login to router using ssh when TACACS server is down

    When the TACACS server is not reachable, the router is not allowing the local password to log in using SSH. The router's SSH debug says authentication is successful, but the SSH client gets a "% Authorization failed" message and disconnects.
    Kindly see the debug output and config below.
    SSH server end:
    Sep 1 13:25:10.161: SSH1: starting SSH control process
    Sep 1 13:25:10.165: SSH1: sent protocol version id SSH-1.5-Cisco-1.25
    Sep 1 13:25:10.241: SSH1: protocol version id is - SSH-1.5-Cisco-1.25
    Sep 1 13:25:10.241: SSH1: SSH_SMSG_PUBLIC_KEY msg
    Sep 1 13:25:10.397: SSH1: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03
    Sep 1 13:25:10.397: SSH: RSA decrypt started
    Sep 1 13:25:10.925: SSH: RSA decrypt finished
    Sep 1 13:25:10.925: SSH: RSA decrypt started
    Sep 1 13:25:11.165: SSH: RSA decrypt finished
    Sep 1 13:25:11.197: SSH1: sending encryption confirmation
    Sep 1 13:25:11.197: SSH1: keys exchanged and encryption on
    Sep 1 13:25:11.269: SSH1: SSH_CMSG_USER message received
    Sep 1 13:25:11.269: SSH1: authentication request for userid rao
    Sep 1 13:25:16.297: SSH1: SSH_SMSG_FAILURE message sent
    Sep 1 13:25:17.313: SSH1: SSH_CMSG_AUTH_PASSWORD message received
    Sep 1 13:25:17.317: SSH1: authentication successful for rao
    Sep 1 13:25:17.413: SSH1: requesting TTY
    Sep 1 13:25:17.413: SSH1: setting TTY - requested: length 25, width 80; set: length 25, width 80
    Sep 1 13:25:17.525: SSH1: SSH_CMSG_EXEC_SHELL message received
    Sep 1 13:25:17.525: SSH1: starting shell for vty
    Sep 1 13:25:25.033: SSH1: Session terminated normally
    SSH Client end Log:
    % Authorization failed.
    [Connection to 10.255.15.2 closed by foreign host]
    Config:
    aaa authentication login default group tacacs+ line local
    aaa authentication login NO_AUTH line
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization configuration default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    ip domain-name cbi.co.in
    crypto key generate rsa
    ip ssh time-out 60
    ip ssh authentication-retries 3
    line vty 0 4
     password xxxx
     transport input telnet ssh
    Kindly reply with your views.

    I believe that the key to understanding your problem is to recognize the subtle difference between authentication and authorization. It appears that the authentication process does succeed, but the authorization process has failed, according to your error message:
    % Authorization failed.
    I see that most of your authorization commands include the parameter if-authenticated. But this command does not:
    aaa authorization config-commands
    I would suggest that you add the if-authenticated parameter to this command and see if it does not fix your problem.
    HTH
    Rick

  • IP address sent to TACACS server

    We set up a TACACS server on our network to control console and telnet access to routers and switches. Most of our remote routers have multiple WAN paths to the TACACS servers and may present a different IP address depending on which path is available or least busy. This causes an authentication failure that denies access to the equipment. Is there a way to configure the router to always send a specific address, either a loopback or internal LAN IP?

    Hi
    FYI,
    Device Filter—Filters a network device (AAA client) that acts as a Policy Enforcement Point (PEP) to the end station based on the network device's IP address or name, or the network device group that it belongs to.
    The device identifier can be the IP address or name of the device, or it can be based on the network device group to which the device belongs.
    The IP address is a protocol-agnostic attribute of type IPv4 that contains a copy of the device IP address obtained from the request:
    –In a RADIUS request, if Attribute 4 (NAS-IP-Address) is present, ACS obtains the IP address from Attribute 4; otherwise, if Attribute 32 (NAS-Identifier) is present, ACS obtains the IP address from Attribute 32, or it obtains the IP address from the packet that it receives.
    –In a TACACS request, the IP address is obtained from the packet that ACS receives.

  • IOS 15 not working with my TACACS server

    Hi All,
    I recently made some changes to the way my TACACS server (ACS 4.2) handled groups etc.
    This all works fine, and when I log onto my devices I get prompted for my credentials, which authenticate against AD. However, since I made these changes, none of the devices on IOS 15 authenticate. I am immediately prompted for a local password rather than a username and password.
    I understand that the commands for TACACS changed a bit in IOS 15, but from what I have read and changed I'm still having trouble. Config below from one of the routers I'm having trouble with...
    Am I missing something?
    aaa new-model
    aaa group server tacacs+ ACS1
     server name AUTH
    aaa authentication login ACS-List group ACS1 local
    aaa authorization exec ACS-List group ACS1 local
    aaa accounting commands 15 ACS-List
     action-type start-stop
     group ACS1
    aaa session-id common
    tacacs-server directed-request
    tacacs server AUTH
     address ipv4 172.x.x.x
     key 7 xxxxxxxx
    and on my VTY lines...
     privilege level 15
     password 7 151619050826222A2F
     authorization exec ACS-List
     accounting commands 15 ACS-List
     accounting exec ACS-List
     login authentication ACS-List
     length 0
     transport input telnet ssh

    I ran those debugs, then tried to login on another telnet session -
    Jul  2 15:01:57.278: TPLUS: Queuing AAA Accounting request 1781 for processing
    Jul  2 15:01:57.278: TPLUS: processing accounting request id 1781
    Jul  2 15:01:57.278: TPLUS: Sending AV task_id=1997
    Jul  2 15:01:57.278: TPLUS: Sending AV timezone=SIN
    Jul  2 15:01:57.278: TPLUS: Sending AV service=shell
    Jul  2 15:01:57.278: TPLUS: Sending AV start_time=1372777317
    Jul  2 15:01:57.278: TPLUS: Sending AV priv-lvl=15
    Jul  2 15:01:57.278: TPLUS: Sending AV cmd=terminal monitor
    Jul  2 15:01:57.278: TPLUS: Accounting request created for 1781(admin)
    Jul  2 15:01:57.278: TPLUS: using previously set server 172.x.x.x from group ACS1
    Jul  2 15:01:57.278: TPLUS(000006F5)/0/NB_WAIT/3120C74C: Started 5 sec timeout
    Jul  2 15:01:57.630: TPLUS(000006F5)/0/NB_WAIT: socket event 2
    Jul  2 15:01:57.630: TPLUS(000006F5)/0/NB_WAIT: wrote entire 144 bytes request
    Jul  2 15:01:57.630: TPLUS(000006F5)/0/READ: socket event 1
    Jul  2 15:01:57.630: TPLUS(000006F5)/0/READ: Would block while reading
    Jul  2 15:01:57.990: TPLUS(000006F5)/0/READ: socket event 1
    Jul  2 15:01:57.990: TPLUS(000006F5)/0/READ: read 0 bytes
    Jul  2 15:01:57.990: TPLUS(000006F5)/0/READ: socket event 1
    Jul  2 15:01:57.990: TPLUS(000006F5)/0/READ: errno 254
    Jul  2 15:01:57.990: TPLUS(000006F5)/0/3120C74C: Processing the reply packet
    Jul  2 15:02:11.658: AAA/BIND(000006F9): Bind i/f
    Jul  2 15:02:11.658: AAA/AUTHEN/LOGIN (000006F9): Pick method list 'ACS-List'
    Jul  2 15:02:11.658: TPLUS: Queuing AAA Authentication request 1785 for processing
    Jul  2 15:02:11.658: TPLUS: processing authentication start request id 1785
    Jul  2 15:02:11.662: TPLUS: Authentication start packet created for 1785()
    Jul  2 15:02:11.662: TPLUS: Using server 172.x.x.x
    Jul  2 15:02:11.662: TPLUS(000006F9)/0/NB_WAIT/3120C74C: Started 5 sec timeout
    Jul  2 15:02:12.014: TPLUS(000006F9)/0/NB_WAIT: socket event 2
    Jul  2 15:02:12.014: TPLUS(000006F9)/0/NB_WAIT: wrote entire 38 bytes request
    Jul  2 15:02:12.014: TPLUS(000006F9)/0/READ: socket event 1
    Jul  2 15:02:12.014: TPLUS(000006F9)/0/READ: Would block while reading
    Jul  2 15:02:12.366: TPLUS(000006F9)/0/READ: socket event 1
    Jul  2 15:02:12.366: TPLUS(000006F9)/0/READ: errno 254
    Jul  2 15:02:12.366: TPLUS(000006F9)/0/3120C74C: Processing the reply packet
    Jul  2 15:02:24.474: AAA/AUTHEN/LOGIN (000006F9): Pick method list 'ACS-List'
    Jul  2 15:02:24.474: TPLUS: Queuing AAA Authentication request 1785 for processing
    Jul  2 15:02:24.474: TPLUS: processing authentication start request id 1785
    Jul  2 15:02:24.474: TPLUS: Authentication start packet created for 1785()
    Jul  2 15:02:24.474: TPLUS: Using server 172.x.x.x
    Jul  2 15:02:24.474: TPLUS(000006F9)/0/NB_WAIT/3120C74C: Started 5 sec timeout
    Jul  2 15:02:24.826: TPLUS(000006F9)/0/NB_WAIT: socket event 2
    Jul  2 15:02:24.826: TPLUS(000006F9)/0/NB_WAIT: wrote entire 38 bytes request
    Jul  2 15:02:24.826: TPLUS(000006F9)/0/READ: socket event 1
    Jul  2 15:02:24.826: TPLUS(000006F9)/0/READ: Would block while reading
    Jul  2 15:02:25.178: TPLUS(000006F9)/0/READ: socket event 1
    Jul  2 15:02:25.178: TPLUS(000006F9)/0/READ: errno 254
    Jul  2 15:02:25.178: TPLUS(000006F9)/0/3120C74C: Processing the reply packet

  • VPDN static IP address assign by TACACS server (ACS 2.3 for UNIX)

    Is it possible to assign a static IP address for VPDN users by TACACS server?
    If yes, please give me some ideas how to do it?
    thanks,
    bm

    I think that is possible only while using CSACS for Windows, but not with CSACS for UNIX. At least I couldn't find anything in the documentation. (CiscoSecure ACS 2.3 for UNIX User Guide http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_book09186a00800eb438.html)

  • Can VMS 2.1 and LMS 2.1 be installed in same server?

    Dear all,
    May I know can VMS 2.1 and LMS 2.1 be installed in same server? If so, how about the sequence of installation? If LMS 2.1 is already installed on the server, do I need to install the VMS Common Services? Thanks
    Gary

    Hi,
    In VMS 2.1 bundle, RME and Security Monitoring Center are included. As I know, RME can receive syslog from switch/router/PIX and Security Monitoring Center can receive syslog from PIX. If I install these two applications on the same server, will there be problems about the syslog receive? Will the syslog messages mix-up? Thanks
    Gary

  • TACACS+ Server not logging events.

    Hi all,
    I am having an issue with the tacacs+ server not logging login requests or commands entered. I am running the tac_plus.F4.0.4.alpha release that Cisco provides for free on a Mandrake 10.1 Linux box. I am able to use the server to authenticate logins to the routers, but it is not logging those requests.
    Here is the config I used on one of our routers.
    aaa group server tacacs+ prego
     server xxx.xxx.xxx.xxx
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa accounting exec default start-stop group prego
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    ip subnet-zero
    Also here is a show version:
    Cisco Internetwork Operating System Software
    IOS (tm) 3700 Software (C3725-IS-M), Version 12.2(15)ZJ3, EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)
    TAC Support: http://www.cisco.com/tac
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Thu 25-Sep-03 22:23 by eaarmas
    Image text-base: 0x60008954, data-base: 0x61C2C000
    ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
    ROM: 3700 Software (C3725-I-M), Version 12.2(8)T10, RELEASE SOFTWARE (fc1)
    PRVGW3725 uptime is 10 weeks, 1 day, 7 hours, 35 minutes
    System returned to ROM by power-on
    System image file is "flash:c3725-is-mz.122-15.ZJ3.bin"
    cisco 3725 (R7000) processor (revision 0.1) with 121856K/9216K bytes of memory.
    Processor board ID JMX0749L1XC
    R7000 CPU at 240Mhz, Implementation 39, Rev 3.3, 256KB L2 Cache
    Bridging software.
    X.25 software, Version 3.0.0.
    SuperLAT software (copyright 1990 by Meridian Technology Corp).
    2 FastEthernet/IEEE 802.3 interface(s)
    2 Serial network interface(s)
    DRAM configuration is 64 bits wide with parity disabled.
    55K bytes of non-volatile configuration memory.
    31360K bytes of ATA System CompactFlash (Read/Write)
    Configuration register is 0x2102
    Any help would be great.
    Thank you
    Joseph Jackson

    If you are able to authenticate via TACACS, I would believe that this indicates that there is not a problem with your configuration of the TACACS server(s) (addresses are correct, keys are correct, etc.) and that the TACACS server recognizes the router OK.
    So I assume that either there is some problem on the router generating the accounting records, or there might be a problem on the server receiving and processing the accounting records.
    As a next step in investigating this issue I suggest that you run two debugs on the router:
    debug aaa accounting
    debug tacacs accounting
    While the debug is running have someone access the router and login, access privilege mode, and execute several commands. Then post any debug output.
    HTH
    Rick

  • LMS 3.2: Compliance Mngt: ASA tacacs configuration

    Hi there!
    I'm stuck (again *sigh*) with CiscoWorks compliance management.
    I would like to check our tacacs configuration (ASA):
    aaa-server TACACS+ (inside) host <server1>
     timeout 20
     key <key>
    aaa-server TACACS+ (inside) host <server2>
     timeout 20
     key <key>
    aaa-server TACACS+ (inside) host <server3>
     timeout 20
     key <key>
    I would like to know if there is a timeout and key statement for every tacacs server configured.
    How can this be done with compliance management?
    It seems to me that compliance management can't check for three occurrences of the same line (e.g. key or timeout)?
    If you have any ideas, please let me know.
    Thanks!
    Holger

    RME doesn't break out all of the sub-modes of the ASA.  Only interfaces are broken out into sub-modes.  To make sure the "inspect sqlnet" and "inspect esmtp" commands aren't in the config, you'd have to check in global mode.
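The check Holger asks for (every `aaa-server ... host` block must carry both a `key` and a `timeout`) is a per-sub-mode check, which the reply says RME's global-mode matching cannot do for the ASA. As an added example that is not part of the thread, of CiscoWorks or of any Cisco tool, the following Python script does the check stand-alone on a saved running-config: it groups each host line with its indented sub-commands (ASA indents them with one space in `show run`) and reports every host missing a required sub-command. The sample config, addresses and function names are constructed for this illustration.

```python
"""Added example (not from the thread, CiscoWorks or Cisco): a stand-alone
compliance check for ASA 'aaa-server ... host' blocks. It parses running-config
text, groups each host line with its indented sub-commands, and reports every
host that lacks a 'key' or a 'timeout'. The sample config is constructed."""

import re
from typing import Dict, List

HOST_RE = re.compile(r"^aaa-server\s+(\S+)\s+\((\S+)\)\s+host\s+(\S+)")

# Constructed sample: three hosts, one without a key, one without a timeout.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.11
 timeout 20
 key s3cr3t
aaa-server TACACS+ (inside) host 10.0.0.12
 timeout 20
aaa-server TACACS+ (inside) host 10.0.0.13
 key s3cr3t
aaa authentication ssh console TACACS+ LOCAL
"""


def parse_aaa_hosts(config: str) -> Dict[str, List[str]]:
    """Map 'tag/host-ip' -> list of sub-command keywords found under that host."""
    hosts: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):          # indented: sub-command of the open block
            if current is not None:
                hosts[current].append(raw.split()[0])
            continue
        m = HOST_RE.match(raw)
        if m:
            tag, _iface, ip = m.groups()
            current = f"{tag}/{ip}"
            hosts[current] = []
        else:
            current = None               # any other top-level line closes the block
    return hosts


REQUIRED = ("key", "timeout")


def audit_aaa_hosts(config: str, required=REQUIRED) -> List[str]:
    """Return one finding per missing required sub-command, sorted for stable output."""
    findings = []
    for host, subs in parse_aaa_hosts(config).items():
        for kw in required:
            if kw not in subs:
                findings.append(f"{host}: missing '{kw}'")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_aaa_hosts(SAMPLE_CONFIG):
        print(finding)
```

Run it over `show running-config` output captured from each ASA. A host without a `key` is the finding to treat as urgent: without the shared secret the device and the server cannot authenticate each other's TACACS+ packets, whereas a missing `timeout` only means the ASA uses its default wait before trying the next server.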

  • Can't configure tacacs-server port

    We're unable to configure a specific port, which is required for our customer for the tacacs-server.   One of the devices is a 7604 router running this image -
    c7600rsp72043-adventerprisek9-mz.122-33.SRD6.bin.  The other device is a 2960 switch with the following image - c2960-lanbasek9-mz.122-35.SE5.bin.
    We don't get the option to add a port after the tacacs-server host x.x.x.x command. 
    Any ideas would be greatly appreciated!
    Regards..

    Hi
    Please go through this link; this will be helpful regarding TACACS authentication and Fortigate configuration:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html

  • Tac_Plus (open source TACACS+ server) and NAM (Network Analysis Module)

    I am trying to set up our Cisco NAMs to authenticate against our open source tac_plus server. I see traffic on port 49 between the NAM and the server, but I keep on getting an invalid username/password error. I do not see any invalid logon attempts in our tacacs log.
    The tacacs server is running and I am able to authenticate against it when I am logging onto our routers and switches. I have created the following group for NAM authentication on the server ("namuser" is able to log onto our routers/switches):
    group = nam {
        cmd = web {
            permit capture
            permit system
            permit collection
            permit account
            permit alarm
            permit view
        }
    }
    user = namuser {
        member = nam
        login = pam tac_plus
    }

    switch config
    aaa new-model
    aaa authentication username-prompt login:
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization commands 15 default group tacacs+ local
    tacacs-server host x.x.x.x
    tacacs-server directed-request
    tacacs-server key ********

  • Configuring TACACs Server for Cisco VPN 3000

    Does anyone know how to get to the configuration setting to specify a TACACs server?

    You need to be very careful when setting up this thing. If the AAA server is down for whatever reason, you will NOT be able to log into the Concentrator again. As far as the VPN 3k console is concerned, it will let you log in with the "admin" account, even though the AAA is up and running. In other words, you can log in from the console with both "admin" and the AAA account at the same time.
    What a mess.

  • How device select tacacs-server

    Hi Guys,
    We have an existing TACACS configuration on our devices, pointed at 2 ACS servers. The ACS servers are managed by another vendor and are located at their site. Now we're planning to manage the ACS server ourselves. We installed a new ACS server at our location. We have thousands of devices; if we migrate to the new server, can we just add the 2 ACS servers on the device? Will the new ACS servers be able to communicate with the device? How does a device select which is the primary or secondary ACS server? Please advise.
    Old config
    aaa new-model
    aaa authentication login vtymethod group tacacs+ local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization commands 0 default group tacacs+ local if-authenticated
    aaa authorization commands 15 default group tacacs+ local if-authenticated
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    ip tacacs source-interface Loopback0
    tacacs-server host 10.x.x.x
    tacacs-server host 10.x.x.x
    New config
    aaa new-model
    aaa authentication login vtymethod group tacacs+ local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization commands 0 default group tacacs+ local if-authenticated
    aaa authorization commands 15 default group tacacs+ local if-authenticated
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    ip tacacs source-interface Loopback0
    tacacs-server host 10.x.x.x
    tacacs-server host 10.x.x.x
    tacacs-server host 100.x.x.x <-- new
    tacacs-server host 100.x.x.x <-- new

    Hi,
    In your configuration above, the TACACS+ servers will be used in the order listed.
    You can group TACACS+ servers together and choose to use servers in that group only:
    aaa group server tacacs+ Test
     server 10.10.10.10
    aaa authentication login vtymethod group Test local
    under the vty lines config:
    login authentication vtymethod
    in the above example, only the server in the group Test; which is 10.10.10.10 will be used in authentication.
    HTH,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Migrating from Linux based Tacacs+ server to Cisco ACS 1113 appliance

    I'm trying to migrate my configuration from a Linux based Tacacs+ server to the Cisco ACS 1113 appliance. Does anyone have any recommendations.
    Thanks.

    Hi
    We (extraxi) offer migration and general consultancy for ACS if you need professional help.
    www.extraxi.com/contact.htm

  • RADIUS or TACACS Server Recommendations

    Can anyone point to a good, inexpensive RADIUS or TACACS server solution that runs on Windows?  Cisco ACS is a bit more money than is wanted to part with at the moment.
    Thanks in advance.  All replies rated.                  

    I guess that is the case only with W2K3 STD, where the number of RADIUS/AAA clients is limited to 50.
    NPS provides different functionality depending on the edition of Windows Server 2008 that you install:
    Windows Server 2008 Enterprise and Windows Server 2008 Datacenter. These server editions include NPS. With NPS in Windows Server 2008 Enterprise and Windows Server 2008 Datacenter, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure a group of RADIUS clients by specifying an IP address range.
    Windows Server 2008 Standard. This server edition includes NPS. With NPS in Windows Server 2008 Standard, you can configure a maximum of 50 RADIUS clients and a maximum of two remote RADIUS server groups. You can define a RADIUS client by using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the NPS server uses the first IP address returned in the Domain Name System (DNS) query.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • CSACS TACACS Server 5.0 Timeout and Latency

    Hi,
    I have successfully configured a new Linux based Cisco Secure ACS server (version is 5.0.0.21 and Internal build: B.2757) and integrated it with AD. Both the internal users and the AD users are authenticating OK and are successfully logged onto the end devices on privilege level 15. The issue that I am getting is that for some strange reason AD users are taking too long (approx. 38 secs) to get authenticated/authorised etc. In fact this was causing authentication issues previously, as the tacacs timeout on the end device was set too low and thus the TACACS server response was timing out. I rectified this by increasing the TACACS timeout to around 25 secs, which then resulted in successful TACACS authentication/authorisation.
    The high response time is however very frustrating. We have an existing Windows based (4.2) TACACS server and when I point my end devices (routers, switches) to this old server it takes only a few seconds for authentication but with the new ACS server it takes close to 38 secs. I am suspecting it might be to do with AD integration as the internal users on the new server are working fine. There are no latency or networking issues with the new server as the pings are looking ok.
    I have pasted my debug tacacs output obtained from the end device below. The first is with the new server (y.y.y.y) and the second is with the old (working) server (x.x.x.x) :
    New Server:
    4d09h: TAC+: send AUTHEN/START packet ver=192 id=64484812
    4d09h: TAC+: Using default tacacs server-group "tacacs+" list.
    4d09h: TAC+: Opening TCP/IP to y.y.y.y/49 timeout=25
    4d09h: TAC+: Opened TCP/IP handle 0x80CCF630 to y.y.y.y/49
    4d09h: TAC+: y.y.y.y (64484812) AUTHEN/START/LOGIN/ASCII queued
    4d09h: TAC+: (64484812) AUTHEN/START/LOGIN/ASCII processed
    4d09h: TAC+: ver=192 id=64484812 received AUTHEN status = GETUSER
    4d09h: TAC+: send AUTHEN/CONT packet id=64484812
    4d09h: TAC+: y.y.y.y (64484812) AUTHEN/CONT queued
    4d09h: TAC+: (64484812) AUTHEN/CONT processed
    4d09h: TAC+: ver=192 id=64484812 received AUTHEN status = GETPASS
    4d09h: TAC+: send AUTHEN/CONT packet id=64484812
    4d09h: TAC+: y.y.y.y (64484812) AUTHEN/CONT queued
    4d09h: TAC+: (64484812) AUTHEN/CONT processed
    4d09h: TAC+: ver=192 id=64484812 received AUTHEN status = PASS
    4d09h: TAC+: Closing TCP/IP 0x80CCF630 connection to y.y.y.y/49
    4d09h: TAC+: using previously set server y.y.y.y from group tacacs+
    4d09h: TAC+: Opening TCP/IP to y.y.y.y/49 timeout=25
    4d09h: TAC+: Opened TCP/IP handle 0x80CCFAC4 to y.y.y.y/49
    4d09h: TAC+: Opened y.y.y.y index=1
    4d09h: TAC+: y.y.y.y (1028597070) AUTHOR/START queued
    4d09h: TAC+: (1028597070) AUTHOR/START processed
    4d09h: TAC+: (1028597070): received author response status = PASS_ADD
    4d09h: TAC+: Closing TCP/IP 0x80CCFAC4 connection to y.y.y.y/49
    4d09h: TAC+: Received Attribute "priv-lvl=15"
    jontest#
    Old (Working) Server:
    4d09h: TAC+: send AUTHEN/START packet ver=192 id=1150277789
    4d09h: TAC+: Using default tacacs server-group "tacacs+" list.
    4d09h: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=25
    4d09h: TAC+: Opened TCP/IP handle 0x80CD10D4 to x.x.x.x/49
    4d09h: TAC+: x.x.x.x (1150277789) AUTHEN/START/LOGIN/ASCII queued
    4d09h: TAC+: (1150277789) AUTHEN/START/LOGIN/ASCII processed
    4d09h: TAC+: ver=192 id=1150277789 received AUTHEN status = GETUSER
    4d09h: TAC+: send AUTHEN/CONT packet id=1150277789
    4d09h: TAC+: x.x.x.x (1150277789) AUTHEN/CONT queued
    4d09h: TAC+: (1150277789) AUTHEN/CONT processed
    4d09h: TAC+: ver=192 id=1150277789 received AUTHEN status = GETPASS
    4d09h: TAC+: send AUTHEN/CONT packet id=1150277789
    4d09h: TAC+: x.x.x.x (1150277789) AUTHEN/CONT queued
    4d09h: TAC+: (1150277789) AUTHEN/CONT processed
    4d09h: TAC+: ver=192 id=1150277789 received AUTHEN status = PASS
    4d09h: TAC+: Closing TCP/IP 0x80CD10D4 connection to x.x.x.x/49
    4d09h: TAC+: using previously set server x.x.x.x from group tacacs+
    4d09h: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=25
    4d09h: TAC+: Opened TCP/IP handle 0x80CD1568 to x.x.x.x/49
    4d09h: TAC+: Opened x.x.x.x index=1
    4d09h: TAC+: x.x.x.x (551069827) AUTHOR/START queued
    4d09h: TAC+: (551069827) AUTHOR/START processed
    4d09h: TAC+: (551069827): received author response status = PASS_ADD
    4d09h: TAC+: Closing TCP/IP 0x80CD1568 connection to x.x.x.x/49
    4d09h: TAC+: Received Attribute "priv-lvl=15"
    Any suggestions would be much appreciated.

    Richard, Kashif,
    1) 10.2.100.100 is a dummy IP, to be sure we have a correct test scenario:
    tacacs-server host 10.2.100.100
    tacacs-server host 10.2.17.203
    2) We have defined 2 testswitches with this config :
    C3560 (12.2(53))
    C3750 (12.2(55))
    With our 3560, it hits the 5 s timeout of the dead TACACS server once; after login, all other TACACS commands are handled by 10.2.17.203.
    Failed connect attempts rises by 1.
    With our 3750, each TACACS command hits the 5 s timeout of the dead TACACS server before going to 10.2.17.203, so all commands are executed, but each with a 5 s delay.
    Failed connect attempts rises by the number of TACACS commands typed.
    Many thanks,
    Lieven Stubbe
    Belgian Railways
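Two threads above turn on the same mechanism: Amjad's reply ("How device select tacacs-server") says the servers are tried in the order configured and that a server group narrows the list, and Lieven's test shows what an unreachable first entry costs, depending on whether the switch keeps using the last server that answered (the "using previously set server" line in the TPLUS debug output) or starts from the top for every request. The following Python model is an added example, not code from either thread or from Cisco; the `sticky` flag, the 5 s timeout (the IOS default) and the addresses reused from Lieven's test are assumptions of this illustration, and the per-platform difference is modelled, not explained.

```python
"""Added example (not from the threads or from Cisco): a model of how a device
walks an ordered TACACS+ server list. It shows that servers are tried in the
configured order (so a group limits which are ever contacted) and what an
unreachable first entry costs when the device does or does not reuse the last
server that answered. Timing, addresses and the 'sticky' flag are assumptions."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Server:
    ip: str
    reachable: bool = True


@dataclass
class TacacsClient:
    servers: List[Server]             # order == order of 'tacacs-server host' lines
    timeout: int = 5                  # 'tacacs-server timeout' seconds (IOS default)
    sticky: bool = True               # reuse the last good server for later requests
    failed_connects: int = 0          # the 'Failed connect attempts' counter
    last_good: Optional[Server] = None

    def candidates(self) -> List[Server]:
        """Servers in the order this request will try them."""
        if self.sticky and self.last_good is not None:
            return [self.last_good] + [s for s in self.servers if s is not self.last_good]
        return list(self.servers)

    def request(self) -> Tuple[Optional[str], int]:
        """One TACACS+ transaction: (ip that answered or None, seconds spent waiting)."""
        waited = 0
        for s in self.candidates():
            if s.reachable:
                self.last_good = s
                return s.ip, waited
            self.failed_connects += 1       # connect timed out, move to the next entry
            waited += self.timeout
        return None, waited                 # every server dead: the request errors out


def run_session(client: TacacsClient, commands: int) -> List[Tuple[Optional[str], int]]:
    """One login authentication followed by `commands` command authorizations."""
    return [client.request() for _ in range(1 + commands)]


def total_wait(results) -> int:
    return sum(w for _, w in results)


DEAD = "10.2.100.100"   # dummy address, as in the test above
LIVE = "10.2.17.203"


def make_client(sticky: bool) -> TacacsClient:
    """Dead server listed first, live server second, as in the test above."""
    return TacacsClient([Server(DEAD, reachable=False), Server(LIVE)], sticky=sticky)


if __name__ == "__main__":
    for sticky in (True, False):
        c = make_client(sticky)
        r = run_session(c, commands=3)
        print(f"sticky={sticky}: waited {total_wait(r)} s, "
              f"failed connects {c.failed_connects}, answered by {[ip for ip, _ in r]}")
    # A server group that names only the live server never contacts the dead one.
    print(TacacsClient([Server(LIVE)]).request())
```

The practical reading: with the dead entry first and no reuse of the last good server, every authorized command pays the full timeout, so a stale `tacacs-server host` line is an operational problem for command authorization long before it is noticed at login. Putting only the servers you actually run into a named group, and pointing the method lists at that group, removes the dead entry from every request.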
