123Manz (ISP)
31 Jul 12 6:19
Hi

Question is around the ip tacacs-source interface command

I have this configured with a source of loopback 10. When trying to telnet to the router, will its initial check that the tacacs server is reachable be sourced from loopback 10, or just the information exchange such as passwords, etc.?

I had a failure where the router had a route to the server, but the server had no way of getting back to the loopback 10 of the router (so no connectivity), yet it still prompted for tacacs.

Once the correct details were entered it rejected them; when I put a route into the network for L10 it then worked.

The only thing I can think of is that the initial request did not come from loopback 10 but came from the IP of the interface the traffic would have left the router on.

Thanks
Yaoul (TechnicalUser)
31 Jul 12 10:49
Prompt for tacacs is displayed as tacacs authentication is configured. There's no check for the authentication server being alive or not before the prompt is displayed.
And to answer your question, yes it's your loopback 10 interface that is used for all the traffic between your device and the tacacs server.
Cheers,
y/
123Manz (ISP)
31 Jul 12 10:59
Hi Yaoul

Thanks for the reply

If there is no check, then what is it that (in other instances, not this one) makes a device fall back to its local password if configured to do so? The router must do something to check if it can get there and, if not, revert to local login?

In this case, what do you think caused this issue, as there was definitely no two-way connectivity between loopback 10 and the tacacs server, yet it prompted for username and password, not the local password like it should have.

Cheers
Yaoul (TechnicalUser)
3 Aug 12 2:57
Hi Manz,
I'm not sure it works this way.

The Cisco IOS software attempts authorization with the next listed method only when there is no response from the previous method. If authorization fails at any point in this cycle (meaning that the security server or local username database responds by denying the user services), the authorization process stops and no other authorization methods are attempted.

What's the difference you see between what you call "tacacs prompt" and "local pwd prompt" ?

Cheers,

y/
123Manz (ISP)
3 Aug 12 4:29
Yaoul

The config is like below

aaa authentication login default group tacacs+ local

On this setup, when the primary WAN link fails there is no routing to the server. So, as it normally does at other sites, the router defaults to the local login (which is password only, not username and password).

This one, however, prompted for a username and password, like it could still reach the TACACS server; however, no logins worked.

As soon as I put the route in for the server to see the device it was resolved

Thanks

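Added example, not the poster's configuration (only the one `aaa authentication` line of that is shown above): an IOS configuration that puts the pieces discussed in this thread together. The server address, shared secret, server and group names, local username and the Loopback10 interface are all assumed.

```text
! Added example configuration; addresses, key, names and interface are assumed.
aaa new-model
!
! The username/password prompt is produced by the method list itself, not by
! a reachability probe. With "group tacacs+ local", the local username database
! is tried only when no TACACS+ server answers within its timeout; an explicit
! reject from a server ends the attempt without falling through to "local".
aaa authentication login default group TAC-GROUP local
!
! "local" authenticates against the username database, so one must exist.
username admin privilege 15 secret ExampleLocalPassword
!
! Source every TACACS+ packet from Loopback10. This only sets the source
! address: the router does not verify that the server can route back to it,
! so a route to the server is not enough; the server needs a route to
! Loopback10 as well.
ip tacacs source-interface Loopback10
!
tacacs server TACACS1
 address ipv4 192.0.2.10
 key ExampleSharedSecret
 timeout 5
!
aaa group server tacacs+ TAC-GROUP
 server name TACACS1
```

With one server and a 5-second timeout, a login attempt while the server is unreachable sits at the prompt for roughly that long before the router moves on to `local`; more servers in the group multiply the delay. `show tacacs` reports the socket opens, closes and timeouts per server, and `test aaa group TAC-GROUP <user> <password> legacy` exercises the exchange from the router without a real login.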