Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Tacacs query

Status
Not open for further replies.

123Manb

ISP
Jul 31, 2012
4
GB
Hi

Question is around the ip tacacs-source interface command

I have this configured as source of loopback 10, when trying to telnet to the router will its initial check the tacacs server is reachable be sourced from loopback 10, or just the information exchange such as passwords etc?

I had a failure where the router had a route to the server, but the server had no way of getting back to the loopback 10 of the router (so no connectivity) yet it still prompted for tacacs

Once the correct details were entered it rejected them, when I put a route into the network for L10 it then worked

The only thing I can think of is the initial request did not come loopback 10 but came from the IP of the interface the traffic would have left the router

Thanks
 
Prompt for tacacs is displayed as tacacs authentication is configured. There's no check for the authentication server being alive or not before the prompt is displayed.
And to answer your question, yes it's your loopback 10 interface that is used for all the traffic between your device and the tacacs server.
Cheers,
y/
 
Hi Yaoul

Thanks for the reply

If there is no check that what is it that (in other instances not this) makes a device fall back onto its local password if configured to do so? The router must do something to check if can get there and if not revert to local login?

In this case, what do you think caused this issue, as there was definitely no 2 way connectivity between loopback 10 and the tacacs server yet it prompted for username and password, not the local passwors like it should have

Cheers
 
Hi Manz,
I'm not sure it works this way.

The Cisco IOS software attempts authorization with the next listed method only when there is no response from the previous method. If authorization fails at any point in this cycle—meaning that the security server or local username database responds by denying the user services—the authorization process stops and no other authorization methods are attempted.



What's the difference you see between what you call "tacacs prompt" and "local pwd prompt" ?

Cheers,

y/
 
Yaoul

The config is like below

aaa authentication login default group tacacs+ local

On this setup, when the primary WAN link fails there is no routing to the server. So, as it normally does at other sites the router defaults to the local login (which is password only not username and password)

This one however prompted for a username and password, like it could still reach the TACACS server, however no logins worked

As soon as I put the route in for the server to see the device it was resolved

Thanks
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top