The Terminal Access Controller Access Control System (TACACS+) protocol
provides access control for routers, Network Access Servers (NASs), or other
devices through one or more daemon servers. It encrypts all traffic between the
NAS and the daemon and uses TCP for reliable delivery.
This document provides troubleshooting information for the Content
Services Switch (CSS) and TACACS+. You can configure the CSS as a client of a
TACACS+ server, providing a method for authentication of users, and
authorization and accounting of configuration and non-configuration commands.
This feature is available in WebNS 5.03.
Note: Refer to
the CSS as a Client of a TACACS+ Server for more information.
There are no specific requirements for this document.
This document is not restricted to specific software and hardware
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Technical Tips Conventions for more information on document
When you attempt to log in to the CSS with a TACACS+ user, the login
does not work.
When TACACS+ authentication does not work with a CSS, the problem is
usually a configuration issue on either the CSS or the TACACS+ server.
First, check whether you have configured the CSS as a client of a
TACACS+ server.
When you have checked this, there is additional logging that you can
use on the CSS in order to determine the problem. Complete these steps to turn
On the CSS, enter debug mode.
CSS(debug)# mask tac 0x3
CSS(config)# logging subsystem security level debug-7
CSS(config)# logging subsystem netman level info-6
!--- This logs messages to the screen.
In order to disable logging, issue these commands:
CSS(debug)# mask tac 0x0
CSS# no logon
These messages can appear:
SEP 10 08:30:10 5/1 99 SECURITY-7: SECMGR:SecurityAuth:Request from 0x20204b0c
SEP 10 08:30:10 5/1 100 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary
SEP 10 08:30:10 5/1 101 SECURITY-7: Security Manager sending error 7 reply to
These messages indicate that the CSS tries to communicate with the
TACACS+ server, but the TACACS+ server rejects the CSS. Error 7 means
that the TACACS+ key entered in the CSS does not match the key on the
TACACS+ server.
A successful login through a TACACS+ server shows this message (note
the sending success 0 reply):
SEP 10 08:31:46 5/1 107 SECURITY-7: SECMGR:SecurityAuth:Request from 0x20204b0d
SEP 10 08:31:46 5/1 108 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary
SEP 10 08:31:47 5/1 109 SECURITY-7: Security Manager sending success 0 reply to
SEP 10 08:31:47 5/1 110 SECURITY-7: SECMGR:SecurityMgrProc:Try Done, Send 0x2020
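The following Python example is added here and is not part of the original document. It groups the SECURITY-7 debug lines shown above into login attempts and flags the error 7 (key mismatch) case; the line layout is inferred from the excerpts on this page, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed layout (from this page): MON DD HH:MM:SS slot/subslot seq SUBSYSTEM-level: message
LINE = re.compile(r"^(?P<ts>[A-Z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<slot>\d+/\d+) "
                  r"(?P<seq>\d+) (?P<subsys>[A-Z]+)-(?P<level>\d): (?P<msg>.*)$")
REQUEST = re.compile(r"SECMGR:SecurityAuth:Request from (0x[0-9a-fA-F]+)")
REPLY = re.compile(r"Security Manager sending (success|error) (\d+) reply")
# Only the two outcomes this page explains are interpreted.
MEANING = {("error", 7): "TACACS+ key on the CSS does not match the server key",
           ("success", 0): "login accepted through the TACACS+ server"}
# Log lines copied from this page; they are truncated here as they are there.
SAMPLE = """\
SEP 10 08:30:10 5/1 99 SECURITY-7: SECMGR:SecurityAuth:Request from 0x20204b0c
SEP 10 08:30:10 5/1 100 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary
SEP 10 08:30:10 5/1 101 SECURITY-7: Security Manager sending error 7 reply to
SEP 10 08:31:46 5/1 107 SECURITY-7: SECMGR:SecurityAuth:Request from 0x20204b0d
SEP 10 08:31:46 5/1 108 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary
SEP 10 08:31:47 5/1 109 SECURITY-7: Security Manager sending success 0 reply to
SEP 10 08:31:47 5/1 110 SECURITY-7: SECMGR:SecurityMgrProc:Try Done, Send 0x2020
"""

@dataclass
class Attempt:
    started: str                      # timestamp of the Request line
    requester: str                    # hex id logged after "Request from"
    status: str = "no reply logged"   # "success" or "error" once a reply is seen
    code: Optional[int] = None
    meaning: str = ""

def parse_attempts(text):
    # A Request line opens an attempt; the next Security Manager reply closes it.
    attempts, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["subsys"] != "SECURITY":
            continue
        req, rep = REQUEST.search(m["msg"]), REPLY.search(m["msg"])
        if req:
            current = Attempt(m["ts"], req.group(1))
            attempts.append(current)
        elif rep and current is not None:
            current.status, current.code = rep.group(1), int(rep.group(2))
            current.meaning = MEANING.get((current.status, current.code),
                                          "code not described on this page")
            current = None
    return attempts

def key_mismatches(attempts):
    return [a for a in attempts if (a.status, a.code) == ("error", 7)]
```

A request that never receives a reply line stays at "no reply logged", which separates a missing reply from an explicit rejection.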
The most common mistake when you set up a CSS to work with a TACACS+
server is actually very simple. This command tells the CSS what key to use to
communicate with the TACACS+ server:
CSS(config)# tacacs-server key system enterkeyhere
This key can be either clear text or DES encrypted. A clear text key
is DES encrypted before it is placed in the running configuration. To enter
the key as clear text, put it in quotes. To enter it as DES encrypted, do not
use quotes. The important thing is to know whether the TACACS+ key is DES
encrypted or clear text. After you issue the command, match the key of the CSS
to the key that the TACACS+ server uses.