Updated: July 14, 2022
This document describes the steps to troubleshoot Terminal Access Controller Access-Control System Authentication (TACACS) issues on Cisco IOS®/Cisco IOS-XE routers and switches.
Cisco recommends that you have basic knowledge of these topics:
Authentication, Authorization and Accounting (AAA) configuration on Cisco devices
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
How TACACS works
TACACS+ uses Transmission Control Protocol (TCP) as its transport protocol, with destination port 49. When the router receives a login request, it establishes a TCP connection with the TACACS+ server, after which a username prompt is displayed to the user. When the user enters the username, the router again communicates with the TACACS+ server to obtain the password prompt. Once the user enters the password, the router sends this information to the TACACS+ server. The TACACS+ server verifies the user credentials and sends a response back to the router. The result of an AAA session can be any of these:
PASS: You are authenticated and the service can begin. If AAA authorization is configured on the router, the authorization phase begins at this time.
FAIL: The authentication failed. Depending on the TACACS+ daemon, you can be denied further access or be prompted to retry the login sequence. If you receive a FAIL from the server, check the policies configured for the user on the TACACS+ server.
ERROR: An error occurred during authentication, either at the daemon or in the network connection between the daemon and the router. If an ERROR response is received, the router typically tries an alternative method to authenticate the user.
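The exchange described above, as an added example that is not part of the Cisco document: a TACACS+ authentication START and REPLY encoded and decoded per RFC 8907, including the MD5-based body obfuscation in which the shared secret from the server-side client entry is used. The key, session id and username are constructed values; the point it shows is why a key mismatch between router and server produces a reply the router cannot decode rather than a clean FAIL.

```python
# Added example (not from the Cisco document): a TACACS+ authentication exchange
# encoded and decoded per RFC 8907, showing where the shared secret enters the
# protocol. Packets, key and session id below are constructed locally.
import hashlib
import struct

VERSION_ASCII = 0xC0      # major version 0xC, minor 0 (ASCII login)
TYPE_AUTHEN = 0x01        # authentication packet type
FLAG_UNENCRYPTED = 0x01   # body sent in the clear (lab use only)
ACTION_LOGIN = 0x01
AUTHEN_TYPE_ASCII = 0x01
SERVICE_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

# REPLY status codes (RFC 8907, section 5.2)
REPLY_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenated, then truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad. The operation is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(seq_no, session_id, body, key, version=VERSION_ASCII):
    """Prepend the 12-byte header and obfuscate the body with this side's shared key."""
    header = HEADER.pack(version, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(raw, key):
    """Split header and body, de-obfuscating the body with the key this side is configured with."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(raw[:HEADER.size])
    body = raw[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def authen_start(user, port=b"tty0", rem_addr=b"", priv_lvl=1):
    """Authentication START body: what the router sends when a login begins (section 5.1)."""
    fixed = bytes([ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                   len(user), len(port), len(rem_addr), 0])
    return fixed + user + port + rem_addr


def authen_reply(status, server_msg=b"", data=b""):
    """Authentication REPLY body from the server: status, flags, two lengths, payloads (section 5.2)."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def parse_authen_reply(body):
    """Return (status name, server_msg), or raise if the body does not decode cleanly.
    An unknown status or lengths that overrun the body are the usual sign of a key mismatch."""
    if len(body) < 6:
        raise ValueError("reply body too short")
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in REPLY_STATUS or 6 + msg_len + data_len > len(body):
        raise ValueError("undecodable reply: verify the shared key on router and server")
    return REPLY_STATUS[status], body[6:6 + msg_len]


def outcome(status_name):
    """Map a REPLY status to the results listed above; GET*/RESTART/FOLLOW keep the session going."""
    return status_name if status_name in ("PASS", "FAIL", "ERROR") else "CONTINUE"


def router_view_of_reply(reply_packet, router_key):
    """What the router concludes from a server REPLY, given its own configured key."""
    try:
        status_name, _msg = parse_authen_reply(parse_packet(reply_packet, router_key)["body"])
    except ValueError:
        return "UNDECODABLE"
    return outcome(status_name)


if __name__ == "__main__":
    KEY, SESSION = b"constructed-secret", 0x1A2B3C4D  # made-up values
    start = build_packet(1, SESSION, authen_start(b"cisco"), KEY)
    print("server sees user:", parse_packet(start, KEY)["body"][8:13])
    reply = build_packet(2, SESSION, authen_reply(0x01), KEY)
    print("matching keys  :", router_view_of_reply(reply, KEY))
    print("mismatched keys:", router_view_of_reply(reply, b"other-secret"))
```

Run it as a script to see the two cases side by side. With matching keys the server recovers the username and the router reads PASS; with a mismatched key the XOR keystreams differ, so the router's view of the reply is a byte string with an implausible status or lengths, which is the symptom behind the shared-secret check in step 2.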
This is the basic configuration of AAA and TACACS+ on a Cisco router:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
tacacs server prod
address ipv4 10.106.60.182
ip tacacs source-interface Gig 0/0
Troubleshoot TACACS Issues
Step 1. Verify connectivity to the TACACS+ server with a telnet to port 49 from the router, using the appropriate source interface. If the router cannot connect to the TACACS+ server on port 49, a firewall or access list might be blocking the traffic.
Router#telnet 10.106.60.182 49
Trying 10.106.60.182, 49 ... Open
Step 2. Verify that the AAA client is correctly configured on the TACACS+ server with the correct IP address and shared secret key. If the router has multiple outgoing interfaces, configure the TACACS+ source interface with this command, choosing the interface whose IP address is configured as the client IP address on the TACACS+ server:
Router(config)#ip tacacs source-interface Gig 0/0
Step 3. Verify whether the TACACS+ source interface belongs to a Virtual Routing and Forwarding (VRF) instance. If it does, configure the VRF under the AAA server group. Refer to the TACACS Configuration Guide for the configuration of VRF-aware TACACS+.
Step 4. Run test aaa and verify that the router receives the correct response from the server:
Router#test aaa group tacacs+ cisco cisco legacy
User successfully authenticated
Step 5. If test aaa fails, enable these debugs together to analyze the transactions between the router and the TACACS+ server and identify the root cause.