S4 will not authenticate using TACACS+ server.

Michael_Smith
New Contributor
My S4 will not authenticate CLI access using our TACACS+ server. It looks like all of the settings are correct; TACACS+ is enabled and authentication login is set to 'any'. I have mirrored this on a deployed C5 with zero issues.

The S4 is not hitting the TACACS+ server, according to the logs, and I cannot see any TACACS+ traffic when I capture on the ports with Wireshark.

Any ideas?

Erik_Auerswald
Contributor II
Without a configured management interface the S4 will use a loopback interface's or the outgoing interface's IP address as source address. That is probably not the IP configured on the TACACS+ server, and not the IP you were looking for in packet captures.

TACACS+ and RADIUS servers usually ignore all requests from IP addresses not configured as clients. Ping packets are answered irrespective of the source IP. This is probably the reason for ping working. Ping will use the outgoing interface's IP address unless a specific source address/interface is specified.
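
The symptom Erik describes (the server ignores TCP/49 from an unexpected source while still answering ping) is easiest to confirm from a capture taken on the TACACS+ server. Below is an added example, not code from the original thread or from Extreme, that parses constructed `tcpdump -nn tcp port 49` output, lists every source address that tried to open a TACACS+ session, and checks each one against an assumed client list on the server (the 10.10.x.x and 192.0.2.10 addresses and the allowed networks are made up for the example). A SYN that never gets a SYN-ACK from a source outside the client list is exactly the "switch sourced from the wrong interface" case in this thread.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -nn tcp port 49` output as captured on the
# TACACS+ server; addresses, ports and timestamps are made up for this example.
# 10.10.0.250 plays the role of the switch's loopback/lowest interface address,
# 10.10.20.5 the address of a properly configured management interface.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.10.0.250.51234 > 192.0.2.10.49: Flags [S], seq 100, win 64240, length 0
12:00:02.000002 IP 10.10.0.250.51234 > 192.0.2.10.49: Flags [S], seq 100, win 64240, length 0
12:00:09.000003 IP 10.10.20.5.51240 > 192.0.2.10.49: Flags [S], seq 200, win 64240, length 0
12:00:09.000100 IP 192.0.2.10.49 > 10.10.20.5.51240: Flags [S.], seq 300, ack 201, win 65160, length 0
12:00:09.000200 IP 10.10.20.5.51240 > 192.0.2.10.49: Flags [.], ack 1, win 64240, length 0
"""

# Assumed client list on the TACACS+ server (for tac_plus these would be the
# "host" entries). Requests from any other source address are silently dropped.
ALLOWED_CLIENTS = ("10.10.20.0/24", "10.10.30.7/32")

LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse_capture(text):
    """Yield (src, sport, dst, dport, flags) tuples from tcpdump text output."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def is_allowed_client(ip, allowed=ALLOWED_CLIENTS):
    """True if ip falls inside one of the server's configured client networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowed)


def diagnose(text, server_port=49, allowed=ALLOWED_CLIENTS):
    """Map each source IP that sent a SYN to the TACACS+ port to a verdict."""
    syn_sources = set()
    answered = set()
    for src, sport, dst, dport, flags in parse_capture(text):
        if dport == server_port and flags == "S":
            syn_sources.add(src)          # a client tried to open a session
        elif sport == server_port and flags == "S.":
            answered.add(dst)             # the server accepted this client
    report = {}
    for src in sorted(syn_sources, key=ipaddress.ip_address):
        if src in answered:
            report[src] = "handshake completed"
        elif is_allowed_client(src, allowed):
            report[src] = "configured client but no SYN-ACK: check host ACL/firewall"
        else:
            report[src] = "not a configured client: server silently drops it"
    return report


if __name__ == "__main__":
    for src, verdict in diagnose(SAMPLE_CAPTURE).items():
        print(f"{src:16} {verdict}")
```

Run it against a real capture by replacing `SAMPLE_CAPTURE` with the text of `tcpdump -nn tcp port 49` taken on the server: any source that shows up with retransmitted SYNs and no SYN-ACK is the address the switch is actually using, which is what has to be either added to the server's client list or changed with a management/source interface on the switch.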

Michael_Smith
New Contributor
Figured it out...

I did not have an interface set up as a 'Management Address'. Once I entered the command "set ip interface vlan.0.XX default", everything started working fine.

I'm hypothesizing that since no interface was set up as management, it was defaulting to the lowest interface IP address, which is a loopback interface, hence the reason why no TACACS+ messages were hitting my server.

I'm still stumped on why a ping would go through though. If the TACACS+ packets were defaulting to using the loopback (since nothing was defined), why wouldn't the ping use the loopback and fail?

Learn something new everyday...

Erik_Auerswald
Contributor II
Hi Michael,

do you use a host ACL and if so, does it allow TACACS+?

Did you configure a source interface for TACACS+ (resp. for all management traffic sourced by the S4) and allowed that IP on the TACACS+ server?

Besides this you might want to double-check the TACACS+ configuration. Firewalls or router ACLs might stop this traffic as well.

Br,
Erik

Daniel_Coughlin
Extreme Employee
Hello Michael,

A configuration issue would be the first place I would look, specifically the management interface. The output of "show ip interface brief" may give us a clue, but we may need the whole thing.