This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

S4 will not authenticate using TACACS+ server.

S4 will not authenticate using TACACS+ server.

Michael_Smith
New Contributor

ā€Ž06-07-2016 01:29 PM

My S4 will not authenticate CLI access using our TACACS server. It looks like all of the settings are correct; tacacs is enabled and authentication login is set to 'any'. I have mirrored this on a deployed C5 with zero issues.

The S4 is not hitting the TACACS server, via the logs, and i cannot see any TACACS traffic when i wireshark the ports.

Any ideas?
0 Kudos
4 REPLIES 4

Erik_Auerswald
Contributor II

ā€Ž06-08-2016 04:46 AM

Without a configured management interface the S4 will use a loopback interface's or the outgoing interface's IP address as source address. That is probably not the IP configured on the TACACS+ server, and not the IP you were looking for in packet captures.

TACACS+ and RADIUS servers usually ignore all requests from IP addresses not configured as clients. Ping packets are answered irrespective of the source IP. This is probably the reason for ping working. Ping will use the outgoing interface's IP address unless a specific source address/interface is specified.
0 Kudos

Michael_Smith
New Contributor

ā€Ž06-07-2016 04:40 PM

Figured it out...

I did not have an interface setup as a 'Management Address'. Once i entered the command: "set ip interface vlan.0.XX default" everything started working fine.

I'm hypothesizing that since no interface was setup as management, it was defaulting to the lowest interface IP address, which is a loopback interface...thus the reason why no TACACS+ messages were hitting my server.

I'm still stumped on why a ping would go through though. If the TACACS+ packets were defaulting to using the loopback (since nothing was defined), why wouldn't the ping use the loopback and fail?

Learn something new everyday...
0 Kudos

Erik_Auerswald
Contributor II

ā€Ž06-07-2016 02:27 PM

Hi Michael,

do you use a host ACL and if so, does it allow TACACS+?

Did you configure a source interface for TACACS+ (resp. for all management traffic sourced by the S4) and allowed that IP on the TACACS+ server?

Besides this you might want to double-check the TACACS+ configuration. Firewalls or router ACLs might stop this traffic as well.

Br,
Erik
0 Kudos

Daniel_Coughlin
Extreme Employee

ā€Ž06-07-2016 01:36 PM

Hello Michael,

Configuration issue would be the first place I would look. Specifically the management interface. the output of "show ip interface brief" may give us a clue but we may need the whole thing.
0 Kudos
GTM-P2G8KFN