Try adding ip tacacs-source to specify an interface that you know you can reach FROM your TACACS server.
Maybe you don't have a route back to the router from the server to the source that the router is using for TACACS requests.

"Amer" wrote in message news:[EMAIL PROTECTED]...
> Okay I've got my login authentication, authorization and accounting working
> on most of my switches and routers through an ACS (TACACS+). But I have this
> one router that gives me an "% Error in authentication" message as soon as I
> put in my username. It doesn't even allow me to put in a password. The
> only way I can get into it is through the local account that I have created
> on it. I've checked a similar router (same IOS, exact same configuration),
> and it works okay.... so what can I look for to troubleshoot this problem??
> Thanks in advance.
>
> Here is the config on the router:
>
> aaa new-model
> aaa authentication login default local tacacs+
> aaa authentication enable default enable tacacs+
> aaa authorization exec default tacacs+ local
> aaa authorization network default none
> aaa accounting update newinfo
> aaa accounting exec default start-stop tacacs+
> aaa accounting commands 15 default start-stop tacacs+
> aaa accounting network default start-stop tacacs+
>
> P.S. Does anyone know of a way to filter out the commands that can be
> accounted for at the ACS? At the moment, the accounting is working great
> but it accounts for every command that's put in. I have an access list on
> one of my routers that is about 150 lines long and gets modified constantly
> and every command is accounted for in the ACS Accounting. I'm trying to see
> if there's a way to filter out that particular access-list and not account
> for it every time. Thanks again.
>
> Amer

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59422&t=59393
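
Added example, not part of the original thread: a small Python check for the situation described above, where two routers are believed to have the same configuration but only one can authenticate. It extracts the AAA/TACACS+ lines from two saved configs, lists lines present on only one side, and reports the TACACS+ source interface and login method order. The sample configs, the 192.0.2.10 server address and Loopback0 are constructed, and the source-interface setting is assumed to appear in the config as `ip tacacs source-interface`.

```python
import re

# Global IOS lines that govern how the router uses and reaches TACACS+.
RELEVANT = re.compile(r"^(aaa |tacacs-server |ip tacacs )")

def aaa_lines(config_text):
    """Return the AAA/TACACS+ lines of a config, whitespace-normalised."""
    lines = (" ".join(raw.split()) for raw in config_text.splitlines())
    return [line for line in lines if RELEVANT.match(line)]

def source_interface(config_text):
    """Interface named by 'ip tacacs source-interface', or None if unset."""
    for line in aaa_lines(config_text):
        m = re.fullmatch(r"ip tacacs source-interface (\S+)", line)
        if m:
            return m.group(1)
    return None

def method_order(config_text, kind="authentication login", name="default"):
    """Methods of one AAA list, in the order the router tries them."""
    prefix = f"aaa {kind} {name} "
    for line in aaa_lines(config_text):
        if line.startswith(prefix):
            return line[len(prefix):].split()
    return []

def compare(working, failing):
    """AAA/TACACS+ lines present in only one of the two configs."""
    w, f = set(aaa_lines(working)), set(aaa_lines(failing))
    return {"only_working": sorted(w - f), "only_failing": sorted(f - w)}

# Constructed sample configs: the AAA lines follow the post; the server
# address and Loopback0 are made up for the example.
FAILING = """\
aaa new-model
aaa authentication login default local tacacs+
aaa authorization exec default tacacs+ local
tacacs-server host 192.0.2.10
"""
WORKING = FAILING + "ip tacacs source-interface Loopback0\n"

if __name__ == "__main__":
    print("differences:", compare(WORKING, FAILING))
    for label, cfg in (("working", WORKING), ("failing", FAILING)):
        print(label, "source:", source_interface(cfg) or "not set")
        print(label, "login methods:", method_order(cfg))
```

The source address the router ends up using also has to match the client entry defined for it on the ACS, so compare the reported interface's address against that entry.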

