Troubleshooting TACACS+ and XTACACS
Possible Problem Solution
Missing login tacacs command
Step 1 Use the show running-config privileged exec command on the router to
see whether the login tacacs line configuration command is present.
Step 2 If the command is not present, add the command on each line that should
use XTACACS. For example, to configure line 2 to use XTACACS, enter
the following commands:
C2500(config)#line 2
C2500(config-line)#login tacacs
For detailed information on configuring XTACACS, refer to the Cisco IOS
Configuration Fundamentals Configuration Guide and Configuration
Fundamentals Command Reference.
Router does not have minimum XTACACS configuration
Step 1 Use the show running-config privileged exec command to view the local
router configuration. Look for the following commands:
tacacs-server host hostname
tacacs-server extended
where hostname is the DNS hostname or IP address of the XTACACS server.
Step 2 If these commands are not present, add them to the configuration.
Examples:
The following example enables Extended TACACS mode:
tacacs-server extended
The following example specifies a TACACS host named Sea_Change:
tacacs-server host Sea_Change
PPP not functioning correctly
If PPP is not functioning properly, problems will occur when using XTACACS. Use
the debug ppp negotiation privileged exec command to see whether both sides are
communicating.
Caution: Because debugging output is assigned high priority in the CPU process, it
can render the system unusable. For this reason, use debug commands only to
troubleshoot specific problems or during troubleshooting sessions with Cisco
technical support staff. Moreover, it is best to use debug commands during periods
of lower network traffic and fewer users. Debugging during these periods decreases
the likelihood that increased debug command processing overhead will affect
system use.
For information on configuring PPP, refer to the Cisco IOS Configuration
Fundamentals Configuration Guide and Configuration Fundamentals Command
Reference.
PAP is misconfigured
Step 1 Use the show running-config privileged exec command to make sure the
router is configured for PAP authentication. The router configuration
should include the following interface configuration commands for each
async interface that should use PAP authentication:
ppp authentication pap
ppp use-tacacs
Step 2 If the commands are not present, add them to the configuration.
In the following example, asynchronous interface 1 is configured to use
TACACS for PAP authentication:
interface async 1
ppp authentication pap
ppp use-tacacs
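
The checks from the steps above, gathered into one script as an added example (not part of the Cisco guide): it reads saved show running-config output and reports the global, line, and async interface commands the table looks for that are missing. The sample configuration is constructed, and the names parse_sections and audit_xtacacs are hypothetical.

```python
import re

# Constructed sample of `show running-config` output (not from a real router).
SAMPLE_CONFIG = """\
hostname C2500
tacacs-server host Sea_Change
!
interface Async1
 ppp authentication pap
 ppp use-tacacs
interface Async2
 ppp authentication pap
!
line 1
 login tacacs
line 2
 login
end
"""

PPP_REQUIRED = ("ppp authentication pap", "ppp use-tacacs")

def parse_sections(config):
    """Map each column-0 command to the indented subcommands beneath it."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        elif not raw[0].isspace():
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def audit_xtacacs(config):
    """Return a finding for each command the troubleshooting steps look for."""
    sections = parse_sections(config)
    findings = []
    if not any(h.startswith("tacacs-server host ") for h in sections):
        findings.append("global: missing 'tacacs-server host'")
    if "tacacs-server extended" not in sections:
        findings.append("global: missing 'tacacs-server extended'")
    for header, cmds in sections.items():
        if re.match(r"interface async\s*\d+", header, re.IGNORECASE):
            findings += [f"{header}: missing '{c}'" for c in PPP_REQUIRED if c not in cmds]
        elif re.match(r"line\s", header) and "login tacacs" not in cmds:
            findings.append(f"{header}: missing 'login tacacs'")
    return findings

if __name__ == "__main__":
    for finding in audit_xtacacs(SAMPLE_CONFIG):
        print(finding)
```

Every line and async interface is checked, so findings for lines or interfaces that are not meant to use XTACACS can be ignored.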