Configuring RADIUS and TACACS+ with CSACS
Verifying TACACS+

When TACACS+ is used on a router, the debug tacacs command can be used for more detailed debugging information. 

Use the following debug command on the router to trace TACACS+ packets:

debug tacacs

Use the following debug command to display information from the TACACS+ helper process:

debug tacacs events

Figure shows part of the debug aaa authentication command output for a TACACS login attempt that was successful. The information indicates that TACACS+ is the authentication method used.

Also, note that the AAA/AUTHEN status indicates that the authentication has passed.

There are three possible results of an AAA session:

  • Pass
  • Fail
  • Error

Failure
Figure shows part of the debug tacacs command output for a TACACS login attempt that was unsuccessful, as indicated by the status FAIL. The status fields are probably the most useful part of the debug tacacs command output.

Pass
Figure shows part of the debug tacacs command output for a TACACS login attempt that was successful, as indicated by the status PASS.

Figure shows sample debug tacacs events output.

In this example, the opening and closing of a TCP connection to a TACACS+ server are shown, and also the bytes read and written over the connection and the connection’s TCP status.

The TACACS messages are intended to be self-explanatory or for consumption by service personnel only. However, the messages shown are briefly explained in the following text:

This message indicates that a TCP open request to host 10.1.1.4 on port 49 will time out in 15 seconds if it gets no response:

00:03:16: TAC+: Opening TCP/IP to 10.1.1.4/49 timeout=15

This message indicates a successful open operation and provides the address of the internal TCP "handle" for this connection:

00:03:16: TAC+: Opened TCP/IP handle 0x48A87C to 10.1.1.4/49

For more detailed information, refer to the Debug Command Reference on Cisco.com.
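The following Python sketch is an added example, not part of the original course material: it parses the two debug tacacs events messages explained above, pairs each open request with its successful open, and lists servers whose open requests never completed. The lines for 10.1.1.5 are constructed sample data, and the function names are illustrative.

```python
import re

# The two "debug tacacs events" message formats explained above.
OPENING = re.compile(r"TAC\+: Opening TCP/IP to (\S+)/(\d+) timeout=(\d+)")
OPENED = re.compile(r"TAC\+: Opened TCP/IP handle (0x[0-9A-Fa-f]+) to (\S+)/(\d+)")

SAMPLE = [
    "00:03:16: TAC+: Opening TCP/IP to 10.1.1.4/49 timeout=15",      # from the text
    "00:03:16: TAC+: Opened TCP/IP handle 0x48A87C to 10.1.1.4/49",  # from the text
    "00:03:20: TAC+: Opening TCP/IP to 10.1.1.5/49 timeout=15",      # constructed
    "00:03:35: TAC+: Opening TCP/IP to 10.1.1.5/49 timeout=15",      # constructed
]

def _entry(servers, host, port):
    return servers.setdefault((host, int(port)),
                              {"attempts": 0, "opened": 0, "timeout": None, "handles": []})

def summarize(lines):
    """Count open requests and successful opens per TACACS+ server."""
    servers = {}
    for line in lines:
        m = OPENING.search(line)
        if m:
            e = _entry(servers, m.group(1), m.group(2))
            e["attempts"] += 1
            e["timeout"] = int(m.group(3))
            continue
        m = OPENED.search(line)
        if m:
            # Also covers an open whose request line was logged before capture began.
            e = _entry(servers, m.group(2), m.group(3))
            e["opened"] += 1
            e["handles"].append(m.group(1))
    return servers

def unanswered(servers):
    """Servers with more open requests than successful opens."""
    return sorted(k for k, v in servers.items() if v["attempts"] > v["opened"])

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for (host, port), e in sorted(result.items()):
        print(f"{host}/{port}: {e['attempts']} open request(s), {e['opened']} opened, "
              f"timeout={e['timeout']}s, handles={e['handles']}")
    print("No successful open:", unanswered(result))
```

A server that appears in the second list received open requests but never produced an "Opened" line in the captured output, which points to a reachability problem rather than an authentication FAIL.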

More meaningful debug output can be obtained if the router is configured using the service timestamps type [uptime] datetime [msec] [localtime] [show-timezone] command. The table in Figure describes the service timestamps command.

