When TACACS+ is used on a router, the debug
tacacs command can be used for more detailed debugging
information. 
Use the
following debug command on the router to trace TACACS+
packets:
debug tacacs
Use the
following debug command to display information from the
TACACS+ helper process:
debug tacacs events
Figure
shows
part of the debug aaa authentication command output for a
TACACS login attempt that was successful. The information indicates that
TACACS+ is the authentication method used.
Also, note that the AAA/AUTHEN
status indicates that the authentication has passed.
There are three
possible results of an AAA session:
Failure
Figure
shows part of
the debug tacacs command output for a TACACS login attempt
that was unsuccessful as indicated by the status FAIL. The status fields are
probably the most useful part of the debug tacacs
command.
Pass
Figure
shows part of
the debug tacacs command output for a TACACS login attempt
that was successful, as indicated by the status PASS.
Figure
shows sample
debug tacacs events output.
In this example, the
opening and closing of a TCP connection to a TACACS+ server are shown, and also
the bytes read and written over the connection and the connection’s TCP
status.
The TACACS messages are intended to be self-explanatory or for
consumption by service personnel only. However, the messages shown are briefly
explained in the following text:
This message indicates that a TCP open
request to host 10.1.1.4 on port 49 will time out in 15 seconds if it gets no
response:
00:03:16: TAC+: Opening TCP/IP to 10.1.1.4/49
timeout=15
This message indicates a successful open
operation and provides the address of the internal TCP "handle" for
this connection:
00:03:16: TAC+: Opened TCP/IP handle 0x48A87C to
10.1.1.4/49
For more detailed information, refer to the
Debug Command Reference on Cisco.com.
More meaningful output from
debug command output can be obtained if the router is
configured using the service timestamps type [uptime]
datetime [msec] [localtime] [show-timezone] command. The table in
Figure
describes the
service timestamps command.