Troubleshooting

Unusual Network Activity

The encryption key configured in the server does not match the encryption key configured in the switch (by using the tacacs-server key command). Verify the key in the server and compare it to the key configured in the switch. (Use show tacacs-server to list the global key. Use show config or show config running to list any server-specific keys.)
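Why a key mismatch stops authentication, as an added example that is not part of the original manual: it follows the TACACS+ body obfuscation defined in RFC 8907 and checks whether a given key decodes a packet body into a well-formed authentication START. The session ID, keys, user, port and address are constructed sample values, and the structural check is an illustrative heuristic.

```python
import hashlib
import struct

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pad: chained MD5 over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()  # MD5_n includes MD5_{n-1}
        pad += block
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call reverses the operation."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def start_body_is_consistent(body):
    """Authentication START: 8 fixed bytes, bytes 4-7 are the lengths of
    user, port, rem_addr and data, which must account for the rest."""
    return len(body) >= 8 and 8 + sum(body[4:8]) == len(body)

def key_matches(wire_body, session_id, version, seq_no, key):
    """True if `key` de-obfuscates the body into a well-formed START."""
    return start_body_is_consistent(
        obfuscate(wire_body, session_id, key, version, seq_no))

# Constructed sample values (not taken from any real device or capture).
SESSION_ID, VERSION, SEQ_NO = 0x1A2B3C4D, 0xC0, 1
SERVER_KEY = b"example-server-key"
SWITCH_KEY = b"example-switch-key"   # differs from the server's key
USER, PORT, REM_ADDR = b"manager", b"tty0", b"192.0.2.10"
CLEAR_BODY = bytes([1, 1, 1, 1, len(USER), len(PORT), len(REM_ADDR), 0]) \
    + USER + PORT + REM_ADDR

def demo():
    # The switch obfuscates with its key; the server reads with its own.
    wire = obfuscate(CLEAR_BODY, SESSION_ID, SWITCH_KEY, VERSION, SEQ_NO)
    return (key_matches(wire, SESSION_ID, VERSION, SEQ_NO, SWITCH_KEY),
            key_matches(wire, SESSION_ID, VERSION, SEQ_NO, SERVER_KEY))

if __name__ == "__main__":
    print(demo())
```

With mismatched keys the server recovers field lengths that do not add up to the packet size, so it cannot parse the request and the login fails regardless of the username and password entered.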

The accessible TACACS+ servers are not configured to provide service to the switch.

Access Is Denied Even Though the Username/Password Pair Is Correct. Some reasons for denial include the following parameters controlled by your TACACS+ server application:

The account has expired.

The access attempt is through a port that is not allowed for the account.

The time quota for the account has been exhausted.

The time credit for the account has expired.

The access attempt is outside of the time frame allowed for the account.

The allowed number of concurrent logins for the account has been exceeded.

For more help, refer to the documentation provided with your TACACS+ server application.

Unknown Users Allowed to Login to the Switch. Your TACACS+ application may be configured to allow access to unknown users by assigning them the privileges included in a default user profile. Refer to the documentation provided with your TACACS+ server application.

System Allows Fewer Login Attempts than Specified in the Switch Configuration. Your TACACS+ server application may be configured to allow fewer login attempts than you have configured in the switch with the aaa authentication num-attempts command.
