How do you verify TACACS+ connectivity to a device?
A. You successfully log in to the device by using the local credentials.
B. You connect to the device using SSH and receive the login prompt.
C. You successfully log in to the device by using ACS credentials.
D. You connect via console port and receive the login prompt.
C should be the correct answer, as the login prompt will still be presented if there is a second aaa authentication method, e.g. group tacacs+ local.
B is correct. SSH (basically encrypted Telnet) on port #49 (TACACS port)
“Step 1. Verify the connectivity to the TACACS server with a telnet on port 49 from the router with appropriate source interface. In case the router is not able to connect to the TACACS server on Port 49, there might be some firewall or access list blocking the traffic.”
Ref: https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/200467-Troubleshoot-TACACS-Authentication-Issue.html
Telnet or SSH to the TACACS server on TCP port 49 can test the connectivity, but you will receive the “Open” message instead of the login prompt during the connectivity test.
The “Open” message means: port 49 is open and the device connected to that interface is reachable.
It does not mean that there is a functional connection to an ACS server. Any device could be on the other end of that cable with port 49 open.
The example on the page from my previous comment shows an attempt to connect to an ACS server that is not answering. Is SOMETHING answering? Yeah.
“Router#telnet 10.106.60.182 49
Trying 10.106.60.182, 49 … Open”
This means: “Sure, I’m listening, but what do you want from me? Either I’m not the person you need to talk to or I’m not allowed to talk to you (i.e. blocked by a firewall or access list).”
If you telnet or SSH to it and the prompt is presented, then you know that you have connectivity to the ACS server and that no network, firewall or access lists are blocking your access to the server.
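The distinction the last few replies draw (TCP port 49 answering “Open” versus a real TACACS+ server behind it) can be checked from an operator workstation with a minimal RFC 8907 client; this is an added example, not code from the thread or from Cisco, and the session id, shared key, host and username are constructed placeholders. It sends an ASCII-login START that carries only a username, so a genuine server that shares the key answers GETPASS, while a bare open port yields no reply and a key mismatch decodes to garbage.

```python
import hashlib
import socket
import struct

TAC_PLUS_AUTHEN, AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01, 0x01
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}

def obfuscate(body, key, session_id, version, seq):
    """XOR the body with the MD5 pseudo-pad chain (RFC 8907 s4.5); it is its own inverse."""
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(session_id + key + bytes([version, seq]) + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(user, key, session_id, version=0xC0):
    """ASCII-login START carrying only a username: a real TACACS+ server answers GETPASS."""
    u = user.encode()
    body = struct.pack("!8B", AUTHEN_LOGIN, 1, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(u), 0, 0, 0) + u            # priv_lvl 1; no port/rem_addr/data
    header = struct.pack("!BBBB4sI", version, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, key, session_id, version, 1)

def parse_authen_reply(packet, key):
    """Return the REPLY status name, 'NOT_TACACS' for non-TACACS+ bytes, 'UNKNOWN' on key mismatch."""
    if len(packet) < 12:
        return "NOT_TACACS"
    version, ptype, seq, _flags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    if ptype != TAC_PLUS_AUTHEN or len(packet) - 12 != length:
        return "NOT_TACACS"
    body = obfuscate(packet[12:], key, session_id, version, seq)
    return REPLY_STATUS.get(body[0], "UNKNOWN")   # garbage status usually means wrong shared key

def probe(host, key, user="probe", port=49, timeout=3.0):
    """'CLOSED' = the telnet-49 test would fail; 'OPEN_SILENT' = 'Open' but nothing TACACS+
    behind it; anything else is the server's reply status, proving the AAA path and key."""
    session_id = b"\x5e\xc0\xde\x01"                   # constructed; use os.urandom(4) in practice
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "CLOSED"
    with s:
        s.settimeout(timeout)
        s.sendall(build_authen_start(user, key, session_id))
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""
    return "OPEN_SILENT" if not reply else parse_authen_reply(reply, key)
```

Running `probe("10.106.60.182", b"shared-key")` against the host from the quoted Cisco output would return `OPEN_SILENT` in the situation the thread describes, and `GETPASS` only when a TACACS+ server with the matching key is actually on the other end.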