I would do a debug on your TACACS+ server while you are trying this.
I'll assume that you only want to use TACACS authentication and only fall back to local logins if it can't access the server?
Try using this:
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
Also see this site; it has some good examples and explanations:
http://my.safaribooksonline.com/book/networking/cisco-ios/0596527225/tacacsplus/i13896_heada_4_2#X2ludGVybmFsX0h0bWxWaWV3P3htbGlkPTA1OTY1MjcyMjUlMkZpNTAzNjNfX2hlYWRhX180XzEmcXVlcnk9
My guess is that since you have the "local" keyword in:
aaa authentication login default group tacacs+ local line
The TACACS+ authentication returns a fail, so the router tries doing local authentication. I guess you should provide us with the sanitized line vty configuration.
If you have
line vty 0 15
login local
Then it would do username/password authentication; otherwise it's doing password authentication.
There is an option that overrides the default timeout to the tacacs server, depending on your software version:
tacacs-server host host-name [port integer] [timeout integer]
timeout (Optional) Specifies a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only.
On newer versions, where tacacs-server is truncated:
tacacs server [group name]
address ipv4 [tacacs server address]
key [password]
timeout [timeout integer]
timeout - Time to wait for this TACACS server to reply (overrides default)
Edit:
I can confirm that we've now changed our TACACS configuration to the following and it works like a charm for all 900 devices, including the timeout option. All switches and routers are running the newest safe harbor IOS.
TACACS is running on Cisco ISE redundant platform.
Layer 2/3 switches and routers, with VRF also (not including Nexus):
aaa group server tacacs+ TACACS_PLUS
server-private XX.XX.X.XXX timeout 2 key <password>
server-private XX.XX.X.XXX timeout 2 key <password>
Optional: ip vrf forwarding <vrf name>
aaa authorization config-commands
aaa authentication login default group TACACS_PLUS local
aaa authentication enable default group TACACS_PLUS enable
aaa authorization exec default group TACACS_PLUS local
aaa authorization commands 0 default group TACACS_PLUS if-authenticated
aaa authorization commands 1 default group TACACS_PLUS if-authenticated
aaa authorization commands 15 default group TACACS_PLUS if-authenticated
aaa accounting commands 0 default start-stop group TACACS_PLUS
aaa accounting commands 1 default start-stop group TACACS_PLUS
aaa accounting commands 15 default start-stop group TACACS_PLUS
Nexus 5K, 6K, 7K (tested):
feature tacacs+
tacacs-server host XX.XX.X.XXX key <password> timeout 2
tacacs-server host XX.XX.X.XXX key <password> timeout 2
aaa group server tacacs+ TACACS_PLUS
server XX.XX.X.XXX
server XX.XX.X.XXX
source-interface <ex. vlan/loopback>
!Optional: use-vrf <vrf name>
aaa authentication login default group TACACS_PLUS
aaa authorization config-commands default group TACACS_PLUS
aaa authorization commands default group TACACS_PLUS
aaa accounting default group TACACS_PLUS
Best Answer
Not using a loopback address can cause many problems, as you will likely discover on your own ;-p
The command you quote is used to specify the source interface, if I understand your question. You can only specify one.
If you don't specify the source interface, the router will use the interface closest to the destination, based on the routing table. If you don't specify an interface, then the source interface can change if there is a topology change. Your AAA server may not recognize the new address.
If you do specify a physical interface and that interface goes down, TACACS stops working.
If you use a loopback interface, the source address never changes, since the interface never goes down. This is considered a good practice.
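To check a running config against the three points raised in this thread (TACACS first with a local fall-back, an explicit per-server timeout, and a loopback source interface), here is an added Python audit script; it is not from the thread or from Cisco. The config excerpts, the 192.0.2.x server addresses and the `<password>` placeholder are constructed for the example.

```python
import re

# Constructed IOS-style excerpt modelled on the config posted above; the second
# server line deliberately omits the timeout so the audit has something to flag.
SAMPLE_CONFIG = """\
aaa group server tacacs+ TACACS_PLUS
 server-private 192.0.2.10 timeout 2 key <password>
 server-private 192.0.2.11 key <password>
 ip tacacs source-interface Loopback0
aaa authentication login default group TACACS_PLUS local
aaa authentication enable default group TACACS_PLUS enable
"""

# Constructed weak excerpt: no local fall-back, default timeout, physical source.
WEAK_CONFIG = """\
aaa authentication login default group tacacs+
tacacs-server host 192.0.2.10 key <password>
ip tacacs source-interface GigabitEthernet0/0
"""


def audit_tacacs(config: str) -> dict:
    """Return a dict of findings for the login method list, server timeouts
    and source interface, following the recommendations in the thread."""
    findings = {}
    # Named TACACS+ groups plus the built-in 'tacacs+' group name.
    groups = set(re.findall(r"^aaa group server tacacs\+ (\S+)", config, re.M))
    groups.add("tacacs+")
    # Default login list should be 'group <tacacs group>' followed by 'local'
    # so admins can still log in when the servers are unreachable.
    m = re.search(r"^aaa authentication login default (.+)$", config, re.M)
    methods = m.group(1).split() if m else []
    findings["login_uses_tacacs"] = (
        len(methods) >= 2 and methods[0] == "group" and methods[1] in groups
    )
    findings["login_falls_back_local"] = "local" in methods[2:]
    # Every server definition (old or new syntax) should carry its own timeout;
    # otherwise the global default applies and fall-back to local is slow.
    servers = re.findall(
        r"^ *(?:server-private|tacacs-server host) (\S+)(.*)$", config, re.M
    )
    findings["servers_missing_timeout"] = [ip for ip, rest in servers if "timeout" not in rest]
    # Source interface should be a loopback so the address the AAA server sees
    # never changes when a physical link flaps or the topology changes.
    src = re.search(r"^ *(?:ip tacacs )?source-interface (\S+)", config, re.M)
    findings["source_is_loopback"] = bool(src) and src.group(1).lower().startswith("loopback")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_tacacs(cfg))
```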