ANM 4.2 Tacacs authentication
The documentation for configuring Tacacs authentication at this link (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/4.2/user/guide/UG_admin.html#wp1267519) states the following:
Note For the ACE to properly perform user authentication using a TACACS+ server, the username and password must be identical on both ANM and the TACACS+ server.
If the user id and password have to be the same, what is the point of using Tacacs for authentication? Someone tell me that I can use a TACACS+ server without being forced to keep the user id and password synched between ANM and Tacacs.
This has now been corrected
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/4.2/user/guide/UG_admin.html#wp1275208
Matthew
Similar Messages
-
Tacacs authentication fails for one user account for only one switch
Hi,
I have a scenario where Tacacs authentication fails for one user account for only one switch.
The same user account works well for other devices.
The AAA configs are the same on every device in the network.
Here's the show tacacs output from the switch where only one user account fails:
Socket opens: 157
Socket closes: 156
Socket aborts: 303
Socket errors: 1
Socket Timeouts: 2
Failed Connect Attempts: 0
Total Packets Sent: 1703
Total Packets Recv: 1243
Expected Replies: 0
What could be the reason ?
No errors on ACS server; same rights had been given to the user account.
Thanks to advise.
Prasey
Hi there,
Does the user get authenticated in the ACS logs?
reports and activity----> failed attempts
or
reports and activity-----> passed authentications
That will help narrow it down.
Brad -
Tacacs+ authentication/authorization based on user's subnet
Hi Guys/Girls
We have a number of production Cisco gears, all of which are configured with Tacacs+ and all of them are working just fine. But now I have a requirement to implement SSH-ver2 across the whole network, comprised of about 8000 Cisco gears.
I need to develop a proof of concept (POC) that enabling SSH on production gears will not affect existing Tacacs+ users' authentication and authorization.
Our lab Cisco gears have already been configured with the production Tacacs+ server for authentication and authorization. Now I am allowed to test SSH on these lab-gears, but without disrupting other users who are using the same lab-gears.
So, I want to enable SSH version 2 on these lab-gears. However, when a user is coming from a certain specific subnet, this particular user must be authenticated and authorized by the LAB Tacacs+ and not by the production Tacacs+. Please note that the lab-gears I am testing with are also already configured for the production Tacacs+ server. These lab-gears must be able to do authentication and authorization against two different Tacacs+ servers based on the subnet that the user is coming from.
Is this a doable plan? I have been looking for documentation to implement and test this method, without being successful.
Your feedback will be appreciated and rated.
Thanks
Rizwan Rafeek
Rizwan,
This will not work. Tacacs authentication starts once the ssh connection is established: the NAD (switch or router) will open a tacacs connection and send the start flag to the tacacs server, in which the message "getusername" is sent from the tacacs server to the device and to the user terminal. You cannot create an acl in order to pick which tacacs servers you can authenticate to either. So when it comes to authenticating users from a specific subnet to a specific tacacs server, that is not the intended design of tacacs. When you configure multiple servers in a group, it is to ensure high availability, such that when one tacacs server goes down you have a secondary to continue with the authentication requests.
Here is an example of how the tacacs authentication is performed.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic
thanks and I hope that helps,
Tarik Admani
*Please rate helpful posts* -
TACACS+ Authentication For Cisco NAM
Hi All,
I have a Cisco ACS v5.1 and also a Cisco NAM. Currently, I have configured TACACS+ on the NAM and the ACS v5.1; however, when I try to access the NAM, the ACS v5.1 has an error message of "TACACS+ authentication ended with error" and I am not able to access the equipment.
For your information, I have no problem with other equipment's TACACS+ authentication with the same ACS.
Please advise.
Thks and Rgds
Steven
I would first suggest that you verify that your ACS has an appropriate and correct entry configured for the NAM as a client. Assuming that is correct then I would suggest that you check and verify that the NAM is originating its TACACS requests from the address that you configured for the client on the ACS and that the shared secret is the same on both devices.
If those are correct then I would suggest to look in the Failed Attempts report of ACS and see if it provides a better identification of the problem.
HTH
Rick -
Can I integrate TACACS+ authentication with MS AD?
Hi, I would like to use an MS AD account as a tacacs authentication account. I use tac_plus-F4.0.4.7 on FreeBSD. Does anyone have some ideas? Thank you!
Although that is an interesting thought, I am also not up on that software and not sure this would be the best place to get that answer. For Cisco's Secure ACS, it is merely a click of the button. ACS from Cisco has many other features that I do know are not available in the few open source TACACS+ servers I have seen. I see no advantage even for small companies going this route given that the savings in dollars is little compared to the loss in functionality and interoperability among Cisco's products.
-
Tacacs authentication problem.
Hy,
I have a network with several layer 2 (c2960) attached to a layer 3 switch (c3750).
All these switches are behind a firewall (ASA 5510) and the firewall is connected to a router c3810.
I have an ACS v.4.x to use as a Tacacs server.
In all the equipments I have aaa authentication with tacacs and vlans.
To test the tacacs authentication in the switch, I created a bypass to the firewall and connected the network (using a management vlan) to the router.
With this scenario the tacacs authentication works.
If I disconnect the bypass, all the traffic crosses over the firewall. But I will not have the tacacs working anymore with the switch.
I do not understand why!!?
I have another problem, this time with the firewall.
I configured the tacacs and the aaa in the firewall, as advised by Cisco.
But it seems that it doesn’t work!
In these two cases only the local authentication works.
Can you help me, please?
Thanks in advance,
Rui Oliveira
Hy,
I am doing tests in a Lab.
So, the addresses presented here are not Internet routable.
The configuration for the tacacs at the ASA is:
aaa-server TACACS protocol tacacs+
aaa-server TACACS (OUT_MANGMT) host 172.16.20.10
 key mykey
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authorization command LOCAL
aaa accounting enable console TACACS
aaa accounting telnet console TACACS
aaa accounting ssh console TACACS
aaa local authentication attempts max-fail 5
aaa authorization exec LOCAL
I'm doing the tests with an ASA with the IP address 10.183.0.61.
And this address is seen from the outside, but I do a NAT between the 10.183.0.61 and the IP address 192.168.100.2 in the TCP/23.
Besides that I have an interface called OUT_MANGMT, with IP address 192.168.100.2.
I have another interface that is called GESTAO, with IP address 10.183.0.61.
This interface GESTAO is connected to a management vlan.
My ACS has IP 172.16.20.10 and the standard port for tacacs is tcp/49.
I send the logging file that I take from my firewall.
Thanks,
Rui -
TACACS+ authentication fails VPN3000 administration sessions
I have a problem when running TACACS+ authentication of VPN3000 administration sessions. If the admin account in the AAA-server has an expired password the login fails to the VPN3000. If I login to a router with the same account connected to the same AAA-server I get a prompt that tells me to change password since it has expired. After changing password through that login to a router I can also login to the VPN3000. Is it a limitation in VPN3000? Does it have a hard time presenting a password change dialog on a webpage?
Any help appreciated.
Håkan
In concentrators you won't get any prompt for password expiry. You will have to change the password before it expires.
-
Problem setting 7606 router for TACACS+ authentication
Hello Support Community,
I have two Cisco 7606 routers which I have tried in vain to have users authenticated using TACACS+ servers. As shown below, I have two servers (1.1.1.1 and 2.2.2.2) reachable via vrf OAM which is reachable from desktops for ssh login. The true IP addresses and vrf have been altered because it's a company router.
I use the two servers to authenticate many other Cisco devices in the network they are working fine.
I can reach the servers from the vrf and the source interface in use. I can also telnet port 49 of the servers from the source interface and the vrf.
The server key is hidden but at the time of configuration, I can ascertain that it's correct.
The problem is that after configuring for TACACS authentication, the router still uses the enable password instead of TACACS. While the debug output shows 'bad password', why is the router not authenticating using TACACS? Why is it using the enable password?
Please study the outputs below and help point out what I may need to change.
PS: I have tried out many other combinations, including deprecated ones without success including the method suggested in this page;
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html
Please help I'm stuck.
ROUTER#sh running-config | sec aaa
aaa new-model
aaa group server tacacs+ admin
 server name admin
 server name admin1
 ip vrf forwarding OAM
 ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
aaa session-id common
ROUTER#sh running-config | sec tacacs
aaa group server tacacs+ admin
 server name admin
 server name admin1
 ip vrf forwarding OAM
 ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
tacacs server admin
 address ipv4 1.1.1.1
 key 7 XXXXXXXXXXXXXXXXXXXX
tacacs server admin1
 address ipv4 2.2.2.2
 key 7 XXXXXXXXXXXXXXXXxxxx
line vty 0 4
 login authentication admin
ROUTER#sh tacacs
Tacacs+ Server - public :
Server name: admin
Server address: 1.1.1.1
Server port: 49
Socket opens: 15
Socket closes: 15
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
Tacacs+ Server - public :
Server name: admin1
Server address: 2.2.2.2
Server port: 49
Socket opens: 15
Socket closes: 15
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
Oct 22 12:38:57.587: AAA/BIND(0000001A): Bind i/f
Oct 22 12:38:57.587: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
Oct 22 12:39:04.335: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
Oct 22 12:39:10.679: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
ROUTER#sh ver
Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Fri 30-Mar-12 08:34 by prod_rel_team
ROM: System Bootstrap, Version 12.2(33r)SRE, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
ROUTER uptime is 7 weeks, 5 days, 16 hours, 48 minutes
Uptime for this control processor is 7 weeks, 5 days, 16 hours, 49 minutes
System returned to ROM by reload (SP by reload)
System restarted at 20:00:59 UTC Wed Aug 28 2013
System image file is "sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3.bin"
Last reload type: Normal Reload
Last reload reason: power-on
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco CISCO7606-S (M8500) processor (revision 1.1) with 3670016K/262144K bytes of memory.
Processor board ID FOX1623G61B
BASEBOARD: RSP720
CPU: MPC8548_E, Version: 2.1, (0x80390021)
CORE: E500, Version: 2.2, (0x80210022)
CPU:1200MHz, CCB:400MHz, DDR:200MHz,
L1: D-cache 32 kB enabled
I-cache 32 kB enabled
Last reset from power-on
3 Virtual Ethernet interfaces
76 Gigabit Ethernet interfaces
8 Ten Gigabit Ethernet interfaces
3964K bytes of non-volatile configuration memory.
500472K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
Configuration register is 0x2102
In order to resolve this issue, please replace the below listed command
aaa authentication login admin group tacacs+ local enable
with:
aaa authentication login default group admin local enable
You defined the server group name as method list and instead of using admin as a server-group, you used tacacs+
Note: Please ensure you have local user and enable password configured in case of tacacs server unreachable.
~BR
Jatin Katyal
**Do rate helpful posts** -
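The check described in the reply above (a login method list that names the built-in `tacacs+` group although the device defines its own TACACS+ server group) can be automated over saved configurations. This is an added example, not code from the thread or from Cisco; the function names and finding codes are made up for illustration, and the sample configuration is copied from the post with the replacement line from the reply.

```python
import re

GROUP_RE = re.compile(r"^aaa group server tacacs\+ (\S+)$")
LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
GROUP_SUBCMDS = ("server ", "ip vrf forwarding ", "ip tacacs source-interface ")
BUILTIN_GROUPS = {"tacacs+", "radius"}


def parse_aaa(config):
    """Return (server_groups, login_method_lists) parsed from IOS config text."""
    groups, lists, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate configs pasted with or without indentation
        if not line:
            continue
        m = GROUP_RE.match(line)
        if m:
            current = groups.setdefault(m.group(1), {"servers": [], "vrf": None})
            continue
        if current is not None and line.startswith(GROUP_SUBCMDS):
            value = line.split()[-1]
            if line.startswith("server ") and value not in current["servers"]:
                current["servers"].append(value)
            elif line.startswith("ip vrf forwarding "):
                current["vrf"] = value
            continue
        current = None  # any other command ends the server-group block
        m = LOGIN_RE.match(line)
        if m:
            lists[m.group(1)] = m.group(2).split()
    return groups, lists


def lint_login_lists(config):
    """Return (method_list, finding_code, detail) tuples for suspicious lists."""
    groups, lists = parse_aaa(config)
    findings = []
    for list_name, methods in lists.items():
        for i, token in enumerate(methods[:-1]):
            if token != "group":
                continue
            ref = methods[i + 1]
            if ref == "tacacs+" and groups:
                # Named groups exist but the list bypasses them, so their
                # per-group settings (servers, VRF) are not what gets used.
                findings.append((list_name, "builtin-group", ",".join(sorted(groups))))
            elif ref not in BUILTIN_GROUPS and ref not in groups:
                findings.append((list_name, "undefined-group", ref))
    return findings


# Configuration lines as posted in the question.
BEFORE = """\
aaa new-model
aaa group server tacacs+ admin
server name admin
server name admin1
ip vrf forwarding OAM
ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
aaa session-id common
"""

# Same configuration with the replacement line given in the reply.
AFTER = BEFORE.replace(
    "aaa authentication login admin group tacacs+ local enable",
    "aaa authentication login default group admin local enable",
)

if __name__ == "__main__":
    print("before:", lint_login_lists(BEFORE))
    print("after: ", lint_login_lists(AFTER))
```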
Software to test RADIUS/TACACS authentication to ACS server
Hi experts,
Is anyone aware of a software that will test RADIUS and/or TACACS authentication to an ACS server from a PC? Same as what you can do on the Cisco VPN concentrator from the page Configuration | System | Servers | Authentication | Test Screen.
Thanks in advance!
If you look in the ACS utils folder you'll see radtest and tactest.exe
These can be used to generate test packets. If you install ACS on another PC you can fire requests from that other PC too.
I think Vasco (token card vendor) had a really nice GUI based RADIUS client too.
Darran -
With Cisco Secure ACS For Windows TACACS+, authentication fails with AD
I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for Switches and Routers. I am using Windows 2003 server for the ACS,
and a Windows 2003 Active Directory server. The AD server is fine, as it is used for many other things.
I have set up ACS as defined in the installation guide, including all the steps in the 'Member Server' section of the install guide
when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
on the domain etc).
I've set the unknown user policy to use the Windows database if the internal database doesn't contain the user details.
If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,(getting error message as Internal Error)
I've scoured google etc, and just cannot come up with any reason why this should be happening.
I've followed all the install guides to the letter. I need to get this up and running as soon as possible,
so am looking forward to finding out if anyone can help me with this one!
Thanks and regards
Sharan
Hi Jesse,
That's a great answer and solution.
My previous version was 4.2 and it was installed on a 64 bit machine, hence getting the internal error.
After this answer I have upgraded it to ACS4.2.1 and it started working fine
Thanks very much for the help
Dipu -
How to use tacacs+ authentication to assign a group policy at login in Cisco ASA
Hi everyone
As title, anyone knows how it works?
I only found it can work with LDAP authentication, but not in TACACS+
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html#noaccessgp
please give me a hand, thanks.
Hi Karten,
I have the similar requirement and I used the ACS and configured an Auth profile and mapped the RADIUS class (25) value as the ASA group-policy name (even tried with tunnel-group name), but it does not work. It allows whatever vpn group that user selects regardless of the user groups he belongs to.
I use two ACS local users and put them in two different groups and mapped those two groups with two different Access rules in the ACS and pointed to the correct Auth profile etc.
I am not sure what could be the issue and appreciate if you can advise.
thanks in advance. -
TACACS Authentication not working with ASA
I have an ACS 4.1 Windows server running TACACS. It is working on all devices within the enterprise except for one new ASA at a remote site. There is no NAT going on or anything and the ASA can ping the ACS box and the ACS box can ping the ASA.
I added the configuration below but the authentication fails and no requests come to the ACS server
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host 10.x.x.x
 key password
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
Any help would be greatly appreciated
Please check shared secret key. Remember NDG key overwrites aaa client key.
Make sure acs should have correct ip address of asa in network configuration.
Do you see any hits on acs failed or passed attempts ? Also try increasing the tacacs timeout to 15 sec. -
Tacacs authentication with ACE appliance not working
Hi All,
I'm having trouble with a Cisco ACE 4710 appliance using tacacs to authenticate ssh/telnet remote users. Following the CCO documentation we have configured the backend tacacs server (Cisco Secure ACS) and setup the ACE with the required configuration.
tacacs-server key 7 "letmein"
tacacs-server host 192.168.1.1 timeout 5
aaa group server tacacs+ ACStac
server 192.168.1.1
aaa authentication login default group ACStac local
So far no luck in successfully authenticating any users. I can see in the log on the ACS a key mismatch error however I have 100% verified the keys are identical, I'm thinking this may be a bug?
Furthermore when I paste in the tacacs-server key it gets converted to a type 7 in the running configuration even though I use the no encryption option. Anyone have any ideas? The ACE is running version A3(2.3)
Thanks in advance
Hi Matt,
Please remove the shared secret of the NDG and test.
Regards,
Anisha
P.S.: please rate this post if you feel your query is answered -
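Several replies on this page come down to the shared secret actually used by each side (for example an NDG key taking precedence over the per-client key). The following added example, which is not from any of the posts, implements the TACACS+ body obfuscation and length check from RFC 8907 to show why a differing secret makes the receiver reject the packet; the user name, port, address, session id and secrets are constructed sample values.

```python
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5-chained pad from RFC 8907: MD5(session_id, key, version, seq_no[, prev])."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate a body (XOR with the pad is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(user, port, rem_addr, session_id, key):
    """Build an authentication START packet as a device (NAD) would send it."""
    version, seq_no = 0xC0, 1
    # action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN, four length bytes
    body = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0])
    body += user + port + rem_addr
    header = HEADER.pack(version, 0x01, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, version, seq_no)


def parse_authen_start(packet, key):
    """De-obfuscate with the receiver's key and apply the RFC 8907 length check."""
    version, _ptype, seq_no, _flags, session_id, length = HEADER.unpack(packet[:12])
    body = xor_body(packet[12:12 + length], session_id, key, version, seq_no)
    if len(body) != length or length < 8:
        raise ValueError("truncated packet")
    user_len, port_len, addr_len, data_len = body[4:8]
    if 8 + user_len + port_len + addr_len + data_len != length:
        # With the wrong key the length bytes decode to noise and do not add up.
        raise ValueError("length check failed: shared secret mismatch or corrupt packet")
    return body[8:8 + user_len].decode()


def key_matches(packet, key):
    """True when the packet de-obfuscates cleanly with this key."""
    try:
        parse_authen_start(packet, key)
        return True
    except ValueError:
        return False


# Constructed sample: the device is configured with DEVICE_KEY.
DEVICE_KEY = b"correct-secret"
SAMPLE = build_authen_start(b"netops", b"tty1", b"192.0.2.10", 0x1A2B3C4D, DEVICE_KEY)

if __name__ == "__main__":
    print("same key on server:     ", key_matches(SAMPLE, DEVICE_KEY))
    print("different key on server:", key_matches(SAMPLE, b"ndg-level-secret"))
```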
Tacacs+ authentication errors
I am having problems getting TACACS+ AAA working with my 3560 switches. I have set up users, groups, and NDG on ACS SE as per the CS ACS course material and have triple checked my keys to make sure they match. I have attached debug from switch for authentication, authorization and tacacs+. Can someone please tell me what I am doing wrong?
Here is the config I have on the switch. (sorry should have sent this already).
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication login no_aaa none
aaa authorization exec default group tacacs+ none
aaa authorization exec no_aaa none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization commands 15 no_aaa none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
interface VLAN1
ip address 10.200.1.16 255.255.255.0
no ip directed-broadcast
no ip route-cache
ip tacacs source-interface VLAN1
tacacs-server host 10.200.35.250
tacacs-server key cisco
line con 0
authorization commands 15 no_aaa
authorization exec no_aaa
login authentication no_aaa
transport input none
stopbits 1
line vty 5 15 -
Tacacs authentication with dedicated passwd file
Hi all,
I'm trying to set up a tacacs server (the free version for Linux). It is possible to use the Linux /etc/passwd file to store the users/passwords.
But I am trying to set up a dedicated passwd-style file to keep the tacacs users separate from the Linux OS users.
There is a command in the tacacs config like:
default authentication = file /etc/passwd
enable = file /etc/passwd
How can I use a separate file for this authentication type? I used the statement "default authentication = file /etc/mypasswd.txt"
but this does not work
The mypasswd.txt looked like this:
testuser:mypasswordcleartext
testuser2:mypassworddesencrypted
None of these statements worked for me and I always get "authentication error"
I was not able to find any documentation about this. Does anybody know if this is possible at all, and what the mypasswd.txt must look like?
Thanks in advance.
There's some documentation that tells you about setting
remote credentials. Have a look here:
http://livedocs.adobe.com/flex/2/docs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDo cs_Parts&file=00001109.html
And here
http://livedocs.adobe.com/flex/2/docs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDo cs_Parts&file=00001109.html