ANM 4.2 Tacacs authentication

Similar Messages

• Tacacs authentication fails for one user account for only one switch

  Hi,
  I am having an scenario, where as Tacacs authentication fails for one user account for only one switch.
  The same user account works well for other devices.
  The AAA configs are same on every devices in the network.
  Heres the show tacacs output from the switch where only one user account fails;
                Socket opens:        157
               Socket closes:        156
               Socket aborts:        303
               Socket errors:          1
             Socket Timeouts:          2
     Failed Connect Attempts:          0
          Total Packets Sent:       1703
          Total Packets Recv:       1243
            Expected Replies:          0
  What could be the reason ?
  No errors on ACS server; same rights had been given to the user account.
  Thanks to advise.
  Prasey

  Hi there,
  Does the user get authenticated in the ACS logs?
  reports and activity----> failed attempts
  ro
  reports and activity----->  passed authentications
  That will help narrow it down.
  Brad

• Tacacs+ authentication/authorization based on user's subnet

  Hi Guys/Girls
  We have number of production cisco gears, all of which are configured with Tacacs+ and all of them working just fine. But now I have a requirement to implement SSH-ver2 across whole network, comprise of about 8000 cisco gears.
  I need to develop a proof of concept (POC), that enabling SSH on production gears will not affect existing Tacacs+ users authentication and authorization.
  In our lab cisco gears, it has been already configured with production Tacacs+ server for authentication and authorization. Now I am allowed to test SSH on these lab-gears but I without disrupting others users who are using the same lab-gears.
  So, I want to enable SSH version 2 on these lab-gears however, when user coming from a certain specific subnet, this particular user must be authenticated and authorized by LAB Tacacs+ but not from production Tacacs+, however please note that lab-gears I am testing with also already configured for  production Tacacs+ server as well. These lab-gears must be able to do authentication and authorization to two different Tacacs+ server based on users subnet that he or she coming from.
  Is this doable plan? I have been looking for a documentation to implement test this method, not being successful.
  Your feedback will be appreciated and rated.
  Thanks
  Rizwan Rafeek

  Riswan,
  This will not work, tacacs authentication starts once the ssh connection is established, the NAD (switch or router) will open a tacacs connection and send the start flag to the tacacs server in which the message "getusername" is sent from the tacacs server to the device and to the user terminal. You can not create an acl in order to pick which tacacs servers you can authenticate to either. So when it comes to authenticating users from a specific subnet to a specific tacacs server that is not the intended design of tacacs, when you configure multiple servers in a group it is to insure high availability such that when one tacacs server goes down you have a secondary to continue with the authenticaiton requests.
  Here is an example of how the tacacs authentication is performed.
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic
  thanks and I hope that helps,
  Tarik Admani
  *Please rate helpful posts*

• TACACS+ Authentication For Cisco NAM

  Hi All,
  I have an cisco ACS v5.1 and also a cisco NAM. Currently, I have configured TACACS+ on the NAM and the ACS v5.1 however when I try to access the NAM, the ACS v5.1 has an error message of "TACACS+ authentication ended with error" and I am not able to access the equipment.
  For your information, I have no problem with others equipment TACACS+ authentication with the same ACS.
  Please advise.
  Thks and Rgds

  Steven
  I would first suggest that you verify that your ACS has an appropriate and correct entry configured for the NAM as a client. Assuming that is correct then I would suggest that you check and verify that the NAM is originating its TACACS requests from the address that you configured for the client on the ACS and that the shared secret is the same on both devices.
  If those are correct then I would suggest to look in the Failed Attempts report of ACS and see if it provides a better identification of the problem.
  HTH
  Rick

• Can I intergrate TACACS+ authentication with MS AD?

  hi, I would like to using MS AD account as a tacacs authentication account. I use tac_plus-F4.0.4.7 on Freebsd. Does anyone get some ideas? thank you!

  Although that is an interesting thought, I am also not up on that software and not sure this would be the best place to get that answer. For Cisco's Secure ACS, it is merely a click of the button. ACS from Cisco has many other features that I do know are not availabe in the few open source TACACS+ servers i have seen. I see no advantage even for small companies going this route given that the savings in dollars is little compared to the loss in functionality and interoperability among Cisco's products.

• Tacacs authentication problem.

  Hy,
  I have a network with several layer 2 (c2960) attached to a layer 3 switch (c3750).
  All these switches are behind a firewall (ASA 5510) and the firewall is connected to a router c3810.
  I have an ACS v.4.x to use as a Tacacs server.
  In all the equipments I have aaa authentication with tacacs and vlans.
  To test the tacacs authentication in the switch, I created a bypass to the firewall and connected the network (using a management vlan) to the router.
  With this scenario the tacacs authentication works.
  If I disconnect the bypass, all the traffic cross over the firewall. But I will not have the tacacs working anymore with the switch.
  I do not understand why!!?
  I have another problem, this time with the firewall.
  I configured the tacacs and the aaa in the firewall, as advised by Cisco.
  But it seems that it doesn’t work!
  In this two cases only the local authentication works.
  Can you help me, please?
  Thanks in advance,
                        Rui Oliveira

  Hy,
  I am doing tests in a Lab.
  So, the addresses presented here are not Internet routable.
  The configuration for the tacacs at the ASA is:
  aaa-server TACACS protocol tacacs+
  aaa-server TACACS (OUT_MANGMT) host 172.16.20.10
  key mykey
  aaa authentication enable console LOCAL
  aaa authentication serial console LOCAL
  aaa authentication telnet console TACACS LOCAL
  aaa authentication http console TACACS LOCAL
  aaa authentication ssh console TACACS LOCAL
  aaa authorization command LOCAL
  aaa accounting enable console TACACS
  aaa accounting telnet console TACACS
  aaa accounting ssh console TACACS
  aaa local authentication attempts max-fail 5
  aaa authorization exec LOCAL
  I´m doing the tests with an ASA with a the IP address 10.183.0.61.
  And this address is seen from the outside, but I do a NAT between the 10.183.0.61 and the IP address 192.168.100.2 in the TCP/23.
  Besides that I have an interface called OUT_MANGMT, with IP address 192.168.100.2 .
  I have another interface that a called GESTAO, with IP address 10.183.0.61.
  This interface GESTAO is connected to a management vlan.
  My ACS has IP 172.16.20.10 and the standard port for tacacs is tcp/49.
  I send the logging file that I take from my firewall.
  Thanks,
             Rui

• TACACS+ authentication fails VPN3000 administration sessions

  I have a problem when running TACACS+ authentication of VPN3000 administration sessions. If the admin account in the AAA-server has an expired password the login fails to the VPN3000. If I login to a router with the same account connected to the same AAA-server I get a prompt that tells me to change password since it has expired. After changing password through that login to a router I can also login to the VPN3000. Is it a limitation in VPN3000? Does it have a hard time presenting a password change dialog on a webpage?
  Any help appreciated.
  Håkan

  In concentrators you won't get any prompt for password expiry. You will have to change the password before it expires.

• Problem setting 7606 router for TACACS+ authentication

  Hello Support Community,
  I have two Cisco 7606 routers which I have tried in vain to have users authenticated using TACACS+ servers. As shown below, I have two servers (1.1.1.1 and 2.2.2.2) reachable via vrf OAM which is reachable from desktops for ssh login. The true IP addresses and vrf have been altered because it's a company router.
  I use the two servers to authenticate many other Cisco devices in the network they are working fine.
  I can reach the servers from the vrf and the source interface in use. I can also telnet port 49 if the servers from the source interface and the vrf.
  The server key is hidden but at the time of configuration, I can ascertain that it's correct.
  The problem is that after confuring for TACACS authentication, the router still uses the enable password instead of TACACS. While the debug output shows 'bad password', why is the router not authenticating using TACACS? Why is it using the enable password?
  Please study the outputs below and help point out what I may need to change.
  PS: I have tried out many other combinations, including deprecated ones without success including the method suggested in this page;
  http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html
  Please help I'm stuck.
  ROUTER#sh running-config | sec aaa
  aaa new-model
  aaa group server tacacs+ admin
  server name admin
  server name admin1
  ip vrf forwarding OAM
  ip tacacs source-interface GigabitEthernet1
  aaa authentication login admin group tacacs+ local enable
  aaa session-id common
  ROUTER#sh running-config | sec tacacs
  aaa group server tacacs+ admin
  server name admin
  server name admin1
  ip vrf forwarding OAM
  ip tacacs source-interface GigabitEthernet1
  aaa authentication login admin group tacacs+ local enable
  tacacs server admin
  address ipv4 1.1.1.1
  key 7 XXXXXXXXXXXXXXXXXXXX
  tacacs server admin1
  address ipv4 2.2.2.2
  key 7 XXXXXXXXXXXXXXXXxxxx
  line vty 0 4
  login authentication admin
  ROUTER#sh tacacs
  Tacacs+ Server -  public  :
                 Server name: admin
              Server address: 1.1.1.1
                 Server port: 49
                Socket opens:         15
               Socket closes:         15
               Socket aborts:          0
               Socket errors:          0
             Socket Timeouts:          0
     Failed Connect Attempts:          0
          Total Packets Sent:          0
          Total Packets Recv:          0
  Tacacs+ Server -  public  :
                 Server name: admin1
              Server address: 2.2.2.2
                 Server port: 49
                Socket opens:         15
               Socket closes:         15
               Socket aborts:          0
               Socket errors:          0
             Socket Timeouts:          0
     Failed Connect Attempts:          0
          Total Packets Sent:          0
          Total Packets Recv:          0
  Oct 22 12:38:57.587: AAA/BIND(0000001A): Bind i/f 
  Oct 22 12:38:57.587: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
  Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
  Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
  Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
  Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
  Oct 22 12:39:04.335: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
  Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
  Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
  Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
  Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
  Oct 22 12:39:10.679: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
  Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
  Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
  Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
  Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
  ROUTER#sh ver
  Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2012 by Cisco Systems, Inc.
  Compiled Fri 30-Mar-12 08:34 by prod_rel_team
  ROM: System Bootstrap, Version 12.2(33r)SRE, RELEASE SOFTWARE (fc1)
  BOOTLDR: Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
  ROUTER uptime is 7 weeks, 5 days, 16 hours, 48 minutes
  Uptime for this control processor is 7 weeks, 5 days, 16 hours, 49 minutes
  System returned to ROM by reload (SP by reload)
  System restarted at 20:00:59 UTC Wed Aug 28 2013
  System image file is "sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3.bin"
  Last reload type: Normal Reload
  Last reload reason: power-on
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  Cisco CISCO7606-S (M8500) processor (revision 1.1) with 3670016K/262144K bytes of memory.
  Processor board ID FOX1623G61B
  BASEBOARD: RSP720
  CPU: MPC8548_E, Version: 2.1, (0x80390021)
  CORE: E500, Version: 2.2, (0x80210022)
  CPU:1200MHz, CCB:400MHz, DDR:200MHz,
  L1:    D-cache 32 kB enabled
          I-cache 32 kB enabled
  Last reset from power-on
  3 Virtual Ethernet interfaces
  76 Gigabit Ethernet interfaces
  8 Ten Gigabit Ethernet interfaces
  3964K bytes of non-volatile configuration memory.
  500472K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
  Configuration register is 0x2102

  In order to resolve this issue. Please replace the below listed command
  aaa authentication login admin group tacacs+ local enable
  with;
  aaa authentication login default group admin local enable
  You defined the server group name as method list and instead of using admin as a server-group, you used tacacs+
  Note: Please ensure you have local user and enable password configured in case of tacacs server unreachable.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Software to test RADIUS/TACACS authentication to ACS server

  Hi experts,
  Is anyone aware of a software that will test RADIUS and/or TACACS authentication to an ACS server from a PC? Same as what you can do on the Cisco VPN concentrator from the page Configuration | System | Servers | Authentication | Test Screen.
  Thanks in advance!

  If you look in the ACS utils folder you'll see radtest and tactest.exe
  These can be used to generate test packets. If you install ACS on another PC you can fire requests from that other PC too.
  I think Vasco (token card vendor) had a really nice GUI based RADIUS client too.
  Darran

• With Cisco Secure ACS For Windows TACACS+, authentication fails with AD

    I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for Switches and Routers  I am using Windows 2003 server for the ACS,
  and a Windows 2003 Active Directory server.  The AD server is fine, as it is used for many other things.
  I have set up ACS as defined nit he installation guide, including all the steps in the 'Member Server' section of the install guide
  when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
  on the domain etc).
  I've set the unknown user policy to use the Windows database if the internal database doesn;t contain the user details.
  If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
  02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,(geting error message as INternal Error)
  I've scoured google etc, and just cannot come up with any reason why this should be happening.
    I've followed all the install guides to the letter.  I need to get this up and running as soon as possible,
  so am looking forward to finding out if anyone can help me with this one!
  THanks and regards
  Sharan

  Hi  Jesse,
  Thasts a great answer and Soution.
  My previous version was 4.2 and it was installed on 64 bit machine hence getting internal Error.
  After this answer i have upgraded it to ACS4.2.1 and its started working fine
  Thanks very much for the help
  Dipu

• How to use tacacs+ authentication to assign a group policy at login in Cisco ASA

  Hi everyone
  As title, anyone knows how it works?
  I only found it can work with LDAP authentication, but not in TACACS+
  http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html#noaccessgp
  please give me a hand, thanks.

  Hi Karten,
  I have the similar requirement and I used the ACS and configure Auth profile and map the RADIUS class (25) value as ASA group-policy name (even tried with tunnel-group name), but it does not work. It allows whatever vpn group that user select regardless of the user groups he belongs to.
  I use two ACS local users and put them in two different groups and maped those two groups with two different Access rules in the ACS and pointed to correct Auth profile etc.
  I am not sure what could be the issue and appreciate if you can advise.
  thanks in advance.

• TACACS Authentication not working with ASA

  I have an ACS 4.1 Windows server running TACACS. It si working on all devices within the enterprise except for one new ASA at a remote site. There is no NAT going on or anything and the ASA can ping the ACS box and the ACS box can ping the ASA.
  I added the configuration below but the authentication fails and no requests come to the ACS server
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ host 10.x.x.x
  key password
  aaa authentication ssh console TACACS+ LOCAL
  aaa authentication enable console TACACS+ LOCAL
  aaa authentication http console TACACS+ LOCAL
  Any help would be greatly appreciated

  Please check shared secret key. Remember NDG key overwrites aaa client key.
  Make sure acs should have correct ip address of asa in network configuration.
  Do you see any hits on acs failed or passed attempts ? Also try increasing the tacacs timeout to 15 sec.

• Tacacs authentication with ACE appliance not working

  Hi All,
  I'm having trouble with a Cisco ACE 4710 appliance using tacacs to authenticate ssh/telnet remote users. Following the CCO documentation we have configured the backend tacacs server (Cisco Secure ACS) and setup the ACE with the required configuration.
  tacacs-server key 7 "letmein"
  tacacs-server host 192.168.1.1 timeout 5
  aaa group server tacacs+ ACStac
    server 192.168.1.1
  aaa authentication login default group ACStac local
  So far no luck in successfully authenticating any users. I can see in the log on the ACS a key mismatch error however I have 100% verified the keys are identical, im thinking this may be a bug?
  Furthermore when I paste in the tacacs-server key it gets converted to a type 7 in the running configuration even though I use the no encryption option. Anyone have any ideas? The ACE is running version A3(2.3)
  Thanks in advance

  Hi Matt,
  Please remove the shared secret of teh NDG and test.
  Regards,
  Anisha
  P.S.: please rate this post if ypou feel your query is answered

• Tacacs+ authentication errors

  I am having problems getting TACACS+ AAA working with my 3560 switches. I have set up users, groups, and NDG on ACS SE as per the CS ACS course material and have triple checked my keys to make sure they match. I have attached debug from switch for authentication, authorization and tacacs+. Can someone please tell me what I am doing wrong?

  Here is the config I have on the switch. (sorry should have sent this already).
  aaa new-model
  aaa authentication login default group tacacs+ none
  aaa authentication login no_aaa none
  aaa authorization exec default group tacacs+ none
  aaa authorization exec no_aaa none
  aaa authorization commands 1 default group tacacs+ none
  aaa authorization commands 15 default group tacacs+ none
  aaa authorization commands 15 no_aaa none
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  interface VLAN1
  ip address 10.200.1.16 255.255.255.0
  no ip directed-broadcast
  no ip route-cache
  ip tacacs source-interface VLAN1
  tacacs-server host 10.200.35.250
  tacacs-server key cisco
  line con 0
  authorization commands 15 no_aaa
  authorization exec no_aaa
  login authentication no_aaa
  transport input none
  stopbits 1
  line vty 5 15

• Tacacs authentication with dedicated passwd file

  Hi all,
  i'm trying to setup a tacacs server (the free version for linux). It is possible to use the linux /etc/passwd file to store the users/passwords.
  But i am trying to setup a dedicated passwd-style file to keep the tacacas users seperate from the linux OS users.
  There is a command in the tacacs config like: 
  default authentication = file /etc/passwd
  enable = file /etc/passwd
  How can i use a seperate file for this authentication type? I used the statemend "default authentication = file /etc/mypasswd.txt"
  but this does not work
  The mypasswd.txt looked like this:
  testuser:mypasswordcleartext
  testuser2:mypassworddesencrypted
  None of these statemens worked for me and i always get "authentication error"
  I was not able to find a documentation about this. Does anybody know if this is possible at all, and how the mypasswd.txt must look like??
  Thanks in advance.

  There's some documentation that tells you about setting
  remote credentials. Have a look here:
  http://livedocs.adobe.com/flex/2/docs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDo cs_Parts&file=00001109.html
  And here
  http://livedocs.adobe.com/flex/2/docs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDo cs_Parts&file=00001109.html