RADIUS or TACACS Server Recommendations

Similar Messages

• IP address sent to TACACS server

  Setup a TACACS server on out network to control console and telnet access to routers and switches. Most of our remote routers have multiple wan paths to the TACACS servers and may present a different IP address depending on which path is available or least busy. This causes an authentication failure that denies access to the equipment. Is there a way to configure the router to always send a specific address, either a loopback or internal LAN IP?

  Hi
  FYI,
  Device  Filter—Filters a network device (AAA client) that acts as a Policy  Enforcement Point (PEP) to the end station based on the network device's  IP address or name, or the network device group that it belongs to.
  The  device identifier can be the IP address or name of the device, or it  can be based on the network device group to which the device belongs.
  The  IP address is a protocol-agnostic attribute of type IPv4 that contains a  copy of the device IP address obtained from the request:
  –In a RADIUS request, if Attribute 4 (NAS-IP-Address) is present,  ACS obtains the IP address from Attribute 4; otherwise, if Attribute 32  (NAS-Identifier) is present, ACS obtains the IP address from Attribute  32, or it obtains the IP address from the packet that it receives.
  –In a TACACS request, the IP address is obtained from the packet that ACS receives.

• LMS 4.0/4.1 as tacacs server

     Hi Just a quick one, been looking to consolidate a number of management products and LMS seems to tick nearly all of them off except Tacacs requirement. I've been looking through various LMS Guides and trying to find out if the LMS can act as a tacacs server as I would like to get ride of the current unix system or do I need to use another solution? If so can anyone suggest something that works well with LMS...
  Thanks.

  LMS does not include a TACACS+ or any other AAA server.  It is strongly recommended that you do not install one along side the LMS server on the same logical server.  The reason for this is that you do not want NMS maintenance to affect your network access.  You also want to limit the number of potential attack vectors one could use to compromise your AAA server.
  The leading recommendation is to put your AAA application on a dedicated physical server with strict physical and network access restricitions.  If that is not possible, at least dedicate a virtual machine for AAA.

• Migrating from Linux based Tacacs+ server to Cisco ACS 1113 appliance

  I'm trying to migrate my configuration from a Linux based Tacacs+ server to the Cisco ACS 1113 appliance. Does anyone have any recommendations.
  Thanks.

  Hi
  We (extraxi) offer migration and general consultancy for ACS if you need professional help.
  www.extraxi.com/contact.htm

• IOS Access Point Bombards TACACS+ Server with Requests

  Problem: When using the web GUI to manage an IOS access point such as the AP350, AP1100, or AP1200, and when using TACACS+ to authenticate the HTTP accesses, the access point will send numerous authentication requests to the TACACS+ server for each web page accessed.
  Workaround given by cisco was to use single-connection tacacs server.
  My question:
  How to implement this command? Is it as below
  "tacacs-server host x.x.x.x single-connection port 49 key test".
  I've tried using this command but still getting numerous authentication request.
  Any help?
  regards,
  Ganesh

  We experienced similar problems. We were instructed to use local authentication at the current time. Something about HTTP requiring authentication for each part of the page that accesses data. The configuration line is:
  ip http authentication local
  The single connection did not help. We were also advised that if we required ACS HTTP authentication to use RADIUS because it scaled better than TACACS and would not be as impacted as TACACS. If neither of these are an option, another workaround is to, disable logging "passed authentications". We tested this and it prevented our ACS server from pegging the cpu, memory and I/O write queues. We opted for local authentication because the lack of "passed authentication" logs impacted our troubleshooting.
  Good Luck
  Gerry

• Ucs radius versus tacacs

  Greetings,
  We are running UCS Manager 2.1(3c) and are currently using RADIUS authentication to an ACS4 server.
  We are in the process of upgrading to ACS5.6 and my question is around the authentication and accounting protocols.
  Q:  Which is best, or suitable - RADIUS or TACACS?
  I know in the past there have been limitations of both protocols for various functions.  We have simple needs...  2 levels of RBAC - Full Read-Write access (Administrator as defined in local UCS parlance) and Read-Only (Operations as defined locally on UCS).
  Given those parameters, would TACACS be suitable, and will that give sufficient accounting functionality?
  Thanks in advance.
  Reece...

  I guess that is a case only with W2K3STD where number of radius/aaa clients are limited to 50 only.
  NPS provides different functionality depending on the edition of Windows Server 2008 that you install:
  Windows Server 2008 Enterprise and Windows Server 2008 Datacenter. These server editions include NPS. With NPS in Windows Server 2008 Enterprise and Windows Server 2008 Datacenter, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure a group of RADIUS clients by specifying an IP address range.
  Windows Server 2008 Standard. This server edition includes NPS. With NPS in Windows Server 2008 Standard, you can configure a maximum of 50 RADIUS clients and a maximum of two remote RADIUS server groups. You can define a RADIUS client by using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the NPS server uses the first IP address returned in the Domain Name System (DNS) query.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• How to configure management authentication on IAP using Tacacs Server?

  Requirement:
  Instant access points come with default username and password i.e  admin/admin.  This does not go long way, as the IAP start finding their place in campus and corporate networks.
  With many administrators managing and monitoring the clustered IAP networks, TACACS or Active Directory based authentication is more useful.
  Solution:
  Keep this in view, IAP development teams have integrated TACACS and Radius based management authentication. 
  Configuration:
  Follow the below steps to configure radius authentication in IAP:
  Login to IAP web interface
  Select "System" from the main menu and then click on "Admin" tab
  Under local authentication, select as "Authentication Server"
  Under the "Auth Server 1" Select "New Server"
  Filling the name, IP address and shared key for Tacacs server and click OK.
  Verification
  Logout of the IAP web interface and try logging in using the username and password on TACACS server.

  I was having troubles with this as well when a customer had an older Aruba Controller and 2 Access Points. We went with a couple IAP-205s and needed LDAP integration. Using the above configuration there were some additional items needed. I found that I needed the DISPLAY NAME of the admin for the Admin-DN. I had created a user with the first name Aruba and the last name LDAP. This made the DISPLAY NAME "Aruba LDAP". This is what needs to be in the CN= for the Admin-DN.I also found there is a difference in using the CN= and OU=Currently our admin account is in the Users group which is a “Container”. Our actual user accounts are stored in an Orginizational Unit with sub OUs as well. So the Admin-DN needed the CN=Users and the Base-DN needed the OU=MyUserOU.For the windows machines I had to download and install the Aruba GTC Shim because the customer was previously using GTC and they were not going to a RADIUS server at the moment. My Android phone and IPHONE did not need any additional addins for the authentication.  The windows laptop I am using I needed to manually create a wireless profile with… Security Tab >“Choose a network authentication method:”Microsoft: Protected EAP (PEAP)Settings >Select “Trusted Root Certification Authorities”GeoTrust Global CASelect Authentication Method:EAP-Token (This is the Aruba GTC Shim) This allowed me to use my domain login credentialsUsernamePasswordDomain (This is blank because the Base-DN already has this, if anything is put in here the authentication fails)

• How have multiple NDGs for same tacacs+ server

  I have Secure ACS 4.2 installed. I am using it for vpn access with Radius and tacacs+ access for network device mgmt. I want to setup multiple NDGs but have them all use the same ACS tacacs+ server. How do I do that? Each time I add a new NDG and try to add a AAA server with the same IP and tacacs+ it tells me it overlaps with a current one configured.

  You cannot add same device again with same authentication method.
  BUT
  You can add same device with different authentication method. see the example below
  1
  Name--->device
  IP ----> 1.1.1.1
  secret---->xxxxx
  Authenticate using --->Radius IETF
  2
  Name--->device1
  IP ----->1.1.1.1
  secret ----->x.x.x.x
  Authenticate using---->tacacs IOS
  Also same device cannot be a part of more then on NDG.
  Regards,
  ~JG
  Do rate helpful posts

• Not able to login to router using ssh when TACACS server is down

  When TACACS server is not reachable router is not allowing the local password to login using ssh. Router's SSH debug says authentication is successful but ssh client gets % Authorization failed meassage and disconnects.
  kindly see below debug output and config
  SSH server end:
  Sep 1 13:25:10.161: SSH1: starting SSH control process
  Sep 1 13:25:10.165: SSH1: sent protocol version id SSH-1.5-Cisco-1.25
  Sep 1 13:25:10.241: SSH1: protocol version id is - SSH-1.5-Cisco-1.25
  Sep 1 13:25:10.241: SSH1: SSH_SMSG_PUBLIC_KEY msg
  Sep 1 13:25:10.397: SSH1: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03
  Sep 1 13:25:10.397: SSH: RSA decrypt started
  Sep 1 13:25:10.925: SSH: RSA decrypt finished
  Sep 1 13:25:10.925: SSH: RSA decrypt started
  Sep 1 13:25:11.165: SSH: RSA decrypt finished
  Sep 1 13:25:11.197: SSH1: sending encryption confirmation
  Sep 1 13:25:11.197: SSH1: keys exchanged and encryption on
  Sep 1 13:25:11.269: SSH1: SSH_CMSG_USER message received
  Sep 1 13:25:11.269: SSH1: authentication request for userid rao
  Sep 1 13:25:16.297: SSH1: SSH_SMSG_FAILURE message sent
  Sep 1 13:25:17.313: SSH1: SSH_CMSG_AUTH_PASSWORD message received
  Sep 1 13:25:17.317: SSH1: authentication successful for rao
  Sep 1 13:25:17.413: SSH1: requesting TTY
  Sep 1 13:25:17.413: SSH1: setting TTY - requested: length 25, width 80; set: le
  ngth 25, width 80
  Sep 1 13:25:17.525: SSH1: SSH_CMSG_EXEC_SHELL message received
  Sep 1 13:25:17.525: SSH1: starting shell for vty
  Sep 1 13:25:25.033: SSH1: Session terminated normally
  SSH Client end Log:
  % Authorization failed.
  [Connection to 10.255.15.2 closed by foreign host]
  COnfig:
  aaa authentication login default group tacacs+ line local
  aaa authentication login NO_AUTH line
  aaa authorization config-commands
  aaa authorization exec default group tacacs+ if-authenticated
  aaa authorization commands 15 default group tacacs+ if-authenticated
  aaa authorization configuration default group tacacs+
  aaa accounting exec default start-stop group tacacs+
  aaa accounting connection default start-stop group tacacs+
  ip domain-name cbi.co.in
  crypto key generate rsa
  ip ssh time-out 60
  ip ssh authentication-retries 3
  line vty 0 4
  password xxxx
  transport input telnet ssh
  Kindly reply your views

  I believe that the key to understanding your problem is to recognize the subtle difference between authentication and authorization. The authentication process appears that it does succeed but the authorization process has failed according to your error message:
  % Authorization failed.
  I see that most of your authorization commands include the parameter if-authenticated. But this command does not:
  aaa authorization config-commands
  I would suggest that you add the if-authenticated parameter to this command and see if it does not fix your problem.
  HTH
  Rick

• IOS 15 not working with my TACACS server

  Hi All,
  I recently made some changes to the way my Tacacs server (ACS4.2) handled groups etc..
  This all works fine and when I log onto my devices I get prompted for my credentials, which authenticate against AD. However, since I made these changes none of the devices on IOS 15 now authenticate. I am immediately prompted for a local password rather than a username and password..
  I understand that the commands for Tacacs changeda bit in IOS15 but from what I have read and changed I'm still having trouble. Config below from once of the routers I'm having trouble with...
  Am I missing something?
  aaa new-model
  aaa group server tacacs+ ACS1
  server name AUTH
  aaa authentication login ACS-List group ACS1 local
  aaa authorization exec ACS-List group ACS1 local
  aaa accounting commands 15 ACS-List
  action-type start-stop
  group ACS1
  aaa session-id common
  acacs-server directed-request
  tacacs server AUTH
  address ipv4 172.x.x.x
  key 7 xxxxxxxx
  and on my VTY Lines...
  privilege level 15
  password 7 151619050826222A2F
  authorization exec ACS-List
  accounting commands 15 ACS-List
  accounting exec ACS-List
  login authentication ACS-List
  length 0
  transport input telnet ssh

  I ran those debugs, then tried to login on another telnet session -
  Jul  2 15:01:57.278: TPLUS: Queuing AAA Accounting request 1781 for processing
  Jul  2 15:01:57.278: TPLUS: processing accounting request id 1781
  Jul  2 15:01:57.278: TPLUS: Sending AV task_id=1997
  Jul  2 15:01:57.278: TPLUS: Sending AV timezone=SIN
  Jul  2 15:01:57.278: TPLUS: Sending AV service=shell
  Jul  2 15:01:57.278: TPLUS: Sending AV start_time=1372777317
  Jul  2 15:01:57.278: TPLUS: Sending AV priv-lvl=15
  Jul  2 15:01:57.278: TPLUS: Sending AV cmd=terminal monitor
  Jul  2 15:01:57.278: TPLUS: Accounting request created for 1781(admin)
  Jul  2 15:01:57.278: TPLUS: using previously set server 172.x.x.x from group ACS1
  Jul  2 15:01:57.278: TPLUS(000006F5)/0/NB_WAIT/3120C74C: Started 5 sec timeout
  Jul  2 15:01:57.630: TPLUS(000006F5)/0/NB_WAIT: socket event 2
  Jul  2 15:01:57.630: TPLUS(000006F5)/0/NB_WAIT: wrote entire 144 bytes request
  Jul  2 15:01:57.630: TPLUS(000006F5)/0/READ: socket event 1
  Jul  2 15:01:57.630: TPLUS(000006F5)/0/READ: Would block while reading
  Jul  2 15:01:57.990: TPLUS(000006F5)/0/READ: socket event 1
  Jul  2 15:01:57.990: TPLUS(000006F5)/0/READ: read 0 bytes
  Jul  2 15:01:57.990: TPLUS(000006F5)/0/READ: socket event 1
  Jul  2 15:01:57.990: TPLUS(000006F5)/0/READ: errno 254
  Jul  2 15:01:57.990: TPLUS(000006F5)/0/3120C74C: Processing the reply packet
  Jul  2 15:02:11.658: AAA/BIND(000006F9): Bind i/f
  Jul  2 15:02:11.658: AAA/AUTHEN/LOGIN (000006F9): Pick method list 'ACS-List'
  Jul  2 15:02:11.658: TPLUS: Queuing AAA Authentication request 1785 for processing
  Jul  2 15:02:11.658: TPLUS: processing authentication start request id 1785
  Jul  2 15:02:11.662: TPLUS: Authentication start packet created for 1785()
  Jul  2 15:02:11.662: TPLUS: Using server 172.x.x.x
  Jul  2 15:02:11.662: TPLUS(000006F9)/0/NB_WAIT/3120C74C: Started 5 sec timeout
  Jul  2 15:02:12.014: TPLUS(000006F9)/0/NB_WAIT: socket event 2
  Jul  2 15:02:12.014: TPLUS(000006F9)/0/NB_WAIT: wrote entire 38 bytes request
  Jul  2 15:02:12.014: TPLUS(000006F9)/0/READ: socket event 1
  Jul  2 15:02:12.014: TPLUS(000006F9)/0/READ: Would block while reading
  Jul  2 15:02:12.366: TPLUS(000006F9)/0/READ: socket event 1
  Jul  2 15:02:12.366: TPLUS(000006F9)/0/READ: errno 254
  Jul  2 15:02:12.366: TPLUS(000006F9)/0/3120C74C: Processing the reply packet
  Jul  2 15:02:24.474: AAA/AUTHEN/LOGIN (000006F9): Pick method list 'ACS-List'
  Jul  2 15:02:24.474: TPLUS: Queuing AAA Authentication request 1785 for processing
  Jul  2 15:02:24.474: TPLUS: processing authentication start request id 1785
  Jul  2 15:02:24.474: TPLUS: Authentication start packet created for 1785()
  Jul  2 15:02:24.474: TPLUS: Using server 172.x.x.x
  Jul  2 15:02:24.474: TPLUS(000006F9)/0/NB_WAIT/3120C74C: Started 5 sec timeout
  Jul  2 15:02:24.826: TPLUS(000006F9)/0/NB_WAIT: socket event 2
  Jul  2 15:02:24.826: TPLUS(000006F9)/0/NB_WAIT: wrote entire 38 bytes request
  Jul  2 15:02:24.826: TPLUS(000006F9)/0/READ: socket event 1
  Jul  2 15:02:24.826: TPLUS(000006F9)/0/READ: Would block while reading
  Jul  2 15:02:25.178: TPLUS(000006F9)/0/READ: socket event 1
  Jul  2 15:02:25.178: TPLUS(000006F9)/0/READ: errno 254
  Jul  2 15:02:25.178: TPLUS(000006F9)/0/3120C74C: Processing the reply packet

• VPDN static IP address assign by TACACS server (ACS 2.3 for UNIX)

  Is it possible assign static IP address for VPDN users by TACACS server ?
  If yes, please give me some ideas how to do it?
  thanks,
  bm

  I think that is possible only while using CSACS for windows but not with CSACS for UNIX. Atleast I couldn't find anything in the documentation. (CiscoSecure ACS 2.3 for UNIX User Guide http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_book09186a00800eb438.html)

• TACACS+ Server not logging events.

  Hi all,
  I am having an issue with the tacacs+ server not logging login requests or commands entered. I am running the tac_plus.F4.0.4.alpha release that cisco provides for free on a mandrake 10.1 linux box. I am able to use the server to authenticate logins to the routers but it is not logging those requests.
  Here is the config I used on one of our routers.
  aaa group server tacacs+ prego
  server xxx.xxx.xxx.xxx
  aaa authentication login default group tacacs+ enable
  aaa authentication enable default group tacacs+ enable
  aaa accounting exec default start-stop group prego
  aaa accounting commands 15 default start-stop group tacacs+
  aaa session-id common
  ip subnet-zero
  Also here is a sh verion
  Cisco Internetwork Operating System Software
  IOS (tm) 3700 Software (C3725-IS-M), Version 12.2(15)ZJ3, EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)
  TAC Support: http://www.cisco.com/tac
  Copyright (c) 1986-2003 by cisco Systems, Inc.
  Compiled Thu 25-Sep-03 22:23 by eaarmas
  Image text-base: 0x60008954, data-base: 0x61C2C000
  ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
  ROM: 3700 Software (C3725-I-M), Version 12.2(8)T10, RELEASE SOFTWARE (fc1)
  PRVGW3725 uptime is 10 weeks, 1 day, 7 hours, 35 minutes
  System returned to ROM by power-on
  System image file is "flash:c3725-is-mz.122-15.ZJ3.bin"
  cisco 3725 (R7000) processor (revision 0.1) with 121856K/9216K bytes of memory.
  Processor board ID JMX0749L1XC
  R7000 CPU at 240Mhz, Implementation 39, Rev 3.3, 256KB L2 Cache
  Bridging software.
  X.25 software, Version 3.0.0.
  SuperLAT software (copyright 1990 by Meridian Technology Corp).
  2 FastEthernet/IEEE 802.3 interface(s)
  2 Serial network interface(s)
  DRAM configuration is 64 bits wide with parity disabled.
  55K bytes of non-volatile configuration memory.
  31360K bytes of ATA System CompactFlash (Read/Write)
  Configuration register is 0x2102
  Any help would be great.
  Thank you
  Joseph Jackson

  If you are able to authenticate via TACACS I would believe that this indicates that there is not a problem with your configuration of the TACACS server(s) (addresses are correct, keys are correct, etc) and that the TACACS server recognizes the router ok.
  So I assume that either there is some problem on the router generating the accounting records. Or that there might be a problem on the server and receiving and processing the accounting records.
  As a next step in investigating this issue I suggest that you run two debugs on the router:
  debug aaa accounting
  debug tacacs accounting
  While the debug is running have someone access the router and login, access privilege mode, and execute several commands. Then post any debug output.
  HTH
  Rick

• Can't configure tacacs-server port

  We're unable to configure a specific port, which is required for our customer for the tacacs-server.   One of the devices is a 7604 router running this image -
  c7600rsp72043-adventerprisek9-mz.122-33.SRD6.bin.  The other device is a 2960 switch with the following image - c2960-lanbasek9-mz.122-35.SE5.bin.
  We don't get the option to add a port after the tacacs-server host x.x.x.x command. 
  Any ideas would be greatly appreciated!
  Regards..

  Hi
  Please go through this link, this will be helpful regarding TCSACS Authentication and Fortigate configuration:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html

• Tac_Plus (open source TACACS+ server) and NAM (Network Analysis Module)

  I am trying to setup our cisco NAM's to authenticate against our open source tac_plus server.  I see traffic on port 49 between the NAM and server but I keep on getting an invalid username/password error.  I do not see any invalid logon attemps in our tacacs log.
  The tacacs server running and I am able to authenticate against it when I am logging onto our routers and switches.  I have created the following group for NAM authentication on the server ("namuser" is able to log onto our routers/switches):
  group = nam {
  cmd = web { permit capture
  permit system
  permit collection
  permit account
  permit alarm
  permit view }
  user = namuser {
  member = nam
  login = pam tac_plus

  switch config
  aaa new-model
  aaa authentication username-prompt login:
  aaa authentication login default group tacacs+ local
  aaa authentication enable default group tacacs+ enable
  aaa authorization commands 15 default group tacacs+ local
  tacacs-server host x.x.x.x
  tacacs-server directed-request
  tacacs-server key ********

• Configuring TACACs Server for Cisco VPN 3000

  Does anyone know how to get to the configuration setting to specify a TACACs server?

  You need to be very careful when setting
  up this thing. If the AAA server is down
  for whatever reason, you will NOT be able to
  log into the Concentrator again. As far
  as the VPn3k console is concerns, it will
  let you login with the "admin" account,
  even though the AAA is up and running. In
  other words, you can login from console
  with both "admin" and AAA account at the same
  time.
  What a mess.