Tacacs Authentication - VRF ?

Similar Messages

• Tacacs per VRF

  Gooday
  Im trying to configure tacacs per Vrf but no luck, i been using docs from cisco, can somebody help me if my config is correct?
  here is my current config
  aaa group server tacacs+ tacacs1
  server-private 183.x.x.x key 7 XXXXXX
  ip vrf forwarding NMS
  ip tacacs source-interface Vlan89
  aaa authentication login default group tacacs+ enable
  aaa authentication enable default group tacacs+ enable
  aaa authorization commands 0 default group tacacs+ none
  aaa authorization commands 1 default group tacacs+ none
  aaa authorization commands 15 default group tacacs+ none
  ip vrf NMS
  description OOB NMS VRF
  rd 110:100
  interface Vlan89
  description to DIA monitoring
  ip vrf forwarding NMS
  ip address 183.109.191.11 255.255.255.0
  end
  ip vrf NMS
  thanks

  thanks Carlos,
  I followed your suggestion, i think there will be only change in the aaa authentication statement,
  I'm very careful on changing the aaa statement, and don't want to change it without your expert advice, the router is located in different country and no one will reboot if i lost the connection
  The first "password" prompt you get is for the local enable password? We might need to enable "Debug aaa authentication" and "debug tacacs" and recreate the issue.
  ans: yes, first it will ask for the local password
  below is the debug
  AAA Authentication debugging is on
  crt-tw1-602#
  *Jan 18 00:39:40: AAA/BIND(00000084): Bind i/f 
  *Jan 18 00:39:40: AAA/AUTHEN/LOGIN (00000084): Pick method list 'default'
  *Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN
  *Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Done status GET_PASSWORD
  *Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN
  *Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Done status PASS
  *Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1
  *Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0
  *Jan 18 00:39:54: AAA/MEMORY: create_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
  *Jan 18 00:39:54: AAA/MEMORY: free_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
  *Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1
  *Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0
  *Jan 18 00:39:54: AAA/MEMORY: create_user (0x7067DF54) user='NULL' ruser='NULL' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
  *Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): port='tty450' list='' action=LOGIN service=ENABLE
  *Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): using "default" list
  *Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): Method=tacacs1 (tacacs+)
  *Jan 18 00:39:54: TAC+: send AUTHEN/START packet ver=192 id=-165001963
  *Jan 18 00:39:54: TAC+: ver=192 id=-165001963 received AUTHEN status = GETUSER
  *Jan 18 00:39:54: AAA/AUTHEN(4129965333): Status=GETUSER
  *Jan 18 00:40:06: AAA/AUTHEN/CONT (4129965333): continue_login (user='(undef)')
  *Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETUSER
  *Jan 18 00:40:06: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)
  *Jan 18 00:40:06: TAC+: send AUTHEN/CONT packet id=-165001963
  *Jan 18 00:40:06: TAC+: ver=192 id=-165001963 received AUTHEN status = GETPASS
  *Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETPASS
  *Jan 18 00:40:09: AAA/AUTHEN/CONT (4129965333): continue_login (user='lesterm.admin')
  *Jan 18 00:40:09: AAA/AUTHEN(4129965333): Status=GETPASS
  *Jan 18 00:40:09: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)
  *Jan 18 00:40:09: TAC+: send AUTHEN/CONT packet id=-165001963
  *Jan 18 00:40:10: TAC+: ver=192 id=-165001963 received AUTHEN status = PASS
  *Jan 18 00:40:10: AAA/AUTHEN(4129965333): Status=PASS
  *Jan 18 00:40:10: AAA/MEMORY: free_user (0x7067DF54) user='lesterm.admin' ruser='NULL' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
  crt-tw1-602#
  crt-tw1-602#debug tacacs
  TACACS access control debugging is on
  crt-tw1-602#
  *Jan 18 00:41:44: TPLUS: Queuing AAA Authentication request 133 for processing
  *Jan 18 00:41:44: TPLUS: processing authentication start request id 133
  *Jan 18 00:41:44: TPLUS: Authentication start packet created for 133()
  *Jan 18 00:41:44: TPLUS: Using server 183.111.21.100
  *Jan 18 00:41:44: TPLUS(00000085)/0/NB_WAIT/7050EE30: Started 5 sec timeout
  *Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out
  *Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out, clean up
  *Jan 18 00:41:49: TPLUS(00000085)/0/7050EE30: Processing the reply packet
  *Jan 18 00:41:58: TAC+: no tacacs servers defined in group "tacacs+"
  *Jan 18 00:41:58: TAC+: send AUTHEN/START packet ver=192 id=1096121892
  *Jan 18 00:41:58: TAC+: Using default tacacs server-group "tacacs1" list.
  *Jan 18 00:41:58: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5
  *Jan 18 00:41:58: TAC+: Opened TCP/IP handle 0x7065A0B8 to 183.111.21.100/49 using source 183.109.191.11
  *Jan 18 00:41:58: TAC+: 183.111.21.100 (1096121892) AUTHEN/START/LOGIN/ASCII queued
  *Jan 18 00:41:58: TAC+: (1096121892) AUTHEN/START/LOGIN/ASCII processed
  *Jan 18 00:41:58: TAC+: ver=192 id=1096121892 received AUTHEN status = GETUSER
  *Jan 18 00:42:02: TAC+: send AUTHEN/CONT packet id=1096121892
  *Jan 18 00:42:02: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued
  *Jan 18 00:42:02: TAC+: (1096121892) AUTHEN/CONT processed
  *Jan 18 00:42:02: TAC+: ver=192 id=1096121892 received AUTHEN status = GETPASS
  *Jan 18 00:42:09: TAC+: send AUTHEN/CONT packet id=1096121892
  *Jan 18 00:42:09: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued
  *Jan 18 00:42:10: TAC+: (1096121892) AUTHEN/CONT processed
  *Jan 18 00:42:10: TAC+: ver=192 id=1096121892 received AUTHEN status = FAIL
  *Jan 18 00:42:10: TAC+: Closing TCP/IP 0x7065A0B8 connection to 183.111.21.100/49
  *Jan 18 00:42:12: TAC+: no tacacs servers defined in group "tacacs+"
  *Jan 18 00:42:12: TAC+: send AUTHEN/START packet ver=192 id=-1420048987
  *Jan 18 00:42:12: TAC+: Using default tacacs server-group "tacacs1" list.
  *Jan 18 00:42:12: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5
  *Jan 18 00:42:12: TAC+: Opened TCP/IP handle 0x62741B98 to 183.111.21.100/49 using source 183.109.191.11
  *Jan 18 00:42:12: TAC+: 183.111.21.100 (2874918309) AUTHEN/START/LOGIN/ASCII queued
  *Jan 18 00:42:12: TAC+: (2874918309) AUTHEN/START/LOGIN/ASCII processed
  *Jan 18 00:42:12: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETUSER
  *Jan 18 00:42:16: TAC+: send AUTHEN/CONT packet id=-1420048987
  *Jan 18 00:42:16: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued
  *Jan 18 00:42:16: TAC+: (2874918309) AUTHEN/CONT processed
  *Jan 18 00:42:16: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETPASS
  *Jan 18 00:42:19: TAC+: send AUTHEN/CONT packet id=-1420048987
  *Jan 18 00:42:19: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued
  *Jan 18 00:42:20: TAC+: (2874918309) AUTHEN/CONT processed
  *Jan 18 00:42:20: TAC+: ver=192 id=-1420048987 received AUTHEN status = PASS
  *Jan 18 00:42:20: TAC+: Closing TCP/IP 0x62741B98 connection to 183.111.21.100/49
  crt-tw1-602#
  crt-tw1-602#
  AAA Authentication debugging is on
  crt-tw1-602#
  *Jan 18 00:39:40: AAA/BIND(00000084): Bind i/f 
  *Jan 18 00:39:40: AAA/AUTHEN/LOGIN (00000084): Pick method list 'default'
  *Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN
  *Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Done status GET_PASSWORD
  *Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN
  *Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Done status PASS
  *Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1
  *Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0
  *Jan 18 00:39:54: AAA/MEMORY: create_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
  *Jan 18 00:39:54: AAA/MEMORY: free_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
  *Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1
  *Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0
  *Jan 18 00:39:54: AAA/MEMORY: create_user (0x7067DF54) user='NULL' ruser='NULL' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
  *Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): port='tty450' list='' action=LOGIN service=ENABLE
  *Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): using "default" list
  *Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): Method=tacacs1 (tacacs+)
  *Jan 18 00:39:54: TAC+: send AUTHEN/START packet ver=192 id=-165001963
  *Jan 18 00:39:54: TAC+: ver=192 id=-165001963 received AUTHEN status = GETUSER
  *Jan 18 00:39:54: AAA/AUTHEN(4129965333): Status=GETUSER
  *Jan 18 00:40:06: AAA/AUTHEN/CONT (4129965333): continue_login (user='(undef)')
  *Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETUSER
  *Jan 18 00:40:06: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)
  *Jan 18 00:40:06: TAC+: send AUTHEN/CONT packet id=-165001963
  *Jan 18 00:40:06: TAC+: ver=192 id=-165001963 received AUTHEN status = GETPASS
  *Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETPASS
  *Jan 18 00:40:09: AAA/AUTHEN/CONT (4129965333): continue_login (user='lesterm.admin')
  *Jan 18 00:40:09: AAA/AUTHEN(4129965333): Status=GETPASS
  *Jan 18 00:40:09: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)
  *Jan 18 00:40:09: TAC+: send AUTHEN/CONT packet id=-165001963
  *Jan 18 00:40:10: TAC+: ver=192 id=-165001963 received AUTHEN status = PASS
  *Jan 18 00:40:10: AAA/AUTHEN(4129965333): Status=PASS
  *Jan 18 00:40:10: AAA/MEMORY: free_user (0x7067DF54) user='lesterm.admin' ruser='NULL' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
  crt-tw1-602#
  crt-tw1-602#debug tacacs
  TACACS access control debugging is on
  crt-tw1-602#
  *Jan 18 00:41:44: TPLUS: Queuing AAA Authentication request 133 for processing
  *Jan 18 00:41:44: TPLUS: processing authentication start request id 133
  *Jan 18 00:41:44: TPLUS: Authentication start packet created for 133()
  *Jan 18 00:41:44: TPLUS: Using server 183.111.21.100
  *Jan 18 00:41:44: TPLUS(00000085)/0/NB_WAIT/7050EE30: Started 5 sec timeout
  *Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out
  *Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out, clean up
  *Jan 18 00:41:49: TPLUS(00000085)/0/7050EE30: Processing the reply packet
  *Jan 18 00:41:58: TAC+: no tacacs servers defined in group "tacacs+"
  *Jan 18 00:41:58: TAC+: send AUTHEN/START packet ver=192 id=1096121892
  *Jan 18 00:41:58: TAC+: Using default tacacs server-group "tacacs1" list.
  *Jan 18 00:41:58: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5
  *Jan 18 00:41:58: TAC+: Opened TCP/IP handle 0x7065A0B8 to 183.111.21.100/49 using source 183.109.191.11
  *Jan 18 00:41:58: TAC+: 183.111.21.100 (1096121892) AUTHEN/START/LOGIN/ASCII queued
  *Jan 18 00:41:58: TAC+: (1096121892) AUTHEN/START/LOGIN/ASCII processed
  *Jan 18 00:41:58: TAC+: ver=192 id=1096121892 received AUTHEN status = GETUSER
  *Jan 18 00:42:02: TAC+: send AUTHEN/CONT packet id=1096121892
  *Jan 18 00:42:02: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued
  *Jan 18 00:42:02: TAC+: (1096121892) AUTHEN/CONT processed
  *Jan 18 00:42:02: TAC+: ver=192 id=1096121892 received AUTHEN status = GETPASS
  *Jan 18 00:42:09: TAC+: send AUTHEN/CONT packet id=1096121892
  *Jan 18 00:42:09: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued
  *Jan 18 00:42:10: TAC+: (1096121892) AUTHEN/CONT processed
  *Jan 18 00:42:10: TAC+: ver=192 id=1096121892 received AUTHEN status = FAIL
  *Jan 18 00:42:10: TAC+: Closing TCP/IP 0x7065A0B8 connection to 183.111.21.100/49
  *Jan 18 00:42:12: TAC+: no tacacs servers defined in group "tacacs+"
  *Jan 18 00:42:12: TAC+: send AUTHEN/START packet ver=192 id=-1420048987
  *Jan 18 00:42:12: TAC+: Using default tacacs server-group "tacacs1" list.
  *Jan 18 00:42:12: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5
  *Jan 18 00:42:12: TAC+: Opened TCP/IP handle 0x62741B98 to 183.111.21.100/49 using source 183.109.191.11
  *Jan 18 00:42:12: TAC+: 183.111.21.100 (2874918309) AUTHEN/START/LOGIN/ASCII queued
  *Jan 18 00:42:12: TAC+: (2874918309) AUTHEN/START/LOGIN/ASCII processed
  *Jan 18 00:42:12: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETUSER
  *Jan 18 00:42:16: TAC+: send AUTHEN/CONT packet id=-1420048987
  *Jan 18 00:42:16: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued
  *Jan 18 00:42:16: TAC+: (2874918309) AUTHEN/CONT processed
  *Jan 18 00:42:16: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETPASS
  *Jan 18 00:42:19: TAC+: send AUTHEN/CONT packet id=-1420048987
  *Jan 18 00:42:19: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued
  *Jan 18 00:42:20: TAC+: (2874918309) AUTHEN/CONT processed
  *Jan 18 00:42:20: TAC+: ver=192 id=-1420048987 received AUTHEN status = PASS
  *Jan 18 00:42:20: TAC+: Closing TCP/IP 0x62741B98 connection to 183.111.21.100/49
  crt-tw1-602#
  crt-tw1-602#

• Problem setting 7606 router for TACACS+ authentication

  Hello Support Community,
  I have two Cisco 7606 routers which I have tried in vain to have users authenticated using TACACS+ servers. As shown below, I have two servers (1.1.1.1 and 2.2.2.2) reachable via vrf OAM which is reachable from desktops for ssh login. The true IP addresses and vrf have been altered because it's a company router.
  I use the two servers to authenticate many other Cisco devices in the network they are working fine.
  I can reach the servers from the vrf and the source interface in use. I can also telnet port 49 if the servers from the source interface and the vrf.
  The server key is hidden but at the time of configuration, I can ascertain that it's correct.
  The problem is that after confuring for TACACS authentication, the router still uses the enable password instead of TACACS. While the debug output shows 'bad password', why is the router not authenticating using TACACS? Why is it using the enable password?
  Please study the outputs below and help point out what I may need to change.
  PS: I have tried out many other combinations, including deprecated ones without success including the method suggested in this page;
  http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html
  Please help I'm stuck.
  ROUTER#sh running-config | sec aaa
  aaa new-model
  aaa group server tacacs+ admin
  server name admin
  server name admin1
  ip vrf forwarding OAM
  ip tacacs source-interface GigabitEthernet1
  aaa authentication login admin group tacacs+ local enable
  aaa session-id common
  ROUTER#sh running-config | sec tacacs
  aaa group server tacacs+ admin
  server name admin
  server name admin1
  ip vrf forwarding OAM
  ip tacacs source-interface GigabitEthernet1
  aaa authentication login admin group tacacs+ local enable
  tacacs server admin
  address ipv4 1.1.1.1
  key 7 XXXXXXXXXXXXXXXXXXXX
  tacacs server admin1
  address ipv4 2.2.2.2
  key 7 XXXXXXXXXXXXXXXXxxxx
  line vty 0 4
  login authentication admin
  ROUTER#sh tacacs
  Tacacs+ Server -  public  :
                 Server name: admin
              Server address: 1.1.1.1
                 Server port: 49
                Socket opens:         15
               Socket closes:         15
               Socket aborts:          0
               Socket errors:          0
             Socket Timeouts:          0
     Failed Connect Attempts:          0
          Total Packets Sent:          0
          Total Packets Recv:          0
  Tacacs+ Server -  public  :
                 Server name: admin1
              Server address: 2.2.2.2
                 Server port: 49
                Socket opens:         15
               Socket closes:         15
               Socket aborts:          0
               Socket errors:          0
             Socket Timeouts:          0
     Failed Connect Attempts:          0
          Total Packets Sent:          0
          Total Packets Recv:          0
  Oct 22 12:38:57.587: AAA/BIND(0000001A): Bind i/f 
  Oct 22 12:38:57.587: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
  Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
  Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
  Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
  Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
  Oct 22 12:39:04.335: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
  Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
  Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
  Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
  Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
  Oct 22 12:39:10.679: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
  Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
  Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
  Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
  Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
  ROUTER#sh ver
  Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2012 by Cisco Systems, Inc.
  Compiled Fri 30-Mar-12 08:34 by prod_rel_team
  ROM: System Bootstrap, Version 12.2(33r)SRE, RELEASE SOFTWARE (fc1)
  BOOTLDR: Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
  ROUTER uptime is 7 weeks, 5 days, 16 hours, 48 minutes
  Uptime for this control processor is 7 weeks, 5 days, 16 hours, 49 minutes
  System returned to ROM by reload (SP by reload)
  System restarted at 20:00:59 UTC Wed Aug 28 2013
  System image file is "sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3.bin"
  Last reload type: Normal Reload
  Last reload reason: power-on
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  Cisco CISCO7606-S (M8500) processor (revision 1.1) with 3670016K/262144K bytes of memory.
  Processor board ID FOX1623G61B
  BASEBOARD: RSP720
  CPU: MPC8548_E, Version: 2.1, (0x80390021)
  CORE: E500, Version: 2.2, (0x80210022)
  CPU:1200MHz, CCB:400MHz, DDR:200MHz,
  L1:    D-cache 32 kB enabled
          I-cache 32 kB enabled
  Last reset from power-on
  3 Virtual Ethernet interfaces
  76 Gigabit Ethernet interfaces
  8 Ten Gigabit Ethernet interfaces
  3964K bytes of non-volatile configuration memory.
  500472K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
  Configuration register is 0x2102

  In order to resolve this issue. Please replace the below listed command
  aaa authentication login admin group tacacs+ local enable
  with;
  aaa authentication login default group admin local enable
  You defined the server group name as method list and instead of using admin as a server-group, you used tacacs+
  Note: Please ensure you have local user and enable password configured in case of tacacs server unreachable.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Tacacs authentication fails for one user account for only one switch

  Hi,
  I am having an scenario, where as Tacacs authentication fails for one user account for only one switch.
  The same user account works well for other devices.
  The AAA configs are same on every devices in the network.
  Heres the show tacacs output from the switch where only one user account fails;
                Socket opens:        157
               Socket closes:        156
               Socket aborts:        303
               Socket errors:          1
             Socket Timeouts:          2
     Failed Connect Attempts:          0
          Total Packets Sent:       1703
          Total Packets Recv:       1243
            Expected Replies:          0
  What could be the reason ?
  No errors on ACS server; same rights had been given to the user account.
  Thanks to advise.
  Prasey

  Hi there,
  Does the user get authenticated in the ACS logs?
  reports and activity----> failed attempts
  ro
  reports and activity----->  passed authentications
  That will help narrow it down.
  Brad

• Tacacs+ authentication/authorization based on user's subnet

  Hi Guys/Girls
  We have number of production cisco gears, all of which are configured with Tacacs+ and all of them working just fine. But now I have a requirement to implement SSH-ver2 across whole network, comprise of about 8000 cisco gears.
  I need to develop a proof of concept (POC), that enabling SSH on production gears will not affect existing Tacacs+ users authentication and authorization.
  In our lab cisco gears, it has been already configured with production Tacacs+ server for authentication and authorization. Now I am allowed to test SSH on these lab-gears but I without disrupting others users who are using the same lab-gears.
  So, I want to enable SSH version 2 on these lab-gears however, when user coming from a certain specific subnet, this particular user must be authenticated and authorized by LAB Tacacs+ but not from production Tacacs+, however please note that lab-gears I am testing with also already configured for  production Tacacs+ server as well. These lab-gears must be able to do authentication and authorization to two different Tacacs+ server based on users subnet that he or she coming from.
  Is this doable plan? I have been looking for a documentation to implement test this method, not being successful.
  Your feedback will be appreciated and rated.
  Thanks
  Rizwan Rafeek

  Riswan,
  This will not work, tacacs authentication starts once the ssh connection is established, the NAD (switch or router) will open a tacacs connection and send the start flag to the tacacs server in which the message "getusername" is sent from the tacacs server to the device and to the user terminal. You can not create an acl in order to pick which tacacs servers you can authenticate to either. So when it comes to authenticating users from a specific subnet to a specific tacacs server that is not the intended design of tacacs, when you configure multiple servers in a group it is to insure high availability such that when one tacacs server goes down you have a secondary to continue with the authenticaiton requests.
  Here is an example of how the tacacs authentication is performed.
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic
  thanks and I hope that helps,
  Tarik Admani
  *Please rate helpful posts*

• TACACS+ Authentication For Cisco NAM

  Hi All,
  I have an cisco ACS v5.1 and also a cisco NAM. Currently, I have configured TACACS+ on the NAM and the ACS v5.1 however when I try to access the NAM, the ACS v5.1 has an error message of "TACACS+ authentication ended with error" and I am not able to access the equipment.
  For your information, I have no problem with others equipment TACACS+ authentication with the same ACS.
  Please advise.
  Thks and Rgds

  Steven
  I would first suggest that you verify that your ACS has an appropriate and correct entry configured for the NAM as a client. Assuming that is correct then I would suggest that you check and verify that the NAM is originating its TACACS requests from the address that you configured for the client on the ACS and that the shared secret is the same on both devices.
  If those are correct then I would suggest to look in the Failed Attempts report of ACS and see if it provides a better identification of the problem.
  HTH
  Rick

• Can I intergrate TACACS+ authentication with MS AD?

  hi, I would like to using MS AD account as a tacacs authentication account. I use tac_plus-F4.0.4.7 on Freebsd. Does anyone get some ideas? thank you!

  Although that is an interesting thought, I am also not up on that software and not sure this would be the best place to get that answer. For Cisco's Secure ACS, it is merely a click of the button. ACS from Cisco has many other features that I do know are not availabe in the few open source TACACS+ servers i have seen. I see no advantage even for small companies going this route given that the savings in dollars is little compared to the loss in functionality and interoperability among Cisco's products.

• Tacacs authentication problem.

  Hy,
  I have a network with several layer 2 (c2960) attached to a layer 3 switch (c3750).
  All these switches are behind a firewall (ASA 5510) and the firewall is connected to a router c3810.
  I have an ACS v.4.x to use as a Tacacs server.
  In all the equipments I have aaa authentication with tacacs and vlans.
  To test the tacacs authentication in the switch, I created a bypass to the firewall and connected the network (using a management vlan) to the router.
  With this scenario the tacacs authentication works.
  If I disconnect the bypass, all the traffic cross over the firewall. But I will not have the tacacs working anymore with the switch.
  I do not understand why!!?
  I have another problem, this time with the firewall.
  I configured the tacacs and the aaa in the firewall, as advised by Cisco.
  But it seems that it doesn’t work!
  In this two cases only the local authentication works.
  Can you help me, please?
  Thanks in advance,
                        Rui Oliveira

  Hy,
  I am doing tests in a Lab.
  So, the addresses presented here are not Internet routable.
  The configuration for the tacacs at the ASA is:
  aaa-server TACACS protocol tacacs+
  aaa-server TACACS (OUT_MANGMT) host 172.16.20.10
  key mykey
  aaa authentication enable console LOCAL
  aaa authentication serial console LOCAL
  aaa authentication telnet console TACACS LOCAL
  aaa authentication http console TACACS LOCAL
  aaa authentication ssh console TACACS LOCAL
  aaa authorization command LOCAL
  aaa accounting enable console TACACS
  aaa accounting telnet console TACACS
  aaa accounting ssh console TACACS
  aaa local authentication attempts max-fail 5
  aaa authorization exec LOCAL
  I´m doing the tests with an ASA with a the IP address 10.183.0.61.
  And this address is seen from the outside, but I do a NAT between the 10.183.0.61 and the IP address 192.168.100.2 in the TCP/23.
  Besides that I have an interface called OUT_MANGMT, with IP address 192.168.100.2 .
  I have another interface that a called GESTAO, with IP address 10.183.0.61.
  This interface GESTAO is connected to a management vlan.
  My ACS has IP 172.16.20.10 and the standard port for tacacs is tcp/49.
  I send the logging file that I take from my firewall.
  Thanks,
             Rui

• TACACS+ authentication fails VPN3000 administration sessions

  I have a problem when running TACACS+ authentication of VPN3000 administration sessions. If the admin account in the AAA-server has an expired password the login fails to the VPN3000. If I login to a router with the same account connected to the same AAA-server I get a prompt that tells me to change password since it has expired. After changing password through that login to a router I can also login to the VPN3000. Is it a limitation in VPN3000? Does it have a hard time presenting a password change dialog on a webpage?
  Any help appreciated.
  Håkan

  In concentrators you won't get any prompt for password expiry. You will have to change the password before it expires.

• Tacacs per vrf no supported on MLS C3750G

  HI,
  As i already know the tacacs per vrf not supported  for MLS C3750G and some other old versin of the IOS router or switch, but now i have 2 vrf routing tables configured in my switch is there any work around for this thing to work?? really aprreicated your inputs guys!!!

  Thanks for the response but I post the question after knowing that, I already checked on Feature Navigator that THIS IS NOT SUPPORTED for my router, at the end of my configuration I am purposing a workaround using a tunnel to bybass the nonsupported configuration.
  My question to you is, does a configuration with gre with vrf can work instead of the nonsupported configuration?
  I know that the alternative is to run Radius but it is more paperwork to do than trying to implement a solution with the current IOS.
  Thanks and sorry if I didn't make self clear at the beginning of my first post.

• ANM 4.2 Tacacs authentication

  The documentation for configuring Tacacs authentication at this link (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/4.2/user/guide/UG_admin.html#wp1267519) states the following:
  Note For  the ACE to properly perform user authentication using a TACACS+ server,  the username and password must be identical on both ANM and the TACACS+  server.
  If the user id and password have to be the same, what is the point of using Tacacs for authentication?  Someone tell me that I can use a TACACS+ server without being forced to keep the user id and password synched between ANM and Tacacs.

  This has now been corrected
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/4.2/user/guide/UG_admin.html#wp1275208
  Matthew

• Software to test RADIUS/TACACS authentication to ACS server

  Hi experts,
  Is anyone aware of a software that will test RADIUS and/or TACACS authentication to an ACS server from a PC? Same as what you can do on the Cisco VPN concentrator from the page Configuration | System | Servers | Authentication | Test Screen.
  Thanks in advance!

  If you look in the ACS utils folder you'll see radtest and tactest.exe
  These can be used to generate test packets. If you install ACS on another PC you can fire requests from that other PC too.
  I think Vasco (token card vendor) had a really nice GUI based RADIUS client too.
  Darran

• Tacacs+ Authenticating the Enable Password

  I have the following configuration on my switch and it works correctly:
  aaa group server tacacs+ tacacs_serv
  server 192.168.70.20
  aaa authentication login tac_auth group tacacs_serv local
  line vty 0 15
  login authentication tac_auth
  transport input ssh
  The configuration above works correctly, my username/pwd are authenticated via Tacacs+ and the "enable" password is confirmed via the local database on the switch.
  When I make the following changes attempeing to have Tacacs validate the username/pwd as well as the "enable" password I cannot log into the switch at all.
  aaa group server tacacs+ tacacs_serv
  server 192.168.70.20
  aaa authentication login default group tacacs_serv local
  aaa authentication enable default group tacacs_serv enable
  line vty 0 15
  login authentication default
  transport input ssh
  The switch is running 12.2(44)SE6. The username/pwd are in the local database of the Linux server. The Enable password is configured in two places within the tac_plus.conf file:
  host = 192.168.70.15 {
          prompt = "Enter your Username and Password. Username: "
          enable = cleartext "password"
  AND
  user = $enab15$ {
          login = cleartext "password"
  Any help would be appreciated.
  Thanks

  I added the priv-lvl to enable15:
  user = $enabl15$ {
          login = cleartext 802.11boingo
          priv-lvl = 15
  It is also in the testuser config:
  user = testuser {
          login = PAM
          member = admin
          service = exec
          priv-lvl = 15
  It is also in the group config:
  group = admin {
          # group members who don't have their own login password will be
          # looked up in /etc/passwd
          #login = file /etc/passwd
          login = PAM
          # group members who have no expiry date set will use this one
          #expires = "Jan 1 1997"
          # only allow access to specific routers
          acl = default
          # Needed for the router to make commands available to user (subject
          # to authorization if so configured on the router
          service = exec {
                  priv-lvl = 15
                  #default service = permit
  Below is the latest debug:
  CCG-WLA-TEST-SWT-1>ena
  Password:
  Dec 10 16:06:45.755: AAA: parse name=tty0 idb type=-1 tty=-1
  Dec 10 16:06:45.755: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
  Dec 10 16:06:45.755: AAA/MEMORY: create_user (0x1F3CB4C) user='testuser' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
  Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): port='tty0' list='' action=LOGIN service=ENABLE
  Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): using "default" list
  Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): Method=tacacs_serv (tacacs+)
  Dec 10 16:06:45.755: TAC+: send AUTHEN/START packet ver=192 id=-1121100826
  Dec 10 16:06:46.057: TAC+: ver=192 id=-1121100826 received AUTHEN status = GETPASS
  Dec 10 16:06:46.057: AAA/AUTHEN (3173866470): status = GETPASS
  % Error in authentication.

• With Cisco Secure ACS For Windows TACACS+, authentication fails with AD

    I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for Switches and Routers  I am using Windows 2003 server for the ACS,
  and a Windows 2003 Active Directory server.  The AD server is fine, as it is used for many other things.
  I have set up ACS as defined nit he installation guide, including all the steps in the 'Member Server' section of the install guide
  when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
  on the domain etc).
  I've set the unknown user policy to use the Windows database if the internal database doesn;t contain the user details.
  If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
  02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,(geting error message as INternal Error)
  I've scoured google etc, and just cannot come up with any reason why this should be happening.
    I've followed all the install guides to the letter.  I need to get this up and running as soon as possible,
  so am looking forward to finding out if anyone can help me with this one!
  THanks and regards
  Sharan

  Hi  Jesse,
  Thasts a great answer and Soution.
  My previous version was 4.2 and it was installed on 64 bit machine hence getting internal Error.
  After this answer i have upgraded it to ACS4.2.1 and its started working fine
  Thanks very much for the help
  Dipu

• How to use tacacs+ authentication to assign a group policy at login in Cisco ASA

  Hi everyone
  As title, anyone knows how it works?
  I only found it can work with LDAP authentication, but not in TACACS+
  http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html#noaccessgp
  please give me a hand, thanks.

  Hi Karten,
  I have the similar requirement and I used the ACS and configure Auth profile and map the RADIUS class (25) value as ASA group-policy name (even tried with tunnel-group name), but it does not work. It allows whatever vpn group that user select regardless of the user groups he belongs to.
  I use two ACS local users and put them in two different groups and maped those two groups with two different Access rules in the ACS and pointed to correct Auth profile etc.
  I am not sure what could be the issue and appreciate if you can advise.
  thanks in advance.