Tacacs Authentication - VRF ?
Hi !
Our Management LAN for accessing the switch is reachable through a VRF.
I tried to configure TACACS+ for User Authentication - by specifying "ip tacacs source-interface vlxxx".
This vlxxx is a member of this Management-VRF.
But the switch does NOT send any TACACS request through that particular VRF.
Could you plz help me ?
thx
Hans
I'm having the same issue with a router running: c2800nm-advipservicesk9-mz.124-15.T1.bin
The config is as follows:
aaa new-model
aaa group server tacacs+ TACACSGROUP
 server-private 10.1.2.49 port 49 key 7 143A070718xxxxx26616572000156
 ip vrf forwarding XXXX-General
 ip tacacs source-interface GigabitEthernet0/0.9
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
ip vrf XXXX-General
 rd 1:10
 route-target export 1:10
 route-target import 1:10
ip vrf XXXX-Guest
 rd 1:30
 route-target export 1:30
 route-target import 1:30
ip vrf XXXX-Voice
 rd 1:20
 route-target export 1:20
 route-target import 1:20
interface GigabitEthernet0/0
 description port21-switch(10.27.1.30)-trunk
 no ip address
 duplex auto
 speed auto
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding XXXX-General
 ip address 10.27.1.1 255.255.0.0
interface GigabitEthernet0/0.2
 encapsulation dot1Q 172
 ip vrf forwarding XXXX-Guest
 ip address 172.16.27.1 255.255.255.0
interface GigabitEthernet0/0.9
 encapsulation dot1Q 9
 ip vrf forwarding XXXX-General
 ip address 10.235.30.1 255.255.255.0
 h323-gateway voip bind srcaddr 10.235.30.1
interface Serial0/0/0:1
 description Sprint MPLS
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
 service-policy output WAN-INGRESS
interface Serial0/0/0:1.301 point-to-point
 ip vrf forwarding XXXX-General
 ip address 10.150.1.1 255.255.255.240
 frame-relay interface-dlci 301
interface Serial0/0/0:1.401 point-to-point
 ip vrf forwarding XXXX-Voice
 ip address 10.151.1.1 255.255.255.240
 frame-relay interface-dlci 401
interface Serial0/0/0:1.501 point-to-point
 ip vrf forwarding XXXX-Guest
 ip address 10.152.1.1 255.255.255.240
 frame-relay interface-dlci 501
router eigrp 100
 no auto-summary
 address-family ipv4 vrf XXXX-Voice
  auto-summary
  autonomous-system 20
 exit-address-family
 address-family ipv4 vrf XXXX-Guest
  network 172.16.0.0
  auto-summary
  autonomous-system 30
 exit-address-family
 address-family ipv4 vrf XXXX-General
  redistribute bgp 65001 metric 10000 100 255 1 1500
  network 10.27.0.0 0.0.255.255
  no auto-summary
  autonomous-system 2
 exit-address-family
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 address-family ipv4 vrf XXXX-Voice
  neighbor 10.151.1.2 remote-as 1803
  neighbor 10.151.1.2 password 7 153E0xxxxx3627
  neighbor 10.151.1.2 version 4
  neighbor 10.151.1.2 activate
  no synchronization
 exit-address-family
 address-family ipv4 vrf XXXX-Guest
  neighbor 10.152.1.2 remote-as 1803
  neighbor 10.152.1.2 password 7 1062001xxx318180138
  neighbor 10.152.1.2 version 4
  neighbor 10.152.1.2 activate
  no synchronization
 exit-address-family
 address-family ipv4 vrf XXXX-General
  neighbor 10.150.1.2 remote-as 1803
  neighbor 10.150.1.2 password 7 07232xxxx41816031719
  neighbor 10.150.1.2 version 4
  neighbor 10.150.1.2 activate
  no synchronization
  network 10.27.0.0 mask 255.255.0.0
  network 10.235.30.0 mask 255.255.255.0
 exit-address-family
ip tacacs source-interface GigabitEthernet0/0.9
tacacs-server host 10.1.2.49
tacacs-server directed-request
tacacs-server key 7 080Cxxxxxxxxxx
Any insight would be great.
Chris Serafin
Similar Messages
-
Gooday
I'm trying to configure tacacs per Vrf but no luck, I've been using docs from Cisco, can somebody help me if my config is correct?
here is my current config
aaa group server tacacs+ tacacs1
 server-private 183.x.x.x key 7 XXXXXX
 ip vrf forwarding NMS
 ip tacacs source-interface Vlan89
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
ip vrf NMS
 description OOB NMS VRF
 rd 110:100
interface Vlan89
 description to DIA monitoring
 ip vrf forwarding NMS
 ip address 183.109.191.11 255.255.255.0
end
ip vrf NMS
thanks
thanks Carlos,
I followed your suggestion, I think there will be only a change in the aaa authentication statement,
I'm very careful on changing the aaa statement, and don't want to change it without your expert advice, the router is located in a different country and no one will reboot if I lose the connection
The first "password" prompt you get is for the local enable password? We might need to enable "Debug aaa authentication" and "debug tacacs" and recreate the issue.
ans: yes, first it will ask for the local password
below is the debug
AAA Authentication debugging is on
crt-tw1-602#
*Jan 18 00:39:40: AAA/BIND(00000084): Bind i/f
*Jan 18 00:39:40: AAA/AUTHEN/LOGIN (00000084): Pick method list 'default'
*Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN
*Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Done status GET_PASSWORD
*Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN
*Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Done status PASS
*Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1
*Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0
*Jan 18 00:39:54: AAA/MEMORY: create_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
*Jan 18 00:39:54: AAA/MEMORY: free_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
*Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1
*Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0
*Jan 18 00:39:54: AAA/MEMORY: create_user (0x7067DF54) user='NULL' ruser='NULL' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): port='tty450' list='' action=LOGIN service=ENABLE
*Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): using "default" list
*Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): Method=tacacs1 (tacacs+)
*Jan 18 00:39:54: TAC+: send AUTHEN/START packet ver=192 id=-165001963
*Jan 18 00:39:54: TAC+: ver=192 id=-165001963 received AUTHEN status = GETUSER
*Jan 18 00:39:54: AAA/AUTHEN(4129965333): Status=GETUSER
*Jan 18 00:40:06: AAA/AUTHEN/CONT (4129965333): continue_login (user='(undef)')
*Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETUSER
*Jan 18 00:40:06: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)
*Jan 18 00:40:06: TAC+: send AUTHEN/CONT packet id=-165001963
*Jan 18 00:40:06: TAC+: ver=192 id=-165001963 received AUTHEN status = GETPASS
*Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETPASS
*Jan 18 00:40:09: AAA/AUTHEN/CONT (4129965333): continue_login (user='lesterm.admin')
*Jan 18 00:40:09: AAA/AUTHEN(4129965333): Status=GETPASS
*Jan 18 00:40:09: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)
*Jan 18 00:40:09: TAC+: send AUTHEN/CONT packet id=-165001963
*Jan 18 00:40:10: TAC+: ver=192 id=-165001963 received AUTHEN status = PASS
*Jan 18 00:40:10: AAA/AUTHEN(4129965333): Status=PASS
*Jan 18 00:40:10: AAA/MEMORY: free_user (0x7067DF54) user='lesterm.admin' ruser='NULL' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
crt-tw1-602#
crt-tw1-602#debug tacacs
TACACS access control debugging is on
crt-tw1-602#
*Jan 18 00:41:44: TPLUS: Queuing AAA Authentication request 133 for processing
*Jan 18 00:41:44: TPLUS: processing authentication start request id 133
*Jan 18 00:41:44: TPLUS: Authentication start packet created for 133()
*Jan 18 00:41:44: TPLUS: Using server 183.111.21.100
*Jan 18 00:41:44: TPLUS(00000085)/0/NB_WAIT/7050EE30: Started 5 sec timeout
*Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out
*Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out, clean up
*Jan 18 00:41:49: TPLUS(00000085)/0/7050EE30: Processing the reply packet
*Jan 18 00:41:58: TAC+: no tacacs servers defined in group "tacacs+"
*Jan 18 00:41:58: TAC+: send AUTHEN/START packet ver=192 id=1096121892
*Jan 18 00:41:58: TAC+: Using default tacacs server-group "tacacs1" list.
*Jan 18 00:41:58: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5
*Jan 18 00:41:58: TAC+: Opened TCP/IP handle 0x7065A0B8 to 183.111.21.100/49 using source 183.109.191.11
*Jan 18 00:41:58: TAC+: 183.111.21.100 (1096121892) AUTHEN/START/LOGIN/ASCII queued
*Jan 18 00:41:58: TAC+: (1096121892) AUTHEN/START/LOGIN/ASCII processed
*Jan 18 00:41:58: TAC+: ver=192 id=1096121892 received AUTHEN status = GETUSER
*Jan 18 00:42:02: TAC+: send AUTHEN/CONT packet id=1096121892
*Jan 18 00:42:02: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued
*Jan 18 00:42:02: TAC+: (1096121892) AUTHEN/CONT processed
*Jan 18 00:42:02: TAC+: ver=192 id=1096121892 received AUTHEN status = GETPASS
*Jan 18 00:42:09: TAC+: send AUTHEN/CONT packet id=1096121892
*Jan 18 00:42:09: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued
*Jan 18 00:42:10: TAC+: (1096121892) AUTHEN/CONT processed
*Jan 18 00:42:10: TAC+: ver=192 id=1096121892 received AUTHEN status = FAIL
*Jan 18 00:42:10: TAC+: Closing TCP/IP 0x7065A0B8 connection to 183.111.21.100/49
*Jan 18 00:42:12: TAC+: no tacacs servers defined in group "tacacs+"
*Jan 18 00:42:12: TAC+: send AUTHEN/START packet ver=192 id=-1420048987
*Jan 18 00:42:12: TAC+: Using default tacacs server-group "tacacs1" list.
*Jan 18 00:42:12: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5
*Jan 18 00:42:12: TAC+: Opened TCP/IP handle 0x62741B98 to 183.111.21.100/49 using source 183.109.191.11
*Jan 18 00:42:12: TAC+: 183.111.21.100 (2874918309) AUTHEN/START/LOGIN/ASCII queued
*Jan 18 00:42:12: TAC+: (2874918309) AUTHEN/START/LOGIN/ASCII processed
*Jan 18 00:42:12: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETUSER
*Jan 18 00:42:16: TAC+: send AUTHEN/CONT packet id=-1420048987
*Jan 18 00:42:16: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued
*Jan 18 00:42:16: TAC+: (2874918309) AUTHEN/CONT processed
*Jan 18 00:42:16: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETPASS
*Jan 18 00:42:19: TAC+: send AUTHEN/CONT packet id=-1420048987
*Jan 18 00:42:19: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued
*Jan 18 00:42:20: TAC+: (2874918309) AUTHEN/CONT processed
*Jan 18 00:42:20: TAC+: ver=192 id=-1420048987 received AUTHEN status = PASS
*Jan 18 00:42:20: TAC+: Closing TCP/IP 0x62741B98 connection to 183.111.21.100/49
crt-tw1-602#
crt-tw1-602#
crt-tw1-602# -
Problem setting 7606 router for TACACS+ authentication
Hello Support Community,
I have two Cisco 7606 routers which I have tried in vain to have users authenticated using TACACS+ servers. As shown below, I have two servers (1.1.1.1 and 2.2.2.2) reachable via vrf OAM which is reachable from desktops for ssh login. The true IP addresses and vrf have been altered because it's a company router.
I use the two servers to authenticate many other Cisco devices in the network they are working fine.
I can reach the servers from the vrf and the source interface in use. I can also telnet port 49 of the servers from the source interface and the vrf.
The server key is hidden but at the time of configuration, I can ascertain that it's correct.
The problem is that after configuring for TACACS authentication, the router still uses the enable password instead of TACACS. While the debug output shows 'bad password', why is the router not authenticating using TACACS? Why is it using the enable password?
Please study the outputs below and help point out what I may need to change.
PS: I have tried out many other combinations, including deprecated ones without success including the method suggested in this page;
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html
Please help I'm stuck.
ROUTER#sh running-config | sec aaa
aaa new-model
aaa group server tacacs+ admin
 server name admin
 server name admin1
 ip vrf forwarding OAM
 ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
aaa session-id common
ROUTER#sh running-config | sec tacacs
aaa group server tacacs+ admin
 server name admin
 server name admin1
 ip vrf forwarding OAM
 ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
tacacs server admin
 address ipv4 1.1.1.1
 key 7 XXXXXXXXXXXXXXXXXXXX
tacacs server admin1
 address ipv4 2.2.2.2
 key 7 XXXXXXXXXXXXXXXXxxxx
line vty 0 4
 login authentication admin
ROUTER#sh tacacs
Tacacs+ Server - public :
Server name: admin
Server address: 1.1.1.1
Server port: 49
Socket opens: 15
Socket closes: 15
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
Tacacs+ Server - public :
Server name: admin1
Server address: 2.2.2.2
Server port: 49
Socket opens: 15
Socket closes: 15
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
Oct 22 12:38:57.587: AAA/BIND(0000001A): Bind i/f
Oct 22 12:38:57.587: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
Oct 22 12:39:04.335: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
Oct 22 12:39:10.679: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
ROUTER#sh ver
Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Fri 30-Mar-12 08:34 by prod_rel_team
ROM: System Bootstrap, Version 12.2(33r)SRE, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
ROUTER uptime is 7 weeks, 5 days, 16 hours, 48 minutes
Uptime for this control processor is 7 weeks, 5 days, 16 hours, 49 minutes
System returned to ROM by reload (SP by reload)
System restarted at 20:00:59 UTC Wed Aug 28 2013
System image file is "sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3.bin"
Last reload type: Normal Reload
Last reload reason: power-on
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco CISCO7606-S (M8500) processor (revision 1.1) with 3670016K/262144K bytes of memory.
Processor board ID FOX1623G61B
BASEBOARD: RSP720
CPU: MPC8548_E, Version: 2.1, (0x80390021)
CORE: E500, Version: 2.2, (0x80210022)
CPU:1200MHz, CCB:400MHz, DDR:200MHz,
L1: D-cache 32 kB enabled
I-cache 32 kB enabled
Last reset from power-on
3 Virtual Ethernet interfaces
76 Gigabit Ethernet interfaces
8 Ten Gigabit Ethernet interfaces
3964K bytes of non-volatile configuration memory.
500472K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
Configuration register is 0x2102
In order to resolve this issue, please replace the below listed command
aaa authentication login admin group tacacs+ local enable
with:
aaa authentication login default group admin local enable
You defined the server group name as the method list and, instead of using admin as a server-group, you used tacacs+.
Note: Please ensure you have a local user and enable password configured in case the tacacs server is unreachable.
~BR
Jatin Katyal
**Do rate helpful posts** -
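The mix-up described in the reply above, a method list that names the built-in "tacacs+" group while the servers sit in a VRF-bound named group, can be caught by a small config check. The following Python is an added example, not part of the original thread or any Cisco tool; the function names and the sample configs (constructed from the AAA lines posted on this page) are assumptions.

```python
import re

BUILTIN = {"tacacs+", "radius"}  # built-in server groups
GROUP_HDR = re.compile(r"^aaa group server (tacacs\+|radius) (\S+)$")
METHOD_LINE = re.compile(r"^aaa (authentication|authorization|accounting) ")
GROUP_REF = re.compile(r"\bgroup (\S+)")

# Constructed samples, built from the AAA lines posted on this page.
SAMPLE_7606_BEFORE = """\
aaa new-model
aaa group server tacacs+ admin
 server name admin
 server name admin1
 ip vrf forwarding OAM
 ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
"""
SAMPLE_7606_AFTER = SAMPLE_7606_BEFORE.replace(
    "aaa authentication login admin group tacacs+ local enable",
    "aaa authentication login default group admin local enable",
)
# Flattened (no indentation), as forum pastes often are.
SAMPLE_VRF_NMS = """\
aaa group server tacacs+ tacacs1
server-private 183.x.x.x key 7 XXXXXX
ip vrf forwarding NMS
ip tacacs source-interface Vlan89
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
"""


def parse_groups(config):
    """Return {name: {"proto", "servers", "private", "vrf"}} for named groups.

    Sub-commands are recognised by keyword rather than indentation, so the
    parser also works on configs whose leading spaces were lost.
    """
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        hdr = GROUP_HDR.match(line)
        if hdr:
            current = {"proto": hdr.group(1), "servers": [],
                       "private": False, "vrf": None}
            groups[hdr.group(2)] = current
        elif current is not None and line.startswith("server-private "):
            current["servers"].append(line.split()[1])
            current["private"] = True
        elif current is not None and line.startswith("server "):
            current["servers"].append(line.split()[-1])
        elif current is not None and line.startswith("ip vrf forwarding "):
            current["vrf"] = line.split()[-1]
        elif current is not None and line.startswith("ip tacacs source-interface "):
            pass  # still inside the group block
        else:
            current = None  # any other line ends the group block
    return groups


def audit(config):
    """Return (line, finding, groups) tuples for suspicious method lists.

    builtin-group:   the list names the built-in group although a named group
                     of the same protocol holds private or VRF-bound servers.
    undefined-group: the list names a group that is not defined at all.
    """
    groups = parse_groups(config)
    isolated = {n: g for n, g in groups.items() if g["vrf"] or g["private"]}
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if not METHOD_LINE.match(line):
            continue
        for ref in GROUP_REF.findall(line):
            if ref in BUILTIN:
                named = sorted(n for n, g in isolated.items() if g["proto"] == ref)
                if named:
                    findings.append((line, "builtin-group", named))
            elif ref not in groups:
                findings.append((line, "undefined-group", [ref]))
    return findings


if __name__ == "__main__":
    samples = [("7606 before", SAMPLE_7606_BEFORE),
               ("7606 after", SAMPLE_7606_AFTER),
               ("vrf NMS", SAMPLE_VRF_NMS)]
    for label, cfg in samples:
        print(label)
        for line, kind, names in audit(cfg):
            print(f"  {kind}: {line!r} -> consider group {', '.join(names)}")
```
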
Tacacs authentication fails for one user account for only one switch
Hi,
I am having a scenario where Tacacs authentication fails for one user account for only one switch.
The same user account works well for other devices.
The AAA configs are the same on every device in the network.
Here's the show tacacs output from the switch where only one user account fails;
Socket opens: 157
Socket closes: 156
Socket aborts: 303
Socket errors: 1
Socket Timeouts: 2
Failed Connect Attempts: 0
Total Packets Sent: 1703
Total Packets Recv: 1243
Expected Replies: 0
What could be the reason ?
No errors on ACS server; same rights had been given to the user account.
Thanks to advise.
Prasey
Hi there,
Does the user get authenticated in the ACS logs?
reports and activity----> failed attempts
or
reports and activity-----> passed authentications
That will help narrow it down.
Brad -
Tacacs+ authentication/authorization based on user's subnet
Hi Guys/Girls
We have number of production cisco gears, all of which are configured with Tacacs+ and all of them working just fine. But now I have a requirement to implement SSH-ver2 across whole network, comprise of about 8000 cisco gears.
I need to develop a proof of concept (POC), that enabling SSH on production gears will not affect existing Tacacs+ users authentication and authorization.
In our lab cisco gears, it has been already configured with production Tacacs+ server for authentication and authorization. Now I am allowed to test SSH on these lab-gears but without disrupting other users who are using the same lab-gears.
So, I want to enable SSH version 2 on these lab-gears however, when user coming from a certain specific subnet, this particular user must be authenticated and authorized by LAB Tacacs+ but not from production Tacacs+, however please note that lab-gears I am testing with also already configured for production Tacacs+ server as well. These lab-gears must be able to do authentication and authorization to two different Tacacs+ server based on users subnet that he or she coming from.
Is this doable plan? I have been looking for a documentation to implement test this method, not being successful.
Your feedback will be appreciated and rated.
Thanks
Rizwan Rafeek
Riswan,
This will not work, tacacs authentication starts once the ssh connection is established, the NAD (switch or router) will open a tacacs connection and send the start flag to the tacacs server in which the message "getusername" is sent from the tacacs server to the device and to the user terminal. You can not create an acl in order to pick which tacacs servers you can authenticate to either. So when it comes to authenticating users from a specific subnet to a specific tacacs server that is not the intended design of tacacs, when you configure multiple servers in a group it is to ensure high availability such that when one tacacs server goes down you have a secondary to continue with the authentication requests.
Here is an example of how the tacacs authentication is performed.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic
thanks and I hope that helps,
Tarik Admani
*Please rate helpful posts* -
TACACS+ Authentication For Cisco NAM
Hi All,
I have a cisco ACS v5.1 and also a cisco NAM. Currently, I have configured TACACS+ on the NAM and the ACS v5.1 however when I try to access the NAM, the ACS v5.1 has an error message of "TACACS+ authentication ended with error" and I am not able to access the equipment.
For your information, I have no problem with other equipment's TACACS+ authentication with the same ACS.
Please advise.
Thks and Rgds
Steven
I would first suggest that you verify that your ACS has an appropriate and correct entry configured for the NAM as a client. Assuming that is correct then I would suggest that you check and verify that the NAM is originating its TACACS requests from the address that you configured for the client on the ACS and that the shared secret is the same on both devices.
If those are correct then I would suggest to look in the Failed Attempts report of ACS and see if it provides a better identification of the problem.
HTH
Rick -
Can I integrate TACACS+ authentication with MS AD?
hi, I would like to using MS AD account as a tacacs authentication account. I use tac_plus-F4.0.4.7 on Freebsd. Does anyone get some ideas? thank you!
Although that is an interesting thought, I am also not up on that software and not sure this would be the best place to get that answer. For Cisco's Secure ACS, it is merely a click of the button. ACS from Cisco has many other features that I do know are not available in the few open source TACACS+ servers I have seen. I see no advantage even for small companies going this route given that the savings in dollars is little compared to the loss in functionality and interoperability among Cisco's products.
-
Tacacs authentication problem.
Hy,
I have a network with several layer 2 (c2960) attached to a layer 3 switch (c3750).
All these switches are behind a firewall (ASA 5510) and the firewall is connected to a router c3810.
I have an ACS v.4.x to use as a Tacacs server.
In all the equipments I have aaa authentication with tacacs and vlans.
To test the tacacs authentication in the switch, I created a bypass to the firewall and connected the network (using a management vlan) to the router.
With this scenario the tacacs authentication works.
If I disconnect the bypass, all the traffic cross over the firewall. But I will not have the tacacs working anymore with the switch.
I do not understand why!!?
I have another problem, this time with the firewall.
I configured the tacacs and the aaa in the firewall, as advised by Cisco.
But it seems that it doesn’t work!
In these two cases only the local authentication works.
Can you help me, please?
Thanks in advance,
Rui Oliveira
Hy,
I am doing tests in a Lab.
So, the addresses presented here are not Internet routable.
The configuration for the tacacs at the ASA is:
aaa-server TACACS protocol tacacs+
aaa-server TACACS (OUT_MANGMT) host 172.16.20.10
key mykey
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authorization command LOCAL
aaa accounting enable console TACACS
aaa accounting telnet console TACACS
aaa accounting ssh console TACACS
aaa local authentication attempts max-fail 5
aaa authorization exec LOCAL
I'm doing the tests with an ASA with the IP address 10.183.0.61.
And this address is seen from the outside, but I do a NAT between the 10.183.0.61 and the IP address 192.168.100.2 in the TCP/23.
Besides that I have an interface called OUT_MANGMT, with IP address 192.168.100.2.
I have another interface that is called GESTAO, with IP address 10.183.0.61.
This interface GESTAO is connected to a management vlan.
My ACS has IP 172.16.20.10 and the standard port for tacacs is tcp/49.
I send the logging file that I take from my firewall.
Thanks,
Rui -
TACACS+ authentication fails VPN3000 administration sessions
I have a problem when running TACACS+ authentication of VPN3000 administration sessions. If the admin account in the AAA-server has an expired password the login fails to the VPN3000. If I login to a router with the same account connected to the same AAA-server I get a prompt that tells me to change password since it has expired. After changing password through that login to a router I can also login to the VPN3000. Is it a limitation in VPN3000? Does it have a hard time presenting a password change dialog on a webpage?
Any help appreciated.
Håkan
In concentrators you won't get any prompt for password expiry. You will have to change the password before it expires.
-
Tacacs per vrf not supported on MLS C3750G
HI,
As I already know, the tacacs per vrf is not supported for MLS C3750G and some other old versions of the IOS router or switch, but now I have 2 vrf routing tables configured in my switch. Is there any workaround for this thing to work?? Really appreciate your inputs guys!!!
Thanks for the response but I posted the question after knowing that, I already checked on Feature Navigator that THIS IS NOT SUPPORTED for my router, at the end of my configuration I am proposing a workaround using a tunnel to bypass the nonsupported configuration.
My question to you is, can a configuration with gre with vrf work instead of the nonsupported configuration?
I know that the alternative is to run Radius but it is more paperwork to do than trying to implement a solution with the current IOS.
Thanks and sorry if I didn't make myself clear at the beginning of my first post. -
ANM 4.2 Tacacs authentication
The documentation for configuring Tacacs authentication at this link (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/4.2/user/guide/UG_admin.html#wp1267519) states the following:
Note For the ACE to properly perform user authentication using a TACACS+ server, the username and password must be identical on both ANM and the TACACS+ server.
If the user id and password have to be the same, what is the point of using Tacacs for authentication? Someone tell me that I can use a TACACS+ server without being forced to keep the user id and password synched between ANM and Tacacs.
This has now been corrected
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/4.2/user/guide/UG_admin.html#wp1275208
Matthew -
Software to test RADIUS/TACACS authentication to ACS server
Hi experts,
Is anyone aware of a software that will test RADIUS and/or TACACS authentication to an ACS server from a PC? Same as what you can do on the Cisco VPN concentrator from the page Configuration | System | Servers | Authentication | Test Screen.
Thanks in advance!
If you look in the ACS utils folder you'll see radtest and tactest.exe
These can be used to generate test packets. If you install ACS on another PC you can fire requests from that other PC too.
I think Vasco (token card vendor) had a really nice GUI based RADIUS client too.
Darran -
Tacacs+ Authenticating the Enable Password
I have the following configuration on my switch and it works correctly:
aaa group server tacacs+ tacacs_serv
 server 192.168.70.20
aaa authentication login tac_auth group tacacs_serv local
line vty 0 15
 login authentication tac_auth
 transport input ssh
The configuration above works correctly, my username/pwd are authenticated via Tacacs+ and the "enable" password is confirmed via the local database on the switch.
When I make the following changes, attempting to have Tacacs validate the username/pwd as well as the "enable" password, I cannot log into the switch at all.
aaa group server tacacs+ tacacs_serv
 server 192.168.70.20
aaa authentication login default group tacacs_serv local
aaa authentication enable default group tacacs_serv enable
line vty 0 15
 login authentication default
 transport input ssh
The switch is running 12.2(44)SE6. The username/pwd are in the local database of the Linux server. The Enable password is configured in two places within the tac_plus.conf file:
host = 192.168.70.15 {
    prompt = "Enter your Username and Password. Username: "
    enable = cleartext "password"
}
AND
user = $enab15$ {
    login = cleartext "password"
}
Any help would be appreciated.
Thanks
I added the priv-lvl to enable15:
user = $enabl15$ {
    login = cleartext 802.11boingo
    priv-lvl = 15
}
It is also in the testuser config:
user = testuser {
    login = PAM
    member = admin
    service = exec
    priv-lvl = 15
}
It is also in the group config:
group = admin {
    # group members who don't have their own login password will be
    # looked up in /etc/passwd
    #login = file /etc/passwd
    login = PAM
    # group members who have no expiry date set will use this one
    #expires = "Jan 1 1997"
    # only allow access to specific routers
    acl = default
    # Needed for the router to make commands available to user (subject
    # to authorization if so configured on the router
    service = exec {
        priv-lvl = 15
        #default service = permit
    }
}
Below is the latest debug:
CCG-WLA-TEST-SWT-1>ena
Password:
Dec 10 16:06:45.755: AAA: parse name=tty0 idb type=-1 tty=-1
Dec 10 16:06:45.755: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Dec 10 16:06:45.755: AAA/MEMORY: create_user (0x1F3CB4C) user='testuser' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): port='tty0' list='' action=LOGIN service=ENABLE
Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): using "default" list
Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): Method=tacacs_serv (tacacs+)
Dec 10 16:06:45.755: TAC+: send AUTHEN/START packet ver=192 id=-1121100826
Dec 10 16:06:46.057: TAC+: ver=192 id=-1121100826 received AUTHEN status = GETPASS
Dec 10 16:06:46.057: AAA/AUTHEN (3173866470): status = GETPASS
% Error in authentication. -
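Added example (not part of the original posts): a Python sketch that correlates the AAA and TAC+ lines of the debug above. In this output the two ids are the same 32-bit session id printed unsigned (3173866470) and signed (-1121100826), and ver=192 is 0xC0, TACACS+ major version 0xC with minor version 0. The function names are illustrative, and the sample lines are copied from the debug in the post.

```python
import re

# Sample input: AAA/TAC+ lines copied from the debug output in the post above.
DEBUG = """\
Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): port='tty0' list='' action=LOGIN service=ENABLE
Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): using "default" list
Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): Method=tacacs_serv (tacacs+)
Dec 10 16:06:45.755: TAC+: send AUTHEN/START packet ver=192 id=-1121100826
Dec 10 16:06:46.057: TAC+: ver=192 id=-1121100826 received AUTHEN status = GETPASS
Dec 10 16:06:46.057: AAA/AUTHEN (3173866470): status = GETPASS
"""

AAA_RE = re.compile(r"AAA/AUTHEN(?:/START)? \((\d+)\): (.*)")
TAC_RE = re.compile(r"TAC\+: (.*?)ver=(\d+) id=(-?\d+)(.*)")


def session_id(raw):
    """Normalise an id printed as signed or unsigned 32-bit to unsigned."""
    return int(raw) & 0xFFFFFFFF


def decode_version(ver):
    """Split the TACACS+ version byte into (major, minor) nibbles."""
    return ver >> 4, ver & 0x0F


def correlate(text):
    """Group AAA and TAC+ debug lines into one record per session id."""
    sessions = {}
    for line in text.splitlines():
        aaa, tac = AAA_RE.search(line), TAC_RE.search(line)
        if aaa:
            sid, source, detail = session_id(aaa.group(1)), "AAA", aaa.group(2)
        elif tac:
            sid, source = session_id(tac.group(3)), "TAC+"
            detail = tac.group(1) + tac.group(4)
        else:
            continue
        rec = sessions.setdefault(
            sid, {"service": None, "version": None, "statuses": []})
        if source == "TAC+":
            rec["version"] = decode_version(int(tac.group(2)))
        service = re.search(r"service=(\w+)", detail)
        if service:
            rec["service"] = service.group(1)
        status = re.search(r"status = (\w+)", detail)
        if status:
            rec["statuses"].append((source, status.group(1)))
    return sessions
```

For the sample, the single session record shows service ENABLE and a GETPASS reply seen on both the TAC+ and AAA sides, so the enable request reached the server before the error was printed.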
With Cisco Secure ACS For Windows TACACS+, authentication fails with AD
I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for Switches and Routers. I am using Windows 2003 server for the ACS,
and a Windows 2003 Active Directory server. The AD server is fine, as it is used for many other things.
I have set up ACS as defined in the installation guide, including all the steps in the 'Member Server' section of the install guide
when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
on the domain etc).
I've set the unknown user policy to use the Windows database if the internal database doesn't contain the user details.
If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,(getting error message as Internal Error)
I've scoured Google etc, and just cannot come up with any reason why this should be happening.
I've followed all the install guides to the letter. I need to get this up and running as soon as possible,
so am looking forward to finding out if anyone can help me with this one!
Thanks and regards
Sharan
Hi Jesse,
That's a great answer and solution.
My previous version was 4.2 and it was installed on a 64 bit machine, hence getting the internal error.
After this answer I have upgraded it to ACS4.2.1 and it's started working fine
Thanks very much for the help
Dipu -
Dipu -
How to use tacacs+ authentication to assign a group policy at login in Cisco ASA
Hi everyone
As title, anyone knows how it works?
I only found it can work with LDAP authentication, but not in TACACS+
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html#noaccessgp
please give me a hand, thanks.
Hi Karten,
I have a similar requirement and I used the ACS and configured an Auth profile and mapped the RADIUS class (25) value as the ASA group-policy name (even tried with the tunnel-group name), but it does not work. It allows whatever vpn group that user selects regardless of the user groups he belongs to.
I use two ACS local users and put them in two different groups and mapped those two groups with two different Access rules in the ACS and pointed to the correct Auth profile etc.
I am not sure what could be the issue and appreciate if you can advise.
thanks in advance.