TACACs error
Hi,
I've just tried putting TACACS onto a 7206 VXR (124-4.XD4) and am getting the following error:
%AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
Config is vanilla and has been used on other switches/routers in the network:
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec start-stop tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated local
aaa authorization commands 0 default group tacacs+ if-authenticated local
aaa authorization commands 15 default group tacacs+ if-authenticated local
tacacs-server key xxx
tacacs-server host x.x.x.x
I've been unable to find any bugs or info relating to this error on the web. Has anyone else seen this problem?
Cheers.
Hi Rohit,
Thanks for the feedback. I've removed the command and the issue still appears to be that the router doesn't recognise TACACS although it accepts the commands. When the config is applied it bypasses TACACS for authentication and goes to the enable pwd? The server's reachable via ICMP but showing failed connect attempts along with the AAA-3-BADSERVERTYPEERROR in the log. I've rolled out the same config across multiple platforms in the network. It's just this box that's sulking.
B2UL-bord1#sh tacac
Tacacs+ Server : 10.2.2.66/49
Socket opens: 33
Socket closes: 33
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 29
Total Packets Sent: 0
Total Packets Recv: 0
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key xxx
Cheers
Similar Messages
Not able to ssh to standby GSS
Hi Experts,
I am not able to ssh to standby GSS. It is configured for tacacs... I am able to ssh to primary without any issues.
skdc-gss-int#gss status
TACACS error. Attempting local authorization ...
Cisco GSS - 3.1(0) GSSM - standby [Tue May 26 12:37:25 UTC 2009]
Registered to primary GSSM: 10.71.250.130
Normal Operation [runmode = 5]
START SERVER
May02 Boomerang
May02 Config Agent (crdirector)
May02 Config Server (crm)
May02 DNS Server
May02 Database
May02 GUI Server (tomcat)
May02 Keepalive Engine
May02 Node Manager
May02 Proximity
May02 Sticky
May02 Web Server (apache)
May02 drp
skdc-gss-int#
skdc-gss-int#sh tacacs
TACACS error. Attempting local authorization ...
Current tacacs server configuration
tacacs-server timeout 60
tacacs-server keepalive-enable
tacacs-server host x.x.x.x port 49 key j1b0ia
tacacs-server host y.y.y.y port 49 key j1b0ia
aaa authentication ssh local
aaa authentication gui local
aaa authorization commands
aaa accounting commands
skdc-gss-int#
skdc-gss-int#sh users
TACACS error. Attempting local authorization ...
Username permission
admin admin
skdc-gss-int#
I'm facing the same issue...
How did you solve the problem? -
Attaching a JOptionFrame to an Applet
Is it possible to attach a JOptionPane to an applet? If so how can this be done?
Thanks.
I already have Null in but it still does not seem to work. Below I have given an example of what my JOptionPane looks like.
Any other suggestions?
Code:
JOptionPane.showMessageDialog(null, "The remote password has expired! Contact System Administrator to re-activate account", "Tacacs+ Error", JOptionPane.WARNING_MESSAGE); -
Hi Expert,
I have two switches, and one of the switches has a problem when I apply the TACACS configuration. I have two servers and am able to ping the server successfully. I'm in doubt when I read the description in the Cisco docs. Please help to identify the cause. Thanks, and I appreciate the help.
switch02#test aaa group tacacs+ btela77 Aug2011b legacy
% Authorization failed.
When I issue show tacacs I find socket errors:
switcho02#show tacacs
Tacacs+ Server : 10.52.0.158/49
Socket opens: 4
Socket closes: 4
Socket aborts: 0
Socket errors: 4
Socket timeout: 0
Failed Connect Attempts: 0
Total Packets Sent: 4
Total Packets Recv: 4
Tacacs+ Server : 10.51.65.94/49
Socket opens: 3
Socket closes: 3
Socket aborts: 0
Socket errors: 0
Socket timeout: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
Hi Rick,
The output from debug is shown below:
Oct 20 06:26:16.889 GMT: TAC+: decrypt: pak is unencrypted but we have a key
Oct 20 06:26:16.889 GMT: TPLUS(0000005B): Decryption failed for AAA request
Oct 20 06:26:16.889 GMT: TPLUS(0000005B)/0/5F9E820: Processing the reply packet
Oct 20 06:26:16.889 GMT: TPLUS: Received Authen status error
Oct 20 06:26:16.897 GMT: TPLUS(0000005B)/0/REQ_WAIT/5F9E820: timed out
Oct 20 06:26:22.350 GMT: TPLUS(0000005B)/0/READ: read entire 18 bytes response
Oct 20 06:26:22.350 GMT: TAC+: decrypt: pak is unencrypted but we have a key
Oct 20 06:26:22.350 GMT: TPLUS(0000005B): Decryption failed for AAA request
Oct 20 06:26:22.350 GMT: TPLUS(0000005B)/0/5AAF32C: Processing the reply packet
Oct 20 06:26:22.350 GMT: TPLUS: received authorization response for 91: FAIL
Oct 20 06:26:22.350 GMT: AAA/AUTHOR/EXEC(0000005B): Authorization FAILED
Could the cause of the error be a shared-key mismatch between the switch and the TACACS server?
Full debug output is attached. Thanks -
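The two `show tacacs` dumps in this section fail in different ways once the counters are read together with the debug: the 7206 above opened 33 sockets, logged 29 failed connect attempts and never exchanged a packet, while this switch exchanged four packets each way with its first server but ended with four socket errors and "Decryption failed for AAA request" in the debug. The script below is an added triage example, not code from either post; its sample outputs are constructed copies of the counters and debug lines quoted in the thread, and the class names it returns are this example's own.

```python
"""Triage a TACACS+ server from `show tacacs` counters plus TAC+/TPLUS debug lines.
Added example, not from any post above; sample data is constructed from the
counters and debug lines quoted in the thread."""
import re

# Constructed: the 7206's counters (sockets opened, nothing ever exchanged).
SHOW_TACACS_7206 = """\
Tacacs+ Server : 10.2.2.66/49
Socket opens: 33
Socket closes: 33
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 29
Total Packets Sent: 0
Total Packets Recv: 0
"""

# Constructed: the switch with two servers; the first talks but ends in socket errors.
SHOW_TACACS_SWITCH = """\
Tacacs+ Server : 10.52.0.158/49
Socket opens: 4
Socket closes: 4
Socket aborts: 0
Socket errors: 4
Socket timeout: 0
Failed Connect Attempts: 0
Total Packets Sent: 4
Total Packets Recv: 4
Tacacs+ Server : 10.51.65.94/49
Socket opens: 3
Socket closes: 3
Socket aborts: 0
Socket errors: 0
Socket timeout: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
"""

# Constructed: debug tacacs lines as quoted in the switch post.
DEBUG_SWITCH = [
    "Oct 20 06:26:16.889 GMT: TAC+: decrypt: pak is unencrypted but we have a key",
    "Oct 20 06:26:16.889 GMT: TPLUS(0000005B): Decryption failed for AAA request",
    "Oct 20 06:26:16.889 GMT: TPLUS: Received Authen status error",
    "Oct 20 06:26:22.350 GMT: AAA/AUTHOR/EXEC(0000005B): Authorization FAILED",
]

RE_SERVER = re.compile(r"\s*Tacacs\+ Server\s*:\s*(\S+)")
RE_COUNTER = re.compile(r"\s*([A-Za-z ]+?)\s*:\s*(\d+)\s*$")

# IOS messages that mean a reply arrived but could not be decrypted with our key.
KEY_MISMATCH_MARKERS = ("Decryption failed for AAA request",
                        "pak is unencrypted but we have a key")


def parse_show_tacacs(text):
    """Return {server: {counter name (lowercased): value}} from `show tacacs` output."""
    servers, current = {}, None
    for line in text.splitlines():
        m = RE_SERVER.match(line)
        if m:
            current = m.group(1)
            servers[current] = {}
            continue
        m = RE_COUNTER.match(line)
        if m and current is not None:
            servers[current][m.group(1).strip().lower()] = int(m.group(2))
    return servers


def classify(counters, debug_lines=()):
    """Map one server's counters (and optional debug lines) to a failure class."""
    failed = counters.get("failed connect attempts", 0)
    sent = counters.get("total packets sent", 0)
    recv = counters.get("total packets recv", 0)
    errors = counters.get("socket errors", 0)
    key_trouble = any(marker in line for line in debug_lines for marker in KEY_MISMATCH_MARKERS)
    if failed and not sent and not recv:
        # TCP/49 never came up: ACL, firewall, daemon down, or the device not
        # treating the host as a TACACS+ server (what the first post suspects).
        return "tcp-connect-failing"
    if recv and key_trouble:
        return "shared-key-mismatch"       # replies arrive but cannot be decrypted
    if recv and errors:
        return "socket-errors-after-exchange"
    if not sent and not recv:
        return "unused"                    # configured but never selected, e.g. a backup
    return "healthy"


def triage(show_text, debug_lines=()):
    """Classify every server listed in a `show tacacs` dump."""
    return {srv: classify(ctr, debug_lines)
            for srv, ctr in parse_show_tacacs(show_text).items()}
```

`triage(SHOW_TACACS_7206)` reports the 7206 server as `tcp-connect-failing`; `triage(SHOW_TACACS_SWITCH, DEBUG_SWITCH)` reports the switch's first server as `shared-key-mismatch` and the second as `unused`, which is why checking the second server's reachability would not explain the failure.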
Per-VRF TACACS config gets "Address already in use" error
I have created a per-VRF TACACS config on a couple of network devices. I can ping the ACS servers through the VRF. TACACS makes the attempt to contact the servers, but the following message shows up in the log when I debug TACACS:
*Mar 11 08:57:38 starts: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5
*Mar 11 08:57:38 starts: TAC+: TCP/IP open to x.x.x.x/49 failed -- Address already in use
I can't find anything on CCO that references the "Address already in use" message.
Has anyone run into this?
Hmmm...no, the server group is still there. Did you see the other post which describes the bug ID? The link to the bug is:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl45701
Do you get the IP address is in use log message? -
Tacacs+ authentication errors
I am having problems getting TACACS+ AAA working with my 3560 switches. I have set up users, groups, and NDG on ACS SE as per the CS ACS course material and have triple checked my keys to make sure they match. I have attached debug from switch for authentication, authorization and tacacs+. Can someone please tell me what I am doing wrong?
Here is the config I have on the switch. (sorry should have sent this already).
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication login no_aaa none
aaa authorization exec default group tacacs+ none
aaa authorization exec no_aaa none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization commands 15 no_aaa none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
interface VLAN1
ip address 10.200.1.16 255.255.255.0
no ip directed-broadcast
no ip route-cache
ip tacacs source-interface VLAN1
tacacs-server host 10.200.35.250
tacacs-server key cisco
line con 0
authorization commands 15 no_aaa
authorization exec no_aaa
login authentication no_aaa
transport input none
stopbits 1
line vty 5 15 -
ACS 5.3 - Error when changing Device group or Location
I am trying to move a device from the Default location to a sub group and get the following message when I try (either with IE or Firefox)
This System Failure occurred: Index : 0, Size: 0. Your changes have not been saved. Click OK to return to the list page.
It also gives me the same error if I try and change the Device type from default to a sub group. I'm sure I could do this previously. The ACS build is (VMware install):
Cisco Application Deployment Engine OS Release: 1.2
ADE-OS Build Version: 1.2.0.228
ADE-OS System Architecture: i386
Copyright (c) 2005-2009 by Cisco Systems, Inc.
All rights reserved.
Hostname: ACS1
Version information of installed applications
Cisco ACS VERSION INFORMATION
Version : 5.3.0.40
Internal Build ID : B.839
I'm suspecting it's a read/write issue with the database or a database corruption. Can anyone enlighten me on how to fix it please?
I have stopped and started the application acs via the console and show application status acs has the following to say about itself.
ACS1/admin# show application status acs
ACS role: PRIMARY
Process 'database' running
Process 'management' running
Process 'runtime' running
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running
Mel
Does this happen to a small number of network devices or the whole set?
If the former then I found the following CDETS
CSCtw59271 Random Network Device corruption after upgrade from ACS 5.2 to 5.3
Which includes the following workaround
Symptom 1: Delete and re-add the AAA client
Symptom 2: Modify the TACACS+ shared secret of the Network Device, re-enter the same key and save the Network device.
>>>> Use case where TACACS+ was used
There are some important fixes related to upgrade issues in patch 5 and later for ACS 5.3. While these do not relate to NDs I do recommend installing this patch -
Not able to login to router using ssh when TACACS server is down
When the TACACS server is not reachable the router is not allowing the local password to log in using SSH. The router's SSH debug says authentication is successful but the SSH client gets a % Authorization failed message and disconnects.
Kindly see the debug output and config below.
SSH server end:
Sep 1 13:25:10.161: SSH1: starting SSH control process
Sep 1 13:25:10.165: SSH1: sent protocol version id SSH-1.5-Cisco-1.25
Sep 1 13:25:10.241: SSH1: protocol version id is - SSH-1.5-Cisco-1.25
Sep 1 13:25:10.241: SSH1: SSH_SMSG_PUBLIC_KEY msg
Sep 1 13:25:10.397: SSH1: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03
Sep 1 13:25:10.397: SSH: RSA decrypt started
Sep 1 13:25:10.925: SSH: RSA decrypt finished
Sep 1 13:25:10.925: SSH: RSA decrypt started
Sep 1 13:25:11.165: SSH: RSA decrypt finished
Sep 1 13:25:11.197: SSH1: sending encryption confirmation
Sep 1 13:25:11.197: SSH1: keys exchanged and encryption on
Sep 1 13:25:11.269: SSH1: SSH_CMSG_USER message received
Sep 1 13:25:11.269: SSH1: authentication request for userid rao
Sep 1 13:25:16.297: SSH1: SSH_SMSG_FAILURE message sent
Sep 1 13:25:17.313: SSH1: SSH_CMSG_AUTH_PASSWORD message received
Sep 1 13:25:17.317: SSH1: authentication successful for rao
Sep 1 13:25:17.413: SSH1: requesting TTY
Sep 1 13:25:17.413: SSH1: setting TTY - requested: length 25, width 80; set: length 25, width 80
Sep 1 13:25:17.525: SSH1: SSH_CMSG_EXEC_SHELL message received
Sep 1 13:25:17.525: SSH1: starting shell for vty
Sep 1 13:25:25.033: SSH1: Session terminated normally
SSH Client end Log:
% Authorization failed.
[Connection to 10.255.15.2 closed by foreign host]
Config:
aaa authentication login default group tacacs+ line local
aaa authentication login NO_AUTH line
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization configuration default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
ip domain-name cbi.co.in
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
password xxxx
transport input telnet ssh
Kindly reply with your views.
I believe that the key to understanding your problem is to recognize the subtle difference between authentication and authorization. The authentication process appears to succeed, but the authorization process has failed, according to your error message:
% Authorization failed.
I see that most of your authorization commands include the parameter if-authenticated. But this command does not:
aaa authorization config-commands
I would suggest that you add the if-authenticated parameter to this command and see if it does not fix your problem.
HTH
Rick -
Getting error about VLAN not existing on radio
When I try to enable the 5ghz radio on my AIR-AP1142N-A-K9 I get the following error:
VLAN '100' doesn't exist on 'Radio1-802.11N 5GHz' (see Services>VLAN)
In the vlan it is enabled. What gives?
Config below:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap-1140-southwing
logging rate-limit console 9
enable secret xxxxxxxxxxxxxxxxxxxx
aaa new-model
aaa group server radius rad_eap
server 192.168.1.187 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
server 192.168.1.187 auth-port 1812 acct-port 1813
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
dot11 syslog
dot11 vlan-name 5gwifi vlan 300
dot11 vlan-name jchcenterprise vlan 130
dot11 vlan-name public vlan 100
dot11 ssid jchccorp
vlan 120
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 115A4A50461808040778797478
dot11 ssid jchcpublic
vlan 100
authentication open
mbssid guest-mode
username Cisco password 7 10640C1C15435C5B
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 120 mode ciphers aes-ccm tkip
encryption vlan 130 mode ciphers aes-ccm tkip
ssid jchccorp
ssid jchcpublic
antenna gain 0
mbssid
channel width 40-below
channel 2422
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 subscriber-loop-control
bridge-group 100 block-unknown-source
no bridge-group 100 source-learning
no bridge-group 100 unicast-flooding
bridge-group 100 spanning-disabled
interface Dot11Radio0.120
encapsulation dot1Q 120
no ip route-cache
bridge-group 120
bridge-group 120 subscriber-loop-control
bridge-group 120 block-unknown-source
no bridge-group 120 source-learning
no bridge-group 120 unicast-flooding
bridge-group 120 spanning-disabled
interface Dot11Radio0.130
encapsulation dot1Q 130
no ip route-cache
bridge-group 130
bridge-group 130 subscriber-loop-control
bridge-group 130 block-unknown-source
no bridge-group 130 source-learning
no bridge-group 130 unicast-flooding
bridge-group 130 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
encryption vlan 120 mode ciphers aes-ccm tkip
encryption vlan 300 mode ciphers aes-ccm tkip
ssid jchccorp
antenna gain 0
dfs band 3 block
mbssid
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
channel width 40-above
channel 5180
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 subscriber-loop-control
bridge-group 100 block-unknown-source
no bridge-group 100 source-learning
no bridge-group 100 unicast-flooding
bridge-group 100 spanning-disabled
interface Dot11Radio1.120
encapsulation dot1Q 120
no ip route-cache
bridge-group 120
bridge-group 120 subscriber-loop-control
bridge-group 120 block-unknown-source
no bridge-group 120 source-learning
no bridge-group 120 unicast-flooding
bridge-group 120 spanning-disabled
interface Dot11Radio1.300
encapsulation dot1Q 300
no ip route-cache
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
bridge-group 255 spanning-disabled
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface GigabitEthernet0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
no bridge-group 100 source-learning
bridge-group 100 spanning-disabled
interface GigabitEthernet0.120
encapsulation dot1Q 120
no ip route-cache
bridge-group 120
no bridge-group 120 source-learning
bridge-group 120 spanning-disabled
interface GigabitEthernet0.130
encapsulation dot1Q 130
no ip route-cache
bridge-group 130
no bridge-group 130 source-learning
bridge-group 130 spanning-disabled
interface GigabitEthernet0.300
encapsulation dot1Q 300
no ip route-cache
bridge-group 255
no bridge-group 255 source-learning
bridge-group 255 spanning-disabled
interface BVI1
ip address 192.168.1.195 255.255.255.0
no ip route-cache
ip default-gateway 192.168.1.35
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.187 auth-port 1812 acct-port 1813 key 7 002E161650155B
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
end
dot11 ssid jchccorp
vlan 120
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 115A4A50461808040778797478
dot11 ssid jchcpublic
vlan 100
authentication open
mbssid guest-mode
You have 2 SSIDs defined using vlan 120 and vlan 100; if you need another SSID, you need to define the vlan also. If you just want jchccorp on the 5ghz:
interface Dot11Radio1
no ip address
no ip route-cache
encryption vlan 120 mode ciphers aes-ccm tkip
ssid jchccorp
interface Dot11Radio1.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 subscriber-loop-control
bridge-group 100 block-unknown-source
no bridge-group 100 source-learning
no bridge-group 100 unicast-flooding
bridge-group 100 spanning-disabled
interface Dot11Radio1.120
encapsulation dot1Q 120
no ip route-cache
bridge-group 120
bridge-group 120 subscriber-loop-control
bridge-group 120 block-unknown-source
no bridge-group 120 source-learning
no bridge-group 120 unicast-flooding
bridge-group 120 spanning-disabled
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered" -
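Scott's point is that an SSID bound to a radio needs its VLAN defined on that same radio. The script below is an added consistency check, not code from the thread: it cross-references the three places that binding lives in this config style (the `dot11 ssid` block's `vlan` and key-management lines, the radio's `encryption vlan` and `ssid` lines, and the `encapsulation dot1Q` subinterfaces) and reports VLANs present on a radio without a bound SSID, SSIDs whose VLAN has no subinterface on that radio, WPA SSIDs whose VLAN has no encryption entry, and SSIDs left open. SAMPLE_CONFIG is a constructed, trimmed copy of the config above with IOS indentation restored; the finding codes are this example's own.

```python
"""Cross-check SSID, VLAN and radio bindings in an IOS autonomous-AP config.
Added example, not from the thread; SAMPLE_CONFIG is a constructed, trimmed
copy of the config quoted above with IOS indentation restored."""
import re

SAMPLE_CONFIG = """\
dot11 ssid jchccorp
 vlan 120
 authentication open
 authentication key-management wpa version 2
dot11 ssid jchcpublic
 vlan 100
 authentication open
interface Dot11Radio0
 encryption vlan 120 mode ciphers aes-ccm tkip
 encryption vlan 130 mode ciphers aes-ccm tkip
 ssid jchccorp
 ssid jchcpublic
interface Dot11Radio0.100
 encapsulation dot1Q 100
interface Dot11Radio0.120
 encapsulation dot1Q 120
interface Dot11Radio0.130
 encapsulation dot1Q 130
interface Dot11Radio1
 encryption vlan 120 mode ciphers aes-ccm tkip
 encryption vlan 300 mode ciphers aes-ccm tkip
 ssid jchccorp
interface Dot11Radio1.100
 encapsulation dot1Q 100
interface Dot11Radio1.120
 encapsulation dot1Q 120
interface Dot11Radio1.300
 encapsulation dot1Q 300
"""


def parse_ap_config(text):
    """Return (ssids, radios): ssid -> {vlan, wpa}; radio -> {ssids, encryption_vlans, subif_vlans}."""
    ssids, radios, block = {}, {}, None
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if not raw.startswith(" "):          # an unindented command starts a new block
            block = None
            if (m := re.match(r"dot11 ssid (\S+)$", s)):
                ssids[m.group(1)] = {"vlan": None, "wpa": False}
                block = ("ssid", m.group(1))
            elif (m := re.match(r"interface (Dot11Radio\d+)(\.\d+)?$", s)):
                radio = m.group(1)
                radios.setdefault(radio, {"ssids": [], "encryption_vlans": set(), "subif_vlans": set()})
                block = ("radio", radio) if m.group(2) is None else ("subif", radio)
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "ssid":
            if (m := re.match(r"vlan (\d+)$", s)):
                ssids[name]["vlan"] = int(m.group(1))
            elif s.startswith("authentication key-management wpa"):
                ssids[name]["wpa"] = True
        elif kind == "radio":
            if (m := re.match(r"encryption vlan (\d+)", s)):
                radios[name]["encryption_vlans"].add(int(m.group(1)))
            elif (m := re.match(r"ssid (\S+)$", s)):
                radios[name]["ssids"].append(m.group(1))
        elif kind == "subif":
            # The dot1Q tag, not the subinterface number, is what binds the VLAN.
            if (m := re.match(r"encapsulation dot1Q (\d+)$", s)):
                radios[name]["subif_vlans"].add(int(m.group(1)))
    return ssids, radios


def lint(text):
    """Return {radio: [(code, vlan, ssid), ...]} describing binding problems per radio."""
    ssids, radios = parse_ap_config(text)
    report = {}
    for radio, info in radios.items():
        findings, bound = [], set()
        for name in info["ssids"]:
            ssid = ssids.get(name)
            vlan = ssid["vlan"] if ssid else None
            if vlan is None:
                findings.append(("ssid-without-vlan", None, name))
                continue
            bound.add(vlan)
            if vlan not in info["subif_vlans"]:
                findings.append(("missing-subinterface", vlan, name))
            if ssid["wpa"] and vlan not in info["encryption_vlans"]:
                findings.append(("wpa-without-encryption", vlan, name))
            if not ssid["wpa"]:
                findings.append(("open-ssid", vlan, name))
        for vlan in sorted(info["subif_vlans"] - bound):
            findings.append(("orphan-subinterface", vlan, None))
        for vlan in sorted(info["encryption_vlans"] - bound):
            findings.append(("orphan-encryption", vlan, None))
        report[radio] = findings
    return report
```

On the sample, `lint(SAMPLE_CONFIG)["Dot11Radio1"]` lists VLANs 100 and 300 as subinterfaces with no bound SSID and VLAN 300 as an encryption entry with no SSID, which is the shape of mismatch the AP's "VLAN doesn't exist on Radio1" complaint is about; Radio0 gets only an `open-ssid` note for the guest SSID plus the unused VLAN 130 entries.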
I have setup ACS 4.2 and when I run
router# test aaa group tacacs+ myuser mypasswd [ legacy | new-code]
Both options work fine
But when I try and login, over telnet, the request reaches the aaa server, but returns fail !
My commands are :-
tacacs-server host xx.xx.xx.xx single-connection port 49
tacacs-server key xxxxxxxxxxx
aaa authentication banner ^CUnauthorized access forbidden^C
aaa authentication username-prompt "Enter Username: "
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
I don't see the banner NOR the "Enter Username:" prompt.
Also a debug aaa authentication and debug aaa subsys show that the request reaches AAA, but it simply returns fail
I had the same issue in 5.1, but that was due to the tacacs+ single-connection not being set or something similar, and the error there was "shared secret does not match" on the AAA server logs.
I am still new to 4.2, so am still trying to determine where the log files are etc, but since it works with the test command, I can't seem to understand why it fails with telnet.
Any idea why this may be happening?
Thanks
I tried both the suggestions.. no luck
Below is the output of debug, with some lines in BOLD to help you find interesting lines in the log output.
Thanks
fixeddemo#sh run | inc tacacs
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
ip tacacs source-interface FastEthernet0/1
tacacs-server host 10.1.7.15
tacacs-server key xxxxxxxxxx
fixeddemo#sh debugging
General OS:
TACACS+ events debugging is on
TACACS+ authentication debugging is on
TACACS+ packets debugging is on
AAA Authentication debugging is on
AAA Subsystem debugs debugging is on
fixeddemo#
Jun 17 14:15:54.666: AAA/BIND(00000072): Bind i/f
Jun 17 14:15:54.666: AAA/AUTHEN/LOGIN (00000072): Pick method list 'default'
Jun 17 14:15:54.666: AAA SRV(00000072): process authen req
Jun 17 14:15:54.670: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:15:54.670: TPLUS: Queuing AAA Authentication request 114 for processing
Jun 17 14:15:54.670: TPLUS: processing authentication start request id 114
Jun 17 14:15:54.670: TPLUS: Authentication start packet created for 114()
Jun 17 14:15:54.670: TPLUS: Using server 10.1.7.15
Jun 17 14:15:54.670: TPLUS(00000072)/0/NB_WAIT/45585278: Started 5 sec timeout
Jun 17 14:15:54.674: TPLUS(00000072)/0/NB_WAIT: socket event 2
Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 24 (0x18)
Jun 17 14:15:54.674: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Jun 17 14:15:54.674: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:10 (0xA) data_len:0
Jun 17 14:15:54.674: T+: user:
Jun 17 14:15:54.674: T+: port: tty515
Jun 17 14:15:54.674: T+: rem_addr: 10.1.1.216
Jun 17 14:15:54.674: T+: data:
Jun 17 14:15:54.674: T+: End Packet
Jun 17 14:15:54.674: TPLUS(00000072)/0/NB_WAIT: wrote entire 36 bytes request
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: Would block while reading
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: read entire 28 bytes response
Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)
Jun 17 14:15:54.674: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
fixeddemo#
Jun 17 14:15:54.674: T+: msg: Username:
Jun 17 14:15:54.674: T+: data:
Jun 17 14:15:54.678: T+: End Packet
Jun 17 14:15:54.678: TPLUS(00000072)/0/45585278: Processing the reply packet
Jun 17 14:15:54.678: TPLUS: Received authen response status GET_USER (7)
Jun 17 14:15:54.678: AAA SRV(00000072): protocol reply GET_USER for Authentication
Jun 17 14:15:54.678: AAA SRV(00000072): Return Authentication status=GET_USER
fixeddemo#
Jun 17 14:15:58.794: AAA SRV(00000072): process authen req
Jun 17 14:15:58.794: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:15:58.794: TPLUS: Queuing AAA Authentication request 114 for processing
Jun 17 14:15:58.794: TPLUS: processing authentication continue request id 114
Jun 17 14:15:58.794: TPLUS: Authentication continue packet generated for 114
Jun 17 14:15:58.794: TPLUS(00000072)/0/WRITE/47194394: Started 5 sec timeout
Jun 17 14:15:58.794: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
Jun 17 14:15:58.794: T+: session_id 3123693045 (0xBA2FC5F5), dlen 10 (0xA)
Jun 17 14:15:58.794: T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0
Jun 17 14:15:58.794: T+: User msg:
Jun 17 14:15:58.794: T+: User data:
Jun 17 14:15:58.794: T+: End Packet
Jun 17 14:15:58.794: TPLUS(00000072)/0/WRITE: wrote entire 22 bytes request
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: read entire 28 bytes response
Jun 17 14:15:58.798: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
Jun 17 14:15:58.798: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)
fixeddemo#
Jun 17 14:15:58.798: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Jun 17 14:15:58.798: T+: msg: Password:
Jun 17 14:15:58.798: T+: data:
Jun 17 14:15:58.798: T+: End Packet
Jun 17 14:15:58.798: TPLUS(00000072)/0/47194394: Processing the reply packet
Jun 17 14:15:58.798: TPLUS: Received authen response status GET_PASSWORD (8)
Jun 17 14:15:58.798: AAA SRV(00000072): protocol reply GET_PASSWORD for Authentication
Jun 17 14:15:58.798: AAA SRV(00000072): Return Authentication status=GET_PASSWORD
fixeddemo#
Jun 17 14:16:02.502: AAA SRV(00000072): process authen req
Jun 17 14:16:02.502: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:16:02.502: TPLUS: Queuing AAA Authentication request 114 for processing
Jun 17 14:16:02.502: TPLUS: processing authentication continue request id 114
Jun 17 14:16:02.502: TPLUS: Authentication continue packet generated for 114
Jun 17 14:16:02.502: TPLUS(00000072)/0/WRITE/47194394: Started 5 sec timeout
Jun 17 14:16:02.502: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
Jun 17 14:16:02.502: T+: session_id 3123693045 (0xBA2FC5F5), dlen 14 (0xE)
Jun 17 14:16:02.502: T+: AUTHEN/CONT msg_len:9 (0x9), data_len:0 (0x0) flags:0x0
Jun 17 14:16:02.502: T+: User msg:
Jun 17 14:16:02.502: T+: User data:
Jun 17 14:16:02.502: T+: End Packet
Jun 17 14:16:02.506: TPLUS(00000072)/0/WRITE: wrote entire 26 bytes request
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: read entire 18 bytes response
Jun 17 14:16:02.550: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
Jun 17 14:16:02.554: T+: session_id 3123693045 (0xBA2FC5F5), dlen 6 (0x6)
fixeddemo#
Jun 17 14:16:02.554: T+: AUTHEN/REPLY status:2 flags:0x0 msg_len:0, data_len:0
Jun 17 14:16:02.554: T+: msg:
Jun 17 14:16:02.554: T+: data:
Jun 17 14:16:02.554: T+: End Packet
Jun 17 14:16:02.554: TPLUS(00000072)/0/47194394: Processing the reply packet
Jun 17 14:16:02.554: TPLUS: Received authen response status FAIL (3)
Jun 17 14:16:02.554: AAA SRV(00000072): protocol reply FAIL for Authentication
Jun 17 14:16:02.554: AAA SRV(00000072): Return Authentication status=FAIL
fixeddemo#
[ The output below is for the next Username: prompt I believe]
Jun 17 14:16:04.554: AAA/AUTHEN/LOGIN (00000072): Pick method list 'default'
Jun 17 14:16:04.554: AAA SRV(00000072): process authen req
Jun 17 14:16:04.554: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:16:04.554: TPLUS: Queuing AAA Authentication request 114 for processing
Jun 17 14:16:04.554: TPLUS: processing authentication start request id 114
Jun 17 14:16:04.554: TPLUS: Authentication start packet created for 114()
Jun 17 14:16:04.554: TPLUS: Using server 10.1.7.15
Jun 17 14:16:04.554: TPLUS(00000072)/0/NB_WAIT/47194394: Started 5 sec timeout
Jun 17 14:16:04.558: TPLUS(00000072)/0/NB_WAIT: socket event 2
Jun 17 14:16:04.558: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Jun 17 14:16:04.558: T+: session_id 2365877689 (0x8D046DB9), dlen 24 (0x18)
Jun 17 14:16:04.558: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Jun 17 14:16:04.558: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:10 (0xA) data_len:0
Jun 17 14:16:04.558: T+: user:
Jun 17 14:16:04.558: T+: port: tty515
Jun 17 14:16:04.558: T+: rem_addr: 10.1.1.216
Jun 17 14:16:04.558: T+: data:
Jun 17 14:16:04.558: T+: End Packet
Jun 17 14:16:04.558: TPLUS(00000072)/0/NB_WAIT: wrote entire 36 bytes request
Jun 17 14:16:04.558: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:04.558: TPLUS(00000072)/0/READ: Would block while reading
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 43 bytes data)
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: read entire 55 bytes response
Jun 17 14:16:04.562: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Jun 17 14:16:04.562: T+: session_id 2365877689 (0x8D046DB9), dlen 43 (0x2B)
Jun 17 14:16:04.562: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
Jun 17 14:16:04.562: T+: msg: 0x0A User Access Verification 0x0A 0x0A Username:
fixeddemo#
Jun 17 14:16:04.562: T+: data:
Jun 17 14:16:04.562: T+: End Packet
Jun 17 14:16:04.562: TPLUS(00000072)/0/47194394: Processing the reply packet
Jun 17 14:16:04.562: TPLUS: Received authen response status GET_USER (7)
Jun 17 14:16:04.562: AAA SRV(00000072): protocol reply GET_USER for Authentication
Jun 17 14:16:04.562: AAA SRV(00000072): Return Authentication status=GET_USER
fixeddemo# -
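The T+ lines in the debug above are a complete packet trace of one TACACS+ authentication session, and reading them as packets rather than as individual lines is what makes the outcome unambiguous. The parser below is an added example, not code from the post: SAMPLE_DEBUG is a constructed, trimmed copy of the packet lines for session 3123693045, the status and flag names come from RFC 8907, and the packet model and summary functions are this example's own. Rebuilt this way, the trace shows that the "Username:" and "Password:" prompts arrive in the server's AUTHEN/REPLY messages (which is where the prompt text the client sees comes from in this exchange), that the password prompt carries the NOECHO flag, and that the session ends with a server-issued FAIL rather than a timeout or transport error.

```python
"""Reconstruct a TACACS+ login dialogue from IOS `debug tacacs packet` output.
Added example, not from the thread. SAMPLE_DEBUG is a constructed, trimmed copy
of the T+ lines quoted above (session 3123693045); names follow RFC 8907."""
import re
from dataclasses import dataclass

AUTHEN_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                 5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}
REPLY_FLAG_NOECHO = 0x01   # server asks the client not to echo the next input
RE_VERSION = re.compile(r"Version \d+ \(0x[0-9A-Fa-f]+\), type (\d+), seq (\d+)")
RE_SESSION = re.compile(r"session_id (\d+) \(0x[0-9A-Fa-f]+\), dlen (\d+)")
RE_REPLY = re.compile(r"AUTHEN/REPLY status:(\d+) flags:(0x[0-9A-Fa-f]+)")

SAMPLE_DEBUG = [
    "Jun 17 14:15:54.670: TPLUS: Using server 10.1.7.15",
    "Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 1, encryption 1",
    "Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 24 (0x18)",
    "Jun 17 14:15:54.674: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii",
    "Jun 17 14:15:54.674: T+: End Packet",
    "Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 2, encryption 1",
    "Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)",
    "Jun 17 14:15:54.674: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0",
    "Jun 17 14:15:54.674: T+: msg: Username:",
    "Jun 17 14:15:54.678: T+: End Packet",
    "Jun 17 14:15:58.794: T+: Version 192 (0xC0), type 1, seq 3, encryption 1",
    "Jun 17 14:15:58.794: T+: session_id 3123693045 (0xBA2FC5F5), dlen 10 (0xA)",
    "Jun 17 14:15:58.794: T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0",
    "Jun 17 14:15:58.794: T+: End Packet",
    "Jun 17 14:15:58.798: T+: Version 192 (0xC0), type 1, seq 4, encryption 1",
    "Jun 17 14:15:58.798: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)",
    "Jun 17 14:15:58.798: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0",
    "Jun 17 14:15:58.798: T+: msg: Password:",
    "Jun 17 14:15:58.798: T+: End Packet",
    "Jun 17 14:16:02.502: T+: Version 192 (0xC0), type 1, seq 5, encryption 1",
    "Jun 17 14:16:02.502: T+: session_id 3123693045 (0xBA2FC5F5), dlen 14 (0xE)",
    "Jun 17 14:16:02.502: T+: AUTHEN/CONT msg_len:9 (0x9), data_len:0 (0x0) flags:0x0",
    "Jun 17 14:16:02.502: T+: End Packet",
    "Jun 17 14:16:02.550: T+: Version 192 (0xC0), type 1, seq 6, encryption 1",
    "Jun 17 14:16:02.554: T+: session_id 3123693045 (0xBA2FC5F5), dlen 6 (0x6)",
    "Jun 17 14:16:02.554: T+: AUTHEN/REPLY status:2 flags:0x0 msg_len:0, data_len:0",
    "Jun 17 14:16:02.554: T+: End Packet",
]


@dataclass
class Packet:
    seq: int
    hdr_type: int          # 1 = authentication, 2 = authorization, 3 = accounting
    session_id: int = None
    kind: str = None       # START, REPLY or CONT
    status: int = None     # REPLY only
    flags: int = 0         # REPLY only
    msg: str = ""          # server_msg, i.e. the prompt shown to the user

    @property
    def direction(self):
        # Clients send odd sequence numbers, servers even (RFC 8907, section 4.1).
        return "client" if self.seq % 2 else "server"

    @property
    def status_name(self):
        return None if self.status is None else AUTHEN_STATUS.get(self.status, f"UNKNOWN({self.status})")

    @property
    def noecho(self):
        return bool(self.flags & REPLY_FLAG_NOECHO)


def parse_debug(lines):
    """Group the T+ lines into packets; TPLUS/AAA lines are not packet dumps and are skipped."""
    packets, cur = [], None
    for line in lines:
        if "T+: " not in line:
            continue
        body = line.split("T+: ", 1)[1].strip()
        if (m := RE_VERSION.match(body)):
            cur = Packet(seq=int(m.group(2)), hdr_type=int(m.group(1)))
        elif cur is None:
            continue
        elif (m := RE_SESSION.match(body)):
            cur.session_id = int(m.group(1))
        elif body.startswith("type:AUTHEN/START"):
            cur.kind = "START"
        elif body.startswith("AUTHEN/CONT"):
            cur.kind = "CONT"
        elif (m := RE_REPLY.match(body)):
            cur.kind, cur.status, cur.flags = "REPLY", int(m.group(1)), int(m.group(2), 16)
        elif body.startswith("msg:"):
            cur.msg = body[4:].strip()
        elif body == "End Packet":
            packets.append(cur)
            cur = None
    return packets


def summarize(packets):
    """One line per packet, e.g. 'seq 2 <- GETUSER prompt=Username:'."""
    out = []
    for p in packets:
        arrow = "->" if p.direction == "client" else "<-"
        label = p.kind if p.kind != "REPLY" else p.status_name + (f" prompt={p.msg}" if p.msg else "")
        out.append(f"seq {p.seq} {arrow} {label}")
    return out


def outcome(packets):
    """Status of the last server REPLY: the server's verdict, not a transport error."""
    replies = [p for p in packets if p.kind == "REPLY"]
    return replies[-1].status_name if replies else None
```

`summarize(parse_debug(SAMPLE_DEBUG))` yields the six-line dialogue START, GETUSER, CONT, GETPASS, CONT, FAIL; for a live capture, paste the `debug tacacs packet` lines into the list in place of the sample.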
"24427 Access to Active Directory failed" error in ACS 5.1
Hello,
I'm working on implementing a RADIUS authentication for wireless access with the following :
- PCs running Windows 7, protocol used is PEAP (without validating the server certificate to make it simple at first),
- AP 1252 configured to use a RADIUS server to authenticate (it's working well with an ACS server 4.2),
- ACS Server 5.1.0.44.5 running as a VM connected to an AD domain and working well with VPN connections,
- AD domain running on Windows 2003 Server.
My ACS VM has been working well for a couple of months for VPN (RADIUS) and administration (TACACS) remote access, both using Active Directory. Now I'd like to use it to authenticate people connecting to a 1252 Cisco access point, but I'm getting this error "24427 Access to Active Directory failed". I switched from PEAP to LEAP but it is the same.
All I can get from running the expert troubleshooter is:
Investigating failure code: 24427 Access to Active Directory failed
Checking if Active Directory is configured
Active Directory is configured
Attempting connection to Active Directory
Connection to Active Directory was successful.
Troubleshooting completed.
Click on Show Results Summary to view results.
I followed this guide, at least for the ACS certificate section :
http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml
Does anyone have an idea where the problem may come from?
Thanks in advance,
Vincent
Hey there, I ran into the same issue with 5.3 and it turned out being this bug. I came across your post looking for instructions on retrieving the logs. Thanks mate.
link
Problem: Error "24495 Active Directory servers are not available"
Authentication starts failing with this error: 24495 Active Directory servers are not available. in the ACS 5.3 logs.
Solution
Check the ACSADAgent.log file through the CLI of the ACS 5.x for messages such as:
Mar 11 00:06:06 xlpacs01 adclient[30401]: INFO base.bind.healing Lost connection to xxxxxxxx. Running in disconnected mode: unlatch
If you see the "Running in disconnected mode: unlatch" error message, this means the ACS 5.3 cannot maintain a stable connection with Active Directory. The workaround is to either switch to LDAP or downgrade the ACS to version 5.2. Refer to Cisco bug ID CSCtx71254 (registered customers only) for more information. -
Tacacs authentication fails for one user account for only one switch
Hi,
I have a scenario where TACACS authentication fails for one user account on only one switch.
The same user account works well for other devices.
The AAA configs are the same on every device in the network.
Here's the show tacacs output from the switch where only the one user account fails:
Socket opens: 157
Socket closes: 156
Socket aborts: 303
Socket errors: 1
Socket Timeouts: 2
Failed Connect Attempts: 0
Total Packets Sent: 1703
Total Packets Recv: 1243
Expected Replies: 0
What could be the reason?
No errors on the ACS server; the same rights have been given to the user account.
Thanks for any advice.
Prasey

Hi there,
Does the user get authenticated in the ACS logs?
Reports and Activity ----> Failed Attempts
or
Reports and Activity ----> Passed Authentications
That will help narrow it down.
Brad -
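The counters Prasey posted are the kind of thing worth reading mechanically when the question is "is it the switch's transport to the server, or just this one user?" The script below is an added example, not code from any post or from Cisco: it parses the `show tacacs` counter block (the sample is the output from the post above, embedded so it runs offline) and derives a short list of findings. The thresholds in `assess` are my own reading of the counters, labelled as such, not a Cisco rule.

```python
import re
from typing import Dict, List

# Counters copied from the "show tacacs" output posted above; embedded
# here so the script runs offline (a constructed sample, not live output).
SAMPLE_SHOW_TACACS = """\
Socket opens: 157
Socket closes: 156
Socket aborts: 303
Socket errors: 1
Socket Timeouts: 2
Failed Connect Attempts: 0
Total Packets Sent: 1703
Total Packets Recv: 1243
Expected Replies: 0
"""

# A "Name: value" counter line. The "Tacacs+ Server : host/port" header
# does not match (name contains '+', value is not an integer) and is skipped.
COUNTER_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\d+)\s*$")


def parse_show_tacacs(text: str) -> Dict[str, int]:
    """Turn the counter lines of 'show tacacs' into a dict keyed by lower-case name."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1).strip().lower()] = int(m.group(2))
    return counters


def assess(counters: Dict[str, int]) -> List[str]:
    """Derive findings from the counters.

    The checks are my own interpretation (an assumption, not a Cisco
    threshold). They separate "the switch cannot talk to the server"
    from "the server answers, so look at the user/authorization side".
    """
    findings: List[str] = []
    opens = counters.get("socket opens", 0)
    aborts = counters.get("socket aborts", 0)
    failed = counters.get("failed connect attempts", 0)
    sent = counters.get("total packets sent", 0)
    recv = counters.get("total packets recv", 0)
    timeouts = counters.get("socket timeouts", 0)
    errors = counters.get("socket errors", 0)

    if failed and opens and failed >= opens:
        findings.append(
            f"transport: all {opens} connection attempts failed; "
            "server unreachable or not listening on TCP/49")
    elif failed:
        findings.append(f"transport: {failed} of {opens} connection attempts failed")
    if opens and aborts > opens:
        findings.append(
            f"transport: socket aborts ({aborts}) exceed socket opens ({opens}); "
            "sessions are being closed abnormally")
    if sent > recv:
        gap = sent - recv
        findings.append(
            f"protocol: {gap} more packets sent than received "
            f"({gap * 100 // sent}% of sent packets without a matching reply)")
    if timeouts or errors:
        findings.append(f"transport: {timeouts} socket timeouts, {errors} socket errors")
    return findings


def diagnose(text: str) -> List[str]:
    """Parse and assess in one step; an empty list means the counters look healthy."""
    return assess(parse_show_tacacs(text))


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SHOW_TACACS):
        print(finding)
```

Run against the posted counters it reports three transport-level findings (aborts above opens, a sent/received gap, and timeouts/errors), which points away from a per-user ACS rights problem and towards the switch-to-server path for this one box.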
With Cisco Secure ACS For Windows TACACS+, authentication fails with AD
I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for switches and routers. I am using Windows 2003 Server for the ACS,
and a Windows 2003 Active Directory server. The AD server is fine, as it is used for many other things.
I have set up ACS as defined in the installation guide, including all the steps in the 'Member Server' section of the install guide
for using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
on the domain, etc.).
I've set the unknown user policy to use the Windows database if the internal database doesn't contain the user details.
If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,, (getting the error message as Internal Error)
I've scoured Google etc. and just cannot come up with any reason why this should be happening.
I've followed all the install guides to the letter. I need to get this up and running as soon as possible,
so I am looking forward to finding out if anyone can help me with this one!
Thanks and regards
Sharan

Hi Jesse,
That's a great answer and solution.
My previous version was 4.2 and it was installed on a 64-bit machine, hence getting Internal Error.
After this answer I upgraded it to ACS 4.2.1 and it started working fine.
Thanks very much for the help
Dipu -
Tacacs+ access issue with ASA firewall after integrating with RSA SecurID
Hi,
In my earlier post I raised the same question, but let me rephrase it. I have configured TACACS+ on a Cisco ASA firewall and am able to access it. But when I integrated it with RSA SecurID, I am not able to enter enable mode. It is not accepting the enable password nor the RSA passcode. I have created enable_15 in the ASA, ACS and RSA server but no luck.
Did anyone face a similar issue with ASA access?
Rgds
Siddhesh

Hi Siddhesh,
In order to help you here, I need to know a few things:
1.] Show run | in aaa
2.] When you enter enable password on ASA CLI, what error do you see on ACS > Monitoring and reports > AAA protocols > tacacs authentication > "look for the error message"
3.] Turn on the debugs on ASA "debug tacacs" and "debug aaa authentication" before you duplicate the problem.
~BR
Jatin Katyal
**Do rate helpful posts** -
Tacacs do not function in Nexus 5000
Dear Mister
For some reason, TACACS is not functioning on my Nexus 5000. I am using the following configuration:
tacacs-server key 7 "0310551D121F2D595D"
ip tacacs source-interface Vlan5
tacacs-server host 10.20.2.80
tacacs-server host 10.20.16.138
aaa group server tacacs+ TACSERVER
server 10.20.2.80
server 10.20.16.138
source-interface Vlan5
use-vrf default
aaa authentication login default group TACSERVER
no aaa user default-role
aaa authentication login error-enable
tacacs-server directed-request
I did a telnet to port 49 at the address, and it is working. That rules out a security problem (FW, ACL, etc.).
When I do the test, nothing is shown in the TACACS server logs.
The log messages are the following:
2012 Aug 22 15:54:45 NITE1 %TACACS-3-TACACS_ERROR_MESSAGE: received bad authentication packet from 10.20.2.80
2012 Aug 22 15:54:45 NITE1 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
2012 Aug 22 15:54:48 NITE1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user GPALAVE from 10.20.2.80 - login[3087]
The problem is very strange.
I need help.
Best regards

Your config looks fine. Can you ping from VLAN5 to TACACS+? Also, did you add VLAN5's IP address to your TACACS+?
Regards,
jerry
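Both the ACS 5.3 bug note earlier on the page (check ACSADAgent.log for "Running in disconnected mode: unlatch") and the Nexus syslog lines in this thread come down to spotting a handful of known messages in a log. The scanner below is an added example, not code from any post or from Cisco: it runs a small rule set over sample lines (the first four are the lines quoted on this page; the last is a constructed, benign NX-OS message so there is something to ignore) and tallies hits per rule and per peer address. The rule names and descriptions are my own labels, not Cisco error codes.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Sample lines: the first four are copied from the posts on this page
# (ACSADAgent.log and the Nexus 5000 syslog); the last is a constructed,
# benign NX-OS line included so the scanner has something to ignore.
SAMPLE_LOG = [
    "Mar 11 00:06:06 xlpacs01 adclient[30401]: INFO base.bind.healing Lost connection to xxxxxxxx. Running in disconnected mode: unlatch",
    "2012 Aug 22 15:54:45 NITE1 %TACACS-3-TACACS_ERROR_MESSAGE: received bad authentication packet from 10.20.2.80",
    "2012 Aug 22 15:54:45 NITE1 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond",
    "2012 Aug 22 15:54:48 NITE1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user GPALAVE from 10.20.2.80 - login[3087]",
    "2012 Aug 22 15:55:01 NITE1 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on console0",
]

# (rule name, pattern, what it indicates). Names and descriptions are my own
# labels for this example, not Cisco error codes.
RULES = [
    ("ad_disconnected",
     re.compile(r"Lost connection to (?P<peer>\S+)\. Running in disconnected mode: unlatch"),
     "ACS AD agent lost its connection to the domain controller"),
    ("bad_auth_packet",
     re.compile(r"%TACACS-3-TACACS_ERROR_MESSAGE: received bad authentication packet from (?P<peer>\S+)"),
     "NX-OS could not validate a TACACS+ reply from this server"),
    ("all_servers_failed",
     re.compile(r"%TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond"),
     "no TACACS+ server in the group answered"),
    ("auth_failed",
     re.compile(r"pam_aaa:Authentication failed for user (?P<user>\S+) from (?P<peer>\S+)"),
     "a login was rejected"),
]


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Match every line against every rule; return one hit per match.

    Each hit carries the 1-based line number, the rule name and description,
    plus any named groups the pattern captured (peer, user).
    """
    hits: List[Dict[str, str]] = []
    for lineno, line in enumerate(lines, 1):
        for name, pattern, description in RULES:
            m = pattern.search(line)
            if m:
                hit = {"line": str(lineno), "rule": name, "description": description}
                hit.update(m.groupdict())
                hits.append(hit)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per rule, so a burst of 'All servers failed' stands out."""
    return dict(Counter(h["rule"] for h in hits))


def peers(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per remote address where the pattern captured one."""
    return dict(Counter(h["peer"] for h in hits if "peer" in h))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(f"line {hit['line']}: {hit['rule']} - {hit['description']}")
    print("per rule:", summarize(found))
    print("per peer:", peers(found))
```

On the sample, the two NX-OS TACACS errors and the login failure all name the same server address, which is the kind of correlation that tells you where to look first (the device-to-server exchange) before chasing the user account.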