TACACs error

Hi,
I've just tried putting TACACS onto a 7206 VXR (124-4.XD4) and am getting the following error:
%AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
Config is vanilla and has been used on other switches/routers in the network:
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec start-stop tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated local
aaa authorization commands 0 default group tacacs+ if-authenticated local
aaa authorization commands 15 default group tacacs+ if-authenticated local
tacacs-server key xxx
tacacs-server host x.x.x.x
I've been unable to find any bugs or info relating to this error on the web. Has anyone else seen this problem?
Cheers.

Hi Rohit,
Thanks for the feedback. I've removed the command and the issue still appears to be that the router doesn't recognise TACACS although it accepts the commands. When the config is applied it bypasses TACACS for authentication and goes to the enable pwd? The server's reachable via ICMP but showing failed connect attempts along with the AAA-3-BADSERVERTYPEERROR in the log. I've rolled out the same config across multiple platforms in the network. It's just this box that's sulking.
B2UL-bord1#sh tacac
Tacacs+ Server : 10.2.2.66/49
Socket opens: 33
Socket closes: 33
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 29
Total Packets Sent: 0
Total Packets Recv: 0
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key xxx
Cheers

Similar Messages

  • Not able to ssh to standby GSS

    Hi Experts,
    I am not able to ssh to standby GSS. It is configured for tacacs... I am able to ssh to primary without any issues.
    skdc-gss-int#gss status
    TACACS error. Attempting local authorization ...
    Cisco GSS - 3.1(0) GSSM - standby [Tue May 26 12:37:25 UTC 2009]
    Registered to primary GSSM: 10.71.250.130
    Normal Operation [runmode = 5]
    START SERVER
    May02 Boomerang
    May02 Config Agent (crdirector)
    May02 Config Server (crm)
    May02 DNS Server
    May02 Database
    May02 GUI Server (tomcat)
    May02 Keepalive Engine
    May02 Node Manager
    May02 Proximity
    May02 Sticky
    May02 Web Server (apache)
    May02 drp
    skdc-gss-int#
    skdc-gss-int#sh tacacs
    TACACS error. Attempting local authorization ...
    Current tacacs server configuration
    tacacs-server timeout 60
    tacacs-server keepalive-enable
    tacacs-server host x.x.x.x port 49 key j1b0ia
    tacacs-server host y.y.y.y port 49 key j1b0ia
    aaa authentication ssh local
    aaa authentication gui local
    aaa authorization commands
    aaa accounting commands
    skdc-gss-int#
    skdc-gss-int#sh users
    TACACS error. Attempting local authorization ...
    Username permission
    admin admin
    skdc-gss-int#

    I'm facing the same issue...
    How did you solve the problem?

  • Attaching a JOptionFrame to an Applet

    Is it possible to attach a JOptionPane to an applet? If so how can this be done?
    Thanks.

    I already have Null in but it still does not seem to work. Below I have given an example of what my JOptionPane looks like.
    Any other suggestions?
    Code:
    JOptionPane.showMessageDialog(null, "The remote password has expired! Contact System Administrator to re-activate account", "Tacacs+ Error", JOptionPane.WARNING_MESSAGE);

  • TACACS socket errors

    Hi Expert,
    I have two switches; one of the switches has a problem when I issue the TACACS configuration. I have two servers and am able to ping the server successfully. I'm in doubt when I read the description in the Cisco docs. Please help to identify the cause. Thanks, and I appreciate the help.
    switch02#test aaa group tacacs+ btela77 Aug2011b legacy
    % Authorization failed.
    I issued show tacacs and found socket errors:
    switcho02#show tacacs
    Tacacs+ Server     : 10.52.0.158/49
    Socket opens:      4
    Socket closes:     4
    Socket aborts:     0
    Socket errors:      4
    Socket timeout:    0
    Failed Connect Attempts:     0
    Total Packets Sent:              4
    Total Packets Recv:              4
    Tacacs+ Server     : 10.51.65.94/49
    Socket opens:      3
    Socket closes:     3
    Socket aborts:     0
    Socket errors:      0
    Socket timeout:    0
    Failed Connect Attempts:     0
    Total Packets Sent:               0
    Total Packets Recv:              0

    Hi Rick,
    The output from debug is shown below:
    Oct 20 06:26:16.889 GMT: TAC+: decrypt: pak is unencrypted but we have a key
    Oct 20 06:26:16.889 GMT: TPLUS(0000005B): Decryption failed for AAA request
    Oct 20 06:26:16.889 GMT: TPLUS(0000005B)/0/5F9E820: Processing the reply packet
    Oct 20 06:26:16.889 GMT: TPLUS: Received Authen status error
    Oct 20 06:26:16.897 GMT: TPLUS(0000005B)/0/REQ_WAIT/5F9E820: timed out
    Oct 20 06:26:22.350 GMT: TPLUS(0000005B)/0/READ: read entire 18 bytes response
    Oct 20 06:26:22.350 GMT: TAC+: decrypt: pak is unencrypted but we have a key
    Oct 20 06:26:22.350 GMT: TPLUS(0000005B): Decryption failed for AAA request
    Oct 20 06:26:22.350 GMT: TPLUS(0000005B)/0/5AAF32C: Processing the reply packet
    Oct 20 06:26:22.350 GMT: TPLUS: received authorization response for 91: FAIL
    Oct 20 06:26:22.350 GMT: AAA/AUTHOR/EXEC(0000005B): Authorization FAILED
    Could the cause of the error be a shared-key mismatch between the switch and the TACACS server?
    Full debug output is in the attachment. Thanks
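
The `show tacacs` counters in the 7206 post above and in this switch02 post point in different directions: the 7206 shows failed connect attempts with nothing ever sent, while switch02 opens sockets and exchanges packets but logs socket errors. The following Python helper is an added example (not code from either thread) that parses those counter blocks and applies a few coarse triage rules; the rule names and the sample text (assembled from the two posts) are constructed for the example, and the classification is a starting point for investigation, not a diagnosis.

```python
"""Triage helper for Cisco IOS `show tacacs` counters (added example, not from the thread).

Rules applied per server (constructed for this example):
  - failed connect attempts and nothing sent      -> TCP to port 49 never completes
    (reachability, ACL/firewall, or nothing listening), as in the 7206 post
  - sockets open, packets exchanged, socket errors -> the server answered and the
    exchange then broke; in the switch02 post the debug showed a key mismatch
  - no traffic at all                              -> server never selected (idle)
"""
import re

# Sample output constructed from the two posts above.
SAMPLE = """\
Tacacs+ Server : 10.2.2.66/49
Socket opens: 33
Socket closes: 33
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 29
Total Packets Sent: 0
Total Packets Recv: 0
Tacacs+ Server     : 10.52.0.158/49
Socket opens:      4
Socket closes:     4
Socket aborts:     0
Socket errors:      4
Socket timeout:    0
Failed Connect Attempts:     0
Total Packets Sent:              4
Total Packets Recv:              4
Tacacs+ Server     : 10.51.65.94/49
Socket opens:      3
Socket closes:     3
Socket aborts:     0
Socket errors:     0
Socket timeout:    0
Failed Connect Attempts:     0
Total Packets Sent:               0
Total Packets Recv:              0
"""

SERVER_RE = re.compile(r"^Tacacs\+ Server\s*:\s*(\S+)", re.I)
COUNTER_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(\d+)\s*$")


def parse_show_tacacs(text):
    """Return {server: {counter name (lower case): int}} from `show tacacs` output."""
    servers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            current = m.group(1)
            servers[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            servers[current][m.group(1).strip().lower()] = int(m.group(2))
    return servers


def triage(counters):
    """Classify one server's counters into a coarse verdict string."""
    failed = counters.get("failed connect attempts", 0)
    errors = counters.get("socket errors", 0)
    sent = counters.get("total packets sent", 0)
    recv = counters.get("total packets recv", 0)
    # IOS prints either "Socket Timeouts" or "Socket timeout" depending on release.
    timeouts = counters.get("socket timeouts", counters.get("socket timeout", 0))
    if failed and sent == 0:
        return "tcp-connect-failing"
    if errors and sent and recv:
        return "exchange-broken-after-connect"
    if timeouts and recv == 0:
        return "no-reply"
    if sent == 0 and recv == 0 and failed == 0:
        return "idle"
    return "ok"


def triage_all(text):
    """Parse the whole `show tacacs` output and triage every server in it."""
    return {srv: triage(c) for srv, c in parse_show_tacacs(text).items()}


if __name__ == "__main__":
    for srv, verdict in triage_all(SAMPLE).items():
        print(f"{srv}: {verdict}")
```

Run it against pasted `show tacacs` output; a server in the `tcp-connect-failing` state is worth checking at the network layer (port 49 reachability, source interface, ACLs) before the shared key, whereas `exchange-broken-after-connect` is where a key mismatch or server-side rejection belongs.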

  • Per-VRF TACACS config gets "Address already in use" error

    I have created a per-VRF TACACS config on a couple of network devices. I can ping the ACS servers through the VRF. TACACS makes the attempt to contact the servers, but the following message shows up in the log when I debug TACACS:
    *Mar 11 08:57:38 starts: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5
    *Mar 11 08:57:38 starts: TAC+: TCP/IP open to x.x.x.x/49 failed -- Address already in use
    I can't find anything on CCO that references the "Address already in use" message.
    Has anyone run into this?

    Hmmm...no, the server group is still there. Did you see the other post which describes the bug ID? The link to the bug is:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl45701
    Do you get the IP address is in use log message?

  • Tacacs+ authentication errors

    I am having problems getting TACACS+ AAA working with my 3560 switches. I have set up users, groups, and NDG on ACS SE as per the CS ACS course material and have triple checked my keys to make sure they match. I have attached debug output from the switch for authentication, authorization and tacacs+. Can someone please tell me what I am doing wrong?

    Here is the config I have on the switch. (Sorry, I should have sent this already.)
    aaa new-model
    aaa authentication login default group tacacs+ none
    aaa authentication login no_aaa none
    aaa authorization exec default group tacacs+ none
    aaa authorization exec no_aaa none
    aaa authorization commands 1 default group tacacs+ none
    aaa authorization commands 15 default group tacacs+ none
    aaa authorization commands 15 no_aaa none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    interface VLAN1
    ip address 10.200.1.16 255.255.255.0
    no ip directed-broadcast
    no ip route-cache
    ip tacacs source-interface VLAN1
    tacacs-server host 10.200.35.250
    tacacs-server key cisco
    line con 0
    authorization commands 15 no_aaa
    authorization exec no_aaa
    login authentication no_aaa
    transport input none
    stopbits 1
    line vty 5 15

  • ACS 5.3 - Error when changing Device group or Location

    I am trying to move a device from the Default location to a sub group and get the following message when I try (either with IE or Firefox):
    This System Failure occurred: Index : 0, Size: 0. Your changes have not been saved. Click OK to return to the list page.
    It also gives me the same error if I try to change the Device type from default to a sub group. I'm sure I could do this previously. The ACS build is (VMware install):
    Cisco Application Deployment Engine OS Release: 1.2
    ADE-OS Build Version: 1.2.0.228
    ADE-OS System Architecture: i386
    Copyright (c) 2005-2009 by Cisco Systems, Inc.
    All rights reserved.
    Hostname: ACS1
    Version information of installed applications
    Cisco ACS VERSION INFORMATION
    Version : 5.3.0.40
    Internal Build ID : B.839
    I'm suspecting it's a read/write issue with the database or a database corruption. Can anyone enlighten me on how to fix it, please?
    I have stopped and started the application acs via the console and show application status acs has the following to say about itself.
    ACS1/admin# show application status acs
    ACS role: PRIMARY
    Process 'database'                  running
    Process 'management'                running
    Process 'runtime'                   running
    Process 'view-database'             running
    Process 'view-jobmanager'           running
    Process 'view-alertmanager'         running
    Process 'view-collector'            running
    Process 'view-logprocessor'         running
    Mel

    Does this happen to a small number of network devices or the whole set?
    If the former, then I found the following CDETS:
    CSCtw59271    Random Network Device corruption after upgrade from ACS 5.2 to 5.3
    Which includes the following workaround
    Symptom 1: Delete and re-add the AAA client
    Symptom 2: Modify the TACACS+ shared secret of the Network Device, re-enter the same key and save the Network device.
    >>>> Use case where TACACS+ was used
    There are some important fixes related to upgrade issues in patch 5 and later for ACS 5.3. While these do not relate to NDs, I do recommend installing this patch.

  • Not able to login to router using ssh when TACACS server is down

    When the TACACS server is not reachable, the router is not allowing the local password to log in using SSH. The router's SSH debug says authentication is successful but the SSH client gets a "% Authorization failed" message and disconnects.
    Kindly see the debug output and config below.
    SSH server end:
    Sep 1 13:25:10.161: SSH1: starting SSH control process
    Sep 1 13:25:10.165: SSH1: sent protocol version id SSH-1.5-Cisco-1.25
    Sep 1 13:25:10.241: SSH1: protocol version id is - SSH-1.5-Cisco-1.25
    Sep 1 13:25:10.241: SSH1: SSH_SMSG_PUBLIC_KEY msg
    Sep 1 13:25:10.397: SSH1: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03
    Sep 1 13:25:10.397: SSH: RSA decrypt started
    Sep 1 13:25:10.925: SSH: RSA decrypt finished
    Sep 1 13:25:10.925: SSH: RSA decrypt started
    Sep 1 13:25:11.165: SSH: RSA decrypt finished
    Sep 1 13:25:11.197: SSH1: sending encryption confirmation
    Sep 1 13:25:11.197: SSH1: keys exchanged and encryption on
    Sep 1 13:25:11.269: SSH1: SSH_CMSG_USER message received
    Sep 1 13:25:11.269: SSH1: authentication request for userid rao
    Sep 1 13:25:16.297: SSH1: SSH_SMSG_FAILURE message sent
    Sep 1 13:25:17.313: SSH1: SSH_CMSG_AUTH_PASSWORD message received
    Sep 1 13:25:17.317: SSH1: authentication successful for rao
    Sep 1 13:25:17.413: SSH1: requesting TTY
    Sep 1 13:25:17.413: SSH1: setting TTY - requested: length 25, width 80; set: length 25, width 80
    Sep 1 13:25:17.525: SSH1: SSH_CMSG_EXEC_SHELL message received
    Sep 1 13:25:17.525: SSH1: starting shell for vty
    Sep 1 13:25:25.033: SSH1: Session terminated normally
    SSH Client end Log:
    % Authorization failed.
    [Connection to 10.255.15.2 closed by foreign host]
    Config:
    aaa authentication login default group tacacs+ line local
    aaa authentication login NO_AUTH line
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization configuration default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    ip domain-name cbi.co.in
    crypto key generate rsa
    ip ssh time-out 60
    ip ssh authentication-retries 3
    line vty 0 4
    password xxxx
    transport input telnet ssh
    Kindly reply with your views.

    I believe that the key to understanding your problem is to recognize the subtle difference between authentication and authorization. The authentication process appears that it does succeed but the authorization process has failed according to your error message:
    % Authorization failed.
    I see that most of your authorization commands include the parameter if-authenticated. But this command does not:
    aaa authorization config-commands
    I would suggest that you add the if-authenticated parameter to this command and see if it does not fix your problem.
    HTH
    Rick
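
Rick's point above, that a login can pass authentication and still be stopped by authorization, rests on how IOS walks a method list: it moves to the next method only when the current one returns an error (no usable reply from the server), never when the server answers with a rejection. The simulation below is an added example, not code from this thread or from Cisco, that models that rule for the authentication lines that appear on this page; the server, users and passwords are constructed, and the handling of a local user that does not exist is a labelled simplification.

```python
"""Simulation of Cisco IOS AAA method-list fallback (added example, not from the thread).

IOS evaluates the methods on an 'aaa authentication login ...' line in order and moves
to the next one ONLY when the current method returns ERROR (server unreachable or no
usable reply). A FAIL (the server answered and rejected the user) ends the list at once.
That single rule explains three threads on this page:
  - 'group tacacs+ enable' drops to the enable password while the server is
    unreachable (the 7206 post: "goes to the enable pwd"),
  - 'group tacacs+ local' still rejects a telnet login when the server answers FAIL
    (the ACS 4.2 post) and never consults the local database,
  - 'group tacacs+ none' admits anyone while the server is down (fail-open).
The server, users and passwords below are constructed for the simulation.
"""
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class TacacsServer:
    reachable: bool
    key_ok: bool = True                         # shared secret matches the device's
    users: dict = field(default_factory=dict)   # username -> password

    def authenticate(self, user, password):
        # An unreachable server, or a key mismatch that leaves the reply undecodable
        # (the "Decryption failed" / "timed out" lines in the switch02 debug), gives
        # no usable answer; IOS treats that as ERROR, not FAIL.
        if not self.reachable or not self.key_ok:
            return ERROR
        return PASS if self.users.get(user) == password else FAIL


@dataclass
class Device:
    tacacs: TacacsServer
    local_users: dict = field(default_factory=dict)
    enable_secret: str = ""
    line_password: str = ""

    def run_method(self, method, user, password):
        """Evaluate one method keyword exactly as it appears on the config line."""
        if method == "group tacacs+":
            return self.tacacs.authenticate(user, password)
        if method == "local":   # simplification: an unknown local user counts as FAIL
            return PASS if self.local_users.get(user) == password else FAIL
        if method == "enable":
            return PASS if password == self.enable_secret else FAIL
        if method == "line":
            return PASS if password == self.line_password else FAIL
        if method == "none":
            return PASS          # no authentication at all
        raise ValueError(f"unsupported method {method!r}")


def evaluate(device, method_list, user, password):
    """Walk the list; return (result, deciding_method). Only ERROR advances."""
    for method in method_list:
        result = device.run_method(method, user, password)
        if result != ERROR:
            return result, method
    return FAIL, None            # every method errored: access denied


def parse_method_list(config_line):
    """'aaa authentication login default group tacacs+ enable' -> ['group tacacs+', 'enable']"""
    words = config_line.split()
    # 'aaa authorization commands <level> default ...' carries one extra token
    rest = words[5:] if words[2] == "commands" else words[4:]
    methods = []
    while rest:
        if rest[0] == "group":
            methods.append(f"group {rest[1]}")
            rest = rest[2:]
        else:
            methods.append(rest[0])
            rest = rest[1:]
    return methods


if __name__ == "__main__":
    down = Device(TacacsServer(reachable=False), enable_secret="enable-pw")
    print(evaluate(down, parse_method_list(
        "aaa authentication login default group tacacs+ enable"), "ops", "enable-pw"))
    up = Device(TacacsServer(reachable=True, users={"ops": "server-pw"}),
                local_users={"ops": "local-pw"})
    print(evaluate(up, parse_method_list(
        "aaa authentication login default group tacacs+ local"), "ops", "local-pw"))
```

The second call in the usage section is the instructive one: the server is up and rejects the password, so the list stops at `group tacacs+` and the matching local credential is never tried. Fallback methods protect against an unreachable server, not against a rejection, and `none` as a fallback (as in the 3560 config above) turns a server outage into open access.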

  • Getting error about VLAN not existing on radio

    When I try to enable the 5ghz radio on my AIR-AP1142N-A-K9 I get the following error:
    VLAN '100' doesn't exist on 'Radio1-802.11N 5GHz' (see Services>VLAN)
    In the VLAN it is enabled. What gives?
    Config below:
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap-1140-southwing
    logging rate-limit console 9
    enable secret xxxxxxxxxxxxxxxxxxxx
    aaa new-model
    aaa group server radius rad_eap
    server 192.168.1.187 auth-port 1812 acct-port 1813
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    server 192.168.1.187 auth-port 1812 acct-port 1813
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    clock timezone CST -6
    clock summer-time CDT recurring
    dot11 syslog
    dot11 vlan-name 5gwifi vlan 300
    dot11 vlan-name jchcenterprise vlan 130
    dot11 vlan-name public vlan 100
    dot11 ssid jchccorp
       vlan 120
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 115A4A50461808040778797478
    dot11 ssid jchcpublic
       vlan 100
       authentication open
       mbssid guest-mode
    username Cisco password 7 10640C1C15435C5B
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 120 mode ciphers aes-ccm tkip
    encryption vlan 130 mode ciphers aes-ccm tkip
    ssid jchccorp
    ssid jchcpublic
    antenna gain 0
    mbssid
    channel width 40-below
    channel 2422
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.100
    encapsulation dot1Q 100
    no ip route-cache
    bridge-group 100
    bridge-group 100 subscriber-loop-control
    bridge-group 100 block-unknown-source
    no bridge-group 100 source-learning
    no bridge-group 100 unicast-flooding
    bridge-group 100 spanning-disabled
    interface Dot11Radio0.120
    encapsulation dot1Q 120
    no ip route-cache
    bridge-group 120
    bridge-group 120 subscriber-loop-control
    bridge-group 120 block-unknown-source
    no bridge-group 120 source-learning
    no bridge-group 120 unicast-flooding
    bridge-group 120 spanning-disabled
    interface Dot11Radio0.130
    encapsulation dot1Q 130
    no ip route-cache
    bridge-group 130
    bridge-group 130 subscriber-loop-control
    bridge-group 130 block-unknown-source
    no bridge-group 130 source-learning
    no bridge-group 130 unicast-flooding
    bridge-group 130 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    encryption vlan 120 mode ciphers aes-ccm tkip
    encryption vlan 300 mode ciphers aes-ccm tkip
    ssid jchccorp
    antenna gain 0
    dfs band 3 block
    mbssid
    speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
    channel width 40-above
    channel 5180
    station-role root
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1.100
    encapsulation dot1Q 100
    no ip route-cache
    bridge-group 100
    bridge-group 100 subscriber-loop-control
    bridge-group 100 block-unknown-source
    no bridge-group 100 source-learning
    no bridge-group 100 unicast-flooding
    bridge-group 100 spanning-disabled
    interface Dot11Radio1.120
    encapsulation dot1Q 120
    no ip route-cache
    bridge-group 120
    bridge-group 120 subscriber-loop-control
    bridge-group 120 block-unknown-source
    no bridge-group 120 source-learning
    no bridge-group 120 unicast-flooding
    bridge-group 120 spanning-disabled
    interface Dot11Radio1.300
    encapsulation dot1Q 300
    no ip route-cache
    bridge-group 255
    bridge-group 255 subscriber-loop-control
    bridge-group 255 block-unknown-source
    no bridge-group 255 source-learning
    no bridge-group 255 unicast-flooding
    bridge-group 255 spanning-disabled
    interface GigabitEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    no keepalive
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0.100
    encapsulation dot1Q 100
    no ip route-cache
    bridge-group 100
    no bridge-group 100 source-learning
    bridge-group 100 spanning-disabled
    interface GigabitEthernet0.120
    encapsulation dot1Q 120
    no ip route-cache
    bridge-group 120
    no bridge-group 120 source-learning
    bridge-group 120 spanning-disabled
    interface GigabitEthernet0.130
    encapsulation dot1Q 130
    no ip route-cache
    bridge-group 130
    no bridge-group 130 source-learning
    bridge-group 130 spanning-disabled
    interface GigabitEthernet0.300
    encapsulation dot1Q 300
    no ip route-cache
    bridge-group 255
    no bridge-group 255 source-learning
    bridge-group 255 spanning-disabled
    interface BVI1
    ip address 192.168.1.195 255.255.255.0
    no ip route-cache
    ip default-gateway 192.168.1.35
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.1.187 auth-port 1812 acct-port 1813 key 7 002E161650155B
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
    end

    dot11 ssid jchccorp
       vlan 120
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 115A4A50461808040778797478
    dot11 ssid jchcpublic
       vlan 100
       authentication open
       mbssid guest-mode
    You have 2 SSIDs defined, using vlan 120 and vlan 100; if you need another SSID, you need to define the vlan also. If you just want jchccorp on the 5 GHz:
    interface Dot11Radio1
    no ip address
    no ip route-cache
    encryption vlan 120 mode ciphers aes-ccm tkip
    ssid jchccorp
    interface Dot11Radio1.100
    encapsulation dot1Q 100
    no ip route-cache
    bridge-group 100
    bridge-group 100 subscriber-loop-control
    bridge-group 100 block-unknown-source
    no bridge-group 100 source-learning
    no bridge-group 100 unicast-flooding
    bridge-group 100 spanning-disabled
    interface Dot11Radio1.120
    encapsulation dot1Q 120
    no ip route-cache
    bridge-group 120
    bridge-group 120 subscriber-loop-control
    bridge-group 120 block-unknown-source
    no bridge-group 120 source-learning
    no bridge-group 120 unicast-flooding
    bridge-group 120 spanning-disabled
    Thanks,
    Scott

  • Acs 4.2 :- router# test aaa group tacacs+ uid pwd .... works but not when authenticating

    I have set up ACS 4.2, and when I run
    router# test aaa group tacacs+ myuser mypasswd [ legacy | new-code]
    both options work fine.
    But when I try to log in over telnet, the request reaches the AAA server but returns fail!
    My commands are :-
    tacacs-server host xx.xx.xx.xx single-connection port 49
    tacacs-server key xxxxxxxxxxx
    aaa authentication banner ^CUnauthorized access forbidden^C
    aaa authentication username-prompt "Enter Username: "
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    I don't see the banner NOR the "Enter Username:" prompt.
    Also, debug aaa authentication and debug aaa subsys show that the request reaches AAA, but it simply returns fail.
    I had the same issue in 5.1, but that was due to the tacacs+ single-connection not being set or something similar, and the error there was "shared secret does not match" in the AAA server logs.
    I am still new to 4.2, so I am still trying to determine where the log files are etc., but since it works with the test command, I can't seem to understand why it fails with telnet.
    Any idea why this may be happening?
    Thanks

    I tried both the suggestions... no luck.
    Below is the output of debug, with some lines in BOLD to help you find interesting lines in the log output.
    Thanks
    fixeddemo#sh run | inc tacacs
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    ip tacacs source-interface FastEthernet0/1
    tacacs-server host 10.1.7.15
    tacacs-server key xxxxxxxxxx
    fixeddemo#sh debugging
    General OS:
      TACACS+ events debugging is on
      TACACS+ authentication debugging is on
      TACACS+ packets debugging is on
      AAA Authentication debugging is on
      AAA Subsystem debugs debugging is on
    fixeddemo#
    Jun 17 14:15:54.666: AAA/BIND(00000072): Bind i/f
    Jun 17 14:15:54.666: AAA/AUTHEN/LOGIN (00000072): Pick method list 'default'
    Jun 17 14:15:54.666: AAA SRV(00000072): process authen req
    Jun 17 14:15:54.670: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
    Jun 17 14:15:54.670: TPLUS: Queuing AAA Authentication request 114 for processing
    Jun 17 14:15:54.670: TPLUS: processing authentication start request id 114
    Jun 17 14:15:54.670: TPLUS: Authentication start packet created for 114()
    Jun 17 14:15:54.670: TPLUS: Using server 10.1.7.15
    Jun 17 14:15:54.670: TPLUS(00000072)/0/NB_WAIT/45585278: Started 5 sec timeout
    Jun 17 14:15:54.674: TPLUS(00000072)/0/NB_WAIT: socket event 2
    Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 24 (0x18)
    Jun 17 14:15:54.674: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
    Jun 17 14:15:54.674: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:10 (0xA) data_len:0
    Jun 17 14:15:54.674: T+: user:
    Jun 17 14:15:54.674: T+: port:  tty515
    Jun 17 14:15:54.674: T+: rem_addr:  10.1.1.216
    Jun 17 14:15:54.674: T+: data:
    Jun 17 14:15:54.674: T+: End Packet
    Jun 17 14:15:54.674: TPLUS(00000072)/0/NB_WAIT: wrote entire 36 bytes request
    Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: Would block while reading
    Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 16 bytes data)
    Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: read entire 28 bytes response
    Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)
    Jun 17 14:15:54.674: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
    fixeddemo#
    Jun 17 14:15:54.674: T+: msg:  Username:
    Jun 17 14:15:54.674: T+: data:
    Jun 17 14:15:54.678: T+: End Packet
    Jun 17 14:15:54.678: TPLUS(00000072)/0/45585278: Processing the reply packet
    Jun 17 14:15:54.678: TPLUS: Received authen response status GET_USER (7)
    Jun 17 14:15:54.678: AAA SRV(00000072): protocol reply GET_USER for Authentication
    Jun 17 14:15:54.678: AAA SRV(00000072): Return Authentication status=GET_USER
    fixeddemo#
    Jun 17 14:15:58.794: AAA SRV(00000072): process authen req
    Jun 17 14:15:58.794: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
    Jun 17 14:15:58.794: TPLUS: Queuing AAA Authentication request 114 for processing
    Jun 17 14:15:58.794: TPLUS: processing authentication continue request id 114
    Jun 17 14:15:58.794: TPLUS: Authentication continue packet generated for 114
    Jun 17 14:15:58.794: TPLUS(00000072)/0/WRITE/47194394: Started 5 sec timeout
    Jun 17 14:15:58.794: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
    Jun 17 14:15:58.794: T+: session_id 3123693045 (0xBA2FC5F5), dlen 10 (0xA)
    Jun 17 14:15:58.794: T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0
    Jun 17 14:15:58.794: T+: User msg:
    Jun 17 14:15:58.794: T+: User data:
    Jun 17 14:15:58.794: T+: End Packet
    Jun 17 14:15:58.794: TPLUS(00000072)/0/WRITE: wrote entire 22 bytes request
    Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 16 bytes data)
    Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: read entire 28 bytes response
    Jun 17 14:15:58.798: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
    Jun 17 14:15:58.798: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)
    fixeddemo#
    Jun 17 14:15:58.798: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
    Jun 17 14:15:58.798: T+: msg:  Password:
    Jun 17 14:15:58.798: T+: data:
    Jun 17 14:15:58.798: T+: End Packet
    Jun 17 14:15:58.798: TPLUS(00000072)/0/47194394: Processing the reply packet
    Jun 17 14:15:58.798: TPLUS: Received authen response status GET_PASSWORD (8)
    Jun 17 14:15:58.798: AAA SRV(00000072): protocol reply GET_PASSWORD for Authentication
    Jun 17 14:15:58.798: AAA SRV(00000072): Return Authentication status=GET_PASSWORD
    fixeddemo#
    Jun 17 14:16:02.502: AAA SRV(00000072): process authen req
    Jun 17 14:16:02.502: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
    Jun 17 14:16:02.502: TPLUS: Queuing AAA Authentication request 114 for processing
    Jun 17 14:16:02.502: TPLUS: processing authentication continue request id 114
    Jun 17 14:16:02.502: TPLUS: Authentication continue packet generated for 114
    Jun 17 14:16:02.502: TPLUS(00000072)/0/WRITE/47194394: Started 5 sec timeout
    Jun 17 14:16:02.502: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
    Jun 17 14:16:02.502: T+: session_id 3123693045 (0xBA2FC5F5), dlen 14 (0xE)
    Jun 17 14:16:02.502: T+: AUTHEN/CONT msg_len:9 (0x9), data_len:0 (0x0) flags:0x0
    Jun 17 14:16:02.502: T+: User msg:
    Jun 17 14:16:02.502: T+: User data:
    Jun 17 14:16:02.502: T+: End Packet
    Jun 17 14:16:02.506: TPLUS(00000072)/0/WRITE: wrote entire 26 bytes request
    Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 6 bytes data)
    Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: read entire 18 bytes response
    Jun 17 14:16:02.550: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
    Jun 17 14:16:02.554: T+: session_id 3123693045 (0xBA2FC5F5), dlen 6 (0x6)
    fixeddemo#
    Jun 17 14:16:02.554: T+: AUTHEN/REPLY status:2 flags:0x0 msg_len:0, data_len:0
    Jun 17 14:16:02.554: T+: msg:
    Jun 17 14:16:02.554: T+: data:
    Jun 17 14:16:02.554: T+: End Packet
    Jun 17 14:16:02.554: TPLUS(00000072)/0/47194394: Processing the reply packet
    Jun 17 14:16:02.554: TPLUS: Received authen response status FAIL (3)
    Jun 17 14:16:02.554: AAA SRV(00000072): protocol reply FAIL for Authentication
    Jun 17 14:16:02.554: AAA SRV(00000072): Return Authentication status=FAIL
    fixeddemo#
    [The output below is for the next Username: prompt, I believe]
    Jun 17 14:16:04.554: AAA/AUTHEN/LOGIN (00000072): Pick method list 'default'
    Jun 17 14:16:04.554: AAA SRV(00000072): process authen req
    Jun 17 14:16:04.554: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
    Jun 17 14:16:04.554: TPLUS: Queuing AAA Authentication request 114 for processing
    Jun 17 14:16:04.554: TPLUS: processing authentication start request id 114
    Jun 17 14:16:04.554: TPLUS: Authentication start packet created for 114()
    Jun 17 14:16:04.554: TPLUS: Using server 10.1.7.15
    Jun 17 14:16:04.554: TPLUS(00000072)/0/NB_WAIT/47194394: Started 5 sec timeout
    Jun 17 14:16:04.558: TPLUS(00000072)/0/NB_WAIT: socket event 2
    Jun 17 14:16:04.558: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Jun 17 14:16:04.558: T+: session_id 2365877689 (0x8D046DB9), dlen 24 (0x18)
    Jun 17 14:16:04.558: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
    Jun 17 14:16:04.558: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:10 (0xA) data_len:0
    Jun 17 14:16:04.558: T+: user:
    Jun 17 14:16:04.558: T+: port:  tty515
    Jun 17 14:16:04.558: T+: rem_addr:  10.1.1.216
    Jun 17 14:16:04.558: T+: data:
    Jun 17 14:16:04.558: T+: End Packet
    Jun 17 14:16:04.558: TPLUS(00000072)/0/NB_WAIT: wrote entire 36 bytes request
    Jun 17 14:16:04.558: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:16:04.558: TPLUS(00000072)/0/READ: Would block while reading
    Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect 43 bytes data)
    Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: socket event 1
    Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: read entire 55 bytes response
    Jun 17 14:16:04.562: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Jun 17 14:16:04.562: T+: session_id 2365877689 (0x8D046DB9), dlen 43 (0x2B)
    Jun 17 14:16:04.562: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
    Jun 17 14:16:04.562: T+: msg:   0x0A User Access Verification 0x0A  0x0A Username:
    fixeddemo#
    Jun 17 14:16:04.562: T+: data:
    Jun 17 14:16:04.562: T+: End Packet
    Jun 17 14:16:04.562: TPLUS(00000072)/0/47194394: Processing the reply packet
    Jun 17 14:16:04.562: TPLUS: Received authen response status GET_USER (7)
    Jun 17 14:16:04.562: AAA SRV(00000072): protocol reply GET_USER for Authentication
    Jun 17 14:16:04.562: AAA SRV(00000072): Return Authentication status=GET_USER
    fixeddemo#
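    The debug above shows the raw TACACS+ header fields (version 0xC0, type 1, seq 2, session_id 0x8D046DB9, dlen 43) and the AUTHEN/REPLY body (status 4, msg_len 37). As an added example, not part of the thread or Cisco's code, this rebuilds that 55-byte reply, applies the RFC 8907 shared-key obfuscation ("encryption 1" in the debug means the body is obfuscated), and parses it back; the shared key is an assumed placeholder, the message text is the one printed in the debug. With the wrong key the decoded length fields stop adding up, which is what a key mismatch looks like to the parsing device.

```python
import hashlib
import struct

# Assumed shared key (placeholder, not the key from the thread).
KEY = b"example-shared-key"
EXPECTED_MSG = b"\nUser Access Verification\n\nUsername: "  # 37 bytes, as msg_len:37 in the debug

def pseudo_pad(session_id, version, seq_no, key, length):
    """RFC 8907 body obfuscation: chained MD5 over session_id, key, version, seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, version, seq_no, key):
    """XOR the body with the pseudo-pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, version, seq_no, key, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def parse_header(pkt):
    """The 12-byte TACACS+ header: version, type, seq_no, flags, session_id, length."""
    fields = struct.unpack("!BBBBII", pkt[:12])
    names = ("version", "type", "seq_no", "flags", "session_id", "length")
    return dict(zip(names, fields))

def parse_authen_reply(pkt, key):
    """Return (header, status, server_msg), or None when the body does not decode with this key."""
    hdr = parse_header(pkt)
    body = pkt[12:12 + hdr["length"]]
    if not hdr["flags"] & 0x01:            # TAC_PLUS_UNENCRYPTED_FLAG clear: body is obfuscated
        body = obfuscate(body, hdr["session_id"], hdr["version"], hdr["seq_no"], key)
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if 6 + msg_len + data_len != len(body):  # a wrong key turns the body into garbage
        return None
    return hdr, status, body[6:6 + msg_len]

def build_sample_reply(key):
    """Constructed AUTHEN/REPLY carrying the field values shown in the debug above."""
    body = struct.pack("!BBHH", 0x04, 0x00, len(EXPECTED_MSG), 0) + EXPECTED_MSG  # status 4 = GETUSER
    session_id, version, seq_no = 0x8D046DB9, 0xC0, 2
    hdr = struct.pack("!BBBBII", version, 0x01, seq_no, 0x00, session_id, len(body))
    return hdr + obfuscate(body, session_id, version, seq_no, key)

if __name__ == "__main__":
    pkt = build_sample_reply(KEY)
    print(len(pkt), parse_authen_reply(pkt, KEY))
```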

  • "24427 Access to Active Directory failed" error in ACS 5.1

    Hello,
    I'm working on implementing RADIUS authentication for wireless access with the following:
    - PCs running Windows 7; the protocol used is PEAP (without validating the server certificate, to make it simple at first),
    - AP 1252 configured to use a RADIUS server to authenticate (it works well with an ACS 4.2 server),
    - ACS Server 5.1.0.44.5 running as a VM, connected to an AD domain and working well for VPN connections,
    - AD domain running on Windows 2003 Server.
    My ACS VM has been working well for a couple of months for VPN (RADIUS) and administration (TACACS) remote access, both using Active Directory. Now I'd like to use it to authenticate people connecting to a 1252 Cisco access point, but I'm getting this error: "24427 Access to Active Directory failed". I switched from PEAP to LEAP but it is the same.
    All I can get from running the expert troubleshooter:
    Investigating failure code: 24427 Access to Active Directory failed
    Checking if Active Directory is configured
    Active Directory is configured
    Attempting connection to Active Directory
    Connection to Active Directory was successful.
    Troubleshooting completed.
    Click on Show Results Summary to view results.
    I followed this guide, at least for the ACS certificate section:
    http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml
    Does anyone have an idea where the problem may come from?
    Thanks in advance,
    Vincent

    Hey there, I ran into the same issue with 5.3 and it turned out to be this bug. I came across your post looking for instructions on retrieving the logs. Thanks mate.
    link
    Problem: Error "24495 Active Directory servers are not available"
    Authentication starts failing with this error in the ACS 5.3 logs: 24495 Active Directory servers are not available.
    Solution
    Check the ACSADAgent.log file through the CLI of the ACS 5.x for messages such as:
    Mar 11 00:06:06 xlpacs01 adclient[30401]: INFO base.bind.healing Lost connection to xxxxxxxx. Running in disconnected mode: unlatch
    If you see the Running in disconnected mode: unlatch error message, this means the ACS 5.3 cannot maintain a stable connection with Active Directory. The workaround is to either switch to LDAP or downgrade the ACS to version 5.2. Refer to Cisco bug ID CSCtx71254 (registered customers only) for more information.

  • Tacacs authentication fails for one user account for only one switch

    Hi,
    I have a scenario where TACACS authentication fails for one user account on only one switch.
    The same user account works well on other devices.
    The AAA configs are the same on every device in the network.
    Here's the show tacacs output from the switch where only the one user account fails:
                  Socket opens:        157
                 Socket closes:        156
                 Socket aborts:        303
                 Socket errors:          1
               Socket Timeouts:          2
       Failed Connect Attempts:          0
            Total Packets Sent:       1703
            Total Packets Recv:       1243
              Expected Replies:          0
    What could be the reason?
    No errors on the ACS server; the same rights have been given to the user account.
    Thanks for your advice.
    Prasey

    Hi there,
    Does the user get authenticated in the ACS logs?
    Reports and Activity ----> Failed Attempts
    or
    Reports and Activity -----> Passed Authentications
    That will help narrow it down.
    Brad

  • With Cisco Secure ACS For Windows TACACS+, authentication fails with AD

    I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for switches and routers. I am using Windows 2003 Server for the ACS,
    and a Windows 2003 Active Directory server. The AD server is fine, as it is used for many other things.
    I have set up ACS as defined in the installation guide, including all the steps in the 'Member Server' section of the install guide
    when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
    on the domain, etc.).
    I've set the unknown user policy to use the Windows database if the internal database doesn't contain the user details.
    If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
    02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,(getting error message as Internal Error)
    I've scoured Google etc., and just cannot come up with any reason why this should be happening.
    I've followed all the install guides to the letter. I need to get this up and running as soon as possible,
    so am looking forward to finding out if anyone can help me with this one!
    Thanks and regards
    Sharan

    Hi Jesse,
    That's a great answer and solution.
    My previous version was 4.2 and it was installed on a 64-bit machine, hence getting the Internal Error.
    After this answer I upgraded it to ACS 4.2.1 and it started working fine.
    Thanks very much for the help
    Dipu

  • Tacacs+ access issue with ASA firewall after integrating with RSA SecureID

    Hi,
    In my earlier post I raised the same question, but let me rephrase it again. I have configured TACACS+ on a Cisco ASA firewall and am able to access it. But when I integrated it with RSA SecurID, I am not able to enter enable mode. It is not accepting the enable password nor the RSA passcode. I have created enable_15 on the ASA, ACS and RSA server but no luck.
    Did anyone face a similar issue with ASA access?
    Rgds
    Siddhesh

    Hi Siddesh,
    In order to help you here, I need to know a few things:
    1.] show run | in aaa
    2.] When you enter the enable password on the ASA CLI, what error do you see on ACS > Monitoring and Reports > AAA Protocols > TACACS Authentication > "look for the error message"
    3.] Turn on the debugs on the ASA ("debug tacacs" and "debug aaa authentication") before you duplicate the problem.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Tacacs do not function in Nexus 5000

    Dear Mister
    For some reason, TACACS is not functioning on my Nexus 5000. I am using the following configuration:
    tacacs-server key 7 "0310551D121F2D595D"
    ip tacacs source-interface Vlan5
    tacacs-server host 10.20.2.80
    tacacs-server host 10.20.16.138
    aaa group server tacacs+ TACSERVER
        server 10.20.2.80
        server 10.20.16.138
        source-interface Vlan5
        use-vrf default
    aaa authentication login default group TACSERVER
    no aaa user default-role
    aaa authentication login error-enable
    tacacs-server directed-request
    I did a telnet to port 49 on the address, and it is working. That rules out a security problem (FW, ACL, etc.).
    When I do the test, nothing is shown in the TACACS server logs.
    The log messages are the following:
    2012 Aug 22 15:54:45 NITE1 %TACACS-3-TACACS_ERROR_MESSAGE: received bad authentication packet from 10.20.2.80
    2012 Aug 22 15:54:45 NITE1 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
    2012 Aug 22 15:54:48 NITE1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user GPALAVE from 10.20.2.80 - login[3087]
    The problem is very strange.
    I need help.
    Best regards

    Your config looks fine. Can you ping from VLAN5 to the TACACS+ server? Also, did you add VLAN5's IP address to your TACACS+ server?
    Regards,
    jerry
