TACACS+ issue

Hi, I am running a Cisco ACS server 3.2 doing TACACS+ authentication, authorization and accounting. Now, after I configure the router connecting to ACS 3.2, and the ACS 3.2 as well, everything works fine. The only thing is that I cannot see the Administration Report.
May I know which commands enable the router to generate the Administration Report to the ACS server?

Hi, I am running a Cisco ACS server 3.3 doing TACACS+ authentication, authorization and accounting.
Do you know how to configure the router for authentication with the TACACS server?
Please.

Similar Messages

  • ACE with TACACS+ Issue

    Trying to get ACE module and IOS devices to work with TACACS+. I have ACS v3.2.
    The "optional" syntax does not work. Any idea if the argument is valid for this ACS version?
    service=exec
    optional shell:Admin=Admin domain
    Tried it with quotations but that didn't work either.

    Hi,
    Here is a reference doc for configuring ACE for Tacacs+ authentication,
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/security/guide/aaa.html#wp1321891
    Under custom attribute for Tacacs+ we need to specify the attribute as,
    shell:Admin*ADMIN MYDOMAIN1
    = means mandatory attribute
    * means optional
    Information on context/role/domain (Virtualization on ACE):
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/virtualization/guide/ovrview.html
    Default "role" on ACE:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/virtualization/guide/ovrview.html#wp1051297
    HTH
    JK
    Plz rate helpful posts-

  • TACACS+ Issue : Please help

    Dear All,
    This is regarding TACACS+. I have configured TACACS+ on a Cisco switch, but it is taking the local username and password for authentication.
    With the configuration below, another switch works fine with the TACACS+ username and password, but this switch does not.
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login no_login local
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa session-id common
    tacacs-server host 10.0.2.193 key 7 110A101614425A5E57
    tacacs-server directed-request
    username admin privilege 15 password ****
    line vty 0 4
    transport input ssh telnet
    login authentication default
    Also, this switch is configured for inter-VLAN routing with the following configuration, and I have added the 10.0.6.1 IP address in Cisco ACS.
    interface Vlan5
    ip address 10.0.0.1 255.255.255.0
    interface Vlan20
    ip address 10.0.2.1 255.255.255.0
    ip helper-address 10.0.0.7
    interface Vlan60
    ip address 10.0.6.1 255.255.255.0
    REFLXIS_PUNCORE#show tacacs
    Tacacs+ Server            : 10.0.2.193/49
                  Socket opens:         33
                 Socket closes:         33
                 Socket aborts:          0
                 Socket errors:          0
               Socket Timeouts:          0
       Failed Connect Attempts:          0
            Total Packets Sent:         33
            Total Packets Recv:          0
    So please help on the same.

    Hello Abhisar,
    The server IP address 10.0.2.193 is reachable via Vlan20.
    Therefore, the switch will try to establish the connection with the server using Vlan20's IP address, 10.0.2.1.
    You can fix this in two ways:
    1. change the configuration on the TACACS server to have an entry with 10.0.2.1 instead of 10.0.6.1,
    or
    2. change the configuration on the switch, adding "ip tacacs source-interface vlan 60".
    Please rate the post if helpful
    Marco

  • WLC 5508 authorization issue

    Hello,
    I have an issue with two WLC 5508s in the same mobility group. We use TACACS to authenticate admins, with maximum privileges.
    When I want to configure CleanAir, or some security functions (such as ACLs, or password policies), I have an error message saying that my privileges are not enough.
    When I use a local account, it works well.
    At the beginning, I thought it was a TACACS issue, but I have the same problem with WCS and SNMP. CleanAir doesn't appear in the config menu, and I have an error message for the security functions.
    Do you have any idea?
    Thanks for your help.
    FW: 7.0.116.0

    Show sysinfo results:
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.0.116.0
    Bootloader Version............................... 1.0.1
    Field Recovery Image Version..................... 6.0.182.0
    Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
    Build Type....................................... DATA + WPS

  • Tacacs+ access issue with ASA firewall after integrating with RSA SecureID

    Hi,
    In my earlier post, I raised the same question, but let me rephrase it. I have configured TACACS+ on a Cisco ASA firewall and am able to access it. But when I integrated it with RSA SecurID, I am not able to enter enable mode. It is not accepting the enable password nor the RSA passcode. I have created enable_15 in the ASA, ACS and RSA server but no luck.
    Did anyone face a similar issue with ASA access?
    Rgds
    Siddhesh

    Hi Siddesh,
    In order to help you here, I need to know a few things:
    1.] Show run | in aaa
    2.] When you enter enable password on ASA CLI, what error do you see on ACS > Monitoring and reports > AAA protocols > tacacs authentication > "look for the error message"
    3.] Turn on the debugs on ASA "debug tacacs" and "debug aaa authentication" before you duplicate the problem.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Issue with Session slot after implement the tacacs+ on FWSM

    Hi,
    I am trying to implement TACACS+ on an FWSM module using 4.1(10).
    I am only facing an issue when trying to connect from the switch (session slot):
    "Command authorization failed". The rest of the things are working fine.
    Here is the output:
    Router#session slot 3 processor 1
    The default escape character is Ctrl-^, then x.
    You can also type 'exit' at the remote prompt to end the session
    Trying 127.0.0.31 ... Open
    User Access Verification
    Password:
    Type help or '?' for a list of available commands.
    FWSM> en
    Command authorization failed
    Below is the configuration done on the FWSM:
    FWSM# sh run | in aaa
    aaa-server NEW protocol tacacs+
    aaa-server NEW host 10.70.20.1
    aaa authentication enable console NEW LOCAL
    aaa authentication ssh console NEW LOCAL
    aaa authorization command NEW LOCAL
    aaa accounting command NEW
    Can anyone help me solve this issue?
    Thanks

    Issue has been solved after using this ...
    aaa authentication telnet console NEW LOCAL
    thanks

  • Tacacs+ Config Issues

    On a 3750 running IOS 15.0(2)SE4, when issuing "tacacs-server host X.X.X.X" I receive "the cli will be deprecated soon". Please advise.

    The syntax structure of the AAA commands for both RADIUS and TACACS+ is being changed in the newer code. Take a look at this link for some examples:
    http://slaptijack.com/networking/new-style-tacacs-configuration/
    Hope this helps!
    Thank you for rating helpful posts! 

  • ACE ACS TACACS+ Key Mismatch issue

    Goodday,
    I have an issue when trying to set up ACE modules for TACACS+ and AAA authentication, whereby the Failed Authentication reports state the reason as "Key Mismatch".
    We have confirmed that the key we are using is the same on the ACE and on the ACS.
    The question I have is as follows:
    Should the key we enter on the ACE remain as we have typed it? So if we enter mysharedkey as the key, should this show as such in the running config, or should it show as encrypted? Currently it shows in the running config as we have entered it, but just adds the 7 before the key and places the key in inverted commas.
    So config entered something like this:
    tacacs-server host 10.10.10.10 key mysharedkey
    aaa group server tacacs+ acs_pri
    server 10.10.10.10
    aaa authentication login default group acs_pri local none
    BTW, we are running version 2.1.4(a).
    Thanks for any assistance with this.
    Paul

    Hi Kevin,
    Thanks for the reply. I can confirm we have the "ssh key rsa 1024 force". I even tried removing and re-issuing the command.
    On the point of the show run revealing something encrypted instead of the actual TACACS key, this is not what we see; we see the actual key we entered.
    This is my concern.
    We managed to get this working by checking on the production ACE modules and production ACS, using the "encrypted" key we see in that "show run" and locating the key in the production ACS config (which was not under the ACE NDG, but under the ACS server's own config, which also looks like something encrypted) and using this in the NDG config as the key for our ACE NDG on the test ACS.
    The problem arises that every six months or so, as a security requirement, the keys change, and how will we then know what to apply on the ACE if it does not apply the encryption to the key we enter itself?
    See my problem...
    Thanks again for the assistance; any further guidance would be appreciated.
    Paul.

  • Having issues with AAA TACACS ACS

    We are trying to get our WAVEs to utilize the ACS for TACACS authentication and are having issues.
    We have followed the suggestions of many posts in the forum and also the guides, but are still not able to get it working. The group has been created on the Central Manager and under the group for the ACS the following has been added:
    shell:waas_rbac_groups*CoreWAAS
    We have other items in there for authentication for ACE contexts as well as Nexus equipment. We used the same type of scheme. When a user attempts to authenticate and purposely types an incorrect password, we get back a response that the creds are not valid (which they aren't). If the user types in the correct creds, we get a passed authentication entry in the ACS, yet we get no response back from the session; it immediately disconnects. We have enabled command authorization of 15 on the WAVE group but this has not made any change.
    Please advise,
    Joe

    Ok, cool,
    So this usually means that the switch is sourcing the requests from a different interface than the one configured on the ACS.
    I would guess that the ACS is reporting unknown NAS...
    Can you please use the "ip tacacs source-interface" command to make sure the switch will source the TACACS+ packets from the interface with the IP address for which you have the ACS configured?
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)

    So I am trying to get TACACS+ auth to work for my ACE.
    The command string that I have on the ACE is as follows:
    tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15
    aaa group server tacacs+ tacacs+
      server 172.16.101.4
    aaa authentication login default group tacacs+ local
    aaa authentication login console local
    aaa accounting default group tacacs+ local
    But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.
    I do not know how to do this on the ACS 5.1.0.44.
    Anyone know?
    TAC made a good suggestion but the command path doesn't seem to line up with my version of ACS.
    Thanks for your reply. About this question:
    shell:<Context>*<Role> <Domain>
    What I meant is that you need to check the following couple of things on your ACS server in order to have AAA TACACS users log in to the ACE over the context with superuser rights.
    Group setup -> users -> TACACS+ Settings -> enable Shell (exec) -> enable Custom attributes -> right below this part you need to use the following syntax to link the ACE context that this user has access to.
    For example:
    shell:<Context>*<Role> <Domain>
    shell:Admin*Admin default-domain
    where this user will have access to the Admin context with the role admin using the 'default-domain'.

    Wilfred,
    What you will have to do on your version of ACS is modify the shell profile that your admins are hitting for other IOS devices, or you can create another shell profile under Policy Elements -> Device Administration ->
    Once you get into this shell profile, select the Custom Attributes tab and fill in the fields close to the bottom of the screen: from the example you provided, type shell:Admin for the attribute field and then default-domain for the value field, and make sure you select this requirement as optional. If you select mandatory and other IOS devices use this same shell profile, you will force this AV pair to those devices also, which will impact the priv levels that they need for authentication.
    After you add this attribute, save your changes and then test. Also make sure that your Access Policy is calling this shell profile under the authorization profile for default device admin.
    Thanks,
    Tarik Admani

  • Issue with ACS 4 and AAA. Port scan shows no Radius but does show tacacs

    To start, I am new to ACS, so if this is an easy issue to solve please forgive me. I am trying to get authentication working with ACS 4. I set up everything according to the instructions, and when I try to test authentication with the VPN concentrator I get a "No active server found" error. I have tried using an internal user to start and I also have tried an AD account. If I port scan the ACS server I do not see it advertising port 1645, but I do see port 49 for TACACS and I also see ports 2000-2002. CSRadius is running.

    Actually, to avoid any issues I made CSRadius listen on BOTH sets of ports :)
    So unless that got changed without my knowing, it should be listening on 1645/6 and 1812/3.
    Darra

  • TACACS Administration issue in Cisco ACS V4.1

    Hi,
    I am using Cisco Secure ACS V 4.1 for Windows. When taking the TACACS+ Administration report, the report is not getting generated. I have come to know that this is a bug in this version, so as per the support forums they have suggested updating to ACS 4.1.1.23. The link which shows this is given below.
    https://supportforums.cisco.com/message/2015469;jsessionid=E5E34B6AE1216E24188E4712050285DC.node0
    For the same I have searched on Cisco, but this particular version is not present; instead ACS 4.1.4.13 is present.
    Please let me know if updating to ACS 4.1.4.13 will resolve this TACACS+ administration report issue, or else provide me the remedy to fix this issue.
    Thanks,
    Krishna.

    Krishna,
    That link does not have any full software listed, only patches are listed. This bug is fixed in the ACS 4.1.1.23.5 accumulative patch, which can be downloaded from that link.
    In case you want to upgrade ACS, you need to open a TAC case to get the full software.
    Regards,
    ~JG
    Do rate helpful posts

  • PIX authorization issue with TACACS+

    I have set up on a network a
    PIX firewall (ver 6.3(5)):
    aaa-server TACACS+ (inside) host 172.20.67.153 cisco123
    aaa accounting telnet console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa authorization commands TACACS+
    I am able to log in to enable mode.
    But I am getting "Command authorization failed" if I try config t or show run, which are allowed in the PIX/ASA command authorization set in TACACS+.

    Hi friend,
    You could try the following:
    1) See the configuration of the user authorization on the ACS. Maybe there's a mistake when giving privileges to the desired user.
    See these documents:
    http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/prod_configuration_examples_list.html
    2) Configure a local user and try to log in with the local database. To do it, see the example below:
    username admin password xxxxxxxx encrypted privilege 15
    Hope it helps. If it does, please rate.
    Regards,
    Rafael Lanna

  • TACACS on Cisco WLC Issue

    I just installed a Cisco 5508 WLC on our network. I have the Management IP in the management VLAN and on the controller I set it up "untagged". The WLC has two ports connected to a Cisco 4507 switch in a port-channel config.
    I can ping the controller from the network fine, and I can ping the TACACS server from the controller. I have the priority set up as "TACACS+, LOCAL". However, when I try to log into the WLC and look at the debug, it shows that I am authenticating and that is about it; for some reason authorization traffic is not passing. Using Wireshark I have confirmed that the request is coming from the Management IP interface.
    I have followed the instructions from this link:
    http://www.cisco.com/en/US/customer/docs/wireless/controller/5.0/configuration/guide/c5sol.html
    Any ideas?

    It's running on Windows, Cisco Secure ACS 3.3.
    Here is the debug:
    (Cisco Controller) >*aaaQueueReader: Nov 22 23:43:15.157: AuthenticationRequest: 0x2bc328e8
    *aaaQueueReader: Nov 22 23:43:15.157:   Callback.....................................0x108a6808
    *aaaQueueReader: Nov 22 23:43:15.157:   protocolType.................................0x00020030
    *aaaQueueReader: Nov 22 23:43:15.157:   proxyState...................................00:00:00:7E:00:00-00:00
    *aaaQueueReader: Nov 22 23:43:15.157:   Packet contains 5 AVPs (not shown)
    *aaaQueueReader: Nov 22 23:43:15.157: Forwarding request to 10.10.10.10 port=49
    *tplusTransportThread: Nov 22 23:43:16.315: 00000000: c0 01 02 00 0f b1 0a f4    .............`2.
    *tplusTransportThread: Nov 22 23:43:16.315: 00000010: 16 28 0b e4 58 be bd 9f  9f f8 58 60              .(..X.....X`
    *tplusTransportThread: Nov 22 23:43:16.315: tplus response: type=1 seq_no=2 session_id=0fb10af4 length=16 encrypted=0
    *tplusTransportThread: Nov 22 23:43:16.315: TPLUS_AUTHEN_STATUS_GETPASS
    *tplusTransportThread: Nov 22 23:43:16.315: auth_cont get_pass reply: pkt_length=26
    *tplusTransportThread: Nov 22 23:43:16.315: processTplusAuthResponse: Continue auth transaction
    *tplusTransportThread: Nov 22 23:43:16.353: 00000000: c0 01 04 00 0f b1 0a f4  .......... ............d...
    *tplusTransportThread: Nov 22 23:43:16.353: 00000010: ac 51                                             .Q
    *tplusTransportThread: Nov 22 23:43:16.353: tplus response: type=1 seq_no=4 session_id=0fb10af4 length=6 encrypted=0
    *tplusTransportThread: Nov 22 23:43:16.353: tplus_make_author_request() from tplus_authen_passed returns rc=0
    *tplusTransportThread: Nov 22 23:43:16.353: Forwarding request to 10.10.10.10 port=49
    *tplusTransportThread: Nov 22 23:43:16.356: 00000000: c0 02 02 00 18 d3 91 67  00 00 00 06 cc e5 c2 af  .......g........
    *tplusTransportThread: Nov 22 23:43:16.356: 00000010: 32 69                                             2i
    *tplusTransportThread: Nov 22 23:43:16.356: author response body: status=1 arg_cnt=0 msg_len=0 data_len=0
    *tplusTransportThread: Nov 22 23:43:16.356:
    User has the following mgmtRole 0
    *tplusTransportThread: Nov 22 23:43:16.356: 00:00:00:7e:00:00 Returning AAA Success for mobile 00:00:00:7e:00:00
    *tplusTransportThread: Nov 22 23:43:16.356: AuthorizationResponse: 0x2d2e5678
    *tplusTransportThread: Nov 22 23:43:16.356:     structureSize................................74
    *tplusTransportThread: Nov 22 23:43:16.356:     resultCode...................................0
    *tplusTransportThread: Nov 22 23:43:16.356:     protocolUsed.................................0x00000010
    *tplusTransportThread: Nov 22 23:43:16.356:     proxyState...................................00:00:00:7E:00:00-00:00
    *tplusTransportThread: Nov 22 23:43:16.356:     Packet contains 2 AVPs:
    *tplusTransportThread: Nov 22 23:43:16.356:         AVP[01] Service-Type.............................0x00000000 (0) (4 bytes)
    *tplusTransportThread: Nov 22 23:43:16.356:         AVP[02] Unknown Attribute 243....................0x00000001 (1) (4 bytes)
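    To make the hex dumps in the debug above readable, here is an added example (not from the original post or from Cisco) that parses the 12-byte TACACS+ header defined in RFC 8907 out of the debug lines and shows how the packet body is masked with the shared key. The two dump lines are copied from the post; the shared key is a constructed placeholder, since the real one is not known, so the AUTHOR reply body is rebuilt from the values the WLC logged rather than decoded from the wire bytes.

```python
import hashlib
import re
import struct
from dataclasses import dataclass

TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}
FLAG_UNENCRYPTED = 0x01   # set only when the body is cleartext; it is 0 in the dump above
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}

# The AUTHOR reply as logged by the WLC (copied from the debug output in the post).
AUTHOR_REPLY_LINES = [
    "*tplusTransportThread: Nov 22 23:43:16.356: 00000000: c0 02 02 00 18 d3 91 67  00 00 00 06 cc e5 c2 af  .......g........",
    "*tplusTransportThread: Nov 22 23:43:16.356: 00000010: 32 69                                             2i",
]

@dataclass
class Header:
    version: int      # 0xc0: major version 0xc, minor version 0
    ptype: int        # 1 authen, 2 author, 3 acct
    seq_no: int
    flags: int
    session_id: int
    length: int       # body length, excluding this 12-byte header

def hexdump_bytes(lines):
    """Collect the hex columns from 'OFFSET: xx xx ...   ascii' lines (ASCII column is 3+ spaces away)."""
    out = bytearray()
    for line in lines:
        m = re.search(r"\b[0-9a-f]{8}:((?:\s{1,2}[0-9a-f]{2})+)", line)
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)

def parse_header(pkt):
    if len(pkt) < 12:
        raise ValueError("shorter than the 12-byte TACACS+ header")
    return Header(*struct.unpack("!BBBBII", pkt[:12]))

def summary(hdr):
    """Same fields the WLC prints in its 'tplus response:' line."""
    return f"type={hdr.ptype} seq_no={hdr.seq_no} session_id={hdr.session_id:08x} length={hdr.length}"

def pseudo_pad(hdr, key, n):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no); MD5_i appends MD5_i-1."""
    seed = struct.pack("!I", hdr.session_id) + key + bytes([hdr.version, hdr.seq_no])
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:n]

def mask(hdr, body, key):
    """XOR the body with the pseudo-pad; applying it twice restores the cleartext."""
    if hdr.flags & FLAG_UNENCRYPTED:
        return body
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(hdr, key, len(body))))

def parse_author_reply(body):
    """AUTHOR reply body: status(1) arg_cnt(1) server_msg_len(2) data_len(2), then msg/data/args."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    return {"status": AUTHOR_STATUS.get(status, hex(status)), "arg_cnt": arg_cnt,
            "msg_len": msg_len, "data_len": data_len}

def roundtrip_author_reply(key=b"constructed-shared-key"):
    """The real key is unknown, so rebuild the reply the WLC decoded (status=1, no args),
    mask it under a constructed key as the server would, then unmask and decode it."""
    hdr = parse_header(hexdump_bytes(AUTHOR_REPLY_LINES))
    on_wire = mask(hdr, struct.pack("!BBHH", 0x01, 0, 0, 0), key)
    return parse_author_reply(mask(hdr, on_wire, key))
```

    Note that status 1 (PASS_ADD) with arg_cnt=0 means the server granted the session without returning any attributes, which matches the "mgmtRole 0" the controller then reports.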

  • Tacacs+ server dead issue

    Dear Cisco Gurus,
    tacacs-server host 10.2.100.100
    tacacs-server host 10.2.17.203
    We have 2 TACACS+ servers defined in ACS 5.2. When putting 10.2.100.100 down, TACACS authentication continues to try to authenticate to the dead server; how is this possible?
    Normal behaviour should be going to the second (10.2.17.203) after the first TACACS+ server timeout (default 5s).
    Tacacs+ Server            : 10.2.100.100/49
                  Socket opens:         15
                 Socket closes:         15
                 Socket aborts:          0
                 Socket errors:          0
               Socket Timeouts:          0
       Failed Connect Attempts:         85
            Total Packets Sent:          0
            Total Packets Recv:          0
    Tacacs+ Server            : 10.2.17.203/49
                  Socket opens:        166
                 Socket closes:        166
                 Socket aborts:          0
                 Socket errors:          0
               Socket Timeouts:          0
       Failed Connect Attempts:          0
            Total Packets Sent:        195
            Total Packets Recv:        195
    Many thanks,
    Lieven Stubbe
    Belgian railways
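    The same "show tacacs" counters appear in the 10.0.2.193 post above (33 packets sent, 0 received) and in this one (85 failed connects on the dead server, a clean 195/195 on the live one). The following added example, not from any of the posters, parses those blocks and classifies each server the way Marco's and Tiago's replies do; the input is the counter text copied from the two posts.

```python
import re

# Counter blocks copied from the two posts above; the values are the ones the posters pasted.
SHOW_TACACS = """
Tacacs+ Server            : 10.0.2.193/49
              Socket opens:         33
             Socket closes:         33
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:         33
        Total Packets Recv:          0
Tacacs+ Server            : 10.2.100.100/49
              Socket opens:         15
             Socket closes:         15
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:         85
        Total Packets Sent:          0
        Total Packets Recv:          0
Tacacs+ Server            : 10.2.17.203/49
              Socket opens:        166
             Socket closes:        166
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:        195
        Total Packets Recv:        195
"""

def parse_show_tacacs(text):
    """Return one dict per server: address, port and the integer counters under it."""
    servers, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*Tacacs\+ Server\s*:\s*([\d.]+)/(\d+)", line)
        if m:
            cur = {"server": m.group(1), "port": int(m.group(2))}
            servers.append(cur)
            continue
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*$", line)
        if m and cur is not None:
            cur[m.group(1)] = int(m.group(2))
    return servers

def assess(s):
    """Classify a server from its counters; the hints follow the replies in the thread."""
    if s.get("Failed Connect Attempts", 0) and not s.get("Total Packets Sent", 0):
        return "unreachable: TCP/49 connect fails; server down or a path/ACL problem"
    if s.get("Total Packets Sent", 0) and not s.get("Total Packets Recv", 0):
        return ("no reply: server accepts the connection but never answers; check that the "
                "AAA client entry on ACS matches the address the device sources from "
                "(ip tacacs source-interface)")
    if s.get("Socket Timeouts", 0) or s.get("Socket errors", 0):
        return "degraded: timeouts or socket errors on an otherwise answering server"
    return "healthy"

def triage(text):
    """Map each server address to its assessment."""
    return {s["server"]: assess(s) for s in parse_show_tacacs(text)}
```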

    Richard, Kashif,
    1) 10.2.100.100 is a dummy IP to be sure we have a correct test scenario :
    tacacs-server host 10.2.100.100
    tacacs-server host 10.2.17.203
    2) We have defined 2 testswitches with this config :
    C3560 (12.2(53))
    C3750 (12.2(55))
    With our 3560, it hits the timeout counter of 5s of the dead TACACS server once; once logged in, all other TACACS commands are handled by 10.2.17.203.
    Failed Connect Attempts rises by 1.
    With our 3750, with each TACACS command it hits the timeout counter of 5s of the dead TACACS server every time before going to 10.2.17.203, so all commands are executed but each time with a timeout delay of 5s.
    Failed Connect Attempts rises by the number of TACACS commands typed.
    Many thanks,
    Lieven Stubbe
    Belgian Railways
