TACACS not working
Hi Guys
I have added a 2960x switch to my network and configured with tacacs. It does not seems to talk to the tacacs ACS server and I can ping the server as it also authenticates other devices on the network but this new switch only lets me login with local credentials. I have added the switch to ACS aswell
When i tried "test aaa group tacacs username password" Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server."
My config on the switch is:
aaa group server tacacs+ ACS1
server 10.10.10.10
aaa authentication login default group ACS1 local
aaa authentication enable default group ACS1 enable
aaa authorization config-commands
aaa authorization exec default group ACS1 if-authenticated
aaa authorization commands 1 default group ACS1 if-authenticated
aaa authorization commands 15 default group ACS1 if-authenticated
aaa accounting update newinfo
aaa accounting commands 1 default start-stop broadcast group ACS1
aaa accounting commands 15 default start-stop broadcast group ACS1
tacacs-server host 10.10.10.10
tacacs-server key 12345678
Thanks
Thanks Reza
After some investigation it seemed the issue is with the tacacs-server host 10.10.10.10 command. I realised upon entering this command the cli accepted it but gave a warning message
"Warning: The cli will be deprecated soon
'tacacs-server host acs-1 key 0 <my-key>'
Please move to 'tacacs server <name>' CLI"
Apparently cisco have made a few changes to the config. The tacacs-server ACS1 commands didnt work.
So I entered tacacs-server host 10.10.10.10 key 12345678
That worked.
Thanks
Similar Messages
-
Tacacs not working for 3 new 5508 WLC's...working fine for 6 old 4400 WLC's.
before 7.116 code upgrade...I remember 5508 was working on and off and now they are not.
Same configs on SW, WLC and ACS.
Debug on WLC gives..below message when Tacacs is attempted..
*aaaQueueReader: Oct 25 09:20:41.700: tplus_processAuthRequest: memory alloc failed for tplus
Any pointers for troubleshooting? Not sure why statistics show zero...?? Radius is working for users.
(wlc03) >show tacacs auth statistics
Authentication Servers:
Server Index..................................... 1
Server Address................................... 10.3.121.21
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 0
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
Error Responses.................................. 0
Restart Responses................................ 0
Follow Responses................................. 0
GetData Responses................................ 0
Encrypt no secret Responses...................... 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Timeout Requests................................. 0
Unknowntype Msgs................................. 0
Other Drops...................................... 0
Server Index..................................... 2
--More-- or (q)uit
Server Address................................... 10.3.121.22
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 0
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
Error Responses.................................. 0
Restart Responses................................ 0
Follow Responses................................. 0
GetData Responses................................ 0
Encrypt no secret Responses...................... 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Timeout Requests................................. 0
Unknowntype Msgs................................. 0
Other Drops...................................... 0
(wlc03) >show tacacs summary
Authentication Servers
Idx Server Address Port State Tout
1 10.3.121.21 49 Enabled 5
2 10.3.121.22 49 Enabled 5
Authorization Servers
Idx Server Address Port State Tout
1 10.3.121.21 49 Enabled 30
2 10.3.121.22 49 Enabled 5
Accounting Servers
Idx Server Address Port State Tout
1 10.3.121.21 49 Enabled 5
We can ping the TACACS servers...>show memory statistics
System Memory Statistics:
Total System Memory............: 1028820992 bytes
Used System Memory.............: 458424320 bytes
Free System Memory.............: 570396672 bytes
Bytes allocated from RTOS......: 21939008 bytes
Chunks Free....................: 29 bytes
Number of mmapped regions......: 45
Total space in mmapped regions.: 212779008 bytes
Total allocated space..........: 12015112 bytes
Total non-inuse space..........: 9923896 bytes
Top-most releasable space......: 133800 bytes
Total allocated (incl mmap)....: 234718016 bytes
Total used (incl mmap).........: 224794120 bytes
Total free (incl mmap).........: 9923896 bytes
show buffers
Pool[00]: 16 byte chunks
chunks in pool: 50000
chunks in use: 19030
bytes in use: 304480
bytes requested: 90479 (214001 overhead bytes)
Pool[01]: 64 byte chunks
chunks in pool: 40000
chunks in use: 14519
bytes in use: 929216
bytes requested: 566395 (362821 overhead bytes)
Pool[02]: 128 byte chunks
chunks in pool: 20000
chunks in use: 7726
bytes in use: 988928
bytes requested: 672853 (316075 overhead bytes)
Pool[03]: 256 byte chunks
chunks in pool: 4000
chunks in use: 808
bytes in use: 206848
bytes requested: 154777 (52071 overhead bytes)
Pool[04]: 1024 byte chunks
--More-- or (q)uit
chunks in pool: 15300
chunks in use: 11645
bytes in use: 11924480
bytes requested: 4945714 (6978766 overhead bytes)
Pool[05]: 2048 byte chunks
chunks in pool: 1000
chunks in use: 189
bytes in use: 387072
bytes requested: 355272 (31800 overhead bytes)
Pool[06]: 4096 byte chunks
chunks in pool: 1000
chunks in use: 36
bytes in use: 147456
bytes requested: 102479 (44977 overhead bytes)
Raw Pool:
chunks in use: 186
bytes requested: 156052303
show process memory
Name Priority BytesInUse BlocksInUse Reaper
cslStoreManager (240/ 7) 0 0 ( 0/ 0)%
System Reset Task (240/ 7) 0 0 ( 0/ 0)%
reaperWatcher ( 3/ 96) 0 0 ( 0/ 0)% I
osapiReaper ( 10/ 94) 0 0 ( 0/ 0)% I
TempStatus (240/ 7) 424 1 ( 0/ 0)% I
pktDebugSocketTask (255/ 1) 0 0 ( 0/ 0)%
LICENSE AGENT (240/ 7) 2228 85 ( 0/ 0)% I
emWeb ( 7/ 95) 1235795 20743 ( 0/ 0)% T 300
webJavaTask (240/ 7) 0 0 ( 0/ 0)%
fmcHsTask (100/ 60) 0 0 ( 0/ 0)%
apstatEngineTask (240/ 7) 0 0 ( 0/ 0)%
rrcEngineTask (240/ 7) 0 0 ( 0/ 0)%
spectrumDataTask (255/ 1) 1614480 12 ( 0/ 0)%
spectrumNMSPTask (255/ 1) 28808 3 ( 0/ 0)%
wipsTask (240/ 7) 0 0 ( 0/ 0)%
tsmTask (255/ 1) 0 0 ( 0/ 0)%
cids-cl Task (240/ 7) 0 0 ( 0/ 0)%
ethoipSocketTask ( 7/ 95) 0 0 ( 0/ 0)%
ethoipOsapiMsgRcv (240/ 7) 0 0 ( 0/ 0)%
--More-- or (q)uit
envCtrollerStatus (240/ 7) 0 0 ( 0/ 0)%
rfidTask (240/ 7) 0 0 ( 0/ 0)%
idsTrackEventTask (239/ 8) 0 0 ( 0/ 0)%
DHCP Server (240/ 7) 0 0 ( 0/ 0)%
bcastReceiveTask (240/ 7) 0 0 ( 0/ 0)%
ProcessLoggingTask (240/ 7) 0 0 ( 0/ 0)%
CDP Main (240/ 7) 3100 13 ( 0/ 0)%
sntpMainTask (240/ 7) 0 0 ( 0/ 0)%
sntpReceiveTask (240/ 7) 0 0 ( 0/ 0)%
cdpSocketTask (240/ 7) 0 0 ( 0/ 0)%
grouping Task (255/ 1) 0 0 ( 0/ 0)%
dot11a (255/ 1) 63 3 ( 0/ 0)%
rrm Socket Task ( 1/ 97) 35024 1 ( 0/ 0)%
rrm Socket Task (255/ 1) 35024 1 ( 0/ 0)%
dot11a (255/ 1) 0 0 ( 0/ 0)%
grouping Task (255/ 1) 0 0 ( 0/ 0)%
dot11b (255/ 1) 105 5 ( 0/ 0)%
rrm Socket Task (255/ 1) 35024 1 ( 0/ 0)%
dot11b (255/ 1) 0 0 ( 0/ 0)%
rrm Socket Task (255/ 1) 35024 1 ( 0/ 0)%
apfPmkCacheTimer (240/ 7) 0 0 ( 0/ 0)%
Apf Guest (240/ 7) 0 0 ( 0/ 0)%
RLDP Schedule Task (240/ 7) 0 0 ( 0/ 0)%
--More-- or (q)uit
apfMsConnTask_5 (175/ 32) 0 0 ( 0/ 0)%
apfMsConnTask_4 (175/ 32) 0 0 ( 0/ 0)%
apfMsConnTask_6 (175/ 32) 0 0 ( 0/ 0)%
apfMsConnTask_7 (175/ 32) 0 0 ( 0/ 0)%
apfMsConnTask_3 (175/ 32) 0 0 ( 0/ 0)%
apfMsConnTask_2 (175/ 32) 0 0 ( 0/ 0)%
apfLbsTask (240/ 7) 0 0 ( 0/ 0)%
apfMsConnTask_0 (175/ 32) 0 0 ( 0/ 0)%
apfMsConnTask_1 (175/ 32) 0 0 ( 0/ 0)%
apfProbeThread (200/ 22) 0 0 ( 0/ 0)%
apfOrphanSocketTas (240/ 7) 0 0 ( 0/ 0)%
apfRogueDetectorTh (175/ 32) 0 0 ( 0/ 0)%
apfRogueTask (240/ 7) 0 0 ( 0/ 0)%
apfOpenDtlSocket (175/ 32) 0 0 ( 0/ 0)%
apfRLDP (175/ 32) 424 1 ( 0/ 0)%
apfRLDPRecv (175/ 32) 0 0 ( 0/ 0)%
apfReceiveTask (175/ 32) 0 0 ( 0/ 0)%
mmMfpTask (175/ 32) 0 0 ( 0/ 0)%
mmMobility (240/ 7) 1272 3 ( 0/ 0)%
mmSSHPeerRegister (240/ 7) 0 0 ( 0/ 0)%
mmListen (180/ 30) 99920 227 ( 0/ 0)%
tplusTransportThre (201/ 22) 0 0 ( 0/ 0)%
radiusCoASupportTr (201/ 22) 0 0 ( 0/ 0)%
--More-- or (q)uit
EAP Framework (240/ 7) 0 0 ( 0/ 0)%
aaaQueueReader (225/ 13) 3518 12 ( 0/ 0)%
radiusRFC3576Trans (201/ 22) 0 0 ( 0/ 0)%
radiusTransportThr (201/ 22) 0 0 ( 0/ 0)%
pemReceiveTask (240/ 7) 0 0 ( 0/ 0)%
iappSocketTask (240/ 7) 0 0 ( 0/ 0)%
ccxRmTask (230/ 11) 0 0 ( 0/ 0)%
ccxS69Task (240/ 7) 424 1 ( 0/ 0)%
ccxDiagTask (240/ 7) 0 0 ( 0/ 0)%
ccxL2RoamTask (240/ 7) 240424 3 ( 0/ 0)%
dot1xSocketTask (240/ 7) 0 0 ( 0/ 0)%
Dot1x_NW_MsgTask_7 (240/ 7) 0 0 ( 0/ 0)%
Dot1x_NW_MsgTask_6 (240/ 7) 0 0 ( 0/ 0)%
Dot1x_NW_MsgTask_2 (240/ 7) 0 0 ( 0/ 0)%
Dot1x_NW_MsgTask_3 (240/ 7) 0 0 ( 0/ 0)%
Dot1x_NW_MsgTask_4 (240/ 7) 0 0 ( 0/ 0)%
Dot1x_NW_MsgTask_5 (240/ 7) 0 0 ( 0/ 0)%
Dot1x_NW_MsgTask_1 (240/ 7) 0 0 ( 0/ 0)%
Dot1x_NW_MsgTask_0 (240/ 7) 424 1 ( 0/ 0)%
dot1xMsgTask (240/ 7) 0 0 ( 0/ 0)%
locpTxServerTask (220/ 15) 408 2 ( 0/ 0)%
locpRxServerTask (200/ 22) 428043 1961 ( 0/ 0)%
capwapSocketTask ( 72/ 70) 303104 148 ( 0/ 0)%
--More-- or (q)uit
spamApTask6 (118/ 53) 25929 63 ( 0/ 0)%
spamApTask7 ( 53/ 78) 24233 59 ( 0/ 0)%
spamApTask5 (118/ 53) 23445 61 ( 0/ 0)%
spamApTask4 (118/ 53) 23513 58 ( 0/ 0)%
spamApTask3 (118/ 53) 19569 48 ( 0/ 0)%
spamApTask2 ( 53/ 78) 23809 58 ( 0/ 0)%
spamApTask1 ( 53/ 78) 22961 56 ( 0/ 0)%
spamApTask0 ( 78/ 68) 39189 106 ( 0/ 0)%
spamReceiveTask (120/ 52) 2204024 252 ( 0/ 0)%
spamSocketTask ( 32/ 85) 0 0 ( 0/ 0)%
Image License brok (240/ 7) 0 0 ( 0/ 0)% I
Image License brok (240/ 7) 28 1 ( 0/ 0)% I
IPC Main Thread (240/ 7) 0 0 ( 0/ 0)% I
License Client Lib (240/ 7) 96 1 ( 0/ 0)% I
sshpmLscScepTask (100/ 60) 0 0 ( 0/ 0)%
License Client Lib (240/ 7) 96 1 ( 0/ 0)% I
sshpmLscTask (100/ 60) 25783 1739 ( 0/ 0)%
sshpmReceiveTask (175/ 32) 6697 66 ( 0/ 0)%
sshpmMainTask (100/ 60) 208440 358 ( 0/ 0)%
mfpKeyRefreshTask (255/ 1) 0 0 ( 0/ 0)%
mfpEventTask (255/ 1) 0 0 ( 0/ 0)%
mfpTrapForwardTask (255/ 1) 0 0 ( 0/ 0)%
clientTroubleShoot (100/ 60) 2841248 4 ( 0/ 0)%
--More-- or (q)uit
loggerMainTask (200/ 22) 0 0 ( 0/ 0)%
debugMainTask (200/ 22) 0 0 ( 0/ 0)%
dot3ad_lac_task (240/ 7) 32901 3 ( 0/ 0)%
gccp_t (240/ 7) 5864 5 ( 0/ 0)%
dot1dTimer (240/ 7) 0 0 ( 0/ 0)% T 300
dot1dRecv (250/ 3) 0 0 ( 0/ 0)%
uart_session (240/ 7) 0 0 ( 0/ 0)%
StatsTask (240/ 7) 0 0 ( 0/ 0)%
fdbTask (240/ 7) 0 0 ( 0/ 0)%
broffu_SocketRecei (100/ 60) 13 1 ( 0/ 0)%
SNMPProcMon (240/ 7) 0 0 ( 0/ 0)% T 300
RMONTask ( 71/ 71) 0 0 ( 0/ 0)% I
SNMPTask (240/ 7) 61089 1064 ( 0/ 0)%
DHCP Socket Task (240/ 7) 0 0 ( 0/ 0)%
DHCP Proxy Task (240/ 7) 0 0 ( 0/ 0)%
dhcpClientTimerTas (240/ 7) 0 0 ( 0/ 0)%
DHCP Client Task (240/ 7) 0 0 ( 0/ 0)% T 600
BootP (240/ 7) 0 0 ( 0/ 0)% T 300
TransferTask (240/ 7) 848 2 ( 0/ 0)% I
osapiTimer (100/ 60) 13024 2 ( 0/ 0)% T 300
nim_t (100/ 60) 2447 3 ( 0/ 0)%
dtlArpTask ( 7/ 95) 98436 3 ( 0/ 0)%
dtlTask (100/ 60) 41089 20 ( 0/ 0)%
--More-- or (q)uit
dtlDataLowTask ( 7/ 95) 0 0 ( 0/ 0)%
sysapiprintf (240/ 7) 22657 3 ( 0/ 0)%
osapiBsnTimer ( 95/ 62) 0 0 ( 0/ 0)%
fp_main_task (240/ 7) 153068796 26868 ( 0/ 0)% -
Nexus 1KV TACACS+ Not Working
I have been trying to get my Nexus 1KV working with AAA/TACACS+ and I'm stumped.
The short version is that I see where the issue is, but can't seem to resolve it.
When I try to log in using TACACS, it fails. The ACS server reports InvalidPassword.
The CLI on the Nexus shows:
2011 Sep 9 16:37:13 NY_nexus1000v %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
2011 Sep 9 16:37:14 NY_nexus1000v %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user gtopf from 192.168.20.151 - sshd[15675]
2011 Sep 9 16:37:23 NY_nexus1000v %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user gtopf from 192.168.20.151 - sshd[15672]
And an AAA test from the nexus fails.
I have good connectivity between the two boxes, I can ping, and obviously the failed login showing on ACS shows that it's talking, but it's just not working.
My config is below (omitted ethernet port configs)
!Command: show running-config
!Time: Fri Sep 9 16:45:49 2011
version 4.2(1)SV1(4a)
no feature telnet
feature tacacs+
feature lacp
username admin password 5 $1$Q50UpgN/$4eu39QmZHLTf3FAkwwdOF1 role network-admin
banner motd #Nexus 1000v Switch#
ssh key rsa 2048
ip domain-lookup
ip domain-lookup
ip name-server 192.168.20.10
tacacs-server timeout 30
tacacs-server host 192.168.20.30 key 7 "j3gp0"
aaa group server tacacs+ TacServer
server 192.168.20.30
deadtime 15
use-vrf management
source-interface mgmt0
hostname NY_nexus1000v
ntp server 192.168.20.10
aaa authentication login default group TacServer
aaa authentication login console group TacServer
aaa authentication login error-enable
tacacs-server directed-request
vrf context management
ip route 0.0.0.0/0 192.168.240.1
vlan 1,20,40,240
lacp offload
port-channel load-balance ethernet source-mac
port-profile default max-ports 32
port-profile type ethernet Unused_Or_Quarantine_Uplink
vmware port-group
shutdown
description Port-group created for Nexus1000V internal usage. Do not use.
state enabled
port-profile type vethernet Unused_Or_Quarantine_Veth
vmware port-group
shutdown
description Port-group created for Nexus1000V internal usage. Do not use.
state enabled
port-profile type ethernet system-uplink
vmware port-group
switchport mode trunk
switchport trunk allowed vlan 20,40,240
channel-group auto mode active
no shutdown
system vlan 240
description "System profile for critical ports"
state enabled
port-profile type vethernet data20
vmware port-group
switchport mode access
switchport access vlan 20
no shutdown
description "Data profile for VM traffic 20 VLAN"
state enabled
port-profile type vethernet data40
vmware port-group
switchport mode access
switchport access vlan 40
no shutdown
description "Data profile for VM traffic 40 VLAN"
state enabled
port-profile type vethernet data240
vmware port-group
switchport mode access
switchport access vlan 240
no shutdown
description "Data profile for VM traffic 240 VLAN"
state enabled
port-profile type vethernet system-upilnk
description "Uplink profile for VM traffic"
vdc NY_nexus1000v id 1
limit-resource vlan minimum 16 maximum 2049
limit-resource monitor-session minimum 0 maximum 2
limit-resource vrf minimum 16 maximum 8192
limit-resource port-channel minimum 0 maximum 768
limit-resource u4route-mem minimum 32 maximum 32
limit-resource u6route-mem minimum 16 maximum 16
limit-resource m4route-mem minimum 58 maximum 58
limit-resource m6route-mem minimum 8 maximum 8
interface port-channel1
inherit port-profile system-uplink
vem 3
interface port-channel2
inherit port-profile system-uplink
vem 4
interface port-channel3
inherit port-profile system-uplink
vem 5
interface port-channel4
inherit port-profile system-uplink
vem 6
interface mgmt0
ip address 192.168.240.10/24
interface control0
line console
boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.4a.bin sup-1
boot system bootflash:/nexus-1000v-mz.4.2.1.SV1.4a.bin sup-1
boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.4a.bin sup-2
boot system bootflash:/nexus-1000v-mz.4.2.1.SV1.4a.bin sup-2
svs-domain
domain id 500
control vlan 240
packet vlan 240
svs mode L2
svs connection vcenter
protocol vmware-vim
remote ip address 192.168.20.127 port 80
vmware dvs uuid "52 8b 1d 50 44 9d d7 1f-b6 25 76 f1 f7 97 d8 5e" datacenter-name 28th St Datacenter
max-ports 8192
connect
vsn type vsg global
tcp state-checks
vnm-policy-agent
registration-ip 0.0.0.0
shared-secret **********
log-levelFYI...
I was able to get TACACS+ auth working using the commands in the Original Post (without the two additional suggestions) as follows...
1000v# conf t
1000v(config)# feature tacacs+
1000v(config)# tacacs-server host 192.168.1.1 key 0
1000v(config)# aaa group server tacacs+ TacServer
1000v(config-tacacs+)# server 192.168.1.1
1000v(config-tacacs+)# use-vrf management
1000v(config-tacacs+)# source-interface mgmt 0
1000v(config-tacacs+)# aaa authentication login default group TacServer local
1000v(config)# aaa authentication login error-enable
1000v(config)# tacacs-server directed-request
I guess the OP had some other problem (perhaps incorrect shared secret??) -
TACACS not working - Need help
Hi,
I have implemented the TACACS in VPN VRF environment but the same is not working, I am not able to route the ACS servers IP's through the VRF-VPN.
Configuration pasted below
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
ip tacacs source-interface VLAN1
tacacs-server host X.X.X.X
tacacs-server host 10.10.10.4
tacacs-server key 7 ####################333
tacacs-server administration
aaa group server tacacs+ tacacs1
server-private 10.10.10.4 key ############
ip vrf forwarding LAN
ip tacacs source-interface VLAN1Hi sorry for late reply.
Please find below the logs from the router
Feb 12 14:10:28.748: AAA/ACCT/CMD(000000B9): free_rec, count 2
Feb 12 14:10:28.748: AAA/ACCT/CMD(000000B9): Setting session id 283 : db=846968EC
Feb 12 14:10:28.748: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)
Feb 12 14:10:35.450: AAA/BIND(000000BA): Bind i/f
Feb 12 14:10:35.450: AAA/ACCT/EVENT/(000000BA): CALL START
Feb 12 14:10:35.450: Getting session id for NET(000000BA) : db=83E3E3B0
Feb 12 14:10:35.450: AAA/ACCT(00000000): add node, session 284
Feb 12 14:10:35.450: AAA/ACCT/NET(000000BA): add, count 1
Feb 12 14:10:35.450: Getting session id for NONE(000000BA) : db=83E3E3B0
Feb 12 14:10:36.014: AAA/AUTHEN/LOGIN (000000BA): Pick method list 'default'
Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9): STOP protocol reply FAIL
Feb 12 14:10:38.749: AAA/ACCT(000000B9): Accouting method=NOT_SET
Feb 12 14:10:38.749: AAA/ACCT(000000B9): Send STOP accounting notification to EM successfully
Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9): Tried all the methods, osr 0
Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9) Record not present
Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9) reccnt 2, csr FALSE, osr 0
Feb 12 14:10:46.011: AAA/AUTHEN/LINE(000000BA): GET_PASSWORD
Feb 12 14:11:14.326: AAA/AUTHOR: config command authorization not enabled
Feb 12 14:11:14.326: AAA/ACCT/CMD(000000B9): Pick method list 'default'
Feb 12 14:11:14.326: AAA/ACCT/SETMLIST(000000B9): Handle 0, mlist 83E2FF8C, Name default
Feb 12 14:11:14.330: Getting session id for CMD(000000B9) : db=846968EC
Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): add, count 3
Feb 12 14:11:14.330: AAA/ACCT/EVENT/(000000B9): COMMAND
Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): Queueing record is COMMAND osr 1
Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): free_rec, count 2
Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): Setting session id 285 : db=846968EC
Feb 12 14:11:14.330: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): Pick method list 'default'
Feb 12 14:11:16.642: AAA/ACCT/SETMLIST(000000BA): Handle 0, mlist 83E2FEEC, Name default
Feb 12 14:11:16.642: Getting session id for EXEC(000000BA) : db=83E3E3B0
Feb 12 14:11:16.642: AAA/ACCT(000000BA): add common node to avl failed
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): add, count 2
Feb 12 14:11:16.642: AAA/ACCT/EVENT/(000000BA): EXEC DOWN
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): Accounting record not sent
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): free_rec, count 1
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA) reccnt 1, csr FALSE, osr 0
Feb 12 14:11:18.425: AAA/AUTHOR: config command authorization not enabled
Feb 12 14:11:18.425: AAA/ACCT/243(000000B9): Pick method list 'default'
Feb 12 14:11:18.425: AAA/ACCT/SETMLIST(000000B9): Handle 0, mlist 83144FF8, Name default
Feb 12 14:11:18.425: Getting session id for CMD(000000B9) : db=846968EC
Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): add, count 3
Feb 12 14:11:18.425: AAA/ACCT/EVENT/(000000B9): COMMAND
Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): Queueing record is COMMAND osr 2
Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): free_rec, count 2
Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): Setting session id 286 : db=846968EC
Feb 12 14:11:18.429: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)
Feb 12 14:11:18.649: AAA/ACCT/EVENT/(000000BA): CALL STOP
Feb 12 14:11:18.649: AAA/ACCT/CALL STOP(000000BA): Sending stop requests
Feb 12 14:11:18.649: AAA/ACCT(000000BA): Send all stops
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): STOP
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): Method list not found
Feb 12 14:11:18.649: AAA/ACCT(000000BA): del node, session 284
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): free_rec, count 0
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA) reccnt 0, csr TRUE, osr 0
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): Last rec in db, intf not enqueued -
TACACS not working in ASA 8.0(3)
We have quite a few ASA s with similar tacacs and crypto configs but yesterday we had issue with pix and we swapped pix with ASA 8.0(3) and tunnel is up and running but we are not able to login using tacacs even after the configs,, and i found a bug in cisco.com which asks us to use command " crypto map set reverse-route"
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk08454
even after configuring it right,, am not able to,, login using tacacs,, can some tell me how to use this command or ,, any other way ?
thnx in advancewe have a tunnel established with remote ASA and here are the configs related: let me know if ya need any hing,, thnx for replyin thgh
local device configs:
aaa-server protocol tacacs+
aaa-server host < ip>
aaa authentication ssh console
aaa authentication http console
access-list extended permit ip any
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map 20 match address
crypto map 20 set peer x.x.x.x
crypto map 20 set transform-set ESP-3DES-MD5
crypto map 20 set reverse-route
crypto map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
crypto isakmp policy 65535
remote ASA
access-list remark MobileAL
access-list extended permit ip any ip add subnet
crypto map 1925 match address outside_1925_cryptomap
crypto map 1925 set peer
crypto map 1925 set transform-set ESP-3DES-MD5
crypto map 1925 set security-association lifetime seconds 86400
crypto map 1925 set nat-t-disable
crypto map 1925 set reverse-route -
Tacacs+ not working on VRF Interface
C4948-10G switch running IOS 15.0(2)SG
ACS 4.2 cannot authenticate on the vrf interface. The issue on vrf aaa authentication.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization network default group tacacs+ local if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
ip vrf mgmt
rd 100:1
interface fa1
ip vrf forwarding mgmt
IP address 192.168.5.1 255.255.255.0
duplex auto
speed auto
ip vrf forwarding mgmt
aaa group server tacacs+ tacacs+ (command did not prompt to sub-command for server-private ....)
server-private {ip-address | name} [nat] [single-connection] [port port-number] [timeout seconds] [key [0 | 7] string]
tacacs-server host 192.168.5.75 key secret (Then, I decided to use global)
tacacs-server host 192.168.5.76 key secret
ip route vrf mgmt 192.168.5.75 255.255.255.0 192.168.5.2 (ACS 4.2 Tacacs+ server1)
ip route vrf mgmt 192.168.5.76 255.255.255.0 192.168.5.2 (ACS 4.2 Tacacs+ server2)
ip route vrf mgmt 192.168.5.85 255.255.255.0 192.168.5.2 (my management workstation)
ip tacacs source-interface fa1
sw2#debug tacacs
SW2#debug aaa authentication
SW2#test aaa group tacacs+ tester passwordtest new-code
Feb 4 11:36:09.808: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
Feb 4 11:36:09.808: TPLUS: Queuing AAA Authentication request 0 for processing
Feb 4 11:36:09.808: TPLUS: processing authentication start request id 0
Feb 4 11:36:09.808: TPLUS: Authentication start packet created for 0(tester)
Feb 4 11:36:09.808: TPLUS: Using server 192.168.5.75
Feb 4 11:36:09.808: TPLUS(00000000)/0/NB_WAIT/1AEFC558: Started 5 sec timeout
Feb 4 11:36:14.808: TPLUS(00000000)/0/NB_WAIT/1AEFC558: timed out
Feb 4 11:36:14.808: TPLUS: Choosing next server 192.168.5.76
Feb 4 11:36:14.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: Started 5 sec timeout
Feb 4 11:36:14.808: TPLUS(00000000)/1AEFC558: releasing old socket 0User rejected
SW2#
Feb 4 11:36:19.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: timed out
Feb 4 11:36:19.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: timed out, clean up
Feb 4 11:36:19.808: TPLUS(00000000)/1/1AEFC558: Processing the reply packet
SW2#test aaa group tacacs+ tester passwordtest legacy
Attempting authentication test to server-group tacacs+ using tacacs+
Feb 4 11:39:16.372: AAA: parse name=<no string> idb type=-1 tty=-1
Feb 4 11:39:16.372: AAA/MEMORY: create_user (0x1AEFC4A4) user='tester' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Feb 4 11:39:16.372: TAC+: send AUTHEN/START packet ver=192 id=153531412
Feb 4 11:39:16.372: TAC+: Using default tacacs server-group "tacacs+" list.
Feb 4 11:39:16.372: TAC+: Opening TCP/IP to 192.168.5.75/49 timeout=5
Feb 4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
Feb 4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5No authoritative response from any server.
SW2#
Feb 4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
Feb 4 11:39:26.372: AAA/MEMORY: free_user (0x1AEFC4A4) user='tester' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
SW2#ping vrf mgmt 192.168.5.85
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.85, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SW2#sh ip route vrf mgmt
Routing Table: mgmt
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
192.168.5.0/24 is variably subnetted, 3 subnets, 2 masks
S 192.168.5.75/32 [1/0] via 192.168.5.2
S 192.168.5.76/32 [1/0] via 192.168.5.2
S 192.168.5.85/32 [1/0] via 192.168.5.2
C 192.168.5.0/24 is directly connected, FastEthernet1
SW2#sh ip vrf
Name Default RD Interfaces
mgmt 100:1 Fa1
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080bd091c.shtmlHi,
Your debug output shows time out to ACS server as below.
Feb 4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
Feb 4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5No authoritative response from any server.
Feb 4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
Considering the fact that you are not able to see any logs on ACS, that means traffic may not be reaching the ACS.
Have you tried pinging the ACS server from the switch mgmt vrf? Your previous example was showing ping responce to the managment workstation (192.168.5.85) and not to the ACS.
Hope that helps
Najaf
Please rate when applicable or helpful !!! -
TACACS+ not working on WLC
Hi All,
I have configured tacacs for WLC. But I am not able to login to WLC using TACACS username and password.
Getting following message
Tue Sep 22 15:26:50 2009: Forwarding request to 10.0.0.1
6 port=49
Tue Sep 22 15:26:50 2009: tplus response: type=1 seq_no=2 session_id=ecf27238 le
ngth=6 encrypted=0
Tue Sep 22 15:26:50 2009: TPLUS_AUTHEN_STATUS = UNKNOWN(1)
Thanks
Jamal.SThere is radius happening on the auth portion of the WLC.
There seems to be a misconfiguration issue.
What do the ACS failed logs say?
Can you make sure you followed exactly:
http://cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/c60sol.html#wpmkr1261119 -
Per VRF Tacacs+ - not working
I'm trying to configure per VRF tacacs+ on a 2901 running IOS 15.2(4)M2.
I have the following configured:
aaa new-model
aaa group server tacacs+ MYGROUP
server-private 1.2.3.4 key cisco
ip vrf forwarding vpn_nms
ip tacacs source-interface Loopback100
aaa authentication login default local
aaa authentication login MYGROUP group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group MYGROUP if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
ip cef
ip vrf forwarding
ip vrf vpn_nms
rd 65XXX:3
interface Loopback100
description NMS LOOPBACK
ip vrf forwarding vpn_nms
ip address 10.10.10.10 255.255.255.255
tacacs-server host 1.2.3.4
tacacs-server directed-request
tacacs-server key cisco
line con 0
privilege level 15
logging synchronous
login authentication MYGROUP
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
login authentication MYGROUP
length 0
transport input all
I know some of this config is redundant but I have been trying different things and getting nowhere.Hi,
Your debug output shows time out to ACS server as below.
Feb 4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
Feb 4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5No authoritative response from any server.
Feb 4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
Considering the fact that you are not able to see any logs on ACS, that means traffic may not be reaching the ACS.
Have you tried pinging the ACS server from the switch mgmt vrf? Your previous example was showing ping responce to the managment workstation (192.168.5.85) and not to the ACS.
Hope that helps
Najaf
Please rate when applicable or helpful !!! -
TACACS is not working in 7206 VXR
Hi all,
TACACS is not working in my 7206 VXR.When i am telneting in to router it is showing Authorization Failed.I can able to login using console.
KEY is same b/w router and the server .Please help.
7206(config)#do sh run | in aaa|tacacs
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
ip tacacs source-interface Loopback0
tacacs-server host 202.148.202.174
tacacs-server key 7 073D055B42291A413630384D2E
GURG-7206-EDGE1(config)#do ping 202.148.202.174 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.148.202.174, timeout is 2 seconds:
Packet sent with a source address of 202.148.199.196
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/43/44 msIt is most likely a configuration or rechability issue. Double check
that you've got the right IP in the config, and that there's nothing
interfering with UDP between the two. With tacacs, it's good idea
to have known backup telnet & enable passwords, this same kind of
thing can happen when you have a badly congested link or some kind of
network problem and life is better when you can get into the router. -
TACACS enable password is not working after completing ACS & MS AD integration
Enable password for (Router, Switches) is working fine if identify source is "Internal Users", unfortunately after completed the integration between ACS to MS AD, and change the Identity source to "AD1" I got the following result
1. able to access network device (cisco switch) using MS AD username and password via SSH/Telnet.
2. Enable password is not working (using the same user password configured in MS AD.
3. When I revert back and change the ACS identity source from "AD1" to "Internal Users" enable password is working fine.
Switch Tacacs Configuration
aaa new-model
aaa authentication login default none
aaa authentication login ACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec ACS group tacacs+ local
aaa authorization commands 15 ACS group tacacs+ local
aaa accounting exec ACS start-stop group tacacs+
aaa accounting commands 15 ACS start-stop group tacacs+
aaa authorization console
aaa session-id common
tacacs-server host 10.X.Y.11
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key gacakey
line vty 0 4
session-timeout 5
access-class 5 in
exec-timeout 5 0
login authentication ACS
authorization commands 15 ACS
authorization exec ACS
accounting commands 15 ACS
accounting exec ACS
logging synchronous
This is my first ACS - AD integration experience, hoping to fix this issue with your support, thanks in advance.
Regards,Hi Edward,
I created a new shell profiles named "root" as the default one "Permit Access" can't be access or modified, underneath the steps I've made.
1. Create a new shell profile name "root" with max privilege of 15. And then used it in "Default Device Admin/Authorization/Rule-1" shell profile - see attached file for more details.
2. Telnet the Switch and then Issue "debug aaa authentication" using both "Root Shell" and "Permit Access" applied in Rule-1 profile.
Note:
I also attached here the captured screen and debug result for the "shell profiles" -
TACACS auth working via SSH, but not HTTP (ACS 5.1 / 3560)
Experts,
My switches are able to successfully authenticate user access against ACS 5.1 via SSH with TACACS+, but I am not able to authenticate via HTTPS with TACACS+. I don't even get a log in ACS when attempting to authenticate via HTTPS.
Here is my AAA config, followed by a debug:
aaa new-model
aaa authentication login ACCESS group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec ACCESS group tacacs+
aaa authorization commands 1 Priv1 group tacacs+ none
aaa authorization commands 15 Priv15 group tacacs+ none
aaa authorization network ACCESS group tacacs+
aaa accounting exec ACCESS start-stop group tacacs+
aaa accounting commands 0 ACCESS start-stop group tacacs+
aaa accounting commands 1 ACCESS start-stop group tacacs+
aaa accounting commands 15 ACCESS start-stop group tacacs+
aaa session-id common
ip http authentication aaa login-authentication ACCESS
ip http authentication aaa exec-authorization ACCESS
ip http authentication aaa command-authorization 1 Priv1
ip http authentication aaa command-authorization 15 Priv15
ip http secure-server
no ip http server
tacacs-server host X.X.X.X key 7
tacacs-server timeout 3
tacacs-server directed-request
Debug:
47w4d: HTTP AAA Login-Authentication List name: ACCESS
47w4d: HTTP AAA Exec-Authorization List name: ACCESS
47w4d: HTTP: Authentication failed for level 15
Shell authorization profiles are working in ACS when SSHing to devices (Priv1 and Priv15), and I can't figure out why its not working for HTTPS.
Any ideas?Thank you for your response, here is the debug from the 3560:
BC-3560-48-6-1-1#
48w0d: HTTP AAA Login-Authentication List name: ACCESS
48w0d: HTTP AAA Exec-Authorization List name: ACCESS
48w0d: TPLUS: Queuing AAA Authentication request 0 for processing
48w0d: TPLUS: processing authentication start request id 0
48w0d: TPLUS: Authentication start packet created for 0(varnumd)
48w0d: TPLUS: Using server 10.10.0.16
48w0d: TPLUS(00000000)/0/NB_WAIT/458EDA8: Started 3 sec timeout
48w0d: TPLUS(00000000)/0/NB_WAIT: socket event 2
48w0d: TPLUS(00000000)/0/NB_WAIT: wrote entire 27 bytes request
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: Would block while reading
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 16 bytes data)
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: read entire 28 bytes response
48w0d: TPLUS(00000000)/0/458EDA8: Processing the reply packet
48w0d: TPLUS: Received authen response status GET_PASSWORD (8)
48w0d: TPLUS: Queuing AAA Authentication request 0 for processing
48w0d: TPLUS: processing authentication continue request id 0
48w0d: TPLUS: Authentication continue packet generated for 0
48w0d: TPLUS(00000000)/0/WRITE/4332F88: Started 3 sec timeout
48w0d: TPLUS(00000000)/0/WRITE: wrote entire 30 bytes request
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 6 bytes data)
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: read entire 18 bytes response
48w0d: TPLUS(00000000)/0/4332F88: Processing the reply packet
48w0d: TPLUS: Received authen response status PASS (2)
48w0d: TPLUS: Queuing AAA Authorization request 0 for processing
48w0d: TPLUS: processing authorization request id 0
48w0d: TPLUS: Inappropriate protocol: 25
48w0d: TPLUS: Sending AV service=shell
48w0d: TPLUS: Sending AV cmd*
48w0d: TPLUS: Authorization request created for 0(varnumd)
48w0d: TPLUS: Using server 10.10.0.16
48w0d: TPLUS(00000000)/0/NB_WAIT/4332E18: Started 3 sec timeout
48w0d: TPLUS(00000000)/0/NB_WAIT: socket event 2
48w0d: TPLUS(00000000)/0/NB_WAIT: wrote entire 46 bytes request
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: Would block while reading
48w0d: TPLUS(00000000)/0/READ: socket event 1
48w0d: TPLUS(00000000)/0/READ: read 0 bytes
48w0d: TPLUS(00000000)/0/READ/4332E18: timed out
48w0d: TPLUS: Inappropriate protocol: 25
48w0d: TPLUS: Sending AV service=shell
48w0d: TPLUS: Sending AV cmd*
48w0d: TPLUS: Authorization request created for 0(varnumd)
48w0d: TPLUS(00000000)/0/READ/4332E18: timed out, clean up
48w0d: TPLUS(00000000)/0/4332E18: Processing the reply packet
48w0d: HTTP: Authentication failed for level 15 -
ACS 5.3 - comman sets not working
We installed ACS 5.3 on Vmware -cent os , and a cisco router is configured to authenticate to this TACACS+ server ,
i am able to login to router using the specified TACACS username ./ password and able to see the hits also as below in the policy ,
But the Command sets are not working as definded, pls help me to find the problem..
Filter:
StatusNameIdentity GroupNDG:LocationNDG:Device TypeTime And DateCommand SetsShell ProfileHit Counts
Match if:
EqualsNot Equals
EnabledDisabledMonitor Only
Status
Name
Conditions
Results
Hit Count
Identity Group
NDG:Location
NDG:Device Type
Time And Date
Command Sets
Shell Profile
1
RO ACCESS
in All Groups:READ ONLY ACCESS
in All Locations
in All Device Types
-ANY-
READ ONLY POLICY
RO SHELL
10
2
RESTRICTED ACCESS
in All Groups:RESTRICTED ACCESS
in All Locations
in All Device Types
-ANY-
RESTRICTED USER POLICY
Permit Access
1
3
SUPER ADMIN ACCESS
in All Groups:FULL ACCESS
in All Locations
in All Device Types
-ANY-
PERMIT ALL POLICY
Permit Access
0Logs for such a RO-read only user login
AAA Protocol > TACACS+ Authentication Details
Date :
August 27, 2012
Generated on August 28, 2012 7:13:37 AM UTC
Authentication Details
Status:
Passed
Failure Reason:
Logged At:
Aug 27, 2012 12:18 PM
ACS Time:
Aug 27, 2012 12:18 PM
ACS Instance:
acsserver
Authentication Method:
PAP_ASCII
Authentication Type:
ASCII
Privilege Level:
15
User
Username:
muthu
Remote Address:
172.20.1.25
Network Device
Network Device:
Default Network Device
Network Device IP Address:
192.168.251.26
Network Device Groups:
Device Type:All Device Types, Location:All Locations
Access Policy
Access Service:
TAFE POLICY1
Identity Store:
Internal Users
Selected Shell Profile:
RO SHELL
Active Directory Domain:
Identity Group:
All Groups:READ ONLY ACCESS
Access Service Selection Matched Rule :
Rule-2
Identity Policy Matched Rule:
Default
Selected Identity Stores:
Internal Users, Internal Users
Query Identity Stores:
Selected Query Identity Stores:
Group Mapping Policy Matched Rule:
Default
Authorization Policy Matched Rule:
RO ACCESS
Authorization Exception Policy Matched Rule:
Other
ACS Session ID:
acsserver/132692348/212
Service:
Login
AV Pairs:
Response Time:
4
Other Attributes:
ACSVersion=acs-5.3.0.40-B.839
ConfigVersionId=97
Protocol=Tacacs
Type=Authentication
Action=Login
Port=tty194
Action=Login
Port=tty194
UserIdentityGroup=IdentityGroup:All Groups:READ ONLY ACCESS
Authentication Result
Type=Authentication
Authen-Reply-Status=Pass
Steps
Get TACACS+ default network device setting.
Received TACACS+ Authentication START Request
Evaluating Service Selection Policy
Matched rule
Selected Access Service - TAFE POLICY1
Returned TACACS+ Authentication Reply
Get TACACS+ default network device setting.
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Evaluating Identity Policy
Matched Default Rule
Selected Identity Store - Internal Users
Looking up User in Internal Users IDStore - muthu
Found User in Internal Users IDStore
TACACS+ will use the password prompt from global TACACS+ configuration.
Returned TACACS+ Authentication Reply
Get TACACS+ default network device setting.
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Evaluating Identity Policy
Matched Default Rule
Selected Identity Store - Internal Users
Looking up User in Internal Users IDStore - muthu
Found User in Internal Users IDStore
Authentication Passed
Evaluating Group Mapping Policy
Matched Default Rule
Evaluating Exception Authorization Policy
No rule was matched
Evaluating Authorization Policy
Matched rule
Returned TACACS+ Authentication Reply
Additional Details
Diagnostics ACS Configuration Changes -
1. TACAS+ Accounting and Logged in Users report is not working on ACS 4.1(1
Hi,
I am facing problem with ACS 4.1 accounting, TACAS+ Accounting and Logged in Users report are not working, the csv file is been generated but nothing is showened in the file.
I have checked the documents related to ACS 4.1, it says that there is a bug related to command accounting âCSCsg97429 - TACACS+ Command Accounting does not work in ACS 4.1(1) Build 23â.
Tried upgrading the same with the patch applAcs-4.1.1.23.3.zip, still it is not working.
Other reports are working fine.
1. TACAS+ Accounting - not working
2. Logged in Users - not working
3. TACAS+ Administration - working
4. Passed Authentication - working
5. Failed Attempts - working
Any suggestions or any idea, please revert.
Regards
VineetHi,
Thanks
Yes I have configured the command âaaa accounting exec default start-stop group tacacs+â
As I have mentioned all the other reports are working. Which user and when he has logged in and what commands he has used. Only the TACAS+ Accounting and logned user is not working.
Regards,
Vineet -
One other thing - I had a problem with the key pairing so I rebuilt the rsa 1024 and the unit started working. Unfortunately I reloaded without the config in place and now I cannot get it to work again. Any help will be greatly apprecaited although I did review a dozen other posts of people having similar problems and for some reason there is never any conclusion as to the solution and I am not sure why.
Some other info from the client end:
I just ran the stats on the client and packets are being encrypted BUT none are decrypted.
Also Tunnel received 0 and sent 115119
Encryption is 168-bit 3-DES
Authentication is HMAC-SHA1
also even though the allow LAN is selected in the Cisco VPN client it states the local LAN is disabled in the client stats
also Transparent tunneling is selcted but in the stats it states it is inactive
I am connecting with the Cisco VPN Client Ver 5.0.07.0440
This config works. It is on the internal net 192.168..40.x and all users obtain dhcp and surf the web. It has required ports opened.The problem is that you can connect remotely via the VPN and you receive an IP address from the remote-vpn pool but you cannot see any machines on the internal network. The pix is at 40.2 and you cannot ping the pix and the pix from the remote PC connecting via the VPN and youcannot ping the remote PC from the PIX console when the remote is connected and receives the first IP address in the VPN pool of 192.168.40.25
I need to see the internal network and map network drives. I have another friend that is running the same config and it works but his computer is on a linksys wireless and has an IP of 192.168.1.x and the IP he receives from the VPN pool is 192.168.1.25 so I do not know if the same network is allowing this config to work even if there is an error in the config. In my present case I obtain the ip of 192.168.40.25 from the VPN pool and my connecting pc on 192.168.1.x I really am not sure how the VPN virtual adapter works. I am assuming it routes all traffic from your connecting PC to and from the virtual adapater but I really do not know for sure.
Other people have had similar issues with accessing the internal network from the VPN. One solution was the split-tunnel, another was the natting and another had to do with the encrption where there and an issue with the encrypt and ecrypt which was stopping the communicaton via the VPN.
I still cannot seem to find the issue with this config and any help will be greatly appreciated.
This is the config
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password somepassword
hostname hostname
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network internal_trusted_net
network-object 192.168.40.0 255.255.255.0
object-group icmp-type icmp_outside
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
icmp-object source-quench
access-list OutToIn permit icmp any xxx.xxx.xxx.0 255.255.255.248 object-group icmp_outside
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list OutToIn permit ip any any
access-list outbound permit ip any any
(NOTE: I had many more entries in the access list but removed them. Even with the above two allowing everything it does not work)
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside 192.168.40.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
I had this statement missing from the previous posted config but even with the nat (inside) 0 access-list no_nat_inside it still does not work.
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside_in in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.40.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community $XXXXXX$
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 3des_strong esp-3des esp-sha-hmac
crypto dynamic-map clientmap 50 set transform-set 3des_strong
crypto map vpn 50 ipsec-isakmp dynamic clientmap
crypto map vpn client configuration address initiate
crypto map vpn client configuration address respond
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local vpn_client_pool outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remote-vpn split-tunnel split_tunnel
vpngroup remote-vpn idle-time 10800
vpngroup remote-vpn password ANOTHER PASSWORD
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.40.0 255.255.255.0 inside
ssh timeout 30
console timeout 60
dhcpd address 192.168.40.100-192.168.40.131 inside
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username AUSER password PASSWORD privilege 15
terminal width 80
****************** End of config
I have been searching docs and other people's postings trying to obtain the info to make this work. It appears pretty much boiler plate but I believe my problem is in the natting. I am using a range in the internal network for the VPN pool and I have tried switching this to other networks but this has not helped. Unfortunately I have been unable to get the PDM to work and I believe this is a PC config thing and I did not want to waste the time on it. I read a post where a person using the PDM interface with the same problem (not being able to access the internal network) was able to go to a section in the VPN wizard and set the Address Exeption Translation. They said they originally set the VPN subnet when they did not have to. Many of the other blogs I read also stated that if the natting is not proper for the VPN pool- that it will not work but I am confused by the examples. They show as I do the complete range for an access-list called no_nat_inside but I believe it should only have the VPN pool IP range and not the entire network since the others do require natting - not sure if my thought process is correct here. Any help will be greatly apprecaited. Also this morning I just tried a boiler plate example from CISCO and it also did not do what I need for it to do. And I also connect a PC to obtain an IP to see if I can see it - no good. The PC can ping the PIX and viceversa but no one can ping the remote PC that connects via the CISCO Remote VPN client even though it receive an address from the vpnpool. Also include LAN is checked off on the client. This was mentioned in anther post.
Thank you once again.Hi,
PIX501 is a very very old Cisco firewall that has not been sold for a long time to my understanding. It also doesnt support even close to new software levels.
If you wanted to replace the PIX501 the corresponding model nowadays would be ASA5505 which is the smallest Cisco ASA firewall with 8 switch port module. There is already a new ASA5500-X Series (while ASA5505 is of the original ASA 5500 Series) but they have not yet introduced a replacing model for this model nor have they stopped selling this unit. I have a couple of them at home. Though naturally they are more expensive than your usual consumer firewalls.
But if you wanted to replace your PIX firewall then I would probably suggest ASA5505. Naturally you could get some other models too but the cost naturally rises even more. I am not sure at what price these are sold as used.
I used some PIX501 firewalls at the start of my career but have not used them in ages since ASA5505 is pretty much the firewall model we use when we need a firewall/vpn device for a smaller network/branch site.
Here is a PDF of the original ASA5500 Series.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
Here is a PDF of the new ASA5500-X Series
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
I am afraid that its very hard for me atleast to troubleshoot this especially since I have not seen any outputs yet. Also the very old CLI and lack of GUI (?) make it harder to see what the problem is.
Could you provide the requested outputs?
From the PIX after connection test
show crypto ipsec sa
Screen captures of the VPN Client routing and statistics sections.
- Jouni -
MAC Authentication does not work
My MAC Authentication does not work.
I have a ACS 3.0 server set. the MAC address is set in the user name field and in the password field.
I can ping the ACS, I can ping my AP, I can ping my client.
I don't want WEP and I don't want LEAP just MAC. So I set my authentication to "Open with MAC" My client has WEP set to NO WEP and authentication to OPEN
I have the latest drivers for both AP and my 350 Client.
I see that the client is associating and disassociating back and forth non stop. My AP log is full with the following message:
Station 0009.7c9f.xxxx Authentication failed
this is my config:
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname GOM_1200IOS
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
server 10.1.2.197 auth-port 1812 acct-port 1812
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa group server radius wlccp_rad_infra
aaa group server radius wlccp_rad_eap
aaa group server radius wlccp_rad_leap
aaa group server radius wlccp_rad_mac
aaa group server radius wlccp_rad_any
aaa group server radius wlccp_rad_acct
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login wlccp_infra group wlccp_rad_infra
aaa authentication login wlccp_eap_client group wlccp_rad_eap
aaa authentication login wlccp_leap_client group wlccp_rad_leap
aaa authentication login wlccp_mac_client group wlccp_rad_mac
aaa authentication login wlccp_any_client group wlccp_rad_any
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa accounting network wlccp_acct_client start-stop group wlccp_rad_acct
aaa session-id common
enable secret xxxxxx
username Cisco password xxxx
ip subnet-zero
iapp standby timeout 5
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption key 1 size 40bit 7 9DF1C10BF11A transmit-key
ssid GOM_1230
authentication open mac-address mac_methods
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
rts threshold 2312
channel 2462
station-role root
no cdp enable
dot1x reauth-period server
dot1x client-timeout 600
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no cdp enable
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 172.16.43.45 255.255.240.0
no ip route-cache
ip default-gateway 172.16.47.254
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1
access-list 700 permit 000a.b74c.e8c9 0000.0000.0000
access-list 700 permit 0009.7c9f.d6e0 0000.0000.0000
access-list 700 permit 0006.25b1.2f79 0000.0000.0000
access-list 700 permit 000a.b78b.2d19 0000.0000.0000
access-list 700 permit 000b.5f6e.77c8 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
access-list 701 deny 000b.5f6e.77c8 0000.0000.0000
access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
no cdp run
snmp-server community GOM_AP1230 RO
snmp-server enable traps tty
radius-server local
group AP1230
user brazil nthash 7 1249523544595F517972017912677A3055325A25770B08770D5C5B4E4478087605 group AP1230
radius-server host 10.1.2.197 auth-port 1812 acct-port 1812 key 7 00233C2B
radius-server retransmit 3
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 5 15
end
What is wrong?
Thanks very much for your help.I figured out what was wrong so thank you for stopping by.
I will publish the config for other people to see.
Regards,
Maybe you are looking for
-
Query for vendor details in F-53
Hi, Need help on query development for vendor payment through F-53 with selection criteria Co. code, Fiscal Year, Fiscal Period, Transaction code and document type. Required output would be Co. code, Fiscal year, vendor number, document number and am
-
Rolling Averages in Sql Server 2008
I dint get the perfect answer last time and i am still working on the exact output that i need. I have the two integer columns in my table and i have to calculate averages for those two columns.Hence my output should be date col1 col2 AVGcol1 AVGcol
-
How to value non-table items in Forms
Portal 3.0.7.6.2 on NT I am trying to display non-table items on a Form. I want to do things like: Display the Credit Card Type (non-table item) based on the Credit Card Number (table column). Use a foreigh key (table column) to retrieve related data
-
the input signal is between -5V to +5V, but DAQ card output is always -10V.
-
MacBook Pro/Yosemite problems with Adobe CS4
I have a new MacBook Pro and Adobe CS4. Whenever I try to open any of the CS4 programs, I get an error message that I need to download legacy Java SE 6 runtime. I have a newer version of Java (8), but I still get the message. I attempted to downlo