Tacacs "Problem"

Folks, if I can leverage your headspace for a moment... We have Tacacs security authentication to our switches and routers. It is configured to request a user name, and then a password. The password is a dynamic numeric combination of 2 separate numbers - a numeric value held privately by the user, appended to the key code showing on the RSA SecurID key fob at that time. So obviously the password credentials to gain entry to the device will keep changing every minute. We have an application that needs to automatically login to a router (or switch) and pull off the config regularly at a scheduled time. This application will only be able to offer to Tacacs a user name and STATIC password (not one that keeps changing every 60 seconds). My question therefore is how can we configure the Tacacs process to deal with a request for a "static" password (by which I mean a password that does not change) for one particular user (i.e. the application), and at the same time the Tacacs process should also continue to recognise other usernames that DO require the SecurID dynamic password entry system.
I am working through the Tacacs info at cisco.com but it is dense subject matter and I have time pressure - Thanks in advance

ACS will always check its internal user database first before sending authentication parameters (username/password) off to a configured external server.
All you need to do is add the static username/password into the ACS user database, the application will then be able to use that. When any "user" connects in, ACS won't find that userid in its internal database and will then go and send the credentials off to the external RSA server just like it is now.

Similar Messages

  • Tacacs problem with ACS 4.2 NDG and shell authorization sets

    Hi all,
    I am trying to solve this problem without success so far. I have a fresh ACS 4.2.15 patch 5 installation and I am trying to deploy it to our environment. So I have configured one 2960S to be my test client and everything works fine. The problem is when I try to create fine grained policies using network device groups and shell authorization sets.
    I have created shell authorization sets called ReadOnly and FullAccess. I have also created an NDG called FloorSwitches and added my 2960. I have 2 user groups called FloorSwitchesReadOnly and FloorSwithcesFullAccess. Now, if I configure group FloorSwitchesFullAccess and assign a Shell command authorization set per NDG and then log into the switch, all of my commands are refused as unauthorized.
    One thing that I have noticed is that if I assign a shell command authorization set to any device (in user group settings) it works fine. Or if I create an association with the DEFAULT NDG in the user group it also works. So my conclusion is that ACS for some reason does not associate my switch with the correct group but rather puts it in the DEFAULT group.
    Did anyone have a similar problem, or is there something that I am doing in a wrong way? Is there another way to achieve such a thing without using NDGs?
    Thanks everyone....

    Please upgrade to patch 6, there is a bug in patch 5 and you can check the release notes or the readme for more information.
    What is your user setting set to while you are testing command authorization, did you set it back to the group setting?
    Thanks,
    Tarik Admani

  • TACACS+ problem when going via console.

    Hi there,
    After going through some topics and trying everything I could find, I am relying on you all to help me further.
    I have a switch and have AAA configured for login via ACS with an AD account. All works fine via Telnet, but connected to the console, I always get to the non-enable prompt.
    I have a local user name and password on the device itself, which I can use to login through the telnet option, and it brings me straight into enable mode. But using this account with the console it brings me to priv level 1. When typing ENABLE I can specify the password that belongs to this local account but it is not accepted. Instead I get:
    Username: admin
    Password:
    switch>ena
    Password:
    % Error in authentication.
    switch>
    Pasted below you can find my current config regarding the login methods:
    aaa new-model
    aaa authentication fail-message ^C
    User Authentication has failed. If you are not an authorized user,
    please disconnect immediately.
    Any unauthorized access attempts will be investigated and will be
    subject to prosecution under local laws and ordinances.
    ^C
    aaa authentication login default group tacacs+ local
    aaa authentication login console group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 5 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization commands 15 console group tacacs+ local
    aaa authorization network default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common
    line con 0
    login authentication console
    stopbits 1
    line vty 0 4
    password 7 02115C0918030C71424A1A
    line vty 5 15
    password 7 0718791E5D0C1A55191618
    Anybody any suggestions for me to try out?

    Jorge
    There are a couple of aspects of your situation which I am puzzled about. Your post talks about logging in and seems to indicate that you are logging in using a local account. But the config is quite clear that TACACS is the primary authentication method. Is the TACACS server running and is the router using TACACS?
    If the TACACS server is running and is communicating with the router, I am guessing that the local user ID is also a user ID that is configured in TACACS. This would explain why authentication would work. Can you clarify this? And if this is the case I would guess that the user ID is not configured in TACACS to have enable mode access.
    On the possibility that the router is not communicating with the TACACS server I would suggest that you try using the enable secret (or enable password - which ever you have configured) rather than the user password at the prompt for enable mode.
    The other part of your question is more clear. Your question says that when you login through vty you go straight to enable mode but on the console you go to privilege level 1. This is intentional behavior on the router. Going straight into enable mode is a function of authorization (in addition to authentication). And by default Cisco does this for vty and does not do this for the console (the danger of locking yourself out of the router if something is misconfigured is significant). If you are confident of the configuration and want to go directly into enable mode on the console you can use this (hidden) command under line con 0:
    aaa authorization console
    HTH
    Rick

  • Dynamic IP/Tacacs+ problem

    Hi,
    I have several sites using Cisco 877 routers connecting to the Internet through a broadband connection. The ISP is giving us a dynamic ip to the routers. I want to reach an ACS server (using Dynamic DNS) to authenticate users to have access to the internet.
    Can the router be configured to look for the Tacacs server using the server domain (www.whatever.com), instead of the ip address? If so, how?
    Any help will be very much appreciated.
    Regards,
    Eduardo

    You may consider using a dynamically negotiated IPsec tunnel and use the local ethernet on the router (mostly a private IP) to authenticate. You can force the interface to be used for authentication using the command:
    ip radius source-interface ...
    In that way, you will always have a unique ip for authentication.
    Regards,
    Leo

  • Tacacs+ problem with ACS 5.2

    I am new with ACS server 5.2; can someone please help me before I bang my head on the wall? I have configured the ACS server 5.2 but still cannot authenticate users. The router can ping the ACS server. With debugging I got the following error message:
    Switch#
    6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
    6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
    6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
    6d07h: TAC+: send AUTHEN/START packet ver=192 id=3004581909
    6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
    6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
    6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
    Your kind help will be highly appreciated.

    Did you add the switch as AAA client in ACS box? Make sure you use the correct switch IP when adding it in ACS.
    You can go to "monitoring and Report" on ACS to check the log to see what happened.

  • TACACS Problem on CSS

    Dear ALL,
    we have some trouble with TACACS on the CSS. We have configured all relevant stuff on the box, but we receive no successful reply from the server; when we use our RADIUS server the reply comes back very nicely and successfully. The setup is the easiest possible: the server is in the same subnet as the CSS. Any hints or tricks?
    The log from CSS is this :
    SEP 5 02:59:28 1/1 9 SECURITY-7: SECMGR:SecurityAuth:Request from 0x00004b07
    SEP 5 02:59:28 1/1 10 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary
    SEP 5 02:59:28 1/1 11 SECURITY-7: Security Manager sending error 7 reply to caller 1c01
    SEP 5 02:59:28 1/1 12 SECURITY-7: SECMGR:SecurityMgrProc:Try Secondary
    SEP 5 02:59:28 1/1 13 SECURITY-7: Security Manager sending error 7 reply to caller 1c01
    SEP 5 02:59:28 1/1 14 SECURITY-7: SECMGR:SecurityMgrProc:Try Tertiary
    SEP 5 02:59:28 1/1 15 SECURITY-7: Security Manager sending success 0 reply to caller 1c01
    SEP 5 02:59:28 1/1 16 SECURITY-7: SECMGR:SecurityMgrProc:Try Done, Send 0x00004b07
    SEP 5 03:00:01 1/1 17 NETMAN-6: Session logged out due to idle timer
    SEP 5 03:03:10 1/1 18 SECURITY-7: SECMGR:SecurityAuth:Request from 0x00004b09
    SEP 5 03:03:10 1/1 19 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary
    SEP 5 03:03:10 1/1 20 SECURITY-7: Security Manager sending error 7 reply to caller 1c01
    SEP 5 03:03:10 1/1 21 SECURITY-7: SECMGR:SecurityMgrProc:Try Secondary
    SEP 5 03:03:10 1/1 22 SECURITY-7: Security Manager sending error 7 reply to caller 1c01
    SEP 5 03:03:10 1/1 23 SECURITY-7: SECMGR:SecurityMgrProc:Try Tertiary
    SEP 5 03:03:10 1/1 24 SECURITY-7: Security Manager sending success 0 reply to caller 1c01
    SEP 5 03:03:10 1/1 25 SECURITY-7: SECMGR:SecurityMgrProc:Try Done, Send 0x00004b09
    SEP 5 03:03:41 1/1 26 NETMAN-6: Session logged out due to idle timer

    Hi There,
    here is the config.
    We have also tried with the quoted text password, decrypted and encrypted. Nothing helps. Thanks for a solution.
    virtual authentication primary tacacs
    virtual authentication secondary local
    cdp run
    logging subsystem security level debug-7
    logging subsystem netman level info-6
    tacacs-server 192.168.0.5 49
    tacacs-server authorize config
    tacacs-server key testsecret

  • ACSv3.3 problem with range if config

    Hi,
    I have a problem with commands on a Cisco device: when I configure a range of interfaces I get these messages:
    % Authorization failed.
    EXAMPLE: 1
    rw-sw-19#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    rw-sw-19(config)#interface range Fa0/3 - 24
    rw-sw-19(config-if-range)#switchport voice vlan 1201
    % Authorization failed.
    % Authorization failed.
    rw-sw-19(config-if-range)#power inline auto
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    rw-sw-19(config-if-range)#end
    EXAMPLE: 2
    rw-sw-03(config)#interface range Fa0/2 - 48
    rw-sw-03(config-if-range)#switchport voice vlan 1501
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    rw-sw-03(config-if-range)#power inline auto
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    % Authorization failed.
    rw-sw-03(config-if-range)#end
    rw-sw-03#
    I can reproduce this problem as often as you want.
    Just enter the same commands.
    The number of "% Authorization failed" messages may differ, but you should be able to get them.
    I have noticed this because I use a script to configure the VoIP VLAN on these switches.
    I notice that this problem has ONLY happened on switches which are PoE.
    With the switches which are not PoE, I did not see this problem up to now.
    I looked at the Group setup on the ACS and see that the enable option is: Max Privilege for any AAA Client Level 15
    Can it be a Tacacs problem or is this maybe a Cisco device problem?
    regards,
    murat ayas

    Do we see any hits in failed attempts of ACS? When ACS denies any request we get "Command Authorization failed" but here we see % Authorization failed.
    Please enable debug and see if it tries to send an authorization request to ACS or not. If there are no authorization debugs then the issue is with the device itself.
    debug  tacacs
    debug aaa authorization
    Regards,
    ~JG
    Do rate helpful posts

  • Cisco Prime Infrastructure 1.3 Tacacs+ authorization problem

    Hello,
    We are having trouble setting our new installation of Cisco PI 1.3 to work with Tacacs+ configured on ACS 4.2.
    We have followed the procedure explained in the Cisco PI 1.3 configuration guide and in the Tacacs+ logs we can see that we have successful authentication but authorization is unsuccessful:
    21/05/2013,16:36:44,Authen OK,pradoicic,admins,192.168.187.109,,192.168.187.109,wifi-prime-p-vm01,AP,ACS1AERO,1,,,192.168.187.109,No Filters activated.,,,No,
    21/05/2013,16:36:44,Author failed,pradoicic,admins,192.168.187.109,,Service denied,protocol=HTTP service=NCS,NCS HTTP,192.168.187.109,wifi-prime-p-vm01,AP
    We have added the user group into ACS as explained in the configuration guide and we have also tried to add the virtual domain at the beginning or at the end of the list but that didn't solve our problem.
    Is there anything that we can do in order to make Cisco PI authenticate users using Tacacs+?
    Any help in finding a solution for this problem will be very appreciated.
    Regards,
    Jelena

    Hi,
    On the Cisco PI side we have:
    1. Added Tacacs+ server under Administration > AAA > TACACS+
        We have entered all required parameters
    2. Enabled AAA Tacacs+ mode under Administration > AAA > AAA Mode and we have chosen the "on auth failure or no server response" option.
    On the ACS side:
    1. Under Network Configuration > New Entry we have added Cisco PI
    2.  Under Interface Configuration >TACACS+ (Cisco IOS) > New Services >
    we have added Prime and HTTP (we have checked the box in front of these services).
    3. Under Group Setup > Edit Settings > prime HTTP service we have added custom attributes that we have copied from the Cisco PI Admin group. We have also exported the virtual domain information from Prime and have imported it at the beginning of the custom attributes, and we have also tried to place that virtual domain information at the end, but we have the same behavior.
    For some reason ACS doesn't know how to return authorization information.
    Regards,
    Jelena

  • Tacacs authentication problem.

    Hi,
    I have a network with several layer 2 switches (c2960) attached to a layer 3 switch (c3750).
    All these switches are behind a firewall (ASA 5510) and the firewall is connected to a router c3810.
    I have an ACS v.4.x to use as a Tacacs server.
    On all the equipment I have aaa authentication with tacacs and vlans.
    To test the tacacs authentication in the switch, I created a bypass to the firewall and connected the network (using a management vlan) to the router.
    With this scenario the tacacs authentication works.
    If I disconnect the bypass, all the traffic crosses over the firewall. But then I no longer have tacacs working with the switch.
    I do not understand why!!?
    I have another problem, this time with the firewall.
    I configured the tacacs and the aaa in the firewall, as advised by Cisco.
    But it seems that it doesn’t work!
    In these two cases only the local authentication works.
    Can you help me, please?
    Thanks in advance,
    Rui Oliveira

    Hi,
    I am doing tests in a Lab.
    So, the addresses presented here are not Internet routable.
    The configuration for the tacacs at the ASA is:
    aaa-server TACACS protocol tacacs+
    aaa-server TACACS (OUT_MANGMT) host 172.16.20.10
    key mykey
    aaa authentication enable console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication telnet console TACACS LOCAL
    aaa authentication http console TACACS LOCAL
    aaa authentication ssh console TACACS LOCAL
    aaa authorization command LOCAL
    aaa accounting enable console TACACS
    aaa accounting telnet console TACACS
    aaa accounting ssh console TACACS
    aaa local authentication attempts max-fail 5
    aaa authorization exec LOCAL
    I'm doing the tests with an ASA with the IP address 10.183.0.61.
    This address is seen from the outside, but I do a NAT between 10.183.0.61 and the IP address 192.168.100.2 on TCP/23.
    Besides that I have an interface called OUT_MANGMT, with IP address 192.168.100.2.
    I have another interface that I called GESTAO, with IP address 10.183.0.61.
    This interface GESTAO is connected to a management vlan.
    My ACS has IP 172.16.20.10 and the standard port for tacacs is tcp/49.
    I send the logging file that I take from my firewall.
    Thanks,
    Rui

  • TACACS + Command Logging Problems

    All,
    Working on a problem that I'm having getting command logging set up for my switch / router infrastructure. Below is my config; authentication is working, both console & SSH. Authorization is also working. Some of my accounting features are working, like successful TACACS+ logins, but all my command logging features are not working properly.
    I'm currently running ACS V4.1. Also, what is the difference between using named auth / accounting lists, and the default? Is it just that I need to apply them to certain interfaces, where the default is applied to all interfaces?
    Configs:
    aaa new-model
    aaa authentication login SSH group tacacs+ local
    aaa authentication login CONSOLE local
    aaa authorization console
    aaa authorization exec CONSOLE local
    aaa authorization exec SSH group tacacs+
    aaa authorization network CONSOLE local
    aaa authorization network SSH group tacacs+
    aaa accounting exec SSH start-stop group tacacs+
    aaa accounting commands 0 SSH start-stop group tacacs+
    aaa accounting commands 1 SSH start-stop group tacacs+
    aaa accounting commands 15 SSH start-stop group tacacs+
    aaa accounting network SSH start-stop group tacacs+
    access-list 1 permit X.X.56.0 0.0.0.255
    tacacs-server host X.X.X.X key XXXXXXXXXXXXX
    tacacs-server timeout 30
    tacacs-server directed-request
    control-plane
    line con 0
    session-timeout 10
    authorization exec CONSOLE
    login authentication CONSOLE
    line vty 0 4
    session-timeout 10
    access-class 1 in
    authorization exec SSH
    accounting commands 0 SSH
    accounting commands 1 SSH
    accounting commands 15 SSH
    accounting exec SSH
    login authentication SSH
    transport input ssh
    line vty 5 15
    session-timeout 10
    access-class 1 in
    authorization exec SSH
    accounting commands 0 SSH
    accounting commands 1 SSH
    accounting commands 15 SSH
    accounting exec SSH
    login authentication SSH
    transport input ssh
    Any help is appreciated.
    Thanks!
    Jon

    This looks fine:
    3d22h: AAA/ACCT(00000034): Accounting method=tacacs+ (TACACS+)
    3d22h: TPLUS: Queuing AAA Accounting request 52 for processing
    3d22h: TPLUS: processing accounting request id 52
    3d22h: TPLUS: Sending AV task_id=114
    3d22h: TPLUS: Sending AV timezone=UTC
    3d22h: TPLUS: Sending AV service=shell
    3d22h: TPLUS: Sending AV priv-lvl=15
    3d22h: TPLUS: Sending AV cmd=write memory
    3d22h: TPLUS: Accounting request created for 52(testusr)
    3d22h: TPLUS: using previously set server X.X.X.X from group tacacs+
    3d22h: TPLUS(00000034)/0/NB_WAIT/36C23C0: Started 30 sec timeout
    3d22h: TPLUS(00000034)/0/NB_WAIT: socket event 2
    3d22h: TPLUS(00000034)/0/NB_WAIT: wrote entire 115 bytes request
    3d22h: TPLUS(00000034)/0/READ: socket event 1
    3d22h: TPLUS(00000034)/0/READ: Would block while reading
    3d22h: TPLUS(00000034)/0/READ: socket event 1
    3d22h: TPLUS(00000034)/0/READ: read entire 12 header bytes (expect 5 bytes data)
    3d22h: TPLUS(00000034)/0/READ: socket event 1
    3d22h: TPLUS(00000034)/0/READ: read entire 17 bytes response
    3d22h: TPLUS(00000034)/0/36C23C0: Processing the reply packet
    3d22h: TPLUS: Received accounting response with status PASS
    On ACS, look in the log directories for the CSTacacs and CSLog services, and find the entries corresponding to the above.
    Incidentally, you may want to make the timestamps on the router be datetime rather than uptime; it makes it easier to correlate logs.
    service timestamp debug datetime localtime msec
    service timestamp log datetime localtime msec
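    An added triage helper (my own example, not code from any of the threads) that parses the IOS debug lines quoted in the ACS 5.2 thread and in the command-logging thread above: it counts failed TCP opens per TACACS+ server, reassembles each TPLUS accounting exchange with its AV pairs, and lists shell commands whose accounting did not come back PASS, which are the ones to look for in the CSTacacs/CSLog directories on ACS. The server address 192.0.2.5 and accounting request 53 are constructed placeholders, not from the threads.

```python
"""Triage IOS 'debug tacacs' / 'debug aaa accounting' output.

Constructed helper: turns the two kinds of debug lines quoted in the thread
(TCP open failures per server, and TACACS+ accounting exchanges) into
structured data so they can be checked in bulk instead of read by eye.
"""
import re
from collections import Counter

# Sample input: the connection-failure lines and the accounting exchange quoted
# in the thread, plus one constructed FAIL exchange (request 53) so the failure
# path is exercised. 192.0.2.5 is a placeholder for the real ACS address.
SAMPLE_DEBUG = """\
6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
6d07h: TAC+: send AUTHEN/START packet ver=192 id=3004581909
6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
3d22h: AAA/ACCT(00000034): Accounting method=tacacs+ (TACACS+)
3d22h: TPLUS: Queuing AAA Accounting request 52 for processing
3d22h: TPLUS: processing accounting request id 52
3d22h: TPLUS: Sending AV task_id=114
3d22h: TPLUS: Sending AV timezone=UTC
3d22h: TPLUS: Sending AV service=shell
3d22h: TPLUS: Sending AV priv-lvl=15
3d22h: TPLUS: Sending AV cmd=write memory
3d22h: TPLUS: Accounting request created for 52(testusr)
3d22h: TPLUS: using previously set server 192.0.2.5 from group tacacs+
3d22h: TPLUS: Received accounting response with status PASS
3d22h: TPLUS: Queuing AAA Accounting request 53 for processing
3d22h: TPLUS: Sending AV task_id=115
3d22h: TPLUS: Sending AV service=shell
3d22h: TPLUS: Sending AV priv-lvl=15
3d22h: TPLUS: Sending AV cmd=configure terminal
3d22h: TPLUS: Accounting request created for 53(testusr)
3d22h: TPLUS: using previously set server 192.0.2.5 from group tacacs+
3d22h: TPLUS: Received accounting response with status FAIL
"""

FAIL_RE = re.compile(r"TAC\+: TCP/IP open to (\S+) failed -- (.+)$")
QUEUE_RE = re.compile(r"TPLUS: Queuing AAA Accounting request (\d+)")
AV_RE = re.compile(r"TPLUS: Sending AV ([^=\s]+)=(.*)$")
CREATED_RE = re.compile(r"TPLUS: Accounting request created for (\d+)\((\S+)\)")
SERVER_RE = re.compile(r"TPLUS: using previously set server (\S+) from group (\S+)")
STATUS_RE = re.compile(r"TPLUS: Received accounting response with status (\w+)")


def open_failures(debug_text):
    """Count failed TCP opens per server (ip/port). When every configured
    server fails, as in the ACS 5.2 thread, the NAS never reached ACS at all,
    so nothing will appear in the ACS reports: check reachability and the
    AAA-client entry before anything else."""
    counts = Counter()
    for line in debug_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def accounting_records(debug_text):
    """Reassemble each TPLUS accounting exchange into one record:
    {"id", "user", "server", "group", "av": {...}, "status"}."""
    records, current = [], None
    for line in debug_text.splitlines():
        m = QUEUE_RE.search(line)
        if m:
            current = {"id": m.group(1), "user": None, "server": None,
                       "group": None, "av": {}, "status": None}
            records.append(current)
            continue
        if current is None:
            continue
        if (m := AV_RE.search(line)):
            current["av"][m.group(1)] = m.group(2).strip()
        elif (m := CREATED_RE.search(line)):
            current["user"] = m.group(2)
        elif (m := SERVER_RE.search(line)):
            current["server"], current["group"] = m.group(1), m.group(2)
        elif (m := STATUS_RE.search(line)):
            current["status"] = m.group(1)
            current = None  # exchange finished; next AV lines start a new one
    return records


def unaccounted_commands(debug_text):
    """Shell commands whose accounting did not end with PASS: these will be
    missing from the ACS accounting report and need a look at the
    CSTacacs/CSLog directories on the server side."""
    return [(r["user"], r["av"].get("cmd"), r["status"])
            for r in accounting_records(debug_text)
            if r["av"].get("service") == "shell" and r["status"] != "PASS"]


if __name__ == "__main__":
    print("failed opens per server:", open_failures(SAMPLE_DEBUG))
    for rec in accounting_records(SAMPLE_DEBUG):
        print(rec["id"], rec["user"], rec["av"].get("cmd"), rec["status"])
    print("not PASS:", unaccounted_commands(SAMPLE_DEBUG))
```

    Feed it the output of a real `debug tacacs` / `debug aaa accounting` capture to get the per-server failure counts and the command list in one pass.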

  • ACS 4.2 Problem: Change of user TACACS attribute

    Hi everybody,
    I'm trying to change the user TACACS+ attribute and the following error happens:
    ERROR
    The requested URL could not be retrieved
    While trying to retrieve the URL: http://acs-lab:10765/setup.exe?
    The following error was encountered:
    Zero Sized Reply
    Squid did not receive any data for this request.
    Your cache administrator is webmaster.
    Generated Mon, 27 Jul 2009 20:18:00 GMT by ubuntu-server-606.localdomain (squid/2.6.STABLE16)
    The attribute that I changed in TACACS+ Settings is:
    - select: Shell (exec)
    - select: No callback verify - Enable
    After, I click Submit and the previous error happens.
    Does anybody know why this happens?
    Thanks,
    J A Stuchi

    Your local network might be using squid caching server. You get zero sized reply when there is no response from the website, squid is trying to cache.
    Squid has a connection timeout policy. Maybe squid was waiting for a reply from your site, and after the timeout it's throwing this error.
    So, the problem might be with your local network… and partly your webhost because your site is slow

  • CiscoWorks Vs TACACS+ ??!! sw management problem--Pls help me out

    Hi Gurus,
    I have a query to ask on software image management. Please help me out.
    There are many Cisco devices in my client's place, but only one device is creating a problem.
    It is a 2950 Catalyst switch. CiscoWorks is complaining that 'it has no image to import' when we run a job to fetch the image from the switch, but it has an image under the root directory of Flash. After going through RME troubleshooting and tips, I came to know that the connection protocols are telnet and ssh. Then I added the following commands in TACACS+ (to allow the CW2K user), which is a centralized authentication system for all users including CiscoWorks.
    Cisco has mentioned this error in the following URL:
    http://www.cisco.com/en/US/products/sw/cscowork/ps2073/prod_troubleshooting_guide09186a008036dff2.html
    It looks like it is having difficulty recognizing the Flash (though it shows the files in the inventory) and at the same time, I am not sure whether the commands are complete.
    I allowed the following commands to be used by CiscoWorks through TACACS+:
    1. copy tftp flash
    2. copy flash tftp
    3. erase flash
    4. show version
    5. show flash
    Refer to the URL: http://www.cisco.com/en/US/customer/products/sw/cscowork/ps2073/prod_troubleshooting_guide09186a008036dff2.html#wp1045599
    A screen shot of the error and the detailed inventory report of the device are attached here.
    Please help me out with your expertise: is it TACACS which is stopping CW2K from viewing the Flash and files, or is it a problem with CiscoWorks seeing the Flash?

    This document describes the procedure to configure the CiscoWorks Hosting Solution Engine 1.8.1 (HSE) using ACS as a TACACS+/RADIUS authentication module.
    ACS TACACS+ Setup for HSE
    ACS RADIUS Setup for HSE
    On Cisco.com, see also the Administration chapter of the User Guide for the CiscoWorks Hosting Solution Engine 1.8.1.
    http://www.cisco.com/en/US/products/sw/cscowork/ps150/prod_connection_guide09186a00802b2bae.html

  • TACACS login problem

    Here's the config:
    aaa new-model
    ip tacacs source-interface Loopback0
    tacacs-server host 10.1.1.100
    tacacs-server directed-request
    Here's the debug:
    R7#test aaa group t U1 cisco new-code
    Trying to authenticate with Servergroup tacacs+
    *Mar 1 03:17:17.816: TPLUS: Queuing AAA Authentication request 0 for processing
    *Mar 1 03:17:17.820: TPLUS: processing authentication start request id 0
    *Mar 1 03:17:17.820: TPLUS: Authentication start packet created for 0(U1)
    *Mar 1 03:17:17.820: TPLUS: Using server 10.1.1.100User rejected
    R7#
    *Mar 1 03:17:22.824: TPLUS(00000000): Select Timed out
    *Mar 1 03:17:22.824: TPLUS(00000000) Error connecting to socket 0
    *Mar 1 03:17:22.824: %TAC+: no address for get_server
    I can't find the sys message in the doc. Any ideas?
    TIA

    Disregard....
    routing problem
    TPLUS(00000000) Error connecting to socket 0
    Doh!

  • Problems getting TACACS and SNTP to work on CSS11500

    Hi,
    I have a problem with TACACS and SNTP on a pair of CSS11501s and a pair of CSS11503s
    I have configured a TACACS server and an SNTP server which are accessible out of the management interface. There is a route to these devices out of the management interface. They aren't pingable, but if I span the management port and sniff it I can see the ICMP requests leaving the interface if I try to ping any of them. The problem is that the device sends no SNTP packets to the server and it never sends any packets to the TACACS server on the management or any of the other ports; it's as if both services are somehow disabled. I did some debugging as per doc 27000 on CCO and I do get the message "SECURITY-7: Security Manager sending error 7 reply to xyz" which the doc suggests is a key mismatch, but I don't think it can be as the device isn't even trying to connect to the TACACS server on port 49.
    Am I missing something obvious?
    I've pasted the relevant parts of the config below
    Thanks in advance,
    Dom
    lab-fe-2# show run
    !Generated on 11/20/2009 09:40:18
    !Active version: sg0820303
    configure
    !*************************** GLOBAL ***************************
      sntp primary-server 10.52.240.1 version 3
      sntp secondary-server 10.52.240.2 version 3
      virtual authentication primary tacacs
      virtual authentication secondary local
      tacacs-server key xxxxxxxxxxxxx
      tacacs-server 10.52.255.201 49
      ip management route 10.52.240.0 255.255.240.0 10.55.2.252
      ip route 0.0.0.0 0.0.0.0 10.55.3.254 1
    !************************* INTERFACE *************************
    interface e1
      bridge vlan 2503
      phy 100Mbits-FD
    interface e2
      bridge vlan 2004
      phy 100Mbits-FD
    interface Ethernet-Mgmt
      phy 10Mbits-FD
    !************************** CIRCUIT **************************
    lab-fe-2# show boot
    !************************ BOOT CONFIG ************************
      ip address 10.55.2.245
      subnet mask 255.255.255.0
      primary boot-file sg0820303
      primary boot-type boot-via-disk
      gateway address 10.55.2.252
    lab-fe-2#
    lab-fe-2# show tacacs-server
    Per-Server Status:
    IP/Port              State   Primary        Authen.      Author.      Account
    10.52.255.201:49     Dead    No                   0            0            0
    Totals:                                           0            0            0
    Per-Server Configuration:
    IP/Port              Key              Server Timeout        Server Frequency
    10.52.255.201:49     Not Configured   None                  None
    Global Configuration Parameters:
    Global Timeout:                5
    Global KAL Frequency:          5
    Global Key:                    Configured
    Authorize Config Commands:     No
    Authorize Non-Config Commands: No
    Account Config Commands:       No
    Account Non-Config Commands:   No
    Send Full Command:             Yes
    end of buffer.
    lab-fe-2#

    I have got to the bottom of this. It looks like the CSS cannot authenticate users using a TACACS server over the management interface unless the TACACS server is located on the same subnet as the management interface:
    The Ethernet management port provides a connection to the CSS that allows you to perform CSS management functions. The Ethernet management port supports management functions such as secure remote login through SSH, remote login through Telnet, file transfer through active FTP, SNMP queries, HTTPS access to the Device Management user interface, SNTP, DNS, ICMP redirects, RADIUS, syslog, CDP, TACACs, and CSS configuration changes through XML.
    Note When using static routes for managing the CSS from subnets beyond the management LAN, the Ethernet management port supports the management applications listed above, except CDP, DNS, SNTP, and TACACs. For more information on static routes, see the "Configuring Static Routes for the Ethernet Management Port" section.
    I'm going to have to configure NAT on the Management port's gateway device so the CSS thinks the TACACS server is on the same subnet.
    The confusing thing about this is that this is documented up to version 7.40, but it's not mentioned in the documentation for 7.5, 8.1 or 8.2 and neither is it mentioned that it is supported in the release notes of any of those versions.
    Cheers, Dom   

  • Problem setting 7606 router for TACACS+ authentication

    Hello Support Community,
    I have two Cisco 7606 routers on which I have tried in vain to have users authenticated using TACACS+ servers. As shown below, I have two servers (1.1.1.1 and 2.2.2.2) reachable via vrf OAM, which is reachable from desktops for ssh login. The true IP addresses and vrf have been altered because it's a company router.
    I use the two servers to authenticate many other Cisco devices in the network and they are working fine.
    I can reach the servers from the vrf and the source interface in use. I can also telnet to port 49 of the servers from the source interface and the vrf.
    The server key is hidden, but at the time of configuration I can ascertain that it's correct.
    The problem is that after configuring TACACS authentication, the router still uses the enable password instead of TACACS. While the debug output shows 'bad password', why is the router not authenticating using TACACS? Why is it using the enable password?
    Please study the outputs below and help point out what I may need to change.
    PS: I have tried out many other combinations, including deprecated ones, without success, including the method suggested on this page:
    http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html
    Please help, I'm stuck.
    ROUTER#sh running-config | sec aaa
    aaa new-model
    aaa group server tacacs+ admin
     server name admin
     server name admin1
     ip vrf forwarding OAM
     ip tacacs source-interface GigabitEthernet1
    aaa authentication login admin group tacacs+ local enable
    aaa session-id common
    ROUTER#sh running-config | sec tacacs
    aaa group server tacacs+ admin
     server name admin
     server name admin1
     ip vrf forwarding OAM
     ip tacacs source-interface GigabitEthernet1
    aaa authentication login admin group tacacs+ local enable
    tacacs server admin
     address ipv4 1.1.1.1
     key 7 XXXXXXXXXXXXXXXXXXXX
    tacacs server admin1
     address ipv4 2.2.2.2
     key 7 XXXXXXXXXXXXXXXXxxxx
    line vty 0 4
     login authentication admin
    ROUTER#sh tacacs
    Tacacs+ Server -  public  :
                   Server name: admin
                Server address: 1.1.1.1
                   Server port: 49
                  Socket opens:         15
                 Socket closes:         15
                 Socket aborts:          0
                 Socket errors:          0
               Socket Timeouts:          0
       Failed Connect Attempts:          0
            Total Packets Sent:          0
            Total Packets Recv:          0
    Tacacs+ Server -  public  :
                   Server name: admin1
                Server address: 2.2.2.2
                   Server port: 49
                  Socket opens:         15
                 Socket closes:         15
                 Socket aborts:          0
                 Socket errors:          0
               Socket Timeouts:          0
       Failed Connect Attempts:          0
            Total Packets Sent:          0
            Total Packets Recv:          0
    Oct 22 12:38:57.587: AAA/BIND(0000001A): Bind i/f 
    Oct 22 12:38:57.587: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
    Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
    Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
    Oct 22 12:39:04.335: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
    Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
    Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
    Oct 22 12:39:10.679: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
    Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
    Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
    ROUTER#sh ver
    Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2012 by Cisco Systems, Inc.
    Compiled Fri 30-Mar-12 08:34 by prod_rel_team
    ROM: System Bootstrap, Version 12.2(33r)SRE, RELEASE SOFTWARE (fc1)
    BOOTLDR: Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
    ROUTER uptime is 7 weeks, 5 days, 16 hours, 48 minutes
    Uptime for this control processor is 7 weeks, 5 days, 16 hours, 49 minutes
    System returned to ROM by reload (SP by reload)
    System restarted at 20:00:59 UTC Wed Aug 28 2013
    System image file is "sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3.bin"
    Last reload type: Normal Reload
    Last reload reason: power-on
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco CISCO7606-S (M8500) processor (revision 1.1) with 3670016K/262144K bytes of memory.
    Processor board ID FOX1623G61B
    BASEBOARD: RSP720
    CPU: MPC8548_E, Version: 2.1, (0x80390021)
    CORE: E500, Version: 2.2, (0x80210022)
    CPU:1200MHz, CCB:400MHz, DDR:200MHz,
    L1:    D-cache 32 kB enabled
            I-cache 32 kB enabled
    Last reset from power-on
    3 Virtual Ethernet interfaces
    76 Gigabit Ethernet interfaces
    8 Ten Gigabit Ethernet interfaces
    3964K bytes of non-volatile configuration memory.
    500472K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
    Configuration register is 0x2102

    In order to resolve this issue, please replace the command listed below:
    aaa authentication login admin group tacacs+ local enable
    with:
    aaa authentication login default group admin local enable
    You defined the server group name as the method list name, and instead of using admin as the server group, you used tacacs+.
    Note: Please ensure you have a local user and an enable password configured in case the TACACS server is unreachable.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**
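    As an added example for this thread (not code from the original posts or from Cisco): a small Python audit that parses the relevant parts of an IOS running-config and flags the wiring mistake described in the answer above, a login method list that says `group tacacs+` (the built-in global server list, which carries no VRF or source-interface setting) while the servers reachable over the VRF are only members of a VRF-aware named group. It also checks that every group member is a defined `tacacs server` and that the list name referenced by `login authentication` on the vty lines actually exists, which is worth verifying whatever name you give the list. The two config strings are constructed from the poster's output (same altered addresses, keys hidden); the checks are general and go a little beyond this one case.

```python
"""AAA method-list audit for a Cisco IOS running-config (added example, not the thread's code)."""
from dataclasses import dataclass, field

BUILTIN_GROUPS = {"tacacs+", "radius"}  # method-list keywords meaning "all globally defined servers"


@dataclass
class AaaModel:
    groups: dict = field(default_factory=dict)       # group name -> {"vrf": str|None, "servers": [names]}
    login_lists: dict = field(default_factory=dict)  # list name -> [("group", name) | ("method", keyword)]
    servers: set = field(default_factory=set)        # names defined with `tacacs server NAME`
    vty_lists: list = field(default_factory=list)    # list names referenced by `login authentication`


def _parse_methods(tokens):
    """'group admin local enable' -> [('group','admin'), ('method','local'), ('method','enable')]"""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(("group", tokens[i + 1]))
            i += 2
        else:
            methods.append(("method", tokens[i]))
            i += 1
    return methods


def parse_config(text):
    """IOS nests sub-commands under a top-level command with one leading space."""
    model, block = AaaModel(), None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        words = line.split()
        if not line.startswith(" "):  # top-level command closes any open sub-block
            block = None
            if words[:3] == ["aaa", "group", "server"] and len(words) == 5:
                model.groups[words[4]] = {"vrf": None, "servers": []}
                block = ("group", words[4])
            elif words[:3] == ["aaa", "authentication", "login"] and len(words) > 4:
                model.login_lists[words[3]] = _parse_methods(words[4:])
            elif words[:2] == ["tacacs", "server"] and len(words) == 3:
                model.servers.add(words[2])
            elif words[:2] == ["line", "vty"]:
                block = ("vty",)
        elif block and block[0] == "group":
            group = model.groups[block[1]]
            if words[:2] == ["server", "name"] and len(words) == 3:
                group["servers"].append(words[2])
            elif words[:3] == ["ip", "vrf", "forwarding"] and len(words) == 4:
                group["vrf"] = words[3]
        elif block == ("vty",) and words[:2] == ["login", "authentication"] and len(words) == 3:
            model.vty_lists.append(words[2])
    return model


def audit(model):
    """Return human-readable findings; an empty list means the AAA wiring is consistent."""
    findings = []
    vrf_groups = sorted(name for name, g in model.groups.items() if g["vrf"])
    for list_name, methods in model.login_lists.items():
        for kind, value in methods:
            if kind != "group":
                continue
            if value in BUILTIN_GROUPS and vrf_groups:
                findings.append(f"login list '{list_name}' uses built-in group '{value}' (global routing, "
                                f"no VRF) while VRF-aware group(s) {vrf_groups} hold the servers")
            elif value not in BUILTIN_GROUPS and value not in model.groups:
                findings.append(f"login list '{list_name}' references undefined server group '{value}'")
    for name, g in model.groups.items():
        missing = [s for s in g["servers"] if s not in model.servers]
        if missing:
            findings.append(f"group '{name}' lists members with no 'tacacs server' definition: {missing}")
    for list_name in model.vty_lists:
        if list_name != "default" and list_name not in model.login_lists:
            findings.append(f"vty lines reference login list '{list_name}', which is not defined")
    return findings


# Constructed from the poster's output above (altered addresses, keys hidden).
BROKEN_CONFIG = """\
aaa new-model
aaa group server tacacs+ admin
 server name admin
 server name admin1
 ip vrf forwarding OAM
 ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
aaa session-id common
tacacs server admin
 address ipv4 1.1.1.1
 key 7 XXXXXXXXXXXXXXXXXXXX
tacacs server admin1
 address ipv4 2.2.2.2
 key 7 XXXXXXXXXXXXXXXXxxxx
line vty 0 4
 login authentication admin
"""

# Same config with the method list pointed at the named group; the list keeps the
# name 'admin' so the existing 'login authentication admin' on the vty lines still resolves.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "aaa authentication login admin group tacacs+ local enable",
    "aaa authentication login admin group admin local enable",
)

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "->", audit(parse_config(cfg)) or ["OK"])
```

    Run it as-is and the broken config yields one finding naming the `tacacs+` built-in group, while the fixed one yields none; point it at your own `show running-config` text to check a fleet. Whichever name you give the list, the `login authentication` reference on the vty lines and the list definition must agree, and the local user plus enable password stay as the fallback for when the servers are unreachable.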
