Tacacs "Problem"
Folks, if I can leverage your headspace for a moment... We have Tacacs security authentication to our switches and routers. It is configured to request a user name, and then a password. The password is a dynamic numeric combination of 2 separate numbers - a numeric value held privately by the user, appended to the key code showing on the RSA SecurID key fob, at that time. So obviously the password credentials to gain entry to the device will keep changing every minute. We have an application that needs to automatically login to a router (or switch) and pull off the config regularly at a scheduled time. This application will only be able to offer to Tacacs a user name and STATIC password (Not one that keeps changing every 60 seconds). My question therefore is how can we configure the Tacacs process to deal with a request for "static" password (by which I mean a password that does not change) for one particular user (i.e. the application) and at the same time the Tacacs process should also continue to recognise other usernames that DO require the SecurID dynamic password entry system.
I am working through the Tacacs info at cisco.com but it is dense subject matter and I have time pressure - Thanks in advance - [email protected]
ACS will always check its internal user database first before sending authentication parameters (username/password) off to a configured external server.
All you need to do is add the static username/password into the ACS user database, the application will then be able to use that. When any "user" connects in, ACS won't find that userid in its internal database and will then go and send the credentials off to the external RSA server just like it is now.
Similar Messages
-
Tacacs problem with ACS 4.2 NDG and shell authorization sets
Hi all,
I am trying to solve this problem without success so far. I have a fresh ACS 4.2.15 patch 5 ACS installation and I am trying to deploy it to our environment. So I have configured one 2960S to be my test client and everything works fine. Problem is when I try to create fine grained policies using network device groups and shell authorization sets.
I have created shell authorization sets called ReadOnly and FullAccess. I have also created NDG called FloorSwitches and added my 2960. I have 2 user groups called FloorSwitchesReadOnly and FloorSwitchesFullAccess. Now, if I configure group FloorSwitchesFullAccess and assign Shell command authorization set per NDG and then log into the switch, all of my commands are refused as unauthorized.
One thing that I have noticed is that if I assign shell command authorization set to any device ( in user group settings ) it works fine. Or if I create association with DEFAULT NDG in user group it also works. So my conclusion is that ACS for some reason does not associate my switch with correct group but rather puts it to DEFAULT group for some reason.
Did anyone have a similar problem, or is there something that I am doing in a wrong way? Is there another way to achieve such a thing without using NDGs?
Thanks everyone....
Please upgrade to patch 6; there is a bug in patch 5. You can check the release notes or the readme for more information.
What is your user setting set to while you are testing command authorization, did you set it back to the group setting?
Thanks,
Tarik Admani -
TACACS+ problem when going via console.
Hi there,
After going through some topics and trying everything I could find I am relying on you all to help me further.
I have a switch and have AAA configured for login via ACS with an AD account. All works fine via Telnet, but connected to the console I always end up at the non-enable prompt.
I have a local user name and password on the device itself, which I can use to log in through telnet, and it brings me straight into enable mode. But using this account on the console it brings me to privilege level 1. When typing ENABLE I can specify the password that belongs to this local account but it is not accepted. Instead I get:
Username: admin
Password:
switch>ena
Password:
% Error in authentication.
switch>
Pasted below you can find my current config regarding the login methods:
aaa new-model
aaa authentication fail-message ^C
User Authentication has failed. If you are not an authorized user,
please disconnect immediately.
Any unauthorized access attempts will be investigated and will be
subject to prosecution under local laws and ordinances.
^C
aaa authentication login default group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization commands 15 console group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
line con 0
login authentication console
stopbits 1
line vty 0 4
password 7 02115C0918030C71424A1A
line vty 5 15
password 7 0718791E5D0C1A55191618
Anybody any suggestions for me to try out?
Jorge
There are a couple of aspects of your situation which I am puzzled about. Your post talks about logging in and seems to indicate that you are logging in using a local account. But the config is quite clear that TACACS is the primary authentication method. Is the TACACS server running and is the router using TACACS?
If the TACACS server is running and is communicating with the router, I am guessing that the local user ID is also a user ID that is configured in TACACS. This would explain why authentication would work. Can you clarify this? And if this is the case I would guess that the user ID is not configured in TACACS to have enable mode access.
On the possibility that the router is not communicating with the TACACS server I would suggest that you try using the enable secret (or enable password - whichever you have configured) rather than the user password at the prompt for enable mode.
The other part of your question is more clear. Your question says that when you login through vty you go straight to enable mode but on the console you go to privilege level 1. This is intentional behavior on the router. Going straight into enable mode is a function of authorization (in addition to authentication). And by default Cisco does this for vty and does not do this for the console (the danger of locking yourself out of the router if something is misconfigured is significant). If you are confident of the configuration and want to go directly into enable mode on the console you can use this (hidden) command under line con 0:
aaa authorization console
HTH
Rick -
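Rick's two points above (a named list only takes effect on a line that references it, and authorization does not run on the console at all unless aaa authorization console is set) are easy to check mechanically before touching a production box. The script below is an added example written for this thread, not a Cisco tool or anything Jorge or Rick posted: it parses an IOS-style AAA configuration, resolves which list each line really uses, and flags lists that are referenced but never defined as well as console authorization that would silently not run. The sample config is constructed, modelled on the one in the post.

```python
"""Resolve which AAA method list each Cisco IOS line really uses.

Rules encoded (IOS behaviour discussed in the thread):
  * a line that names a list uses that list, which must be defined globally
  * a line that names none falls back to the 'default' list of that type, if defined
  * authorization never runs on the console unless 'aaa authorization console' is set
Added example with a constructed sample config; not a Cisco tool."""
import re
from collections import defaultdict

GLOBAL_RE = re.compile(
    r"^aaa (authentication login|authorization exec|authorization commands \d+|"
    r"accounting exec|accounting commands \d+) (\S+)")
LINE_RE = re.compile(
    r"^(login authentication|authorization exec|authorization commands \d+|"
    r"accounting exec|accounting commands \d+) (\S+)")
NOT_APPLIED = "NOT APPLIED (needs 'aaa authorization console')"


def _kind(line_keyword):
    # line mode says 'login authentication X'; global mode says 'aaa authentication login X'
    return "authentication login" if line_keyword == "login authentication" else line_keyword


def parse_config(text):
    """Return (defined lists per kind, lists applied per line, authz-console flag)."""
    defined, lines, authz_console, current = defaultdict(set), {}, False, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        cmd = raw.strip()
        if not raw.startswith(" "):          # global configuration mode
            current = None
            if cmd == "aaa authorization console":
                authz_console = True
            elif cmd.startswith("line "):
                current = cmd[5:]
                lines[current] = {}
            else:
                m = GLOBAL_RE.match(cmd)
                if m:
                    defined[m.group(1)].add(m.group(2))
        elif current is not None:            # sub-command of the current line
            m = LINE_RE.match(cmd)
            if m:
                lines[current][_kind(m.group(1))] = m.group(2)
    return defined, lines, authz_console


def effective_lists(text):
    """Map each line to {kind: list-in-effect}; None means no list of that kind."""
    defined, lines, authz_console = parse_config(text)
    kinds = set(defined) | {k for applied in lines.values() for k in applied}
    result = {}
    for name, applied in lines.items():
        is_console = name.startswith("con")
        resolved = {}
        for kind in sorted(kinds):
            chosen = applied.get(kind)
            if chosen is not None and chosen not in defined[kind]:
                resolved[kind] = f"UNDEFINED:{chosen}"
                continue
            if chosen is None and "default" in defined[kind]:
                chosen = "default"
            if chosen is not None and is_console and kind.startswith("authorization") and not authz_console:
                chosen = NOT_APPLIED
            resolved[kind] = chosen
        result[name] = resolved
    return result


# Constructed sample modelled on the config in the post: a named login list on the
# console, default lists for everything else, and no 'aaa authorization console'.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
line con 0
 login authentication console
line vty 0 4
 login authentication default
 authorization exec SSH
"""

if __name__ == "__main__":
    for line_name, resolved in effective_lists(SAMPLE_CONFIG).items():
        print(f"line {line_name}")
        for kind, chosen in resolved.items():
            print(f"  {kind:26} -> {chosen}")
```

Run against the sample, con 0 shows its login list as "console" while both authorization kinds come back as not applied; adding aaa authorization console to the text turns them into "default", and the vty's authorization exec SSH is reported as undefined because no aaa authorization exec SSH line exists.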
Dynamic IP/Tacacs+ problem
Hi,
I have several sites using Cisco 877 routers connecting to the Internet through a broadband connection. The ISP is giving us a dynamic ip to the routers. I want to reach an ACS server (using Dynamic DNS) to authenticate users to have access to the internet.
Can the router be configured to look for the Tacacs server using the server domain (www.whatever.com), instead of the ip address? If so, how?
Any help will be very much appreciated.
Regards,
Eduardo
You may consider using a dynamically negotiated IPsec tunnel and use the local ethernet on the router (mostly a private IP) to authenticate. You can force the interface to be used for authentication using the command:
ip radius source-interface ...
In that way, you will always have a unique ip for authentication.
Regards,
Leo -
Tacacs+ problem with ACS 5.2
I am new with ACS server 5.2 can someone please help me before I bang my head on the wall. I have configured the ACS server 5.2 but still cannot authenticate users. The router can ping the ACS server. With debugging I got the following error message:
Switch#
6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
6d07h: TAC+: send AUTHEN/START packet ver=192 id=3004581909
6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
Your kind help will be highly appreciated.
Did you add the switch as AAA client in ACS box? Make sure you use the correct switch IP when adding it in ACS.
You can go to "Monitoring and Report" on ACS to check the log to see what happened. -
Dear ALL,
We have some trouble with TACACS on the CSS. We have configured all the relevant stuff on the box, but we receive no successful reply from the server; when we use our RADIUS server the reply comes back fine. The setup is the simplest possible: the server is in the same subnet as the CSS. Any hints or tricks?
The log from CSS is this :
SEP 5 02:59:28 1/1 9 SECURITY-7: SECMGR:SecurityAuth:Request from 0x00004b07
SEP 5 02:59:28 1/1 10 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary
SEP 5 02:59:28 1/1 11 SECURITY-7: Security Manager sending error 7 reply to caller 1c01
SEP 5 02:59:28 1/1 12 SECURITY-7: SECMGR:SecurityMgrProc:Try Secondary
SEP 5 02:59:28 1/1 13 SECURITY-7: Security Manager sending error 7 reply to caller 1c01
SEP 5 02:59:28 1/1 14 SECURITY-7: SECMGR:SecurityMgrProc:Try Tertiary
SEP 5 02:59:28 1/1 15 SECURITY-7: Security Manager sending success 0 reply to caller 1c01
SEP 5 02:59:28 1/1 16 SECURITY-7: SECMGR:SecurityMgrProc:Try Done, Send 0x00004b07
SEP 5 03:00:01 1/1 17 NETMAN-6: Session logged out due to idle timer
SEP 5 03:03:10 1/1 18 SECURITY-7: SECMGR:SecurityAuth:Request from 0x00004b09
SEP 5 03:03:10 1/1 19 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary
SEP 5 03:03:10 1/1 20 SECURITY-7: Security Manager sending error 7 reply to caller 1c01
SEP 5 03:03:10 1/1 21 SECURITY-7: SECMGR:SecurityMgrProc:Try Secondary
SEP 5 03:03:10 1/1 22 SECURITY-7: Security Manager sending error 7 reply to caller 1c01
SEP 5 03:03:10 1/1 23 SECURITY-7: SECMGR:SecurityMgrProc:Try Tertiary
SEP 5 03:03:10 1/1 24 SECURITY-7: Security Manager sending success 0 reply to caller 1c01
SEP 5 03:03:10 1/1 25 SECURITY-7: SECMGR:SecurityMgrProc:Try Done, Send 0x00004b09
SEP 5 03:03:41 1/1 26 NETMAN-6: Session logged out due to idle timer
Hi There,
Here is the config.
We have also tried with the quoted text password, decrypted and encrypted. Nothing helps. Thx for a solution
virtual authentication primary tacacs
virtual authentication secondary local
cdp run
logging subsystem security level debug-7
logging subsystem netman level info-6
tacacs-server 192.168.0.5 49
tacacs-server authorize config
tacacs-server key testsecret -
ACSv3.3 problem with range if config
Hi,
I have a problem with commands on a Cisco device: when I configure a range of interfaces I get these messages:
% Authorization failed.
EXAMPLE 1
rw-sw-19#conf t
Enter configuration commands, one per line. End with CNTL/Z.
rw-sw-19(config)#interface range Fa0/3 - 24
rw-sw-19(config-if-range)#switchport voice vlan 1201
% Authorization failed.
% Authorization failed.
rw-sw-19(config-if-range)#power inline auto
% Authorization failed.
% Authorization failed.
% Authorization failed.
% Authorization failed.
% Authorization failed.
rw-sw-19(config-if-range)#end
EXAMPLE 2
rw-sw-03(config)#interface range Fa0/2 - 48
rw-sw-03(config-if-range)#switchport voice vlan 1501
% Authorization failed.
% Authorization failed.
% Authorization failed.
% Authorization failed.
% Authorization failed.
% Authorization failed.
% Authorization failed.
% Authorization failed.
% Authorization failed.
% Authorization failed.
rw-sw-03(config-if-range)#power inline auto
% Authorization failed.
% Authorization failed.
% Authorization failed.
% Authorization failed.
% Authorization failed.
% Authorization failed.
% Authorization failed.
% Authorization failed.
% Authorization failed.
% Authorization failed.
% Authorization failed.
% Authorization failed.
rw-sw-03(config-if-range)#end
rw-sw-03#
I can reproduce this problem as often as you want.
Just enter the same commands.
The number of "% Authorization failed" may differ, but you should be able to get them.
I have noticed this because I use a script to configure the VoIP VLAN on these switches.
I noticed that this problem has ONLY happened on switches which are PoE.
With switches which are not PoE, I did not see this problem up to now.
I looked at the Group Setup on the ACS and see that the enable option is: Max Privilege for any AAA Client Level 15
Can it be a TACACS problem, or is this maybe a Cisco device problem?
regards,
murat ayas
Do we see any hits in failed attempts of ACS? When ACS denies any request we get "Command Authorization failed" but here we see % Authorization failed.
Please enable debug and see if it tries to send authorization request to ACS or not. If there are no authorization debug then issue is with device it self.
debug tacacs
debug aaa authorization
Regards,
~JG
Do rate helpful posts -
Cisco Prime Infrastructure 1.3 Tacacs+ authorization problem
Hello,
We are having trouble setting our new installation of Cisco PI 1.3 to work with Tacacs+ configured on ACS 4.2.
We have followed the procedure explained in the Cisco PI 1.3 configuration guide and in the Tacacs+ logs we can see that we have successful authentication but authorization is unsuccessful:
21/05/2013,16:36:44,Authen OK,pradoicic,admins,192.168.187.109,,192.168.187.109,wifi-prime-p-vm01,AP,ACS1AERO,1,,,192.168.187.109,No Filters activated.,,,No,
21/05/2013,16:36:44,Author failed,pradoicic,admins,192.168.187.109,,Service denied,protocol=HTTP service=NCS,NCS HTTP,192.168.187.109,wifi-prime-p-vm01,AP
We have added the user group into ACS as is explained in the configuration guide and we have also tried to add the virtual domain at the beginning or at the end of the list but that didn't solve our problem.
Is there anything that we can do in order to make Cisco PI authenticate users using Tacacs+?
Any help in finding solution for this problem will be very appreciated.
Regards,
Jelena
Hi,
On the Cisco PI side we have:
1. Added Tacacs+ server under Administration > AAA > TACACS+
We have entered all required parameters
2. Enabled AAA Tacacs+ mode under Administration > AAA > AAA Mode and we have chosen the "on auth failure or no server response" option.
On the ACS side:
1. Under Network Configuration > New Entry we have added Cisco PI
2. Under Interface Configuration >TACACS+ (Cisco IOS) > New Services >
we have added Prime and HTTP (we have checked the box in front of these services).
3. Under Group Setup > Edit Settings > prime HTTP service we have added custom attributes that we have copied from Cisco PI Admin group. We have also exported virtual domain information from Prime and have imported them at the beginning of the custom attributes, and we have also tried to place that virtual domain information at the end, but we have the same behavior.
For some reason ACS doesn't know how to return authorization information.
Regards,
Jelena -
Tacacs authentication problem.
Hi,
I have a network with several layer 2 switches (c2960) attached to a layer 3 switch (c3750).
All these switches are behind a firewall (ASA 5510) and the firewall is connected to a router c3810.
I have an ACS v.4.x to use as a Tacacs server.
In all the equipment I have aaa authentication with tacacs and vlans.
To test the tacacs authentication in the switch, I created a bypass to the firewall and connected the network (using a management vlan) to the router.
With this scenario the tacacs authentication works.
If I disconnect the bypass, all the traffic crosses the firewall. But I will not have the tacacs working anymore with the switch.
I do not understand why!!?
I have another problem, this time with the firewall.
I configured the tacacs and the aaa in the firewall, as advised by Cisco.
But it seems that it doesn’t work!
In these two cases only the local authentication works.
Can you help me, please?
Thanks in advance,
Rui Oliveira
Hi,
I am doing tests in a Lab.
So, the addresses presented here are not Internet routable.
The configuration for the tacacs at the ASA is:
aaa-server TACACS protocol tacacs+
aaa-server TACACS (OUT_MANGMT) host 172.16.20.10
key mykey
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authorization command LOCAL
aaa accounting enable console TACACS
aaa accounting telnet console TACACS
aaa accounting ssh console TACACS
aaa local authentication attempts max-fail 5
aaa authorization exec LOCAL
I'm doing the tests with an ASA with the IP address 10.183.0.61.
And this address is seen from the outside, but I do a NAT between the 10.183.0.61 and the IP address 192.168.100.2 in the TCP/23.
Besides that I have an interface called OUT_MANGMT, with IP address 192.168.100.2 .
I have another interface that I called GESTAO, with IP address 10.183.0.61.
This interface GESTAO is connected to a management vlan.
My ACS has IP 172.16.20.10 and the standard port for tacacs is tcp/49.
I send the logging file that I take from my firewall.
Thanks,
Rui -
TACACS + Command Logging Problems
All,
Working on a problem that I'm having getting command logging setup for my switch / router infrastructure. Below is my config, authentication is working, both console & SSH. Authorization is also working. Some of my accounting features are working, like successful TACACS+ logins, but all my command logging features are not working properly.
I'm currently running ACS V4.1. Also, what is the difference between using named auth / accounting lists, and the default? Is it just that I need to apply them to certain interfaces, where the default is applied to all interfaces?
Configs:
aaa new-model
aaa authentication login SSH group tacacs+ local
aaa authentication login CONSOLE local
aaa authorization console
aaa authorization exec CONSOLE local
aaa authorization exec SSH group tacacs+
aaa authorization network CONSOLE local
aaa authorization network SSH group tacacs+
aaa accounting exec SSH start-stop group tacacs+
aaa accounting commands 0 SSH start-stop group tacacs+
aaa accounting commands 1 SSH start-stop group tacacs+
aaa accounting commands 15 SSH start-stop group tacacs+
aaa accounting network SSH start-stop group tacacs+
access-list 1 permit X.X.56.0 0.0.0.255
tacacs-server host X.X.X.X key XXXXXXXXXXXXX
tacacs-server timeout 30
tacacs-server directed-request
control-plane
line con 0
session-timeout 10
authorization exec CONSOLE
login authentication CONSOLE
line vty 0 4
session-timeout 10
access-class 1 in
authorization exec SSH
accounting commands 0 SSH
accounting commands 1 SSH
accounting commands 15 SSH
accounting exec SSH
login authentication SSH
transport input ssh
line vty 5 15
session-timeout 10
access-class 1 in
authorization exec SSH
accounting commands 0 SSH
accounting commands 1 SSH
accounting commands 15 SSH
accounting exec SSH
login authentication SSH
transport input ssh
Any help is appreciated.
Thanks!
Jon
This looks fine:
3d22h: AAA/ACCT(00000034): Accounting method=tacacs+ (TACACS+)
3d22h: TPLUS: Queuing AAA Accounting request 52 for processing
3d22h: TPLUS: processing accounting request id 52
3d22h: TPLUS: Sending AV task_id=114
3d22h: TPLUS: Sending AV timezone=UTC
3d22h: TPLUS: Sending AV service=shell
3d22h: TPLUS: Sending AV priv-lvl=15
3d22h: TPLUS: Sending AV cmd=write memory
3d22h: TPLUS: Accounting request created for 52(testusr)
3d22h: TPLUS: using previously set server X.X.X.X from group tacacs+
3d22h: TPLUS(00000034)/0/NB_WAIT/36C23C0: Started 30 sec timeout
3d22h: TPLUS(00000034)/0/NB_WAIT: socket event 2
3d22h: TPLUS(00000034)/0/NB_WAIT: wrote entire 115 bytes request
3d22h: TPLUS(00000034)/0/READ: socket event 1
3d22h: TPLUS(00000034)/0/READ: Would block while reading
3d22h: TPLUS(00000034)/0/READ: socket event 1
3d22h: TPLUS(00000034)/0/READ: read entire 12 header bytes (expect 5 bytes data)
3d22h: TPLUS(00000034)/0/READ: socket event 1
3d22h: TPLUS(00000034)/0/READ: read entire 17 bytes response
3d22h: TPLUS(00000034)/0/36C23C0: Processing the reply packet
3d22h: TPLUS: Received accounting response with status PASS
On ACS, look in the log directories for the CSTacacs and CSLog services, and find the entries corresponding to the above.
Incidentally, you may want to make the timestamps on the router be datetime rather than uptime; it makes it easier to correlate logs.
service timestamp debug datetime localtime msec
service timestamp log datetime localtime msec -
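The debug in the reply above shows what a NAS does with an accounting reply on the wire: it reads the fixed 12-byte header, learns from it that 5 bytes of body follow, reads the 17-byte packet and classifies it as PASS. The ver=192 seen in an earlier thread is the same header's version byte (0xC0: major version 12, minor 0). The Python below is an added example written for this page, not code from the thread, from Cisco, or from ACS: it builds and decodes that exchange following RFC 8907, including the MD5 pseudo-pad that obfuscates the body under the shared key. The key, session id and reply bytes are constructed. It also shows what a mismatched shared key looks like from the receiving side: the body de-obfuscates to noise and its length fields no longer add up, which is why a key mismatch surfaces as a generic error rather than a clean reject.

```python
"""Decode TACACS+ (RFC 8907) packets the way a NAS does: parse the 12-byte
header, strip the MD5 pseudo-pad obfuscation with the shared key, and read an
accounting REPLY body.  Added example; the sample packet and key are constructed."""
import hashlib
import struct

HEADER_FMT = "!BBBBII"                      # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 12 bytes, matching "read entire 12 header bytes"
PACKET_TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}
ACCT_STATUS = {0x01: "PASS", 0x02: "ERROR", 0x21: "FOLLOW"}
UNENCRYPTED_FLAG = 0x01                     # body sent in the clear (never use in production)
VERSION_C0 = 0xC0                           # major 12, minor 0: what IOS logs as ver=192


def parse_header(pkt):
    """Return the header fields as a dict; raises on a truncated packet."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than the 12-byte header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    return {"version": version, "major": version >> 4, "minor": version & 0x0F,
            "type": PACKET_TYPES.get(ptype, f"UNKNOWN({ptype})"),
            "seq_no": seq_no, "flags": flags, "session_id": session_id, "length": length}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s.4.5 keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    stream, prev = b"", b""
    while len(stream) < length:
        prev = hashlib.md5(prefix + prev).digest()
        stream += prev
    return stream[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_acct_reply(session_id, key, seq_no, status, server_msg=b"", data=b""):
    """Build an accounting REPLY as a server would (used here to construct test input)."""
    body = struct.pack("!HHB", len(server_msg), len(data), status) + server_msg + data
    header = struct.pack(HEADER_FMT, VERSION_C0, 3, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION_C0, seq_no)


def parse_acct_reply(pkt, key):
    """Parse an accounting REPLY; with a wrong key the decoded lengths do not add up."""
    hdr = parse_header(pkt)
    body = pkt[HEADER_LEN:HEADER_LEN + hdr["length"]]
    if len(body) != hdr["length"]:
        raise ValueError("body truncated: header says %d bytes" % hdr["length"])
    if not hdr["flags"] & UNENCRYPTED_FLAG:
        body = obfuscate(body, hdr["session_id"], key, hdr["version"], hdr["seq_no"])
    if len(body) < 5:
        raise ValueError("accounting REPLY body must be at least 5 bytes")
    msg_len, data_len, status = struct.unpack("!HHB", body[:5])
    if 5 + msg_len + data_len != len(body) or status not in ACCT_STATUS:
        raise ValueError("body does not decode: wrong shared key or corrupt packet")
    return {**hdr, "status": ACCT_STATUS[status],
            "server_msg": body[5:5 + msg_len], "data": body[5 + msg_len:5 + msg_len + data_len]}


def reply_status(pkt, key):
    """Status string of a REPLY, or None if it does not decode with this key."""
    try:
        return parse_acct_reply(pkt, key)["status"]
    except ValueError:
        return None


# Constructed sample: the 17-byte reply (12 header + 5 body, no server_msg, no data)
# that a server returns for a successful command-accounting record.
SAMPLE_KEY = b"constructed-shared-key"
SAMPLE_SESSION_ID = 0x0C0FFEE1
SAMPLE_REPLY = build_acct_reply(SAMPLE_SESSION_ID, SAMPLE_KEY, seq_no=2, status=0x01)

if __name__ == "__main__":
    h = parse_header(SAMPLE_REPLY)
    print(f"ver={h['version']} (major {h['major']}) type={h['type']} seq={h['seq_no']} "
          f"len={h['length']} -> expect {h['length']} bytes data, {HEADER_LEN + h['length']} total")
    print("right key:", reply_status(SAMPLE_REPLY, SAMPLE_KEY))
    print("wrong key:", reply_status(SAMPLE_REPLY, b"typo-in-key"))
```

The obfuscation is a keystream XOR, not authenticated encryption: nothing in the packet proves the key was right, so the receiver can only notice that the decoded fields are inconsistent. That is the design reason the NAS logs a generic failure on a key mismatch, and why the ACS-side log is the place to confirm which of the two sides has the wrong key.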
ACS 4.2 Problem: Change of user TACACS attribute
Hi everybody,
I'm trying to change the user TACACS+ attribute and the following error happens:
ERROR
The requested URL could not be retrieved
While trying to retrieve the URL: http://acs-lab:10765/setup.exe?
The following error was encountered:
Zero Sized Reply
Squid did not receive any data for this request.
Your cache administrator is webmaster.
Generated Mon, 27 Jul 2009 20:18:00 GMT by ubuntu-server-606.localdomain (squid/2.6.STABLE16)
The attribute that I changed in TACACS+ Settings is:
- select: Shell (exec)
- select: No callback verify - Enable
After, I click Submit and the previous error happens.
Does anybody knows why this happens?
Thanks,
J A Stuchi
Your local network might be using a squid caching server. You get a zero sized reply when there is no response from the website squid is trying to cache.
Squid has a connection timeout policy. Maybe squid was waiting for a reply from your site, and after the timeout it's throwing this error.
So, the problem might be with your local network... and partly with your webhost because your site is slow -
CiscoWorks Vs TACACS+ ??!! sw management problem--Pls help me out
Hi Gurus,
I have a query to ask on the software image management.Please help me out.
There are many cisco devices in my client place, but only one device is creating a problem.
It is a 2950 Catalyst switch. CiscoWorks is complaining that 'it has no image to import' when we run a job to fetch the image from the switch, but it has an image under the root directory of Flash. After going through RME troubleshooting and tips, I came to know that the connection protocol is telnet and ssh. Then I added the following commands in TACACS+ (to allow the CW2K user), which is a centralized authentication system for all users including CiscoWorks.
Cisco has mentioned this error in following URL:
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/prod_troubleshooting_guide09186a008036dff2.html
It looks like it is having difficulty to recognize the Flash (though it shows the files in the inventory) and at the same time, I am not sure whether the commands are complete.
I allowed the following commands to be used by CiscoWorks through TACACS+:
1. copy tftp flash
2. copy flash tftp
3. erase flash
4. show version
5. show flash
Refer the URL: http://www.cisco.com/en/US/customer/products/sw/cscowork/ps2073/prod_troubleshooting_guide09186a008036dff2.html#wp1045599
Screen shot of the error and Detailed inventory report of the device are attached here.
Please help me out with your expertise whether it is a TACACS which is stopping CW2K to view the Flash and files? or it is a problem with CiscoWorks to see the Flash.
This document describes the procedure to configure the CiscoWorks Hosting Solution Engine 1.8.1 (HSE) using ACS as a TACACS+/RADIUS authentication module.
ACS TACACS+ Setup for HSE
ACS RADIUS Setup for HSE
On Cisco.com, see also the Administration chapter of the User Guide for the CiscoWorks Hosting Solution Engine 1.8.1.
http://www.cisco.com/en/US/products/sw/cscowork/ps150/prod_connection_guide09186a00802b2bae.html -
Here's the config:
aaa new-model
ip tacacs source-interface Loopback0
tacacs-server host 10.1.1.100
tacacs-server directed-request
Here's the debug:
R7#test aaa group t U1 cisco new-code
Trying to authenticate with Servergroup tacacs+
*Mar 1 03:17:17.816: TPLUS: Queuing AAA Authentication request 0 for processing
*Mar 1 03:17:17.820: TPLUS: processing authentication start request id 0
*Mar 1 03:17:17.820: TPLUS: Authentication start packet created for 0(U1)
*Mar 1 03:17:17.820: TPLUS: Using server 10.1.1.100
User rejected
R7#
*Mar 1 03:17:22.824: TPLUS(00000000): Select Timed out
*Mar 1 03:17:22.824: TPLUS(00000000) Error connecting to socket 0
*Mar 1 03:17:22.824: %TAC+: no address for get_server
I can't find the sys message in the doc. Any ideas?
TIA
Disregard....
routing problem
TPLUS(00000000) Error connecting to socket 0
Doh! -
Problems getting TACACS and SNTP to work on CSS11500
Hi,
I have a problem with TACACS and SNTP on a pair of CSS11501s and a pair of CSS11503s
I have configured a TACACS server and an SNTP server which are accessible out the management interface. There is a route to these devices out the management interface. They aren't pingable, but if I span the management port and sniff it I can see the ICMP requests leaving the interface if I try to ping any of them. The problem is that the device sends no SNTP packets to the server and it never sends any packets to the TACACS server on the management or any of the other ports - it's as if both services are somehow disabled. I did some debugging as per doc 27000 on CCO and I do get the message "SECURITY-7: Security Manager sending error 7 reply to xyz" which the doc suggests is a key mismatch, but I don't think it can be, as the device isn't even trying to connect to the TACACS server on port 49.
Am I missing something obvious?
I've pasted the relevant parts of the config below
Thanks in advance,
Dom
lab-fe-2# show run
!Generated on 11/20/2009 09:40:18
!Active version: sg0820303
configure
!*************************** GLOBAL ***************************
sntp primary-server 10.52.240.1 version 3
sntp secondary-server 10.52.240.2 version 3
virtual authentication primary tacacs
virtual authentication secondary local
tacacs-server key xxxxxxxxxxxxx
tacacs-server 10.52.255.201 49
ip management route 10.52.240.0 255.255.240.0 10.55.2.252
ip route 0.0.0.0 0.0.0.0 10.55.3.254 1
!************************* INTERFACE *************************
interface e1
bridge vlan 2503
phy 100Mbits-FD
interface e2
bridge vlan 2004
phy 100Mbits-FD
interface Ethernet-Mgmt
phy 10Mbits-FD
!************************** CIRCUIT **************************
lab-fe-2# show boot
!************************ BOOT CONFIG ************************
ip address 10.55.2.245
subnet mask 255.255.255.0
primary boot-file sg0820303
primary boot-type boot-via-disk
gateway address 10.55.2.252
lab-fe-2#
lab-fe-2# show tacacs-server
Per-Server Status:
IP/Port State Primary Authen. Author. Account
10.52.255.201:49 Dead No 0 0 0
Totals: 0 0 0
Per-Server Configuration:
IP/Port Key Server Timeout Server Frequency
10.52.255.201:49 Not Configured None None
Global Configuration Parameters:
Global Timeout: 5
Global KAL Frequency: 5
Global Key: Configured
Authorize Config Commands: No
Authorize Non-Config Commands: No
Account Config Commands: No
Account Non-Config Commands: No
Send Full Command: Yes
end of buffer.
lab-fe-2#
lab-fe-2#
lab-fe-2#
lab-fe-2#
I have got to the bottom of this. It looks like the CSS cannot authenticate users using a TACACS server
over the management interface unless the TACACS server is located on the same subnet as the management interface;
The Ethernet management port provides a connection to the CSS that allows you to perform CSS management functions. The Ethernet management port supports management functions such as secure remote login through SSH, remote login through Telnet, file transfer through active FTP, SNMP queries, HTTPS access to the Device Management user interface, SNTP, DNS, ICMP redirects, RADIUS, syslog, CDP, TACACs, and CSS configuration changes through XML.
Note When using static routes for managing the CSS from subnets beyond the management LAN, the Ethernet management port supports the management applications listed above, except CDP, DNS, SNTP, and TACACs. For more information on static routes, see the "Configuring Static Routes for the Ethernet Management Port" section.
I'm going to have to configure NAT on the Management port's gateway device so the CSS thinks the TACACS server is on the same subnet.
The confusing thing about this is that this is documented up to version 7.40, but it's not mentioned in the documentation for 7.5, 8.1 or 8.2 and neither is it mentioned that it is supported in the release notes of any of those versions.
Cheers, Dom -
Problem setting 7606 router for TACACS+ authentication
Hello Support Community,
I have two Cisco 7606 routers which I have tried in vain to have users authenticated using TACACS+ servers. As shown below, I have two servers (1.1.1.1 and 2.2.2.2) reachable via vrf OAM which is reachable from desktops for ssh login. The true IP addresses and vrf have been altered because it's a company router.
I use the two servers to authenticate many other Cisco devices in the network they are working fine.
I can reach the servers from the vrf and the source interface in use. I can also telnet to port 49 of the servers from the source interface and the vrf.
The server key is hidden but at the time of configuration, I can ascertain that it's correct.
The problem is that after configuring TACACS authentication, the router still uses the enable password instead of TACACS. While the debug output shows 'bad password', why is the router not authenticating using TACACS? Why is it using the enable password?
Please study the outputs below and help point out what I may need to change.
PS: I have tried out many other combinations, including deprecated ones without success including the method suggested in this page;
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html
Please help I'm stuck.
ROUTER#sh running-config | sec aaa
aaa new-model
aaa group server tacacs+ admin
 server name admin
 server name admin1
 ip vrf forwarding OAM
 ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
aaa session-id common
ROUTER#sh running-config | sec tacacs
aaa group server tacacs+ admin
 server name admin
 server name admin1
 ip vrf forwarding OAM
 ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
tacacs server admin
 address ipv4 1.1.1.1
 key 7 XXXXXXXXXXXXXXXXXXXX
tacacs server admin1
 address ipv4 2.2.2.2
 key 7 XXXXXXXXXXXXXXXXxxxx
line vty 0 4
 login authentication admin
ROUTER#sh tacacs
Tacacs+ Server - public :
Server name: admin
Server address: 1.1.1.1
Server port: 49
Socket opens: 15
Socket closes: 15
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
Tacacs+ Server - public :
Server name: admin1
Server address: 2.2.2.2
Server port: 49
Socket opens: 15
Socket closes: 15
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
Oct 22 12:38:57.587: AAA/BIND(0000001A): Bind i/f
Oct 22 12:38:57.587: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
Oct 22 12:39:04.335: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
Oct 22 12:39:10.679: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
ROUTER#sh ver
Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Fri 30-Mar-12 08:34 by prod_rel_team
ROM: System Bootstrap, Version 12.2(33r)SRE, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
ROUTER uptime is 7 weeks, 5 days, 16 hours, 48 minutes
Uptime for this control processor is 7 weeks, 5 days, 16 hours, 49 minutes
System returned to ROM by reload (SP by reload)
System restarted at 20:00:59 UTC Wed Aug 28 2013
System image file is "sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3.bin"
Last reload type: Normal Reload
Last reload reason: power-on
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco CISCO7606-S (M8500) processor (revision 1.1) with 3670016K/262144K bytes of memory.
Processor board ID FOX1623G61B
BASEBOARD: RSP720
CPU: MPC8548_E, Version: 2.1, (0x80390021)
CORE: E500, Version: 2.2, (0x80210022)
CPU:1200MHz, CCB:400MHz, DDR:200MHz,
L1: D-cache 32 kB enabled
I-cache 32 kB enabled
Last reset from power-on
3 Virtual Ethernet interfaces
76 Gigabit Ethernet interfaces
8 Ten Gigabit Ethernet interfaces
3964K bytes of non-volatile configuration memory.
500472K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
Configuration register is 0x2102
In order to resolve this issue, please replace the command listed below:
aaa authentication login admin group tacacs+ local enable
with:
aaa authentication login default group admin local enable
You defined the server group name as the method list and, instead of using admin as the server group, you used tacacs+.
Note: Please ensure you have a local user and the enable password configured in case the TACACS server is unreachable.
~BR
Jatin Katyal
**Do rate helpful posts**
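As an added example (not code from this thread or from Cisco), a small Python lint that parses the poster's AAA lines above and flags the mistake the reply identifies: a login method list that says "group tacacs+" uses the global TACACS+ server list with global settings, so the VRF and source interface configured under the named group "admin" never apply. The config text is constructed from the post; the corrected variant keeps the list name "admin" (the reply renames it to default) so the existing vty reference stays valid.

```python
import re
# Constructed input: the poster's original AAA lines (not pulled from a live device).
BROKEN = """\
aaa group server tacacs+ admin
 server name admin
 server name admin1
 ip vrf forwarding OAM
 ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
line vty 0 4
 login authentication admin
"""
# Same config with the method list pointing at the named (VRF-aware) group.
FIXED = BROKEN.replace("group tacacs+ local", "group admin local")

def parse_aaa(config):
    """Return (server group names, {login list: methods}, vty list references)."""
    groups, lists, vty_refs = set(), {}, []
    for line in config.splitlines():
        if m := re.match(r"aaa group server tacacs\+ (\S+)$", line):
            groups.add(m.group(1))
        elif m := re.match(r"aaa authentication login (\S+) (.+)$", line):
            lists[m.group(1)] = m.group(2).split()
        elif m := re.match(r"\s+login authentication (\S+)$", line):
            vty_refs.append(m.group(1))
    return groups, lists, vty_refs

def lint_aaa(config):
    """Findings that explain why a login never reaches the VRF-aware group."""
    groups, lists, vty_refs = parse_aaa(config)
    findings = []
    for name, methods in lists.items():
        for i, tok in enumerate(methods[:-1]):
            if tok != "group":
                continue
            target = methods[i + 1]
            if target == "tacacs+":
                # 'group tacacs+' means every globally defined server with global
                # settings; the VRF/source-interface under named groups do not apply.
                findings.append(f"list '{name}': 'group tacacs+' bypasses named group(s) "
                                f"{sorted(groups)} and their VRF settings")
            elif target not in groups:
                findings.append(f"list '{name}': undefined server group '{target}'")
    for ref in vty_refs:
        if ref != "default" and ref not in lists:
            findings.append(f"vty: undefined login list '{ref}'")
    return findings

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_aaa(cfg) or "no findings")
```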