topic Re: After TACACS configured, Authenticate successfully but not a in Application Networking

After TACACS configured, Authenticate successfully but not able to go in config mode.

ranemilind — Sun, 19 Sep 2010 11:15:13 GMT

Hi All,

I Have Cisco 4710 ACE, and configured TACACS on ACE for authentication and accounting. Configuration paste below.

I am able to authenticate with ACS server 5.1 but not able to go in config mode of ACE 4710.

Debug output attached.

Need help on this.

tacacs-server key 7 "wwxfeootjv"

tacacs-server timeout 60

tacacs-server host 128.9.31.70 key 7 "wwxfeootjv"

aaa group server tacacs+ TACACS_Group_Server

server 128.9.31.70

ntp server 128.9.24.58

aaa authentication login default group TACACS_Group_Server

aaa accounting default group TACACS_Group_Server

Below Logs are coming on Device.

Sep 19 2010 16:35:55 : %ACE-6-302022: Built TCP connection 0x3853a for vlan1000:172.24.24.70/16477 (172.24.24.70/16477) to vlan1000:128.9.31.70/49 (128.9.31.70/49)

Sep 19 2010 16:35:55 : %ACE-6-302023: Teardown TCP connection 0x3853a for vlan1000:172.24.24.70/16477 (172.24.24.70/16477) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0

:00:00 bytes 743 TCP FINs

Sep 19 2010 16:35:58 : %ACE-6-302022: Built TCP connection 0x38570 for vlan1000:172.24.24.70/16480 (172.24.24.70/16480) to vlan1000:128.9.31.70/49 (128.9.31.70/49)

Sep 19 2010 16:35:58 : %ACE-6-302023: Teardown TCP connection 0x38570 for vlan1000:172.24.24.70/16480 (172.24.24.70/16480) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0

:00:00 bytes 742 TCP FINs

Sep 19 2010 16:37:51 : %ACE-6-302022: Built TCP connection 0x38aff for vlan1000:172.24.24.70/16545 (172.24.24.70/16545) to vlan1000:128.9.31.70/49 (128.9.31.70/49)

Sep 19 2010 16:37:51 : %ACE-6-302023: Teardown TCP connection 0x38aff for vlan1000:172.24.24.70/16545 (172.24.24.70/16545) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0

:00:00 bytes 736 TCP FINs

Sep 19 2010 16:38:21 : %ACE-6-302022: Built TCP connection 0x38c9d for vlan1000:172.24.24.70/16559 (172.24.24.70/16559) to vlan1000:128.9.31.70/49 (128.9.31.70/49)

Sep 19 2010 16:38:21 : %ACE-6-302022: Built TCP connection 0x38c9f for vlan1000:172.24.24.70/16560 (172.24.24.70/16560) to vlan1000:128.9.31.70/49 (128.9.31.70/49)

Sep 19 2010 16:38:21 : %ACE-6-302023: Teardown TCP connection 0x38c9d for vlan1000:172.24.24.70/16559 (172.24.24.70/16559) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0

:00:00 bytes 722 TCP FINs

Sep 19 2010 16:38:21 : %ACE-6-302023: Teardown TCP connection 0x38c9f for vlan1000:172.24.24.70/16560 (172.24.24.70/16560) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0

:00:00 bytes 788 TCP FINs

Sep 19 2010 16:38:29 : %ACE-6-302022: Built TCP connection 0x38ce1 for vlan1000:172.24.24.70/16565 (172.24.24.70/16565) to vlan1000:128.9.31.70/49 (128.9.31.70/49)

Sep 19 2010 16:38:29 : %ACE-6-302022: Built TCP connection 0x38cff for vlan1000:172.24.24.70/16566 (172.24.24.70/16566) to vlan1000:128.9.31.70/49 (128.9.31.70/49)

Sep 19 2010 16:38:29 : %ACE-6-302023: Teardown TCP connection 0x38ce1 for vlan1000:172.24.24.70/16565 (172.24.24.70/16565) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0

:00:00 bytes 661 TCP FINs

Sep 19 2010 16:38:29 : %ACE-6-302023: Teardown TCP connection 0x38cff for vlan1000:172.24.24.70/16566 (172.24.24.70/16566) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0

:00:00 bytes 712 TCP FINs

Sep 19 2010 16:38:29 : %ACE-6-302022: Built TCP connection 0x38cf5 for vlan1000:172.24.24.70/16567 (172.24.24.70/16567) to vlan1000:128.9.31.70/49 (128.9.31.70/49)

Sep 19 2010 16:38:29 : %ACE-6-302023: Teardown TCP connection 0x38cf5 for vlan1000:172.24.24.70/16567 (172.24.24.70/16567) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0

:00:00 bytes 724 TCP FINs

Sep 19 2010 16:39:41 : %ACE-6-302022: Built TCP connection 0x390a1 for vlan1000:172.24.24.70/3883 (172.24.24.70/3883) to vlan1000:128.9.31.70/49 (128.9.31.70/49)

Sep 19 2010 16:39:41 : %ACE-6-302023: Teardown TCP connection 0x390a1 for vlan1000:172.24.24.70/3883 (172.24.24.70/3883) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0:0

0:00 bytes 737 TCP FINs

Sep 19 2010 16:40:20 : %ACE-6-302022: Built TCP connection 0x3929b for vlan1000:172.24.24.70/3902 (172.24.24.70/3902) to vlan1000:128.9.31.70/49 (128.9.31.70/49)

Sep 19 2010 16:40:20 : %ACE-6-302022: Built TCP connection 0x392ab for vlan1000:172.24.24.70/3903 (172.24.24.70/3903) to vlan1000:128.9.31.70/49 (128.9.31.70/49)

Sep 19 2010 16:40:20 : %ACE-6-302023: Teardown TCP connection 0x3929b for vlan1000:172.24.24.70/3902 (172.24.24.70/3902) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0:0

0:00 bytes 722 TCP FINs

Sep 19 2010 16:40:20 : %ACE-6-302023: Teardown TCP connection 0x392ab for vlan1000:172.24.24.70/3903 (172.24.24.70/3903) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0:0

0:00 bytes 791 TCP FINs

Sep 19 2010 16:45:17 : %ACE-6-302022: Built TCP connection 0x3a127 for vlan1000:172.24.24.70/53389 (172.24.24.70/53389) to vlan1000:128.9.31.70/49 (128.9.31.70/49)

Sep 19 2010 16:45:17 : %ACE-6-302023: Teardown TCP connection 0x3a127 for vlan1000:172.24.24.70/53389 (172.24.24.70/53389) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0

:00:00 bytes 723 TCP FINs

Sep 19 2010 16:46:11 : %ACE-6-302022: Built TCP connection 0x3a3b3 for vlan1000:172.24.24.70/53414 (172.24.24.70/53414) to vlan1000:128.9.31.70/49 (128.9.31.70/49)

Sep 19 2010 16:46:11 : %ACE-6-302022: Built TCP connection 0x3a3c3 for vlan1000:172.24.24.70/53415 (172.24.24.70/53415) to vlan1000:128.9.31.70/49 (128.9.31.70/49)

Sep 19 2010 16:46:11 : %ACE-6-302023: Teardown TCP connection 0x3a3b3 for vlan1000:172.24.24.70/53414 (172.24.24.70/53414) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0

:00:00 bytes 722 TCP FINs

Sep 19 2010 16:46:11 : %ACE-6-302023: Teardown TCP connection 0x3a3c3 for vlan1000:172.24.24.70/53415 (172.24.24.70/53415) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0

:00:00 bytes 788 TCP FINs

Sep 19 2010 16:46:23 : %ACE-6-302022: Built TCP connection 0x3a467 for vlan1000:172.24.24.70/53422 (172.24.24.70/53422) to vlan1000:128.9.31.70/49 (128.9.31.70/49)

Sep 19 2010 16:46:23 : %ACE-6-302022: Built TCP connection 0x3a469 for vlan1000:172.24.24.70/53423 (172.24.24.70/53423) to vlan1000:128.9.31.70/49 (128.9.31.70/49)

Sep 19 2010 16:46:23 : %ACE-6-302023: Teardown TCP connection 0x3a467 for vlan1000:172.24.24.70/53422 (172.24.24.70/53422) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0

:00:00 bytes 661 TCP FINs

Sep 19 2010 16:46:23 : %ACE-6-302023: Teardown TCP connection 0x3a469 for vlan1000:172.24.24.70/53423 (172.24.24.70/53423) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0

:00:00 bytes 712 TCP FINs

Regards

MS.

Re: After TACACS configured, Authenticate successfully but not a

Gilles Dufour — Mon, 20 Sep 2010 07:24:41 GMT

Do a 'show user' after you login and check the "role" thatr you have.

If you're not admin user you can't get in config mode.

Don't forget you need to set the ACS to return the role of the user.

I'm usiing tac_plus and here is the config I need to use :

user=gdufour {
        default service = deny
        pap = cleartext "xxxxx"
        service = exec {
                optional shell:Admin="Admin default-domain"
        }
}

Gilles.

Re: After TACACS configured, Authenticate successfully but not a

ranemilind — Mon, 20 Sep 2010 08:15:20 GMT

thank you gills for reply. I am using ACS 5.1 Appliance, can you please help for ACS 5.1

I also check AV in this which is not editable.

Thank You

Milind Rane

Re: After TACACS configured, Authenticate successfully but not a

Gilles Dufour — Mon, 20 Sep 2010 09:44:41 GMT

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html#wp1411787

To configure the TACACS+ role and domain settings on Cisco Secure ACS, perform the following steps:

Step 1 Go to the Interface Configuration section of the Cisco Secure ACS HTML interface and access the TACACS+ (Cisco IOS) page. Perform the following actions:

a. Under the TACACS+ Services section of the page, the User column or the Group column depending on your configuration, check the Shell (exec) check box.

b. Under the Advanced Configuration Options section of the page, check the Display a window for each service selected in which you can enter customized TACACS+ attributes check box.

c. Click Submit.

Step 2 Go to the Advanced Options page of the Interface Configuration section of the Cisco Secure ACS HTML interface. Perform the following actions:

a. Check the Per-user TACACS+/RADIUS Attributes check box.

b. Click Submit.

Step 3 Go to the User Setup section of the Cisco Secure ACS HTML interface and double-click the name of an existing user that you want to define a user profile attribute for virtualization. The User Setup page appears.

Step 4 Under the TACACS+ Settings section of the page, configure the following settings:

•Check the Shell (exec) check box.

•Check the Custom attributes check box.

•In the text box under the Custom attributes, enter the user role and associated domain for a specific context in the following format:

shell:=  ...

For example, to assign the selected user to the C1 context with the role ROLE1 and the domain DOMAIN1, enter shell:C1=ROLE1 DOMAIN1.

You can also substitute an asterisk (*) for the equals sign (=) as follows:

shell:*  ...

Use the above shell string if you are also using Cisco IOS command authorization.

Step 5 Under the Checking This option Will PERMIT all UNKNOWN Services section of the page, check the Default (Undefined) Services check box to permit unknown services.

Step 6 Click Submit when you finish configuring the TACACS+ role and domain settings.

For example, if USER1 is assigned the role ADMIN and the domain MYDOMAIN1 (where shell:Admin=ADMIN MYDOMAIN1), then one of the following can occur:

•If USER1 logs in through the Admin context, that user is automatically assigned the Admin role and the MyDomain1 domain.

•If USER1 logs in through a different context, that user is automatically assigned the default role (Network-Monitor) and the default domain (default-domain). In this case, the user profile attribute is not obtained from the TACACS+ server during authentication.

Gilles.

Re: After TACACS configured, Authenticate successfully but not a

ranemilind — Tue, 21 Sep 2010 05:20:16 GMT

Hi Gills,

Your below instructions seems to be for ACS 3.1 version not for ACS 5.1 appliance.

But i did changes in required fields.

I Created one more rule in Default Device Admin:

In which i customized and added:

protocol: tacacs

identity group: Global Admins

NDG:Location:

Compound Conditions: with shell:Admin*Admin default-domain and without shell:Admin*Admin default-domain

Shell Profile:

Command Set

Hit Counts

when i select compound condition with shell:Admin*Admin default-domain then i am not able to authenticate as not seeing hitcount in loggs.

but when select compund condition any then i am able to authenticate but not able to go in config mode as it is showing network monitor user on ACE.

Attached files for your ref.

If you know about ACS 5.1 for this issue please help.

Re: After TACACS configured, Authenticate successfully but not a

Gilles Dufour — Tue, 21 Sep 2010 10:05:22 GMT

There is a bug in ACS 5.1

CSCtd24949 Tacacs authorization failure when authen_type=0

Gilles.