topic Trouble with AAA IOS XR in Network Access Control

Trouble with AAA IOS XR

MARIA EUGENIA RUIZ — Tue, 26 Mar 2019 00:30:22 GMT

We have an ASR 9010 with IOS XR, and we are making the configuration to connect to a tacacs+ server, this tacacs+ server works and is givins service to many other MPLS equipments. We have been following the guide:

Configuring AAA Services on

Cisco ASR 9000 Series Routers

but we have had a lot of troubles, in fact we have loose the administration of the box, at this moment the only lines that are in the ASR900 are:

The config of tacacs:

tacacs source-interface Loopback10 vrf OAM

tacacs-server host 150.119.1.110 port 49

key 7 0505110E317F0E

the config of AAA:

aaa authorization commands console none

aaa authentication login console local

aaa authentication login default group tacacs+ local line

Communication up between the tacacs+ and the ASR:

ASR TO TACACS+

RP/0/RSP0/CPU0:ED_MEX_1#ping vrf OAM 150.119.1.110

Tue Jun 11 13:33:27.477 UTC

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 150.119.1.110, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

RP/0/RSP0/CPU0:ED_MEX_1#

TACACS+ TO ASR:

tacacs@tacti:~$ ping 172.16.162.1

PING 172.16.162.1 (172.16.162.1) 56(84) bytes of data.

64 bytes from 172.16.162.1: icmp_req=1 ttl=252 time=1.35 ms

64 bytes from 172.16.162.1: icmp_req=2 ttl=252 time=0.605 ms

64 bytes from 172.16.162.1: icmp_req=3 ttl=252 time=0.587 ms

64 bytes from 172.16.162.1: icmp_req=4 ttl=252 time=0.787 ms

64 bytes from 172.16.162.1: icmp_req=5 ttl=252 time=0.649 ms

RP/0/RSP0/CPU0:ED_MEX_1(config)#do sh tacac
Tue Jun 11 19:41:23.918 UTC

Server: 150.119.1.110/49 opens=0 closes=0 aborts=0 errors=0
packets in=0 packets out=0
status=up single-connect=false

RP/0/RSP0/CPU0:ED_MEX_1(config)#

RP/0/RSP0/CPU0:ED_MEX_1#sh ver

Tue Jun 11 13:37:26.105 UTC

Cisco IOS XR Software, Version 4.2.3[Default]

ED_MEX_1 uptime is 3 days, 23 hours, 42 minutes

System image file is "disk0:asr9k-os-mbi-4.2.3.CSCuc79084-1.0.0/0x100305/mbiasr9k-rsp3.vm "

cisco ASR9K Series (Intel 686 F6M14S4) processor with 6291456K bytes of memory.

Intel 686 F6M14S4 processor at 2128MHz, Revision 2.174

ASR 9010 AC Chassis with PEM Version 2

4 Management Ethernet

20 DWDM controller(s)

20 TenGigE

20 WANPHY controller(s)

40 GigabitEthernet

503k bytes of non-volatile configuration memory.

6271M bytes of hard disk.

11817968k bytes of disk0: (Sector size 512 bytes).

11817968k bytes of disk1: (Sector size 512 bytes).

we need a little help please.

Thanks

Maru

Trouble with AAA IOS XR

kcnajaf — Wed, 12 Jun 2013 01:46:33 GMT

Hi Maru,

Do you see any logs on the TACACS+ server? Which version of AAA server are you using?Also do you have any ACL which is set on VTY?

Regards

Najaf

Please rate when applicable or helpful !!!

Trouble with AAA IOS XR

MARIA EUGENIA RUIZ — Wed, 12 Jun 2013 02:16:14 GMT

hi Najaf, thanks for reply

The version is:

tacacs@tacti:/etc/tacacs+/bin$

tac_plus -v

tac_plus version F4.0.4.19

ACLS

FIONBIO

LIBWRAP

LINUX

LITTLE_ENDIAN

LOG_DAEMON

MAXSESS

MAXSESS_FINGER

PAM

NO_PWAGE

REAPCHILD

RETSIGTYPE RETSIGTYPE

SHADOW_PASSWORDS

SIGTSTP

SIGTTIN

SIGTTOU

SO_REUSEADDR

STRERROR

TAC_PLUS_PORT

UENABLE

__STDC__

tacacs@tacti:/etc/tacacs+/bin$

the tacacs+ server does not known about the asr trying to connect, the tacacs+ server doen not reflects any message in its debug.

There is not any access list over the line vty.

Maru.

Trouble with AAA IOS XR

kcnajaf — Wed, 12 Jun 2013 04:00:51 GMT

Hi Maru,

Personally i have not worked on UNIX based tacacs:-(. Still it would worth checking below points.

> Your sourcing the tacacs traffic from loopback 10. So have you checked pinging the tacacs server with source as loopback10

> I assume you already added loopback 10 ip address as a aaa client on your tacacs box.

> sh tacacs output shows there is no packets send or received. Have you checked with "debug aaa authetication" and see if there is any usual infromation which you are able to get.

Regards

Najaf

Please rate when applicable or helpful !!!

Re: Trouble with AAA IOS XR

Jatin Katyal — Wed, 12 Jun 2013 08:44:01 GMT

If you're not seeing any message or logs on tacacs server then it's highly possible that your tacacs is unreachable via Loopback10 or the TCP port 49 is blocked somewhere in between. What all devices we have in the route? Is there any firewall? Was this working before?

Please turn on the following debugs:

debug tacacs

debug aaa authen

Run the command from ASR CLI (if available)

test aaa group tacacs+ username password leg

Paste the output here.

Jatin Katyal
*Do rate helpful posts*

Trouble with AAA IOS XR

MARIA EUGENIA RUIZ — Wed, 12 Jun 2013 14:21:47 GMT

Hi Najaf,

sure we tryed the ping since the loop10, and it works:!

RP/0/RSP0/CPU0:ED_MEX_1#sh run int loop 10
Wed Jun 12 09:11:57.314 UTC
interface Loopback10
vrf OAM
ipv4 address 172.16.162.1 255.255.255.255
!

RP/0/RSP0/CPU0:ED_MEX_1#ping vrf OAM
Wed Jun 12 09:12:03.304 UTC
Protocol [ipv4]:
Target IP address: 150.119.1.110
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands? [no]: y
Source address or interface: 172.16.162.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes? [no]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.119.1.110, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
RP/0/RSP0/CPU0:ED_MEX_1#

in the case of the tacacs box, there is communication between them so we don´t have to do anything else, only if the tacacs box doesnot see the ASR we insert te net to the box.

the tacacs+ server doesnot reflect any debug, but the asr send all this message:

RP/0/RSP0/CPU0:Jun 11 23:12:12.284 : exec[65847]: Getting details on ttyname '/dev/vty1'

RP/0/RSP0/CPU0:Jun 11 23:12:12.286 : exec[65847]: Failed to read vty1/username from SysDB

RP/0/RSP0/CPU0:Jun 11 23:12:12.361 : exec[65847]: Composing an authentication message

RP/0/RSP0/CPU0:Jun 11 23:12:12.366 : exec[65847]: Authentication not configured, for this line, using 'default' methodlist

RP/0/RSP0/CPU0:Jun 11 23:12:12.366 : exec[65847]: Reading SysDB path 'authentication/login/default' ...

RP/0/RSP0/CPU0:Jun 11 23:12:12.366 : exec[65847]: Using authentication methodlist 'default'

RP/0/RSP0/CPU0:Jun 11 23:12:12.366 : exec[65847]: Looking host address in ________/________/vty/1/state/connection/host

RP/0/RSP0/CPU0:Jun 11 23:12:12.367 : exec[65847]: Looking host family in ________/________/vty/1/state/connection/family

RP/0/RSP0/CPU0:Jun 11 23:12:12.368 : exec[65847]: Got remote address 172.16.14.5 (length 11)

RP/0/RSP0/CPU0:Jun 11 23:12:12.368 : exec[65847]: Add remote addr attribute - 172.16.14.5 (length 11)

RP/0/RSP0/CPU0:Jun 11 23:12:12.368 : exec[65847]: Sending the authentication request message to server

RP/0/RSP0/CPU0:Jun 11 23:12:12.369 : exec[65847]: Interpreting the authentication reply from the server

RP/0/RSP0/CPU0:Jun 11 23:12:12.369 : exec[65847]: Reply buffer length: 348 - 24 = 324 bytes

RP/0/RSP0/CPU0:Jun 11 23:12:12.369 : exec[65847]: Unpacking the AV list from the reply data

RP/0/RSP0/CPU0:Jun 11 23:12:12.372 : exec[65847]: Extracting results from the server's reply

RP/0/RSP0/CPU0:Jun 11 23:12:12.372 : exec[65847]: Authenticating user:

RP/0/RSP0/CPU0:Jun 11 23:12:12.372 : exec[65847]: Authentication status: GETUSER

RP/0/RSP0/CPU0:Jun 11 23:12:12.372 : exec[65847]: Malloc prompt length=37

RP/0/RSP0/CPU0:Jun 11 23:12:21.722 : exec[65847]: Composing an authentication message

RP/0/RSP0/CPU0:Jun 11 23:12:21.725 : exec[65847]: Authentication not configured, for this line, using 'default' methodlist

RP/0/RSP0/CPU0:Jun 11 23:12:21.725 : exec[65847]: Reading SysDB path 'authentication/login/default' ...

RP/0/RSP0/CPU0:Jun 11 23:12:21.725 : exec[65847]: Using authentication methodlist 'default'

RP/0/RSP0/CPU0:Jun 11 23:12:21.725 : exec[65847]: Add remote addr attribute - 172.16.14.5 (length 11)

RP/0/RSP0/CPU0:Jun 11 23:12:21.726 : exec[65847]: Sending the authentication request message to server

RP/0/RSP0/CPU0:Jun 11 23:12:21.729 : exec[65847]: Interpreting the authentication reply from the server

RP/0/RSP0/CPU0:Jun 11 23:12:21.729 : exec[65847]: Reply buffer length: 388 - 24 = 364 bytes

RP/0/RSP0/CPU0:Jun 11 23:12:21.729 : exec[65847]: Unpacking the AV list from the reply data

RP/0/RSP0/CPU0:Jun 11 23:12:21.729 : exec[65847]: Extracting results from the server's reply

RP/0/RSP0/CPU0:Jun 11 23:12:21.729 : exec[65847]: Authenticating user: ASRadmin

RP/0/RSP0/CPU0:Jun 11 23:12:21.729 : exec[65847]: Authentication status: GETPASS

RP/0/RSP0/CPU0:Jun 11 23:12:21.729 : exec[65847]: Malloc prompt length=10

we tryed adding more sentenses of aaa but it does not work yet.

Maru

Trouble with AAA IOS XR

MARIA EUGENIA RUIZ — Wed, 12 Jun 2013 14:52:17 GMT

Hi Jatin Katyal,

between both of them, tacacs+ and ASR communication exists, i´ve put the pings up in the previous answers.

There is not any firewall, this was not working before, is a new implementation of integration of ASR 9010.

when we put the config of aaa authentication login default group tacacs+ we receibe this message, in wich does not appear the need of ingress the username and password:

GW_MEX_2#telnet 172.16.14.6
Trying 172.16.14.6 ... Open

% Authentication failed

[Connection to 172.16.14.6 closed by foreign host]

the config of aaa that we have at this moment is:

tacacs source-interface Loopback10 vrf OAM

tacacs-server host 150.119.1.110 port 49

key 7 11070E0407214B

timeout 30

single-connection

aaa group server tacacs+ maru

server 150.119.1.110

aaa authentication login default group tacacs+

aaa authentication login default group root-system

aaa authentication login default local

aaa authentication login default line

RP/0/RSP0/CPU0:Jun 11 21:55:19.293 : exec[65847]: Reading SysDB path 'authentication/login/default' ...

RP/0/RSP0/CPU0:Jun 11 21:55:19.293 : exec[65847]: Using authentication methodlist 'default'

RP/0/RSP0/CPU0:Jun 11 21:55:19.293 : exec[65847]: Add remote addr attribute - 172.16.14.5 (length 11)

RP/0/RSP0/CPU0:Jun 11 21:55:19.294 : exec[65847]: Sending the authentication request message to server

RP/0/RSP0/CPU0:Jun 11 21:55:19.297 : exec[65847]: Interpreting the authentication reply from the server

RP/0/RSP0/CPU0:Jun 11 21:55:19.297 : exec[65847]: Reply buffer length: 504 - 24 = 480 bytes

RP/0/RSP0/CPU0:Jun 11 21:55:19.297 : exec[65847]: Unpacking the AV list from the reply data

RP/0/RSP0/CPU0:Jun 11 21:55:19.298 : exec[65847]: Extracting results from the server's reply

RP/0/RSP0/CPU0:Jun 11 21:55:19.298 : exec[65847]: Authenticating user: ASRadmin

RP/0/RSP0/CPU0:Jun 11 21:55:19.298 : exec[65847]: Authentication status: PASS

RP/0/RSP0/CPU0:Jun 11 21:55:19.298 : exec[65847]: Read task map size: 72 ...

RP/0/RSP0/CPU0:Jun 11 21:55:19.298 : exec[65847]: Read user group string, length: 12

RP/0/RSP0/CPU0:Jun 11 21:55:19.298 : exec[65847]: %SECURITY-login-6-AUTHEN_SUCCESS : Successfully authenticated user 'ASRadmin' from '172.16.14.5' on 'vty1'

RP/0/RSP0/CPU0:Jun 11 21:55:19.298 : exec[65847]: Getting details on ttyname '/dev/vty1'

RP/0/RSP0/CPU0:Jun 11 21:55:19.301 : exec[65847]: Reading SysDB path 'authorization/exec/default' ...

RP/0/RSP0/CPU0:Jun 11 21:55:19.304 : exec[65847]: Add remote addr attribute - 172.16.14.5 (length 11)

RP/0/RSP0/CPU0:Jun 11 21:55:19.307 : exec[65847]: Reading SysDB path 'accounting/exec/default' ...

RP/0/RSP0/CPU0:Jun 11 21:55:19.310 : exec[65847]: Add remote addr attribute - 172.16.14.5 (length 11)

RP/0/RSP0/CPU0:Jun 11 21:55:19.324 : exec[65847]: Getting details on ttyname '/dev/vty1'

RP/0/RSP0/CPU0:Jun 11 21:55:19.327 : exec[65847]: Username: ASRadmin, len 9

RP/0/RSP0/CPU0:Jun 11 21:55:24.542 : config[65844]: Reading SysDB path 'authorization/commands/default' ...

RP/0/RSP0/CPU0:Jun 11 21:55:24.546 : config[65844]: Reading SysDB path 'accounting/commands/default' ...

RP/0/RSP0/CPU0:Jun 11 21:55:24.622 : nvgen[65850]: Getting details on ttyname '/dev/vty0'

RP/0/RSP0/CPU0:Jun 11 21:55:24.625 : nvgen[65850]: Username: ASRadmin, len 9

RP/0/RSP0/CPU0:Jun 11 21:55:41.447 : config[65844]: Reading SysDB path 'authorization/commands/default' ...

RP/0/RSP0/CPU0:Jun 11 21:55:41.451 : config[65844]: Reading SysDB path 'accounting/commands/default' ...

RP/0/RSP0/CPU0:Jun 11 21:55:47.399 : config[65844]: Reading SysDB path 'authorization/commands/default' ...

RP/0/RSP0/CPU0:Jun 11 21:55:47.403 : config[65844]: Reading SysDB path 'accounting/commands/default' ...

RP/0/RSP0/CPU0:Jun 11 21:55:54.120 : config[65844]: Reading SysDB path 'authorization/commands/default' ...

RP/0/RSP0/CPU0:Jun 11 21:55:54.124 : config[65844]: Reading SysDB path 'accounting/commands/default' ...

RP/0/RSP0/CPU0:Jun 11 21:56:09.636 : config[65844]: Reading SysDB path 'authorization/commands/default' ...

RP/0/RSP0/CPU0:Jun 11 21:56:09.640 : config[65844]: Reading SysDB path 'accounting/commands/default' ...

RP/0/RSP0/CPU0:Jun 11 21:57:12.724 : config[65844]: Reading SysDB path 'authorization/commands/default' ...

RP/0/RSP0/CPU0:Jun 11 21:57:12.728 : config[65844]: Reading SysDB path 'accounting/commands/default' ...

tacacs source-interface Loopback10 vrf OAM
tacacs-server host 150.119.1.110 port 49
key 7 11070E0407214B
timeout 30
single-connection

aaa group server tacacs+ maru
server 150.119.1.110

and we put and erase this lines of aaa:

aaa authentication login default group tacacs+
aaa authentication login default group root-system
aaa authentication login default local
aaa authentication login default line

the debug of authentication is: