topic IOS 15 not working with my TACACS server in Network Access Control

IOS 15 not working with my TACACS server

GRANT3779 — Mon, 11 Mar 2019 03:36:27 GMT

Hi All,

I recently made some changes to the way my Tacacs server (ACS4.2) handled groups etc..

This all works fine and when I log onto my devices I get prompted for my credentials, which authenticate against AD. However, since I made these changes none of the devices on IOS 15 now authenticate. I am immediately prompted for a local password rather than a username and password..

I understand that the commands for Tacacs changeda bit in IOS15 but from what I have read and changed I'm still having trouble. Config below from once of the routers I'm having trouble with...

Am I missing something?

aaa new-model

aaa group server tacacs+ ACS1

server name AUTH

aaa authentication login ACS-List group ACS1 local

aaa authorization exec ACS-List group ACS1 local

aaa accounting commands 15 ACS-List

action-type start-stop

group ACS1

aaa session-id common

acacs-server directed-request

tacacs server AUTH

address ipv4 172.x.x.x

key 7 xxxxxxxx

and on my VTY Lines...

privilege level 15

password 7 151619050826222A2F

authorization exec ACS-List

accounting commands 15 ACS-List

accounting exec ACS-List

length 0

transport input telnet ssh

IOS 15 not working with my TACACS server

Jatin Katyal — Tue, 02 Jul 2013 14:22:52 GMT

The config seems to be fine. What is the full code on which you are experincing this issue with tacacs?

~BR
Jatin Katyal

**Do rate helpful posts**

IOS 15 not working with my TACACS server

GRANT3779 — Tue, 02 Jul 2013 14:31:26 GMT

It's

Version 15.1(4)M6, RELEASE SOFTWARE (fc2)

ACS 4.2

IOS 15 not working with my TACACS server

Jatin Katyal — Tue, 02 Jul 2013 14:47:02 GMT

As you're getting prompt for local credentials, that indicates tacacs is not reachable from the device in question. Are you able to ping tacacs server? Could you please run the debugs and share:

debug aaa authen

debug tacacs

~BR
Jatin Katyal

**Do rate helpful posts**

IOS 15 not working with my TACACS server

GRANT3779 — Tue, 02 Jul 2013 15:03:54 GMT

I ran those debugs, then tried to login on another telnet session -

Jul 2 15:01:57.278: TPLUS: Queuing AAA Accounting request 1781 for processing

Jul 2 15:01:57.278: TPLUS: processing accounting request id 1781

Jul 2 15:01:57.278: TPLUS: Sending AV task_id=1997

Jul 2 15:01:57.278: TPLUS: Sending AV timezone=SIN

Jul 2 15:01:57.278: TPLUS: Sending AV service=shell

Jul 2 15:01:57.278: TPLUS: Sending AV start_time=1372777317

Jul 2 15:01:57.278: TPLUS: Sending AV priv-lvl=15

Jul 2 15:01:57.278: TPLUS: Sending AV cmd=terminal monitor

Jul 2 15:01:57.278: TPLUS: Accounting request created for 1781(admin)

Jul 2 15:01:57.278: TPLUS: using previously set server 172.x.x.x from group ACS1

Jul 2 15:01:57.278: TPLUS(000006F5)/0/NB_WAIT/3120C74C: Started 5 sec timeout

Jul 2 15:01:57.630: TPLUS(000006F5)/0/NB_WAIT: socket event 2

Jul 2 15:01:57.630: TPLUS(000006F5)/0/NB_WAIT: wrote entire 144 bytes request

Jul 2 15:01:57.630: TPLUS(000006F5)/0/READ: socket event 1

Jul 2 15:01:57.630: TPLUS(000006F5)/0/READ: Would block while reading

Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: socket event 1

Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: read 0 bytes

Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: socket event 1

Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: errno 254

Jul 2 15:01:57.990: TPLUS(000006F5)/0/3120C74C: Processing the reply packet

Jul 2 15:02:11.658: AAA/BIND(000006F9): Bind i/f

Jul 2 15:02:11.658: AAA/AUTHEN/LOGIN (000006F9): Pick method list 'ACS-List'

Jul 2 15:02:11.658: TPLUS: Queuing AAA Authentication request 1785 for processing

Jul 2 15:02:11.658: TPLUS: processing authentication start request id 1785

Jul 2 15:02:11.662: TPLUS: Authentication start packet created for 1785()

Jul 2 15:02:11.662: TPLUS: Using server 172.x.x.x

Jul 2 15:02:11.662: TPLUS(000006F9)/0/NB_WAIT/3120C74C: Started 5 sec timeout

Jul 2 15:02:12.014: TPLUS(000006F9)/0/NB_WAIT: socket event 2

Jul 2 15:02:12.014: TPLUS(000006F9)/0/NB_WAIT: wrote entire 38 bytes request

Jul 2 15:02:12.014: TPLUS(000006F9)/0/READ: socket event 1

Jul 2 15:02:12.014: TPLUS(000006F9)/0/READ: Would block while reading

Jul 2 15:02:12.366: TPLUS(000006F9)/0/READ: socket event 1

Jul 2 15:02:12.366: TPLUS(000006F9)/0/READ: errno 254

Jul 2 15:02:12.366: TPLUS(000006F9)/0/3120C74C: Processing the reply packet

Jul 2 15:02:24.474: AAA/AUTHEN/LOGIN (000006F9): Pick method list 'ACS-List'

Jul 2 15:02:24.474: TPLUS: Queuing AAA Authentication request 1785 for processing

Jul 2 15:02:24.474: TPLUS: processing authentication start request id 1785

Jul 2 15:02:24.474: TPLUS: Authentication start packet created for 1785()

Jul 2 15:02:24.474: TPLUS: Using server 172.x.x.x

Jul 2 15:02:24.474: TPLUS(000006F9)/0/NB_WAIT/3120C74C: Started 5 sec timeout

Jul 2 15:02:24.826: TPLUS(000006F9)/0/NB_WAIT: socket event 2

Jul 2 15:02:24.826: TPLUS(000006F9)/0/NB_WAIT: wrote entire 38 bytes request

Jul 2 15:02:24.826: TPLUS(000006F9)/0/READ: socket event 1

Jul 2 15:02:24.826: TPLUS(000006F9)/0/READ: Would block while reading

Jul 2 15:02:25.178: TPLUS(000006F9)/0/READ: socket event 1

Jul 2 15:02:25.178: TPLUS(000006F9)/0/READ: errno 254

Jul 2 15:02:25.178: TPLUS(000006F9)/0/3120C74C: Processing the reply packet

IOS 15 not working with my TACACS server

GRANT3779 — Tue, 02 Jul 2013 15:04:59 GMT

I'm being prompted for username / password but when I try my AD account it fails. If I try the local credentials, it works.

IOS 15 not working with my TACACS server

GRANT3779 — Thu, 04 Jul 2013 11:16:42 GMT

Hi,

Got this working - the Issue was that the routers in question were vpn endpoints using GRE/IPSEC. When contacting TACAS server it sources from the tunnel subnet and not the actual physical Interface subnet. I added the subnet to TACACS group and now works fine.

IOS 15 not working with my TACACS server

Jatin Katyal — Thu, 04 Jul 2013 11:19:42 GMT

Thanks for keep this thread updated.

~BR
Jatin Katyal

**Do rate helpful posts**

IOS 15 not working with my TACACS server

ccnwankpa — Tue, 17 Dec 2013 15:39:57 GMT

Hello, it seems you used the "

ip tacacs source-interface " command to source that traffic from the proper interface. let me know if that was the case.