topic Re: Tacacs authentication problem. in Network Access Control

Tacacs authentication problem.

rcapao — Mon, 11 Mar 2019 02:05:35 GMT

Hy,

I have a network with several layer 2 (c2960) attached to a layer 3 switch (c3750).

All these switches are behind a firewall (ASA 5510) and the firewall is connected to a router c3810.

I have an ACS v.4.x to use as a Tacacs server.

In all the equipments I have aaa authentication with tacacs and vlans.

To test the tacacs authentication in the switch, I created a bypass to the firewall and connected the network (using a management vlan) to the router.

With this scenario the tacacs authentication works.

If I disconnect the bypass, all the traffic cross over the firewall. But I will not have the tacacs working anymore with the switch.

I do not understand why!!?

I have another problem, this time with the firewall.

I configured the tacacs and the aaa in the firewall, as advised by Cisco.

But it seems that it doesn’t work!

In this two cases only the local authentication works.

Can you help me, please?

Thanks in advance,

Rui Oliveira

Tacacs authentication problem.

maldehne — Wed, 16 May 2012 04:07:50 GMT

What can you see in the failed attempts when are you trying to login to the swtich?

Also what can you see in the failed attempts when you are not able to logint to the FW?

Re: Tacacs authentication problem.

rcapao — Fri, 18 May 2012 16:12:38 GMT

Hy,

I am doing tests in a Lab.

So, the addresses presented here are not Internet routable.

I´m doing the tests with a switch that has the IP address 10.183.0.60.

My ACS has IP 172.16.20.10 and the standard port for tacacs is tcp/49.

I send the logging file that I take from my firewall.

Thanks,

Rui

Re: Tacacs authentication problem.

rcapao — Fri, 18 May 2012 22:47:52 GMT

Hy,

I am doing tests in a Lab.

So, the addresses presented here are not Internet routable.

The configuration for the tacacs at the ASA is:

aaa-server TACACS protocol tacacs+

aaa-server TACACS (OUT_MANGMT) host 172.16.20.10

key mykey

aaa authentication enable console LOCAL

aaa authentication serial console LOCAL

aaa authentication telnet console TACACS LOCAL

aaa authentication http console TACACS LOCAL

aaa authentication ssh console TACACS LOCAL

aaa authorization command LOCAL

aaa accounting enable console TACACS

aaa accounting telnet console TACACS

aaa accounting ssh console TACACS

aaa local authentication attempts max-fail 5

aaa authorization exec LOCAL

I´m doing the tests with an ASA with a the IP address 10.183.0.61.

And this address is seen from the outside, but I do a NAT between the 10.183.0.61 and the IP address 192.168.100.2 in the TCP/23.

Besides that I have an interface called OUT_MANGMT, with IP address 192.168.100.2 .

I have another interface that a called GESTAO, with IP address 10.183.0.61.

This interface GESTAO is connected to a management vlan.

My ACS has IP 172.16.20.10 and the standard port for tacacs is tcp/49.

I send the logging file that I take from my firewall.

Thanks,

Rui

Re: Tacacs authentication problem.

maldehne — Sun, 20 May 2012 09:48:15 GMT

Can you please capture sniffer trace while the issue is happenning on the ACS side.

Also provide the tacacs+ key to decrypt the tacaacs+ payload.

Re: Tacacs authentication problem.

rcapao — Mon, 21 May 2012 10:05:46 GMT

Hy,

I cannot do that, because de ACS is in a network that I do not control.

So, it will be very, very, difficult to sniff the traffic for that network, particularly to and from the ACS.

But, I think this problem in not in the ACS. Because if I put all the switch doing authentication without crossing over the firewall (using the bypass) I will have no problem in authenticating with the tacacs server.

In the other end, if I use the firewall to cross over to the tacacs server, I will not succeed in authenticating with that server.

With these observations, I take that I could have some kind of problem in the ASA that do not let me to authenticate properly with the tacacs server.

If I am doing something wrong, what is it? It´s configuration? It´s network design?

Can someone help me with this?

Thanks in advance,

Rui