topic SSH Access to the ACS 5.1 in Network Access Control

SSH Access to the ACS 5.1

sidcracker — Mon, 11 Mar 2019 00:46:40 GMT

Is there any requirement of installing any certificates on the ACS if authentication is performed from a SSH client.

I am getting the below messages when I access from a SSH client

1. Bind i/f

2. Pick method list default

and then it just fails to authenticate, This works well with telnet.

Thanks

Re: SSH Access to the ACS 5.1

Jatin Katyal — Tue, 01 Feb 2011 05:02:57 GMT

STRANGE! ACS 5.x doesn't support TELNET.

No you don't need to generate RSA key or need to install any certificate prior to access ACS 5 with SSH client. Its by-default enabled on ACS 5.x

To access the ACS CLI environment, use any SSH client that supports SSH v2.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_use.html#wp1114037

Also, ACS access is not configured via AAA login method. You must be accessing some other device in your network. Please verify the ACS ip address.

Regds, Jatin

Do rate helpful posts~

Re: SSH Access to the ACS 5.1

sidcracker — Tue, 01 Feb 2011 06:26:12 GMT

Hi Jatin,

I didn't mean accessing the ACS via ssh, I meant performing authentication from a router via ssh.

Anyhow looks like both telnet and ssh doesn't work. I gave the same commands for the other device (switch) and it authenticated with TACACS. Whereas the router just looks at the default list and stops there, doesn't even look at the TACACS part.

Sending the error message in the next mail

Thanks

Re: SSH Access to the ACS 5.1

sidcracker — Tue, 01 Feb 2011 06:35:13 GMT

.Feb 1 06:03:31.297: TAC+: 10.72.27.3 req=61AB3EC Qd id=1018722310 ver=192 handle=0x5FFDCC8 expire=5 AUTHOR/START queued

.Feb 1 06:03:31.397: TAC+: 10.72.27.3 id=1018722310 wrote 99 of 99 bytes

.Feb 1 06:03:31.397: TAC+: 10.72.27.3 req=61AB3EC Qd id=1018722310 ver=192 handle=0x5FFDCC8 expire=4 AUTHOR/START sent

.Feb 1 06:03:31.397: TAC+: 10.72.27.3 read END-OF-FILE

.Feb 1 06:03:31.397: TAC+: req=61AB3EC Tx id=1018722310 ver=192 handle=0x5FFDCC8 expire=4 AUTHOR/START processed

.Feb 1 06:03:31.397: TAC+: periodic timer stopped (queue empty)

.Feb 1 06:03:31.397: TAC+: Closing TCP/IP 0x5FFDCC8 connection to 10.72.27.3/49

.Feb 1 06:03:51.354: AAA/BIND(000001CD): Bind i/f

.Feb 1 06:03:51.354: AAA/AUTHEN/LOGIN (000001CD): Pick method list 'default'

.Feb 1 06:03:51.354: TPLUS: Queuing AAA Authentication request 461 for processing

.Feb 1 06:03:51.354: TPLUS: processing authentication start request id 461

.Feb 1 06:03:51.354: TPLUS: Authentication start packet created for 461()

.Feb 1 06:03:51.354: TPLUS: Using server 10.72.27.3

.Feb 1 06:03:51.354: TPLUS(000001CD)/0/NB_WAIT/61AB6DC: Started 5 sec timeout

.Feb 1 06:03:51.354: TPLUS(000001CD)/0/NB_WAIT: socket event 2

.Feb 1 06:03:51.354: TPLUS(000001CD)/0/NB_WAIT: wrote entire 34 bytes request

.Feb 1 06:03:51.354: TPLUS(000001CD)/0/READ: socket event 1

.Feb 1 06:03:51.354: TPLUS(000001CD)/0/READ: Would block while reading

.Feb 1 06:03:51.363: TPLUS(000001CD)/0/READ: socket event 1

.Feb 1 06:03:51.363: TPLUS(000001CD)/0/READ: read 0 bytes

.Feb 1 06:03:51.363: TPLUS(000001CD)/0/READ: socket event 1

.Feb 1 06:03:51.363: TPLUS(000001CD)/0/READ: errno 254

.Feb 1 06:03:51.363: TPLUS(000001CD)/0/61AB6DC: Processing the reply packet

Sent from my iPhone

Re: SSH Access to the ACS 5.1

saxenanitesh8522 — Tue, 01 Feb 2011 07:15:46 GMT

Hi sid,

what is syntax and commands you are using for the authenication for router/switch ssh?

If you are using default method it will take preference over named- method list. Just give the AAA commands you are using for authenication.

Nitesh

CCIE Security

Re: SSH Access to the ACS 5.1

sidcracker — Tue, 01 Feb 2011 07:54:10 GMT

Aaa new-model

aaa authentication login default group TACACS+ local

aaa authorization config-commands

aaa authorization exec default group TACACS+ local

aaa authorization commands 0 default group TACACS+ none

aaa authorization commands 1 default group TACACS+ none

aaa authorization commands 15 default group TACACS+ none

TACACS-server host 1.1.1.1 key asdfgh

FOR ACS

Re: SSH Access to the ACS 5.1

saxenanitesh8522 — Tue, 01 Feb 2011 08:01:25 GMT

Hi sid,

you didnt put the commands which you might have applied on the line interface of vty & console.

please can you put that command.

Nitesh Saxena

CCIE Security

Re: SSH Access to the ACS 5.1

sidcracker — Tue, 01 Feb 2011 08:10:13 GMT

There is no custom authentication method. Isn't the default method supposed to apply to all vty lines. As you said I tried applying it earlier thus afternoon but the list didn't apply on the line probably since it's by default

I did the same for the switch without applying any vty auto method and it works fine

Sent from my iPhone

Re: SSH Access to the ACS 5.1

andamani — Tue, 01 Feb 2011 08:14:55 GMT

Hi Sid,

I see that you have used default list for login so it will apply to all the lines i.e. console, vty and auxillary.

Did you generate a rsa key pair for ssh?

the following link will give you details of the how to configure SSH on the router or switch:

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

Regards,

Anisha

P.S.: please mark this thread as resolved if you think your query is resolved.

Re: SSH Access to the ACS 5.1

sidcracker — Tue, 01 Feb 2011 08:21:17 GMT

The router is fully functional just that AAA is not authenticating with ACS. Its very wired that the same config is working for the switch but not for the router.

Am wondering if any other config is required for the router

It's not even going beyond finding the default list to be applied

Sent from my iPhone

Re: SSH Access to the ACS 5.1

saxenanitesh8522 — Tue, 01 Feb 2011 08:22:22 GMT

it might be possible the router didnt accept it.

if you can try putting it manually

line vty 0 4

authorization exec default

authorization command PRIV_LVL default

Re: SSH Access to the ACS 5.1

andamani — Tue, 01 Feb 2011 08:25:39 GMT

Hi Sid,

I am including the basic configuration required on a router for SSH or telnet:

To enable telnet and ssh access on the router
_____________________________________________

line vty 0 4
transport input telnet ssh
transport output telnet ssh
login local
hostname abc
ip domain name /used for key generation
username password
crypto key generate rsa modulus 1024

Also please let me know if the test authentication is working from troublesome router or not.

Regards,

Anisha

Re: SSH Access to the ACS 5.1

sidcracker — Tue, 01 Feb 2011 08:25:48 GMT

I did

Sent from my iPhone

Re: SSH Access to the ACS 5.1

sidcracker — Tue, 01 Feb 2011 08:27:40 GMT

I did configure that but when put the show run, I could find the list in the line vty.

Another thing is that in the logs it says bind I/f. Not sure what that means.

Is this some known bug?

Sent from my iPhone

Re: SSH Access to the ACS 5.1

saxenanitesh8522 — Tue, 01 Feb 2011 08:30:39 GMT

Hi anisha,

You have given him the wrong set of commands for AAA.

the command in router to be given

ip domain-name

crypto key generate rsa modulus 1024

line vty 0 4

authorization exec default

authorization command default

transport input ssh telnet

thanks

nitesh

Re: SSH Access to the ACS 5.1

sidcracker — Tue, 01 Feb 2011 08:31:40 GMT

Local authentication is working fine. All the commands you mentioned are there

Sent from my iPhone

Re: SSH Access to the ACS 5.1

saxenanitesh8522 — Tue, 01 Feb 2011 08:32:40 GMT

sid,

just share the running configuration of aaa and line vty and ssh configuration with you have done on the router. its best

There is no change in the command in switch and router. they remain the same only. So that could not be the case.

Maybe the router might not be taking the default method list just apply it manually again in the router under line console and vty.

Thanks

Re: SSH Access to the ACS 5.1

sidcracker — Tue, 01 Feb 2011 08:36:11 GMT

Ok I will try that. I can't access the router now. Will havevto do it in the morning.

Thanks anyhow for the help

Sent from my iPhone

Re: SSH Access to the ACS 5.1

saxenanitesh8522 — Tue, 01 Feb 2011 08:36:29 GMT

Hi sid,

please try this command and tell the output which is coming on the screen

test aaa group tacas+ legacy

and see the response you are getting.

Thanks

Re: SSH Access to the ACS 5.1

andamani — Tue, 01 Feb 2011 08:38:18 GMT

Hi Nitesh,

Thanks for pointing that .. there is no need to apply the command mentioned below as default will apply to all 3 interfaces.

authorization exec default

authorization command default

Also default method list is being picked as per debugs.

Sid please do not key the command "login local" in line Vty. Please check the configuration and let us know.