topic Re: AAA Authentication in Network Access Control

AAA Authentication

Mavrick25 — Sun, 10 Mar 2019 23:45:01 GMT

Hello Everyone.

I'm not an expert in AAA Authentication that's why I'm here..

We 3 routers, 1 of which works with Authentication and the other 2 that don't.

We have configured the following:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated.

The problem is that when I try to connect using the TACACS server username and password it gives me a generic error message the classic.

% Athentication Failed

But if I try the local username and password it works..

How come, it's not a problem of routing because the one that works uses the same exit point to reach the server as the one that doesn't, the only difference that exists is the IOS is different..

Can anyone point me in the right direction? Please and thank you

Re: AAA Authentication

Jagdeep Gambhir — Thu, 22 Oct 2009 09:33:28 GMT

It seems that router is not able to reach tacacs. Since it is a layer 3 device you need to set up source interface for tacacs.

Ip tacacs source-interface x/y

Where source interface is the one that is listed in acs --> network configuration-->aaa client-->router ip .

ip tacacs source-interface

To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration or server-group configuration mode. To disable use of the specified interface IP address, use the no form of this command.

ip tacacs source-interface subinterface-name

no ip tacacs source-interface

Regards,

~JG

Do rate helpful posts

Re: AAA Authentication

Mavrick25 — Thu, 22 Oct 2009 09:59:49 GMT

Hello,

Thank you so much for your response.

We came accross that command as well, in fact it has been already applied.

ip tacacs source-interface Loopback0

When you say that we are not able to reach the tacacs server are you indicating a problem with routing?

The reason I ask is because 1 of the 3 routers work.

If I perfrom the show tacacs command I recieve the following:

Tacacs+ Server :

Socket opens: 370

Socket closes: 370

Socket aborts: 0

Socket errors: 0

Socket Timeouts: 0

Failed Connect Attempts: 0

Total Packets Sent: 370

Total Packets Recv: 370

No current connection

Tacacs+ Server :

Socket opens: 146

Socket closes: 146

Socket aborts: 0

Socket errors: 0

Socket Timeouts: 2

Failed Connect Attempts: 0

Total Packets Sent: 146

Total Packets Recv: 144

No current connection

This command leads me to believe that it is reachable no?

Mav

Re: AAA Authentication

Jatin Katyal — Thu, 22 Oct 2009 11:00:07 GMT

Hi Mav,

Looks like that authentication request is not reaching at tacacs that is why you are able to authenticate using local username & password. Since you've already defined "ip tacacs source-interface loopback0" on the router. You need to check the following:

1.] Are you able to ping the tacacs server?

2.] Are you able to telnet into it

router#telnet 49

3.] Do you have the same ip configured on the ACS > network configuration same as loopback0 interface.

4.] make sure that tacacs service is running > Go to system configuration > services control > and look at the bottom tabs.

If all of the above options are correctly configured/work then please help me with the following debugs:

debug aaa authentication

debug tacacs

term mon

Now, try to authenticate again so that we can generate debugs and post it here.

HTH

Plz rate helpful posts-

Re: AAA Authentication

Mavrick25 — Thu, 22 Oct 2009 12:31:13 GMT

Thanks for the reply,

1#:

Yes, able to ping the tacacs

Yes, take a look:

#telnet x.x.x.x 49

Trying x.x.x.x, 49 ... Open

Currently verifiying this! Will let you know!

For step number 4, this needs to be done on the server correct? I don't have access to it our system admin does.

Re: AAA Authentication

Jatin Katyal — Thu, 22 Oct 2009 12:44:11 GMT

Hi,

Yes, I can see that you can ping and telnet the tacacs server. You're correct, both [3] and [4] steps can only be verified if we have access to ACS under network configuration and system configuration.

Please first run the debugs and then Also run this command on the router

router#test aaa group tacacs+ legacy

HTH

Plz rate helpful posts-

Re: AAA Authentication

Mavrick25 — Thu, 22 Oct 2009 13:06:32 GMT

I feel like we are getting close and all thanks to you!!

The output is as follows:

#test aaa group tacacs+ <__> <__> legacy

Attempting authentication test to server-group tacacs+ using tacacs+

No authoritative response from any server.

Re: AAA Authentication

Jagdeep Gambhir — Thu, 22 Oct 2009 14:31:53 GMT

Did you check the shared secret key, on ACS NDG key over rites aaa-client key.

Make sure key is not an issue.

Regards,

~JG

Re: AAA Authentication

Mavrick25 — Fri, 23 Oct 2009 06:57:31 GMT

I figured out what the problem was, it seems the IOS version that is running on the router didn't like the encrypted key.

when I inserted the non-encrypted version everything worked fine.

Thanks for all your help, sincerly.

Mav

Re: AAA Authentication

Jatin Katyal — Fri, 23 Oct 2009 11:04:31 GMT

Hi Mav,

Thanks for sharing the solution 🙂

That is why I asked you to run the debugs. Just wanted to share with you that whenever we have key mis-match issue.

We will see thses kind of debugs:

AUTHEN/START/LOGIN/ASCII queued

TAC+: AUTHEN/START/LOGIN/ASCII processed

TAC+: decrypt: pak is unencrypted but we have a key

TAC+: Unable to decrypt data from SERVER OR NAS.

TAC+: Closing TCP/IP 0x765C2C connection

OR TAC+: CHECK THE KEYS

Also, IOS should take the encrypted key. As fas as I know there is no known issue. make sure that you had the correct encrypted. It should work.

On the IOS, we should service password-encryption available.

Do let me know if you have any query.

HTH

Plz rate helpful posts-

Re: AAA Authentication

wei-koon.tay — Fri, 07 May 2010 10:01:49 GMT

Hi,

May I check with you what do you mean by inserting a non-encrypted key? I'm also seeing the same problem as yours. Please advise.

thanks.

I have the same dude: hat do

Oscar Ortiz — Mon, 28 Sep 2015 23:58:54 GMT

I have the same dude: hat do you mean by inserting a non-encrypted key?

Regards