topic Re: Tacacs issues on a c880 in Network Access Control

Tacacs issues on a c880

Brent Rockburn — Sun, 10 Mar 2019 23:09:37 GMT

I have attached the debug. From the spoke site I can telnet to the tacacs server's management port. I don't see failed attempts on the tacacs server so I get the impression that it's not making it there or back. Can someone take a look at the debug and let me know what if anything my be wrong.

Thanks in advance!!

Re: Tacacs issues on a c880

Richard Burts — Thu, 30 Oct 2008 15:51:27 GMT

Brent

I have looked at the information that you posted. The debug shows that it is sending requests, and seems to show that it processes a reply. But there is no indication of what the reply is. I find that quite odd. I might suggest that you add debug tacacs packet and test again. It would show more detail of what is going back and forth.

I notice several things in the commands that you post that might be issues. You show configuration of the server but do not show the configuration of the key (or shared secret) that the router and the server use to protect their transmissions. If the keys do not match you will not authenticate with the server (though that usually does create entries in the failed attempts report indicating invalid key).

I also notice that you define the server group as Netadmin but in the authentication command you call for NMM-Netadmin. And under the vty lines you specify the authentication method as Netadmin but in the authentication command you call it NMM-Netadmin.

Perhaps you can clarify some of these things?

HTH

Rick

Re: Tacacs issues on a c880

Brent Rockburn — Thu, 30 Oct 2008 16:23:01 GMT

Here is a new debug file.

Sorry about the nmm-netadmin versus the other one I was just trying to edit stuff on the text file.

I'm getting an error in the debug I don't know what exactly it means as it's a little ambiguous.

thanks for the help.

Re: Tacacs issues on a c880

Richard Burts — Thu, 30 Oct 2008 16:39:51 GMT

Brent

That does help to clarify a little. Clearly the router is sending a request. Some packet is received in response but there is an error in reading the packet header. It would be nice to know more about the error, but the debug is not helpful about that.

I wonder how it would work if you remove the single-connection parameter from the server configuration on the router.

Also can you verify that the TACACS server is working properly? Is it authenticating for other clients?

Is there anything unique about the configuration in the server for client 10.50.2.176?

Does the server have any entries in its failed attempts file that correspond to the time when you are testing?

HTH

Rick

Re: Tacacs issues on a c880

Brent Rockburn — Thu, 30 Oct 2008 17:28:08 GMT

Hey,

I've verified that the tacacs server is running properly as I use it on all my security devices like fw's and others. I have removed the "single-connection" and now I am getting the following at the tail end

*Oct 30 16:52:16.847: TPLUS(0000001B)/0/NB_WAIT: wrote entire 45 bytes request

*Oct 30 16:52:16.847: TPLUS(0000001B)/0/READ: socket event 1

*Oct 30 16:52:16.847: TPLUS(0000001B)/0/READ: Would block while reading

*Oct 30 16:52:16.867: TPLUS(0000001B)/0/READ: socket event 1

*Oct 30 16:52:16.867: TPLUS(0000001B)/0/READ: read 0 bytes

*Oct 30 16:52:16.871: TPLUS(0000001B)/0/READ: socket event 1

*Oct 30 16:52:16.871: TPLUS(0000001B)/0/READ: errno 254

*Oct 30 16:52:16.871: TPLUS(0000001B)/0/853AF00C: Processing the reply packet

The strange thing is that when I look at the failed attempts on the server I don't see anything .. it's like it never makes it there but I know it does I see it in the debug ..

Re: Tacacs issues on a c880

Richard Burts — Thu, 30 Oct 2008 18:21:28 GMT

Brent

Is there any possibility that there is a firewall or IDS/IPS that could be intercepting the request and generating/proxying a response?

HTH

Rick

Re: Tacacs issues on a c880

Brent Rockburn — Thu, 30 Oct 2008 18:27:59 GMT

No there is no firewall.

Also I can telnet from the router to the management port of the tacacs server .. so I know it can indeed connect.

Re: Tacacs issues on a c880

Richard Burts — Thu, 30 Oct 2008 18:55:28 GMT

Brent

I have assumed since your original post that basic IP connectivity was not an issue. So I am looking for possible reasons why the request does not show up at the server - which is especially puzzling since some kind of response seems to get to the router.

HTH

Rick

Re: Tacacs issues on a c880

Brent Rockburn — Thu, 30 Oct 2008 18:57:42 GMT

yes I agree very strange.

I think I'll open up a TAC. Maybe there is something I'm missing.

Thanks for your help

Take care.

Re: Tacacs issues on a c880

cisco24x7 — Thu, 30 Oct 2008 18:59:55 GMT

The way you go about troubleshooting this issue

is wrong. You need to do the following:

- run tcpdump on the tacacs server and see if

it even completes a 3-way hand-shake, like this:

13:54:26.712822 192.168.15.248.11030 > 10.0.0.10.49: S 533573034:533573034(0) win 4128

13:54:26.712860 10.0.0.10.49 > 192.168.15.248.11030: S 86308781:86308781(0) ack 533573035 win 5840 (DF)

13:54:26.714667 192.168.15.248.11030 > 10.0.0.10.49: . ack 1 win 4128

13:54:26.715946 192.168.15.248.11030 > 10.0.0.10.49: . 1:39(38) ack 1 win 4128

- run tcpdump on the tacacs server and capture

it to a file so that you can view it with

ethereal/wireshark:

tcpdump -s 1500 -w /tmp/tacacs.cap -i eth0 -nnn host router_ip_address and port 49

- Now view the file tacacs.cap with ethereal.

You can find out why tacacs is not working.

The other thing to keep in mind is that the

tacacs key you enter on the router is kinda

tricky. "abc123 " is NOT the same as

"abc123". The extra space in the end could

cause issue. You can not decode it with

tcpdump because the packet is encrypted.

Re: Tacacs issues on a c880

rtanner — Fri, 31 Oct 2008 00:06:50 GMT

I managed to generate the output

Oct 31 11:03:59.204: TPLUS(0000005A)/0/NB_WAIT: wrote entire 38 bytes request

Oct 31 11:03:59.204: TPLUS(0000005A)/0/READ: socket event 1

Oct 31 11:03:59.204: TPLUS(0000005A)/0/READ: Would block while reading

Oct 31 11:03:59.204: TPLUS(0000005A)/0/READ: socket event 1

Oct 31 11:03:59.208: TPLUS(0000005A)/0/READ: errno 254

Oct 31 11:03:59.208: TPLUS(0000005A)/0/847809C0: Processing the reply packet

which includes the same errno (254) as the OP's output. It was generated by not configuring the end point as a client in the ACS.

which leads to the suggestion to confirm the correct source interface is configured in ACS

HTH

Ross

Re: Tacacs issues on a c880

Brent Rockburn — Fri, 31 Oct 2008 15:50:44 GMT

So the issue was that I needed to specify a tacacs interface and I also didn't configure the subnet for that interface on the ACS server. Once I did both it worked like a dream.

Thanks for all the help