topic Re: Help on ACS in Network Access Control

Help on ACS

Amin Shaikh — Sun, 10 Mar 2019 22:54:01 GMT

Hi,

I have fresh installed ACS 4.1 and having trouble integrating with the following for authentication.

<1> Cisco 4500 Router

<2> Cisco AiroNet-Access-Point

All admin for Router 4500 should be authenticatd via ACS Server and incase ACS Server is down then they should be authenticated via local DATABASE...

All passed or failed attempt should be logged on ACS ; all changes done on the devices ( change config / reboot ) should be logged on ACS as well.....

Can I get a link where it shows the config part on router and on ACS.....

Re: Help on ACS

Jagdeep Gambhir — Wed, 11 Jun 2008 11:52:35 GMT

Here are some useful links,

Command authorization on acs

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

On router use these commands,

Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

Use authorization commmands only if you set up command authorization.

Http authentication on AP

http://cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00804b9dbb.shtml

Eap authentication with radius,

http://cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml

Regards,

~JG

Do rate helpful posts

Re: Help on ACS

Amin Shaikh — Wed, 11 Jun 2008 13:04:30 GMT

Thanks for your input.

What command is required on TTY and console.

wht config is required on ACS to log the change activity done on routers ???

before command authorization I would like to check/test only authentication on Routers using ACS...so should I use the following or additional commands are required.....

aaa new-model

aaa authentication login default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

username ABC priv 15 password 0000

tacacs-server host 192.168.1.100

tacacs-server directed-request

tacacs-server key password

line con 0

exec-timeout 0 0

password 7 0316425

line vty 0 4

exec-timeout 0 0

password 7 0707305

Re: Help on ACS

Jagdeep Gambhir — Wed, 11 Jun 2008 13:19:20 GMT

If you want to record changes made by user, you need to set up command accounting. Nothing is required on acs

aaa accounting command 1 default group tacacs

aaa accounting command 15 default group tacacs

You will find command accounting logs in tacacs administration logs in reports and activity.

Regards,

~JG

Do rate helpful posts

Re: Help on ACS

Amin Shaikh — Wed, 11 Jun 2008 15:32:04 GMT

I hve done the following ; but i dont get authenticated via ACS on Catalyst 4500...

I checked the logs for failed attempts but no entries there... I am able to ping the switch from ACS and vice-versa...

=============

aaa new-model

aaa authentication login default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

username ABC priv 15 password 0000

tacacs-server host 192.168.1.100

tacacs-server directed-request

tacacs-server key password

line con 0

exec-timeout 0 0

password xxx

line vty 0 4

exec-timeout 0 0

password xxx

=============================

Any clue???

Re: Help on ACS

Richard Burts — Wed, 11 Jun 2008 20:39:00 GMT

Amin

My first guess would be that the source address used by the 4500 does not match the address configured in ACS for that device. In that case I would expect to find in the failed attempts some records indicating unknown NAS.

My second guess would be an issue with configuring the shared key between ACS and the 4500.

Probably the most effective way to find this problem would be to run some debugs on the 4500. Would you post the output from debug aaa authentication and from debug tacacs authentication.

HTH

Rick

Re: Help on ACS

Amin Shaikh — Thu, 12 Jun 2008 09:47:12 GMT

thanks

the key is correct

The debug output TACS is :-

======

3w1d: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 172.20.58.5(3457) -> 0.0.0.0(2

3), 1 packet

3w1d: TAC+: Opening TCP/IP to 192.168.2.55/49 timeout=5

3w1d: TAC+: Opened TCP/IP handle 0x42E08FCC to 192.168.2.55/49

3w1d: TAC+: periodic timer started

3w1d: TAC+: 192.168.2.55 req=42E07F24 Qd id=2386328461 ver=192 handle=0x42E08FCC

(ESTAB) expire=5 AUTHEN/START/LOGIN/ASCII queued

3w1d: TAC+: 192.168.2.55 CLOSEWAIT id=2386328461 wrote 35 of 35 bytes

3w1d: TAC+: 192.168.2.55 req=42E07F24 Qd id=2386328461 ver=192 handle=0x42E08FCC

(CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII sent

3w1d: TAC+: 192.168.2.55 read END-OF-FILE

3w1d: TAC+: req=42E07F24 Tx id=2386328461 ver=192 handle=0x42E08FCC (CLOSEWAIT)

expire=4 AUTHEN/START/LOGIN/ASCII processed

3w1d: TAC+: periodic timer stopped (queue empty)

3w1d: TAC+: Closing TCP/IP 0x42E08FCC connection to 192.168.2.55/49

3w1d: TAC+: Opening TCP/IP to 192.168.2.55/49 timeout=5

3w1d: TAC+: Opened TCP/IP handle 0x42E0916C to 192.168.2.55/49

3w1d: TAC+: periodic timer started

3w1d: TAC+: 192.168.2.55 req=42E073E4 Qd id=4289040243 ver=192 handle=0x42E0916C

(ESTAB) expire=5 AUTHEN/START/LOGIN/ASCII queued

3w1d: TAC+: 192.168.2.55 CLOSEWAIT id=4289040243 wrote 35 of 35 bytes

3w1d: TAC+: 192.168.2.55 req=42E073E4 Qd id=4289040243 ver=192 handle=0x42E0916C

(CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII sent

3w1d: TAC+: 192.168.2.55 read END-OF-FILE

3w1d: TAC+: req=42E073E4 Tx id=4289040243 ver=192 handle=0x42E0916C (CLOSEWAIT)

expire=4 AUTHEN/START/LOGIN/ASCII processed

3w1d: TAC+: periodic timer stopped (queue empty)

3w1d: TAC+: Closing TCP/IP 0x42E0916C connection to 192.168.2.55/49

3w1d: TAC+: Opening TCP/IP to 192.168.2.55/49 timeout=5

3w1d: TAC+: Opened TCP/IP handle 0x42E0916C to 192.168.2.55/49

3w1d: TAC+: periodic timer started

3w1d: TAC+: 192.168.2.55 req=42E0749C Qd id=3454695364 ver=192 handle=0x42E0916C

(ESTAB) expire=5 AUTHEN/START/LOGIN/ASCII queued

3w1d: TAC+: 192.168.2.55 CLOSEWAIT id=3454695364 wrote 35 of 35 bytes

3w1d: TAC+: 192.168.2.55 req=42E0749C Qd id=3454695364 ver=192 handle=0x42E0916C

(CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII sent

3w1d: TAC+: 192.168.2.55 read END-OF-FILE

3w1d: TAC+: req=42E0749C Tx id=3454695364 ver=192 handle=0x42E0916C (CLOSEWAIT)

expire=4 AUTHEN/START/LOGIN/ASCII processed

3w1d: TAC+: periodic timer stopped (queue empty)

3w1d: TAC+: Closing TCP/IP 0x42E0916C connection to 192.168.2.55/49

=========

Re: Help on ACS

Amin Shaikh — Thu, 12 Jun 2008 10:04:09 GMT

3w1d: AAA/AUTHEN/CONT (2136902324): continue_login (user='neo')

3w1d: AAA/AUTHEN (2136902324): status = GETPASS

3w1d: AAA/AUTHEN/CONT (2136902324): Method=LOCAL

3w1d: AAA/AUTHEN (2136902324): User not found

3w1d: AAA/AUTHEN (2136902324): status = FAIL

3w1d: AAA/AUTHEN/ABORT: (2136902324) because Unknown.

3w1d: AAA/MEMORY: free_user_quiet (0x42E06218) user='neo' ruser='NULL' port='tt

y2' rem_addr='172.20.58.5' authen_type=1 service=1 priv=1

3w1d: AAA: parse name=tty2 idb type=-1 tty=-1

3w1d: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0

3w1d: AAA/MEMORY: create_user (0x42E04C24) user='NULL' ruser='NULL' ds0=0 port='

tty2' rem_addr='172.20.58.5' authen_type=ASCII service=LOGIN priv=1 initial_task

_id='0'

3w1d: AAA/AUTHEN/START (1863895592): port='tty2' list='' action=LOGIN service=LO

GIN

3w1d: AAA/AUTHEN/START (1863895592): using "default" list

3w1d: AAA/AUTHEN/START (1863895592): Method=tacacs+ (tacacs+)

3w1d: TAC+: send AUTHEN/START packet ver=192 id=1863895592

3w1d: TAC+: Opening TCP/IP to 192.168.2.55/49 timeout=5

3w1d: TAC+: Opened TCP/IP handle 0x42E06414 to 192.168.2.55/49

3w1d: TAC+: periodic timer started

3w1d: TAC+: 192.168.2.55 req=42E03D7C Qd id=1863895592 ver=192 handle=0x42E06414

(ESTAB) expire=5 AUTHEN/START/LOGIN/ASCII queued

3w1d: TAC+: 192.168.2.55 CLOSEWAIT id=1863895592 wrote 35 of 35 bytes

3w1d: TAC+: 192.168.2.55 req=42E03D7C Qd id=1863895592 ver=192 handle=0x42E06414

(CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII sent

3w1d: TAC+: 192.168.2.55 read END-OF-FILE

3w1d: TAC+: req=42E03D7C Tx id=1863895592 ver=192 handle=0x42E06414 (CLOSEWAIT)

expire=4 AUTHEN/START/LOGIN/ASCII processed

3w1d: TAC+: periodic timer stopped (queue empty)

3w1d: TAC+: Closing TCP/IP 0x42E06414 connection to 192.168.2.55/49

3w1d: AAA/AUTHEN (1863895592): status = ERROR

3w1d: AAA/AUTHEN/START (1863895592): Method=LOCAL

3w1d: AAA/AUTHEN (1863895592): status = GETUSER

Re: Help on ACS

Richard Burts — Thu, 12 Jun 2008 10:51:28 GMT

Amin

Thank you for the debug output. It does clearly show that your 4500 is sending the TACACS request and is not receiving any response from the ACS server. It would seem logical that either something is preventing the TACACS request from getting to the server or that something in the request is causing the server to reject it.

Is it possible that there is somewhere along the data path from the 4500 to the server some device (perhaps a router with a filter or a firewall) which is denying the packet with the TACACS request from being forwarded to the server?

Perhaps it would be helpful if you would post the output of a traceroute from the 4500 to the ACS server.

When you attempt to authenticate on the 4500 are you getting any entries in the failed attempts on the ACS server at all?

HTH

Rick

Re: Help on ACS

Amin Shaikh — Thu, 12 Jun 2008 14:40:31 GMT

Hello,

The output of traceroute

HQ#traceroute 192.168.2.55

Type escape sequence to abort.

Tracing the route to acs.hq.du.lan (192.168.2.55)

1 acs.hq.du.lan (192.168.2.55) 0 msec 0 msec 0 msec

I am able to ping both from ACS to Core and viceversa.

There is no firewall between them or any other security device.

On ACS Server I dont see any failed or even pass attempts...

Re: Help on ACS

Richard Burts — Thu, 12 Jun 2008 14:48:53 GMT

Amin

The traceroute shows that they are directly connected which certainly reduces the possibility that some other device is getting in the way.

Could you post the output of show ip interface brief. And can you give us the address that is configured in ACS for this device?

HTH

Rick

Re: Help on ACS

Amin Shaikh — Thu, 12 Jun 2008 15:06:13 GMT

the IP address of core is 172.20.68.1

The IP defined on ACS is 172.20.68.1 as well.

AAA Client IP address : 172.20.68.1

Shared Secret Key : Cisco

Authenticate using : TACACS+ (Cisco IOS)

Re: Help on ACS

Richard Burts — Thu, 12 Jun 2008 15:27:25 GMT

Amin

I was re-reading this thread and found something that I do not understand. In several posts you show this for the TACACS server:

tacacs-server host 192.168.1.100

but the debugs and the traceroute are using 192.168.2.55 as the server address. Did you change the config?

HTH

Rick

Re: Help on ACS

Richard Burts — Thu, 12 Jun 2008 15:35:23 GMT

Amin

Your response with the addressing is helpful. Thank you for posting this:

AAA Client IP address : 172.20.68.1

Shared Secret Key : Cisco

Authenticate using : TACACS+ (Cisco IOS)

But the traceroute seems to show that the 4500 is directly connected to the server on subnet 192.168.2.0. And so that would be the source address that the 4500 would use in its TACACS request. And the server would reject it because it is expecting 172.20.68.1 and is getting 192.168.2.x

There are at least 2 ways to fix this. You could add a command to the config of the 4500 and specify the source address to use:

ip tacacs source-interface

or you could change the config of the server so that it uses the 192.168.2 address of the 4500.

HTH

Rick

Re: Help on ACS

Amin Shaikh — Thu, 12 Jun 2008 16:39:34 GMT

Thanks for your reply.

on the Core I have Two VLANs

VLAN 1 = 172.20.68.0/24 ( user-vlan ) with VLAN ID as 172.20.68.1

VLAN 2 = 192.168.2.0/24 (server-vlan )

with Vlan ID as 192.168.2.1

on core(4500) what should I configure the source-interface....

Re: Help on ACS

Richard Burts — Thu, 12 Jun 2008 16:57:35 GMT

Amin

Does it matter to you which interface is used for TACACS? If so then configure that interface as the source.

When you configured the ACS server you told it to expect packets to be from the address in VLAN 1. If you do not want to change the ACS configuration then configure VLAN 1 as the source address for TACACS.

HTH

Rick

Re: Help on ACS

Amin Shaikh — Thu, 12 Jun 2008 17:23:00 GMT

Thanks, it worked with IP tacacs source-interface command.

I have one more query putting on another POST....

Thanks again....

Re: Help on ACS

Richard Burts — Fri, 13 Jun 2008 16:26:52 GMT

Amin

I am glad that my suggestions were able to help you resolve your problem. Thank you for using the rating system to indicate that your problem was resolved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that they will read a response which did help resolve the problem.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick