topic Re: Understanding this TACACS Debug in Network Access Control

Understanding this TACACS Debug

daniel.bowen — Sun, 10 Mar 2019 22:13:05 GMT

01:19:44: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).

01:19:44: TAC+: Closing TCP/IP 0xAC5F14 connection to 10.52.166.119/49

01:19:44: TAC+: Using default tacacs server-group "tacacs+" list.

01:19:46: TAC+: Using default tacacs server-group "tacacs+" list.

01:19:46: TAC+: Opening TCP/IP to 10.52.166.119/49 timeout=5

01:19:46: TAC+: Opened TCP/IP handle 0xABDD68 to 10.52.166.119/49

01:19:46: TAC+: 10.52.166.119 (2254716401) ACCT/REQUEST/STOP queued

01:19:46: TAC+: (2254716401) ACCT/REQUEST/STOP processed

01:19:46: TAC+: received bad ACCT packet: type = 0, expected 3

01:19:46: TAC+: Invalid ACCT/REQUEST/STOP packet (check keys).

01:19:46: TAC+: Closing TCP/IP 0xABDD68 connection to 10.52.166.119/49

01:19:46: TAC+: Using default tacacs server-group "tacacs+" list.

01:20:19: TAC+: Using default tacacs server-group "tacacs+" list.

01:20:19: TAC+: Opening TCP/IP to 10.52.166.119/49 timeout=5

01:20:19: TAC+: Opened TCP/IP handle 0xAC5F14 to 10.52.166.119/49

01:20:19: TAC+: 10.52.166.119 (726398633) ACCT/REQUEST/STOP queued

01:20:19: TAC+: (726398633) ACCT/REQUEST/STOP processed

01:20:19: TAC+: received bad ACCT packet: type = 0, expected 3

01:20:19: TAC+: Invalid ACCT/REQUEST/STOP packet (check keys).

01:20:19: TAC+: Closing TCP/IP 0xAC5F14 connection to 10.52.166.119/49

01:20:19: TAC+: Using default tacacs server-group "tacacs+" list.

01:20:19: TAC+: Opening TCP/IP to 10.52.166.119/49 timeout=5

01:20:19: TAC+: Opened TCP/IP handle 0xABDD68 to 10.52.166.119/49

01:20:19: TAC+: 10.52.166.119 (1195930714) ACCT/REQUEST/STOP queued

01:20:20: TAC+: (1195930714) ACCT/REQUEST/STOP processed

01:20:20: TAC+: received bad ACCT packet: type = 0, expected 3

01:20:20: TAC+: Invalid ACCT/REQUEST/STOP packet (check keys).

01:20:20: TAC+: Closing TCP/IP 0xABDD68 connection to 10.52.166.119/49

01:20:20: TAC+: Using default tacacs server-group "tacacs+" list.

Can anybody help me understand this TACACS debug that I get when I try and authenticate on this device using TACACS?

Many thanks,

Dan

Re: Understanding this TACACS Debug

Jagdeep Gambhir — Fri, 15 Jun 2007 11:43:55 GMT

Hi Dan,

Here is some info :

01:19:44: TAC+: Using default tacacs server-group "tacacs+" list.

01:19:46: TAC+: Using default tacacs server-group "tacacs+" list.

It is using default configured tacacs list.

01:19:46: TAC+: Opening TCP/IP to 10.52.166.119/49 timeout=5

01:19:46: TAC+: Opened TCP/IP handle 0xABDD68 to 10.52.166.119/49

01:19:46: TAC+: 10.52.166.119 (2254716401) ACCT/REQUEST/STOP queued

Here it is trying to make a connection with tacacs server on port 49 ( default tacacs port), request is queued.

01:19:46: TAC+: (2254716401) ACCT/REQUEST/STOP processed

01:19:46: TAC+: received bad ACCT packet: type = 0, expected 3

01:19:46: TAC+: Invalid ACCT/REQUEST/STOP packet (check keys).

01:19:46: TAC+: Closing TCP/IP 0xABDD68 connection to 10.52.166.119/49

Here it is not getting any response from tacacs due to secret key mismatch.

And loop goes on.

Please reenter aaa key on this device and acs , pls do not copy/paste

Also be aware that in ACS aaa client key take precedence over NDG key.

Let me know how that goes.

Regards,

Jagdeep

Re: Understanding this TACACS Debug

darpotter — Fri, 15 Jun 2007 14:51:52 GMT

The "check keys" message would seem to indicate the shared secret doesnt match the one on the AAA server.