topic Re: Problem with ACS authentication in Network Access Control

Problem with ACS authentication

chris.snyman — Sun, 10 Mar 2019 22:06:01 GMT

I'm busy upgrading our network at the moment and we're replacing the archaic switches with new 3750s. At one of the sites, the new switch didn't boot up, so I configured a 2950 as a temporary solution. My problems is with TACACS authentication. I'm using TACACS as the first method of authentication, with local database as backup. But TACACS authentication isn't happening. It just skips straight past method 1 to local authentication. The TACACS servers are up and running as other devices are authenticating correctly and this 2950 can ping the servers in question. The key is entered correctly as well. Any suggestions?

Re: Problem with ACS authentication

Craig Balfour — Tue, 17 Apr 2007 07:08:18 GMT

The TACACS+ configuration for the Catalyst 3750 and 2950 should be identical.

What does your AAA configuration on the 2950 look like?

It should look something like this:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

tacacs-server host 10.10.10.24

tacacs-server key 7 0329483905743665657

What does the output of "debug aaa authentication" look like?

For a successful TACACS+ login I get the following:

Apr 17 08:06:07: AAA/AUTHEN/START (1370004964): port='tty2' list='' action=LOGIN service=LOGIN

Apr 17 08:06:07: AAA/AUTHEN/START (1370004964): Restart

Apr 17 08:06:07: AAA/AUTHEN/START (1370004964): Method=tacacs+ (tacacs+)

Apr 17 08:06:07: TAC+: send AUTHEN/START packet ver=192 id=1370004964

Apr 17 08:06:07: TAC+: ver=192 id=1370004964 received AUTHEN status = GETPASS

Apr 17 08:06:07: AAA/AUTHEN (1370004964): status = GETPASS

Apr 17 08:06:20: AAA/AUTHEN/CONT (1370004964): continue_login (user='craig')

Apr 17 08:06:20: AAA/AUTHEN (1370004964): status = GETPASS

Apr 17 08:06:20: AAA/AUTHEN (1370004964): Method=tacacs+ (tacacs+)

Apr 17 08:06:20: TAC+: send AUTHEN/CONT packet id=1370004964

Apr 17 08:06:21: TAC+: ver=192 id=1370004964 received AUTHEN status = PASS

Apr 17 08:06:21: AAA/AUTHEN (1370004964): status = PASS

Apr 17 08:06:21: TAC+: (2581335929): received author response status = PASS_ADD

Re: Problem with ACS authentication

chris.snyman — Tue, 17 Apr 2007 08:14:15 GMT

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authentication ppp default local

aaa accounting suppress null-username

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa authorization config-commands

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

tacacs-server key correctkey

tacacs-server host 10.0.0.0

The correct IPs have been ommited, but are correct in the configs and the switch can ping all four of the servers. I'm not on site at the moment, but when I Telnet into the device and use the debug command, it gives me no output whatsoever. It's as if it just skips the TACACS+ authentication completely.

Re: Problem with ACS authentication

Craig Balfour — Tue, 17 Apr 2007 08:47:21 GMT

To get the switch debugging output via telnet you probably need to do the following:

conf t

logging console

end

debug aaa authentication

terminal mon

You should see aaa authentication debugging as long as you are using "aaa new-model" - even if you are using local and not TACACS+.

Re: Problem with ACS authentication

chris.snyman — Tue, 17 Apr 2007 08:54:28 GMT

Thanks. That worked! This is what I get when entering enable mode.

Apr 17 11:52:27: AAA/MEMORY: dup_user (0x80CD1528) user='root' ruser='' port='tt

y1' rem_addr='10.247.81.22' authen_type=ASCII service=ENABLE priv=15 source='AAA

dup enable'

Apr 17 11:52:27: AAA/AUTHEN/START (3171050843): port='tty1' list='' action=LOGIN

service=ENABLE

Apr 17 11:52:27: AAA/AUTHEN/START (3171050843): using "default" list

Apr 17 11:52:27: AAA/AUTHEN/START (3171050843): Method=tacacs+ (tacacs+)

Apr 17 11:52:27: TAC+: send AUTHEN/START packet ver=192 id=3171050843

Apr 17 11:52:28: AAA/AUTHEN (3171050843): status = ERROR

Apr 17 11:52:28: AAA/AUTHEN/START (3171050843): Method=ENABLE

Apr 17 11:52:28: AAA/AUTHEN (3171050843): status = GETPASS

Re: Problem with ACS authentication

Craig Balfour — Tue, 17 Apr 2007 10:35:07 GMT

And the output of "debug tacacs"?

My output looks like this:

Apr 17 11:30:27: TAC+: send AUTHEN/START packet ver=192 id=3801177964

Apr 17 11:30:27: TAC+: Using default tacacs server-group "tacacs+" list.

Apr 17 11:30:27: TAC+: Opening TCP/IP to 10.10.10.24/49 timeout=5

Apr 17 11:30:27: TAC+: Opened TCP/IP handle 0x80EC2700 to 10.10.10.24/49

Apr 17 11:30:27: TAC+: 10.10.10.24 (3801177964) AUTHEN/START/LOGIN/ASCII queued

Apr 17 11:30:28: TAC+: (3801177964) AUTHEN/START/LOGIN/ASCII processed

Apr 17 11:30:28: TAC+: ver=192 id=3801177964 received AUTHEN status = GETPASS

Apr 17 11:30:31: TAC+: send AUTHEN/CONT packet id=3801177964

Apr 17 11:30:31: TAC+: 10.10.10.24 (3801177964) AUTHEN/CONT queued

Apr 17 11:30:31: TAC+: (3801177964) AUTHEN/CONT processed

Apr 17 11:30:31: TAC+: ver=192 id=3801177964 received AUTHEN status = PASS

Apr 17 11:30:31: TAC+: Closing TCP/IP 0x80EC2700 connection to 10.10.10.24/49

Apr 17 11:30:31: TAC+: using previously set server 10.10.10.24 from group tacacs+

Apr 17 11:30:31: TAC+: Opening TCP/IP to 10.10.10.24/49 timeout=5

Apr 17 11:30:31: TAC+: Opened TCP/IP handle 0x80ED50DC to 10.10.10.24/49

Apr 17 11:30:31: TAC+: Opened 10.10.10.24 index=1

Apr 17 11:30:31: TAC+: 10.10.10.24 (3808800626) AUTHOR/START queued

Apr 17 11:30:32: TAC+: (3808800626) AUTHOR/START processed

Apr 17 11:30:32: TAC+: (3808800626): received author response status = PASS_ADD

Apr 17 11:30:32: TAC+: Closing TCP/IP 0x80ED50DC connection to 10.10.10.24/49

Apr 17 11:30:32: TAC+: Received Attribute "priv-lvl=15"

Apr 17 11:30:32: TAC+: using previously set server 10.10.10.24 from group tacacs+

Apr 17 11:30:32: TAC+: Opening TCP/IP to 10.10.10.24/49 timeout=5

Apr 17 11:30:32: TAC+: Opened TCP/IP handle 0x80EC2B94 to 10.10.10.24/49

Apr 17 11:30:32: TAC+: Opened 10.10.10.24 index=1

Apr 17 11:30:32: TAC+: 10.10.10.24 (422749886) ACCT/REQUEST/START queued

Apr 17 11:30:32: TAC+: (422749886) ACCT/REQUEST/START processed

Apr 17 11:30:32: TAC+: (422749886): received acct response status = SUCCESS

Apr 17 11:30:32: TAC+: Closing TCP/IP 0x80EC2B94 connection to 10.10.10.24/49

What TACACS+ server are you using?

Re: Problem with ACS authentication

chris.snyman — Tue, 17 Apr 2007 10:58:21 GMT

The encrypted key I was using isn't the same for both switch models. I can only assume that the encryption algorithm used on the 3750 differs to that of the 2950. When i typed in the unencrypted password, TACACS+ authentication kicked in immediately! Thanks for the advice!