Issue with tacacs plus

etucker — Sun, 10 Mar 2019 21:02:42 GMT

I hava a tacacs server running on redhat. When I try to telnet to my router I get a bunch of garbage on the screen. Sometimes I get an authorization failed. Any ideas what I might have wrong?

Current configuration : 1063 bytes

version 12.2

no service single-slot-reload-enable

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

hostname Home

logging rate-limit console 10 except errors

aaa new-model

aaa authentication login tac group tacacs+ enable

aaa authentication enable default group tacacs+ enable

enable secret removed

enable password removed

username cisco password removed

ip subnet-zero

ip ssh time-out 120

ip ssh authentication-retries 3

no ip dhcp-client network-discovery

lcp max-session-starts 0

interface Ethernet0

ip address 192.168.1.105 255.255.255.0

no cdp enable

interface Ethernet1

no ip address

ip access-group 101 in

ip nat outside

shutdown

no cdp enable

ip classless

ip http server

no cdp run

tacacs-server host 192.168.1.102

tacacs-server timeout 15

tacacs-server key cisco

line con 0

exec-timeout 120 0

transport input none

stopbits 1

line vty 0 4

exec-timeout 0 0

scheduler max-task-time 5000

end

03:10:38: TPLUS: Queuing AAA Authentication request 25 for processing

03:10:38: TPLUS: processing authentication start request id 25

03:10:38: TPLUS: Authentication start packet created for 25()

03:10:38: TPLUS: Using server 192.168.1.102

03:10:38: TPLUS(00000019): connected to server 192.168.1.102

03:10:38: TPLUS: response received for AAA request 25

03:10:38: TPLUS: Received authentication response with status FAIL

03:10:40: TPLUS: Queuing AAA Authentication request 25 for processing

03:10:40: TPLUS: processing authentication start request id 25

03:10:40: TPLUS: Authentication start packet created for 25()

03:10:40: TPLUS: Using server 192.168.1.102

03:10:40: TPLUS(00000019): connected to server 192.168.1.102

03:10:40: TPLUS: response received for AAA request 25

03:10:40: TPLUS: Received authentication response with status FAIL

03:10:42: TPLUS: Queuing AAA Authentication request 25 for processing

03:10:42: TPLUS: processing authentication start request id 25

03:10:42: TPLUS: Authentication start packet created for 25()

03:10:42: TPLUS: Using server 192.168.1.102

03:10:42: TPLUS(00000019): connected to server 192.168.1.102

03:10:42: TPLUS: response received for AAA request 25

03:10:42: TPLUS: Received authentication response with status FAIL

Re: Issue with tacacs plus

Richard Burts — Mon, 07 Mar 2005 03:29:08 GMT

I have looked at the config that you posted and do not see any serious issues, though there are a couple of things that may be worth a comment. You have configured an authentication method for the vty ports so telnet access will use tacacs. But you have not configured an authentication method for the console and you have not configured (or at least not included in the posted config) any default authentication method for login.

Also the tac authentication method used by the vty ports specifes that the tacacs server is the preferred method of authentication but if the server is not available the user can login in by specifying the enable password. I wonder if that is really what you intend. A more common configuration would be:

aaa authentication login tac group tacacs+ line

this would prefer tacacs and as a backup would use the configured line password.

Or you could configure:

aaa authentication login tac group tacacs+ local

if you have user names and passwords configured on the router.

The debug messages that you include are interesting and may give a clue to the problem. They do demonstrate that you are communicating with the tacacs server (it shows that you are sending messages and getting responses). This tells us that there is not a problem with the configuration of the server address or password. I think it also tells us that this router has been configured on the tacacs server.

I think that it is interesting that you are building a start packet and sending it to the tacacs server. And that you immediately get a response from the server of FAIL. There was no prompt for username or password which would be normal. This makes me wonder if there is some issue in the way that this router has been configured on the tacacs server. Is this router in a group by itself? and if so are there users who have access rights in this group?

If you have other routers that do work with tacacs, I would suggest that you compare the tacacs server configuration of this router to the configuration of some other router that works and see if you can identify a difference.

HTH

Rick

topic Issue with tacacs plus in Network Access Control

Issue with tacacs plus

Re: Issue with tacacs plus