TACACS + Authentication Failing

mattipler — Fri, 21 Feb 2020 18:45:16 GMT

Hey guys,

We have a working (for other devices) implementation of ACS 5.8.1. I'm attempting to configure TACACS authentication upon one of our new 2960s but authentication is being rejected by the server.

I can see the port 49 traffic passing through the network and hitting the ACS server. The key and IP are configured correctly within ACS. But the server is rejecting authentication attempts.

TACACS config

switchSWI01#show run | s tacacs
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
ip tacacs source-interface Vlan3000
tacacs server ACS01
address ipv4 10.32.22.15
key 7 031C4D393C1703741E
tacacs server ACS01
address ipv4 10.128.50.15
key 7 10561F2B3F0F30335C

TACACS Auth Debug

switchSWI01#test aaa group tacacs+ Matthewt 3636685490 legacy
Attempting authentication test to server-group tacacs+ using tacacs+

Feb 12 17:33:22.812: AAA: parse name=<no string> idb type=-1 tty=-1
Feb 12 17:33:22.812: AAA/MEMORY: create_user (0x85C027C) user='Matthewt' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Feb 12 17:33:22.812: TAC+: send AUTHEN/START packet ver=192 id=613456307
Feb 12 17:33:22.812: TAC+: Using default tacacs server-group "tacacs+" list.
Feb 12 17:33:22.812: TAC+: Opening TCP/IP to 10.32.22.15/49 timeout=5
Feb 12 17:33:22.826: TAC+: Opened TCP/IP handle 0x8E2B854 to 10.32.22.15/49 using source 172.31.76.140
Feb 12 17:33:22.826: TAC+: 10.32.22.15 (613456307) AUTHEN/START/LOGIN/ASCII queued
Feb 12 17:33:23.029: TAC+: (613456307) AUTHEN/START/LOGIN/ASCII processed
Feb 12 17:33:23.029: TAC+: ver=192 id=613456307 received AUTHEN status = GETPASS
Feb 12 17:33:23.029: TAC+: send AUTHEN/CONT packet id=613456307
Feb 12 17:33:23.029: TAC+: 10.32.22.15 (613456307) AUTHEN/CONT queuedUser authentication request was rejected by server.

switchSWI01#
Feb 12 17:33:25.328: TAC+: (613456307) AUTHEN/CONT processed
Feb 12 17:33:25.328: TAC+: ver=192 id=613456307 received AUTHEN status = FAIL
Feb 12 17:33:25.328: TAC+: Closing TCP/IP 0x8E2B854 connection to 10.32.22.15/49
Feb 12 17:33:25.332: AAA/MEMORY: free_user (0x85C027C) user='Matthewt' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
Feb 12 17:33:34.385: %SEC-6-IPACCESSLOGNP: list SNMP_ACCESS permitted 0 172.21.50.6 -> 0.0.0.0, 1674 packets

Any ideas folks? At a bit of a loss with this!

Regards.

Re: TACACS + Authentication Failing

mattipler — Tue, 13 Feb 2018 10:27:05 GMT

Also just found this in ACS Monitoring and Reports (troubleshooting TAB)...

Description

Selected Shell Profile is DenyAccess

Resolution Steps

Check whether the Device Administration Authorization Policy rules are correct

TACACS STATUS: FAIL

Authentication Results

AuthenticationResult:

PASSED

AuthorizationFailureReason:

ShellProfileDenyAuthorization

Type: Authentication

Authen-reply-Status: Fail

Apologies, as you can probably guess, I'm new to ACS!

Re: TACACS + Authentication Failing

mattipler — Tue, 13 Feb 2018 13:18:44 GMT

End Station Filters!

topic Re: TACACS + Authentication Failing in Network Access Control

TACACS + Authentication Failing

Re: TACACS + Authentication Failing

Re: TACACS + Authentication Failing