Cisco Router as Terminal/Comm Server - TTY Line TACACS Authentication

stephanbrunst — Fri, 21 Jul 2023 11:07:40 GMT

Hello community,

I have a question about securing the TTY lines on a Cisco router as a terminal server with TACACS authentication.

Is it normal that no username is sent when authenticating on the TTY line? (see debug output below the configuration)

The configuration looks like this:

--------------------------------------------------------------------------------------------------------------

aaa new-model
!
aaa authentication login default group ffmaaa local
aaa authentication enable default group ffmaaa enable
aaa authorization config-commands
aaa authorization exec default group ffmaaa local
aaa authorization commands 1 default group ffmaaa local
aaa authorization commands 15 default group ffmaaa local
aaa accounting exec default start-stop group ffmaaa
aaa accounting commands 0 default start-stop group ffmaaa
aaa accounting commands 15 default start-stop group ffmaaa
aaa accounting connection default start-stop group ffmaaa
!
aaa group server tacacs+ ffmaaa
server-private <ip-address> key <key>
server-private <ip-address> key <key>
!
ip host swioob01-04 2068 <ip-address>
ip host swioob01-05 2070 <ip-address>
ip host l1201 2072 <ip-address>
ip host l0601 2073 <ip-address>
ip host asa01-04 2074 <ip-address>
ip host asa01-05 2075 <ip-address>
ip host nx01-04 2076 <ip-address>
ip host gw01-05 2077 <ip-address>
ip host nx01-05 2078 <ip-address>
ip host swi04-04 2079 <ip-address>
ip host nx01-06 2080 <ip-address>
ip host nx02-06 2081 <ip-address>
ip host fraswioob01-12 2066 <ip-address>
ip host fraoob01-12 2067 <ip-address>
ip host fraswioob01-06 2069 <ip-address>
ip host fraoob01-06 2071 <ip-address>
!
line 1/0 1/15
exec-timeout 0 0
modem InOut
no exec
transport input telnet ssh
stopbits 1

---------------------------------------------------------------------------------------------------------------

debug output:

Jul 19 14:05:48.387 MEST: AAA/AUTHEN/LOGIN (000241DC): Pick method list 'default'
Jul 19 14:05:48.391 MEST: TPLUS: Queuing AAA Authentication request 147932 for processing
Jul 19 14:05:48.391 MEST: TPLUS(000241DC) login timer started 1020 sec timeout
Jul 19 14:05:48.391 MEST: TPLUS: processing authentication start request id 147932
Jul 19 14:05:48.391 MEST: TPLUS: Authentication start packet created for 147932()
Jul 19 14:05:48.391 MEST: TPLUS: Using server <ip-address>
Jul 19 14:05:48.395 MEST: TPLUS(000241DC)/0/NB_WAIT/4775806C: Started 30 sec timeout
Jul 19 14:05:48.399 MEST: TPLUS(000241DC)/0/NB_WAIT: socket event 2
Jul 19 14:05:48.399 MEST: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Jul 19 14:05:48.399 MEST: T+: session_id 2056032528 (0x7A8C9110), dlen 27 (0x1B)
Jul 19 14:05:48.399 MEST: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Jul 19 14:05:48.399 MEST: T+: svc:LOGIN user_len:0 port_len:7 (0x7) raddr_len:12 (0xC) data_len:0
Jul 19 14:05:48.399 MEST: T+: user:
Jul 19 14:05:48.399 MEST: T+: port: tty1/10
Jul 19 14:05:48.399 MEST: T+: rem_addr: <ip-address>
Jul 19 14:05:48.399 MEST: T+: data:
Jul 19 14:05:48.399 MEST: T+: End Packet
Jul 19 14:05:48.403 MEST: TPLUS(000241DC)/0/NB_WAIT: wrote entire 39 bytes request
Jul 19 14:05:48.403 MEST: TPLUS(000241DC)/0/READ: socket event 1
Jul 19 14:05:48.403 MEST: TPLUS(000241DC)/0/READ: Would block while reading
Jul 19 14:05:48.407 MEST: TPLUS(000241DC)/0/READ: socket event 1
Jul 19 14:05:48.407 MEST: TPLUS(000241DC)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Jul 19 14:05:48.407 MEST: TPLUS(000241DC)/0/READ: socket event 1
Jul 19 14:05:48.407 MEST: TPLUS(000241DC)/0/READ: read entire 28 bytes response
Jul 19 14:05:48.407 MEST: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Jul 19 14:05:48.407 MEST: T+: session_id 2056032528 (0x7A8C9110), dlen 16 (0x10)
Jul 19 14:05:48.407 MEST: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
Jul 19 14:05:48.407 MEST: T+: msg: username:
Jul 19 14:05:48.407 MEST: T+: data:
Jul 19 14:05:48.407 MEST: T+: End Packet
Jul 19 14:05:48.407 MEST: TPLUS(000241DC) login timer stopped
Jul 19 14:05:48.407 MEST: TPLUS(000241DC)/0/4775806C: Processing the reply packet
Jul 19 14:05:48.411 MEST: TPLUS: Received authen response status GET_USER (7)
Jul 19 14:05:48.411 MEST: TPLUS(000241DC)/0/None: Started 120 sec timeoutos336164a
password:
Jul 19 14:05:53.935 MEST: TPLUS: Queuing AAA Authentication request 147932 for processing
Jul 19 14:05:53.935 MEST: TPLUS(000241DC) login timer started 1020 sec timeout
Jul 19 14:05:53.935 MEST: TPLUS: processing authentication continue request id 147932
Jul 19 14:05:53.935 MEST: TPLUS: Authentication continue packet generated for 147932
Jul 19 14:05:53.935 MEST: TPLUS(000241DC)/0/None: Timer Stoped
Jul 19 14:05:53.935 MEST: TPLUS(000241DC)/0/WRITE/47B4A580: Started 30 sec timeout
Jul 19 14:05:53.935 MEST: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
Jul 19 14:05:53.935 MEST: T+: session_id 2056032528 (0x7A8C9110), dlen 14 (0xE)
Jul 19 14:05:53.935 MEST: T+: AUTHEN/CONT msg_len:9 (0x9), data_len:0 (0x0) flags:0x0
Jul 19 14:05:53.939 MEST: T+: User msg: <elided>
Jul 19 14:05:53.939 MEST: T+: User data:
Jul 19 14:05:53.939 MEST: T+: End Packet
Jul 19 14:05:53.939 MEST: TPLUS(000241DC)/0/WRITE: wrote entire 26 bytes request
Jul 19 14:05:53.943 MEST: TPLUS(000241DC)/0/READ: socket event 1
Jul 19 14:05:53.947 MEST: TPLUS(000241DC)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Jul 19 14:05:53.947 MEST: TPLUS(000241DC)/0/READ: socket event 1
Jul 19 14:05:53.947 MEST: TPLUS(000241DC)/0/READ: read entire 28 bytes response
Jul 19 14:05:53.947 MEST: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
Jul 19 14:05:53.947 MEST: T+: session_id 2056032528 (0x7A8C9110), dlen 16 (0x10)
Jul 19 14:05:53.947 MEST: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Jul 19 14:05:53.947 MEST: T+: msg: password:
Jul 19 14:05:53.947 MEST: T+: data:
Jul 19 14:05:53.947 MEST: T+: End Packet
Jul 19 14:05:53.947 MEST: TPLUS(000241DC) login timer stopped
Jul 19 14:05:53.947 MEST: TPLUS(000241DC)/0/47B4A580: Processing the reply packet
Jul 19 14:05:53.947 MEST: TPLUS: Received authen response status GET_PASSWORD (8)
Jul 19 14:05:53.947 MEST: TPLUS(000241DC)/0/None: Started 120 sec timeout
Jul 19 14:05:59.671 MEST: TPLUS: Queuing AAA Authentication request 147932 for processing
Jul 19 14:05:59.675 MEST: TPLUS(000241DC) login timer started 1020 sec timeout
Jul 19 14:05:59.675 MEST: TPLUS: processing authentication continue request id 147932
Jul 19 14:05:59.675 MEST: TPLUS: Authentication continue packet generated for 147932
Jul 19 14:05:59.675 MEST: TPLUS(000241DC)/0/None: Timer Stoped
Jul 19 14:05:59.675 MEST: TPLUS(000241DC)/0/WRITE/47B4A580: Started 30 sec timeout
Jul 19 14:05:59.675 MEST: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
Jul 19 14:05:59.675 MEST: T+: session_id 2056032528 (0x7A8C9110), dlen 18 (0x12)
Jul 19 14:05:59.675 MEST: T+: AUTHEN/CONT msg_len:13 (0xD), data_len:0 (0x0) flags:0x0
Jul 19 14:05:59.675 MEST: T+: User msg: <elided>
Jul 19 14:05:59.675 MEST: T+: User data:
Jul 19 14:05:59.675 MEST: T+: End Packet
Jul 19 14:05:59.675 MEST: TPLUS(000241DC)/0/WRITE: wrote entire 30 bytes request
Jul 19 14:05:59.699 MEST: TPLUS(000241DC)/0/READ: socket event 1
Jul 19 14:05:59.699 MEST: TPLUS(000241DC)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Jul 19 14:05:59.699 MEST: TPLUS(000241DC)/0/READ: socket event 1
Jul 19 14:05:59.699 MEST: TPLUS(000241DC)/0/READ: read entire 18 bytes response
Jul 19 14:05:59.699 MEST: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
Jul 19 14:05:59.699 MEST: T+: session_id 2056032528 (0x7A8C9110), dlen 6 (0x6)
Jul 19 14:05:59.699 MEST: T+: AUTHEN/REPLY status:2 flags:0x0 msg_len:0, data_len:0
Jul 19 14:05:59.699 MEST: T+: msg:
Jul 19 14:05:59.699 MEST: T+: data:
Jul 19 14:05:59.699 MEST: T+: End Packet
Jul 19 14:05:59.699 MEST: TPLUS(000241DC) login timer stopped
Jul 19 14:05:59.699 MEST: TPLUS(000241DC)/0/47B4A580: Processing the reply packet
Jul 19 14:05:59.699 MEST: TPLUS: Received authen response status FAIL (3)
Jul 19 14:05:59.699 MEST: TPLUS: Invalid Client information received as input

% Authentication failed

username:
Jul 19 14:06:03.703 MEST: AAA/AUTHEN/LOGIN (000241DC): Pick method list 'default'
Jul 19 14:06:03.703 MEST: TPLUS: Queuing AAA Authentication request 147932 for processing
Jul 19 14:06:03.703 MEST: TPLUS(000241DC) login timer started 1020 sec timeout
Jul 19 14:06:03.703 MEST: TPLUS: processing authentication start request id 147932
Jul 19 14:06:03.703 MEST: TPLUS: Authentication start packet created for 147932()
Jul 19 14:06:03.703 MEST: TPLUS: Using server <ip-address>
Jul 19 14:06:03.707 MEST: TPLUS(000241DC)/0/NB_WAIT/47FEE670: Started 30 sec timeout
Jul 19 14:06:03.707 MEST: TPLUS(000241DC)/0/NB_WAIT: socket event 2
Jul 19 14:06:03.707 MEST: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Jul 19 14:06:03.707 MEST: T+: session_id 1260940227 (0x4B286BC3), dlen 27 (0x1B)
Jul 19 14:06:03.707 MEST: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Jul 19 14:06:03.707 MEST: T+: svc:LOGIN user_len:0 port_len:7 (0x7) raddr_len:12 (0xC) data_len:0
Jul 19 14:06:03.707 MEST: T+: user:
Jul 19 14:06:03.707 MEST: T+: port: tty1/10
Jul 19 14:06:03.707 MEST: T+: rem_addr: <ip-address>
Jul 19 14:06:03.707 MEST: T+: data:
Jul 19 14:06:03.707 MEST: T+: End Packet
Jul 19 14:06:03.711 MEST: TPLUS(000241DC)/0/NB_WAIT: wrote entire 39 bytes request
Jul 19 14:06:03.711 MEST: TPLUS(000241DC)/0/READ: socket event 1
Jul 19 14:06:03.711 MEST: TPLUS(000241DC)/0/READ: Would block while reading
Jul 19 14:06:03.715 MEST: TPLUS(000241DC)/0/READ: socket event 1
Jul 19 14:06:03.715 MEST: TPLUS(000241DC)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Jul 19 14:06:03.715 MEST: TPLUS(000241DC)/0/READ: socket event 1
Jul 19 14:06:03.715 MEST: TPLUS(000241DC)/0/READ: read entire 28 bytes response
Jul 19 14:06:03.715 MEST: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Jul 19 14:06:03.715 MEST: T+: session_id 1260940227 (0x4B286BC3), dlen 16 (0x10)
Jul 19 14:06:03.715 MEST: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
Jul 19 14:06:03.715 MEST: T+: msg: username:
Jul 19 14:06:03.715 MEST: T+: data:
Jul 19 14:06:03.715 MEST: T+: End Packet

-------------------------------------------------------------------------------------------------------------

On the Cisco ISE we use for TACACS as a condition for the desired policy that a TACACS request comes and the username should start with "os" or "ex".

This policy on the ISE is skipped because no username is sent with the authentication on the TTY line and the condition therefore does not apply.

Of course, the policy could be designed differently, but the primary issue is why no username is sent.

Can this be influenced?

What is best practice for implementing authentication / authorization for the TTY lines?
Maybe even examples for a suitable policy set (Authentication / Authorization Policy)

Best regards,

Stephan

Re: Cisco Router as Terminal/Comm Server - TTY Line TACACS Authenticat

MHM Cisco World — Sat, 22 Jul 2023 22:16:28 GMT

I will check in my lab

Re: Cisco Router as Terminal/Comm Server - TTY Line TACACS Authenticat

stephanbrunst — Sun, 23 Jul 2023 18:21:21 GMT

Many thanks for your help. I'm looking forward to your feedback

Re: Cisco Router as Terminal/Comm Server - TTY Line TACACS Authenticat

MHM Cisco World — Mon, 24 Jul 2023 10:05:23 GMT

Difference between TACACS+ and RADIUS - GeeksforGeeks

All the AAA packets are encrypted in TACACS+ <<- the packet is encrypted in tacacs that why we can not see password or username

topic Re: Cisco Router as Terminal/Comm Server - TTY Line TACACS Authenticat in Network Access Control

Cisco Router as Terminal/Comm Server - TTY Line TACACS Authentication

Re: Cisco Router as Terminal/Comm Server - TTY Line TACACS Authenticat

Re: Cisco Router as Terminal/Comm Server - TTY Line TACACS Authenticat

Re: Cisco Router as Terminal/Comm Server - TTY Line TACACS Authenticat