topic Hi,When you say u can not in Network Access Control

ssh after ACS server "locked up" and had to be reconfigured no longer works.

Steve Coady — Mon, 11 Mar 2019 04:47:11 GMT

Hello

I have a VPN tunnel between an ASA5520 and a Cisco 891.

I had the 891 configured with the following:

aaa group server tacacs+ VTY
ip tacacs source-interface Loopback0
!
aaa group server tacacs+ TACACS-ACS
server 10.8.x.x
server 10.16.y.x
!
aaa authentication login CONSOLE none
aaa authentication login VTY group tacacs+ local
aaa authorization exec VTY group tacacs+ local
aaa authorization commands 0 VTY group tacacs+
aaa authorization commands 15 VTY group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting commands 15 CONSOLE start-stop group tacacs+

ip tacacs source-interface Loopback0

tacacs-server host 10.8.x.x key 7 yadayadayadayada
tacacs-server host 10.16.y.x key 7 yadayadayadayada
tacacs-server directed-request

line vty 0 4
access-class 1 in
authorization commands 15 VTY
authorization exec VTY
accounting commands 15 VTY
login authentication VTY
transport input ssh
line vty 5 15
access-class 1 in
authorization commands 15 VTY
authorization exec VTY
accounting commands 15 VTY
login authentication VTY
transport input ssh

I no longer can access device remotely. I am sure it has to do with the ACS server, but not sure where to look.

Any help would be greatly appreciated.

Hi,When you say u can not

kcnajaf — Thu, 12 Jun 2014 02:17:25 GMT

Hi,

When you say u can not access device remotely are you not able to ssh to device or there is no rechablity itself?

Is ssh is the problem then do you get a login prompt? Any error message? Also have you checked ACS failed logs for any messages?

Regards

Najaf

Najaf Thank you for the

Steve Coady — Thu, 12 Jun 2014 16:27:50 GMT

Najaf

Thank you for the response.

I mean I have no remote management access. Traffic is passing

This is a new site

I get login prompt

My Active director credentials and my local username/pass do not work.

Both worked prior to the ACS problems with bad sectors on HD. The ACS was reconfigured.

This appears to be the only site that is having trouble.

Hi,Do you see any failed

kcnajaf — Thu, 12 Jun 2014 18:04:13 GMT

Hi,

Do you see any failed authentication logs on ACS?

Where did you manage to get the aaa configuration? Are you using this as a standard template?

Could you try modifying the configuration as below?

config terminal

no aaa group server tacacs+ TACACS-ACS

aaa group server tacacs+ VTY

server 10.8.x.x
server 10.16.y.x

After this verify if tacacs authentication is working fine with below command (hope this command work on your device)

test aaa group tacacs VTY <username> <password> lega

Regards

Najaf

I get the following message

Steve Coady — Thu, 12 Jun 2014 18:21:55 GMT

I get the following message

Attempting authentication test to server-group tacacs+ using tacacs+

*Jun 12 18:19:15.245: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type *invalid_group_handle*No authoritative response from any server.

Hi,This is configuration

kcnajaf — Thu, 12 Jun 2014 18:44:14 GMT

Hi,

This is configuration issue.

Have you added the loop back interface ip of router on to AAA server as a AAA client?

Are the shared key same on both router and aaa?

If both the above are fine the remove the entire aaa configuration and apply them frsh as below.

no aaa new mode

enable password ***********
username admin privilege 15 password *********
aaa new-model
aaa group server tacacs+ VTY
server 10.8.x.x
server 10.16.y.x
aaa authentication login VTY group tacacs+ local
aaa authentication enable VTY group Tacacs+ enable

tacacs-server host 10.8.x.x key 7 xxxxx (xxxxx should be the same key used in ACS)
tacacs-server host 10.16.y.x key 7 xxxxx (xxxxx should be the same key used in ACS)
line vty 0 4
login authentication VTY

Hope that helps

Regards

Najaf

Najaf What about these other

Steve Coady — Thu, 12 Jun 2014 19:01:27 GMT

Najaf

What about these other commands on the line?

I wiped it out and

Steve Coady — Thu, 12 Jun 2014 20:40:25 GMT

I wiped it out and reconfigured as you requested. Still no access.

I get the following messages

Steve Coady — Thu, 12 Jun 2014 20:50:10 GMT

I get the following messages when I config line vty 0 4

Cisco891(config-line)# authorization commands 15 VTY
AAA: Warning authorization list "VTY" is not defined for CMD priv

Cisco891(config-line)# authorization exec VTY
AAA: Warning authorization list "VTY" is not defined for EXEC

Cisco891(config-line)# accounting commands 15 VTY
AAA: Warning accounting list "VTY" is not defined for CMD priv 15

Cisco891(config-line)# login authentication VTY
AAA: Warning authentication list "VTY" is not defined for LOGIN.

Cisco891(config-line)#^Z
Cisco 891#
*Jun 12 20:46:00.793: %SYS-5-CONFIG_I: Configured from console by console

What am I doing wrong?!?!?!?!?

Hi,I wanted you to try

kcnajaf — Fri, 13 Jun 2014 01:26:07 GMT

Hi,

I wanted you to try minimum configurations first. Even with out other configuration things should work..

Have you checked at AAA server end to confirm your router IP address is added there and shared key are matching?

Regards

Najaf