04-09-2009 01:42 AM
Configured CSS for TACACS authentication.
- CSS able to ping ACS server.
- ACS server able to ping CSS.
Product Name: CSS11503-AC E0 SW Version: 7.20 Build 104
CSS11503# show tac
IP/Port           State  Primary  Authen.  Author.  Account
---------------   -----  -------  -------  -------  -------
10.67.153.54:49   Dead   Yes      0        0        0
10.67.153.55:49   Dead   No       0        0        0
Totals:                           0        0        0
Global Timeout: 5
Global KAL Frequency: 5
Global Key: Configured
Authorize Config Commands: Yes
Authorize Non-Config Commands: Yes
Account Config Commands: Yes
Account Non-Config Commands: Yes
Set the keepalive frequency to 0, changed it to use one of the servers, and also redid the ACS configuration. Still no improvement.
Thanks for any help.
04-11-2009 06:29 AM
Hi Jeffrey Wong,
Generally, when TACACS+ authentication does not work with a CSS, the problem is usually a configuration issue on either the CSS or the TACACS+ server. The first thing that you need to check is whether you have configured the CSS as a client of the TACACS+ server.
When you have checked this, there is additional logging that you can use on the CSS in order to determine the problem. Complete these steps to turn on logging.
On the CSS, enter debug mode.
CSS# llama
CSS(debug)# mask tac 0x3
CSS(debug)# exit
CSS# configure
CSS(config)# logging subsystem security level debug-7
CSS(config)# logging subsystem netman level info-6
CSS(config)# exit
CSS# logon
!--- This logs messages to the screen.
In order to disable logging, issue these commands:
CSS# llama
CSS(debug)# mask tac 0x0
CSS(debug)# exit
CSS# no logon
These messages can appear:
SEP 10 08:30:10 5/1 99 SECURITY-7: SECMGR:SecurityAuth:Request from 0x20204b0c
SEP 10 08:30:10 5/1 100 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary
SEP 10 08:30:10 5/1 101 SECURITY-7: Security Manager sending error 7 reply to caller 20201c00
These messages indicate that the CSS tries to communicate with the TACACS+ server, but the TACACS+ server rejects the CSS. Error 7 means that the TACACS+ key entered in the CSS does not match the key on the TACACS+ server.
A successful login through a TACACS+ server shows this message (note the sending success 0 reply):
SEP 10 08:31:46 5/1 107 SECURITY-7: SECMGR:SecurityAuth:Request from 0x20204b0d
SEP 10 08:31:46 5/1 108 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary
SEP 10 08:31:47 5/1 109 SECURITY-7: Security Manager sending success 0 reply to caller 20201c00
SEP 10 08:31:47 5/1 110 SECURITY-7: SECMGR:SecurityMgrProc:Try Done, Send 0x20204b0d
Common Mistakes
The most common mistake when you set up a CSS to work with a TACACS+ server is actually very simple. This command tells the CSS what key to use to communicate with the TACACS+ server:
CSS(config)# tacacs-server key system enterkeyhere
This key can be either clear text or DES encrypted. The clear text key is DES encrypted before the key is placed in the running configuration. To make a key clear text, put it in quotes. To make it DES encrypted, do not use quotes. The important thing is to know if the TACACS+ key is DES encrypted or if the key is clear text. After you issue the command, match the key of the CSS to the key that the TACACS+ server uses.
Regards,
Sachin
04-15-2009 09:07 PM
I enabled the debug logging as indicated in the response.
========================================
Received the following when attempting to use TACACS username and password:
APR 16 00:59:55 1/1 1810 SECURITY-7: SECMGR:SecurityAuth:Request from 0x00004b13
APR 16 00:59:55 1/1 1811 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary
APR 16 00:59:55 1/1 1812 SECURITY-7: Security Manager sending error 7 reply to caller 1c01
APR 16 00:59:55 1/1 1813 SECURITY-7: SECMGR:SecurityMgrProc:Try Secondary
APR 16 00:59:55 1/1 1814 SECURITY-7: Security Manager sending error 7 reply to caller 1c01
APR 16 00:59:55 1/1 1815 SECURITY-7: SECMGR:SecurityMgrProc:Try Tertiary
APR 16 00:59:55 1/1 1816 SECURITY-7: Security Manager sending success 0 reply to caller 1c01
APR 16 00:59:55 1/1 1817 SECURITY-7: SECMGR:SecurityMgrProc:Try Done, Send 0x00004b13
========================================
My log messages are similar to your example. Therefore, I changed my TACACS key to a simple word (e.g., duh). I used both quoted ("duh") and then unquoted (duh).
Both times, TACACS authentication did not work.
Anything else to check?
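As an added example (not posted by either participant in this thread), a small Python parser that reads the CSS SECURITY-7 debug lines quoted above and reports, for each authentication method tried (Primary, Secondary, Tertiary), whether the Security Manager replied with error 7 (a TACACS+ key mismatch, per the reply above) or success 0. The sample log is the one posted in this thread, re-typed here; the code-to-meaning mapping is only what the thread states, and the regexes match the "sending ... reply" text before the "to caller" part, so the line-wrapped variants quoted earlier parse the same way.

```python
import re

# Constructed sample: the CSS debug output posted above, re-typed.
SAMPLE_LOG = """\
APR 16 00:59:55 1/1 1810 SECURITY-7: SECMGR:SecurityAuth:Request from 0x00004b13
APR 16 00:59:55 1/1 1811 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary
APR 16 00:59:55 1/1 1812 SECURITY-7: Security Manager sending error 7 reply to caller 1c01
APR 16 00:59:55 1/1 1813 SECURITY-7: SECMGR:SecurityMgrProc:Try Secondary
APR 16 00:59:55 1/1 1814 SECURITY-7: Security Manager sending error 7 reply to caller 1c01
APR 16 00:59:55 1/1 1815 SECURITY-7: SECMGR:SecurityMgrProc:Try Tertiary
APR 16 00:59:55 1/1 1816 SECURITY-7: Security Manager sending success 0 reply to caller 1c01
APR 16 00:59:55 1/1 1817 SECURITY-7: SECMGR:SecurityMgrProc:Try Done, Send 0x00004b13
"""

# "Try Done" deliberately does not match: only real method attempts are tracked.
TRY_RE = re.compile(r"SecurityMgrProc:Try (Primary|Secondary|Tertiary)\b")
REPLY_RE = re.compile(r"Security Manager sending (success|error) (\d+) reply")

# Reply codes and their meaning as stated in this thread; anything else is unknown.
REPLY_MEANING = {
    ("success", 0): "authenticated",
    ("error", 7): "TACACS+ key mismatch",
}


def parse_auth_attempts(log_text):
    """Return (method, kind, code, meaning) tuples, one per 'Try <method>' step."""
    attempts = []
    current = None
    for line in log_text.splitlines():
        m = TRY_RE.search(line)
        if m:
            current = m.group(1)          # a new method is being tried
            continue
        m = REPLY_RE.search(line)
        if m and current is not None:     # the reply belongs to the pending try
            kind, code = m.group(1), int(m.group(2))
            meaning = REPLY_MEANING.get((kind, code), "unknown reply code")
            attempts.append((current, kind, code, meaning))
            current = None
    return attempts


def diagnose(attempts):
    """Which methods were refused for a key mismatch, and which one accepted the login."""
    mismatched = [a[0] for a in attempts if (a[1], a[2]) == ("error", 7)]
    accepted = next((a[0] for a in attempts if (a[1], a[2]) == ("success", 0)), None)
    return {"key_mismatch": mismatched, "accepted_by": accepted}
```

On the sample above, both configured TACACS+ servers (Primary and Secondary) return error 7 and only the Tertiary method accepts the login, which is the pattern to expect when the key on the CSS and on ACS do not agree.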
04-11-2009 06:43 PM
Hi Dear,
Lists the external user databases that CiscoSecure ACS uses to authenticate an unknown user (if the Check the following external user databases option is selected). CiscoSecure ACS attempts authentication using the selected databases one at a time in the order specified.
Users whose accounts were created in the CiscoSecure ACS database when CiscoSecure ACS successfully authenticated them using the Unknown User Policy. When CiscoSecure ACS creates a discovered user, the user account contains only the username, a Password Authentication list setting that reflects the external user database that authenticated the user, and a "Group to which the user is assigned" list setting of Mapped By External Authenticator, which enables group mapping. Using the CiscoSecure ACS HTML interface, you can further configure the user account as needed. For example, after a discovered user is created in CiscoSecure ACS, you can assign user-specific network access restrictions to the discovered user.
04-16-2009 12:04 AM
Hi Dear,
In version 5.03 and later, you can configure the CSS to use TACACS+ for user authentication. In order to configure the CSS for TACACS+ authentication, refer to the Release Notes for the CSS 11000 Series.
http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_release_notes_list.html
In order to view the debugs that are associated with TACACS+ logins, issue these commands:
logging subsystem security level debug-7
logging subsystem netman level debug-7
This is an example of a failed authentication because of an incorrect user name or password:
JUL 23 01:54:41 7/1 109 SECURITY-7: SECMGR:SecurityAuth:Request from 0x30204b0a
JUL 23 01:54:41 7/1 110 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary
JUL 23 01:54:41 7/1 111 NETMAN-7: TACACS:tac_Authen:Final
JUL 23 01:54:41 7/1 112 NETMAN-7: TACACS:TACACS_AuthAgent:Rqst Rsp
JUL 23 01:54:41 7/1 113 SECURITY-7: Security Manager sending success 0 reply to caller 30201c00
JUL 23 01:54:41 7/1 114 SECURITY-7: SECMGR:SecurityMgrProc:Try Secondary
JUL 23 01:54:41 7/1 115 SECURITY-7: Security Manager sending error 7 reply to caller 30201c00
JUL 23 01:54:41 7/1 116 SECURITY-7: SECMGR:SecurityMgrProc:Try Tertiary
JUL 23 01:54:41 7/1 117 SECURITY-7: Security Manager sending error 7 reply to caller 30201c00
JUL 23 01:54:41 7/1 118 SECURITY-7: SECMGR:SecurityMgrProc:Try Done, Send 0x30204b0a
continued page 2......
04-16-2009 12:11 AM
page 2.....
These are resolved caveats regarding TACACS+:
Resolved Caveats in Software Version 6.10.4.05
The following resolved caveats apply to software version 6.10.4.05:
CSCee24309 - The CSS was not properly authorizing all commands through the TACACS+ server.
CSCee80408 - Using the tacacs-server authorize config or the no tacacs-server authorize config commands cause a memory leak.
Software Behavioral Changes in 6.10.2.03
The show tacacs-server display has the following new Per-Server Configuration fields:
- Key - Shared secret used by the TACACS+ server.
- Server Timeout - The amount of time the CSS waits for a response from the server.
- Server Frequency - The keepalive frequency for the specified TACACS+ server.
The show tacacs-server screen display also has a new Global Configuration field: Global KAL Frequency. This field defines the global keepalive frequency in seconds.
- All global tacacs-server parameters (frequency, key, and timeout) take effect immediately when configured. You no longer need to remove and re-add servers for these parameters to take effect. Also, you may configure these parameters in any order.
Resolved Caveats in Software Version 6.10.2.03
CSCec83790 - If the TACACS server is in a DYING state, new authentication requests fail.
tacacs-server send-full-command
no tacacs-server send-full-command
The send-full-command option expands user-executed abbreviated commands to their full command syntax before the CSS sends them to the TACACS+ server.
Use the no form of the command to reset the default CSS behavior of sending user-executed commands exactly as entered to the TACACS+ server without expanding abbreviated commands.
CSCeb20895 - TACACS+ accounting records sent by the CSS have an incorrect Attribute Value (AV) pair. The record contains task=
Global
tacacs-server ip_address port {timeout ["cleartext_key"|des_key]} {primary} {frequency number}
The frequency number option for the tacacs-server command allows you to set the keepalive frequency for the specified TACACS+ server. The default number variable is 5 seconds. The range for the variable is 0 to 255. A setting of 0 disables keepalives. Defining this option overrides the global tacacs-server frequency command.
To apply any TACACS+ global attribute, such as the keepalive frequency, to a TACACS+ server, you must configure the global attribute before you configure the server.
tacacs-server frequency number
no tacacs-server frequency number
The frequency number option for the tacacs-server command allows you to set the global keepalive frequency for all TACACS+ servers. The default number variable is 5 seconds. The range for the variable is 0 to 255. A setting of 0 disables keepalives. The no form of the command resets the global keepalive frequency to 5 seconds.
When you configure the keepalive frequency for a TACACS+ server, the server keepalive frequency overrides the global keepalive frequency.
To apply a global attribute to a configured CSS TACACS+ server and have it take effect immediately, you must remove the server and then reconfigure it.
CSCea10851 - The CSS primary authentication method should be consistent with Cisco IOS. If the primary authentication method is TACACS/RADIUS and the server rejects the login, the secondary/tertiary method is not tried. If the server is not responding, the secondary/tertiary method is tried. If the primary authentication method is LOCAL, the secondary/tertiary method is tried only if the username is not in the local database.
Can you please tell me which version of CSS you are using?
If this also does not solve your problem, please revert back without any hesitation. I will try my level best to troubleshoot for you.
Kind regards.