04-21-2009 11:32 AM - edited 03-10-2019 04:27 PM
My AAA commands:
aaa new-model
aaa authentication login default group tacacs enable
aaa authorization exec default group tacacs none
aaa accounting connection default start-stop group tacacs
aaa session-id common
tacacs-server host [server address]
tacacs-server key [key]
ip tacacs source-interface fast 0
And the debug for authentication and TACACS:
00:08:50: AAA/AUTHEN/LOGIN (00000007): Pick method list 'default'
00:08:50: TPLUS: Queuing AAA Authentication request 7 for processing
00:08:50: TPLUS: processing authentication start request id 7
00:08:50: TPLUS: Authentication start packet created for 7()
00:08:50: TPLUS: Using server 201.0.99.97
Password:
00:08:55: TPLUS(00000007): Select Timed out
00:08:55: AAA/AUTHEN/ENABLE(00000007): Processing request action LOGIN
00:08:55: AAA/AUTHEN/ENABLE(00000007): Done status GET_PASSWORD
Nacogdoches>
00:08:59: AAA/AUTHEN/ENABLE(00000007): Processing request action LOGIN
00:08:59: AAA/AUTHEN/ENABLE(00000007): Done status PASS
I can ping the TACACS server from the router. This set of commands does work for the 1841s that I'm using.
04-21-2009 12:08 PM
Do you see any hits on acs passed or failed attempts? Make sure you are using correct source interface.
04-21-2009 12:33 PM
There are no hits in failed attempts; I can see my passed logins from the other routers. I currently have the source interface set to Loopback 0, and have also tried setting the source to fast0 with the same result. The weird part is that these commands work flawlessly on all my 1841s. This is ACS 4.1 on Server 03 if that helps.
04-21-2009 12:40 PM
ACS --> Network Configuration --> Router --> IP
The IP address defined in acs should be of the interface defined as "tacacs source" in router.
Did you check the shared secret key?
Please get
debug aaa authentication
debug aaa authorization
04-21-2009 12:53 PM
The IP of the source interface is the same one specified in ACS, and I also verified the shared secret is correct.
01:33:46: AAA/AUTHEN/LOGIN (00000008): Pick method list 'default'
Password:
01:33:51: AAA/AUTHEN/ENABLE(00000008): Processing request action LOGIN
01:33:51: AAA/AUTHEN/ENABLE(00000008): Done status GET_PASSWORD
Nacogdoches>
01:33:54: AAA/AUTHEN/ENABLE(00000008): Processing request action LOGIN
01:33:54: AAA/AUTHEN/ENABLE(00000008): Done status PASS
04-21-2009 01:17 PM
Are you able to clear the first username/password prompt?
Or is it not accepting the enable password? What error do you get after issuing the enable password?
04-21-2009 01:31 PM
The first prompt is using the enable password as failover for ACS, so I can get past the login and the prompt for the EN password; it's just not hitting the ACS box with the request. Here is login/EN without the debug.
Press RETURN to get started.
Password:
Nacogdoches>en
Password:
Nacogdoches#
04-21-2009 01:41 PM
Check if any firewall is blocking the TACACS port. Try to telnet to port 49 using the ACS IP address.
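The telnet-to-port-49 test above can be scripted so that it also binds to a chosen source address, which is the part a plain telnet cannot do and the part that matters when the router sends from a loopback. This is an added example, not code from the thread or from Cisco; it assumes nothing about the poster's environment beyond TACACS+ on TCP/49, and `self_check()` uses a throwaway listener on 127.0.0.1 so it runs offline. Run it against the real ACS address from a host whose source address you control to separate "filtered or no return route" (timeout, which is what the router's "Select Timed out" means) from "host reachable but nothing listening" (refused).

```python
import socket

TACACS_PORT = 49  # TACACS+ listens on TCP/49


def tcp_reachable(host, port=TACACS_PORT, source=None, timeout=3.0):
    """Attempt a TCP handshake with host:port, optionally from a given source address.

    Returns (reachable, detail). Binding to `source` mirrors what the router does
    with `ip tacacs source-interface`: the server needs a return route to that
    address, otherwise the SYN/ACK goes nowhere and the probe times out, just like
    the router's "Select Timed out".
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        if source is not None:
            sock.bind((source, 0))  # port 0: let the OS pick an ephemeral port
        sock.connect((host, port))
        return True, "connected"
    except socket.timeout:
        return False, "timeout"
    except OSError as exc:
        return False, f"{type(exc).__name__}: {exc}"
    finally:
        sock.close()


def interpret(reachable, detail):
    """Map a probe result onto the causes discussed in the thread."""
    if reachable:
        return "TCP/49 open: path and daemon are fine; next check the shared key and the client IP defined in ACS"
    if detail == "timeout":
        return "no answer: filtered, or the server has no route back to the source address"
    if detail.startswith("ConnectionRefusedError"):
        return "host answers but nothing listens on the port: TACACS+ service down or wrong port"
    return f"other failure: {detail}"


def self_check():
    """Exercise both outcomes against a throwaway listener on the loopback interface."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        open_result = tcp_reachable("127.0.0.1", port, source="127.0.0.1")
    finally:
        listener.close()
    closed_result = tcp_reachable("127.0.0.1", port)  # nothing listens any more
    return open_result, closed_result


if __name__ == "__main__":
    for result in self_check():
        print(result, "->", interpret(*result))
```

A timeout from the router's source address but a successful connect from the probing host's own address points at routing or NAT on the return path rather than at the TACACS+ daemon itself.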
04-22-2009 05:17 AM
There are no firewalls other than at the pc level from my desk to the ACS box. I'm starting to think there's something unique with the 1720.
04-23-2009 08:21 AM
Richard
I have had quite a few 1720s that authenticate with ACS without problem. I do not think your issue is something unique about the 1720.
Can you do debug tacacs authentication, try another login, and post the debug output?
HTH
Rick
04-30-2009 08:33 AM
This is me trying to log in via telnet, with debug on for TACACS and authentication/authorization. I'm not sure why it's timing out. I can ping the ACS server; however, ping fails when I specify the source, Loopback 0, which is my TACACS source.
02:10:57: AAA/AUTHEN/LOGIN (0000000A): Pick method list 'default'
02:10:57: TPLUS: Queuing AAA Authentication request 10 for processing
02:10:57: TPLUS: processing authentication start request id 10
02:10:57: TPLUS: Authentication start packet created for 10()
02:10:57: TPLUS: Using server 201.0.99.97
02:11:02: TPLUS(0000000A): Select Timed out
02:11:02: AAA/AUTHEN/ENABLE(0000000A): Processing request action LOGIN
02:11:02: AAA/AUTHEN/ENABLE(0000000A): Done status GET_PASSWORD
02:11:04: AAA/AUTHEN/ENABLE(0000000A): Processing request action LOGIN
02:11:04: AAA/AUTHEN/ENABLE(0000000A): Done status PASS
02:11:04: AAA/AUTHOR (0xA): Pick method list 'default'
02:11:04: TPLUS: Queuing AAA Authorization request 10 for processing
02:11:04: TPLUS: processing authorization request id 10
02:11:04: TPLUS: Sending AV service=shell
02:11:04: TPLUS: Sending AV cmd*
02:11:04: TPLUS: Authorization request created for 10()
02:11:04: TPLUS: Using server 201.0.99.97
02:11:09: TPLUS(0000000A): Select Timed out
02:11:09: AAA/AUTHOR/EXEC(0000000A): Authorization FAILED
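The debug above tells the whole story once you read the lines per session id: the server never answers, the login quietly succeeds through the `enable` fallback method, and exec authorization then fails for the same reason. The following script, added here and not part of the thread or of any Cisco tool, groups `debug tacacs` / `debug aaa` lines by session id and states that conclusion directly. `SAMPLE_DEBUG` is a constructed sample modelled on the output posted above; the line patterns it matches are the ones visible in the thread, so other IOS releases may need the regexes adjusted.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample modelled on the thread's "debug tacacs" / "debug aaa" output.
SAMPLE_DEBUG = """\
02:10:57: AAA/AUTHEN/LOGIN (0000000A): Pick method list 'default'
02:10:57: TPLUS: Queuing AAA Authentication request 10 for processing
02:10:57: TPLUS: Using server 201.0.99.97
02:11:02: TPLUS(0000000A): Select Timed out
02:11:02: AAA/AUTHEN/ENABLE(0000000A): Processing request action LOGIN
02:11:04: AAA/AUTHEN/ENABLE(0000000A): Done status PASS
02:11:04: AAA/AUTHOR (0xA): Pick method list 'default'
02:11:04: TPLUS: Queuing AAA Authorization request 10 for processing
02:11:04: TPLUS: Using server 201.0.99.97
02:11:09: TPLUS(0000000A): Select Timed out
02:11:09: AAA/AUTHOR/EXEC(0000000A): Authorization FAILED
"""

# Session ids appear as (0000000A) in AUTHEN/TPLUS lines and as (0xA) in AUTHOR lines.
SESSION_RE = re.compile(r"\((?:0x)?([0-9A-Fa-f]+)\)")
QUEUE_RE = re.compile(r"TPLUS: Queuing AAA (\w+) request (\d+)")
SERVER_RE = re.compile(r"TPLUS: Using server (\S+)")
AUTHOR_RE = re.compile(r"AAA/AUTHOR/EXEC\(.*?\): Authorization (\w+)")


@dataclass
class Session:
    sid: int
    servers: set = field(default_factory=set)
    timeouts: int = 0
    enable_fallback_pass: bool = False
    exec_authorization: Optional[str] = None


def analyze(debug_text: str) -> Dict[int, Session]:
    """Fold debug lines into one Session record per AAA session id."""
    sessions: Dict[int, Session] = {}
    current: Optional[int] = None  # request id of the most recently queued TPLUS request
    for line in debug_text.splitlines():
        m = QUEUE_RE.search(line)
        if m:
            current = int(m.group(2))  # decimal request id == hex session id
        m = SESSION_RE.search(line)
        sid = int(m.group(1), 16) if m else current  # TPLUS lines without an id belong to `current`
        if sid is None:
            continue
        s = sessions.setdefault(sid, Session(sid))
        m = SERVER_RE.search(line)
        if m:
            s.servers.add(m.group(1))
        if "Select Timed out" in line:
            s.timeouts += 1
        if "AAA/AUTHEN/ENABLE" in line and "Done status PASS" in line:
            s.enable_fallback_pass = True  # login passed via the local enable secret, not via TACACS+
        m = AUTHOR_RE.search(line)
        if m:
            s.exec_authorization = m.group(1)
    return sessions


def diagnose(s: Session) -> str:
    """Turn a Session record into the sentence a reviewer would write."""
    if s.timeouts == 0:
        return f"session {s.sid:#x}: TACACS+ answered; no fallback needed"
    where = ", ".join(sorted(s.servers)) or "unknown server"
    parts = [f"session {s.sid:#x}: {s.timeouts} TACACS+ timeout(s) from {where}"]
    if s.enable_fallback_pass:
        parts.append("login fell back to the local 'enable' method (server unreachable, not a rejected credential)")
    if s.exec_authorization == "FAILED":
        parts.append("exec authorization failed because the server never replied")
    return "; ".join(parts)


if __name__ == "__main__":
    for session in analyze(SAMPLE_DEBUG).values():
        print(diagnose(session))
```

The important detail for anyone reading such debugs is that "Done status PASS" under AAA/AUTHEN/ENABLE is not a TACACS+ success; it is the fallback method in `aaa authentication login default group tacacs enable` masking an unreachable server, which is why ACS shows neither a passed nor a failed attempt.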
04-30-2009 10:25 AM
Richard
It is helpful to know that a standard ping to the TACACS server does work but that an extended ping which specifies the source as the loopback fails. This suggests that there is a routing problem and that the TACACS server does not have a route to the subnet of the loopback.
Would you be able to start from the TACACS server and do a traceroute toward the loopback address. It might be interesting to see how far that gets and it might help to identify where the problem is.
HTH
Rick
04-30-2009 10:49 AM
The problem I'll have with a traceroute is that the IP I'm using for Loopback 0 is a real IP outside my network. When I run a traceroute it's just going to hop to the real-world IP. I can use traceroute from the ACS server to the outside NAT IP on the router, but that's only one hop.
C:\tracert 207.16.131.110
Tracing route to 207.16.131.110 over a maximum of 30 hops
1 1 ms 1 ms 1 ms 207.16.131.110
Would it be possible for you to post the relevant part of one of your configs so that I can compare it with mine?
04-30-2009 12:15 PM
Richard
Can you tell us about the network translation, is it static translation or dynamic, or is it using overload to PAT on the outbound interface? I wonder if the issue with TACACS has anything to do with the translation?
Relevant information from one of the 1721s that does successfully authenticate with TACACS:
IOS (tm) C1700 Software (C1700-ADVSECURITYK9-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
interface Loopback0
ip address 10.42.186.2 255.255.255.255
ip tacacs source-interface Loopback0
tacacs-server host 172.16.24.20
tacacs-server host 172.16.130.103
tacacs-server key [removed]
and an extended ping from the router to the TACACS server using the loopback as source does get successful responses.
HTH
Rick
04-30-2009 12:56 PM
We use static translation. As for PAT, I don't believe we are using it; I made any port settings in the router or in the ACS server. I do have this command in the router:
ip nat inside source route-map nonat interface FastEthernet0 overload