09-26-2005 06:49 AM - edited 03-10-2019 02:19 PM
I try to configure an aaa session on a router 2600; this router doesn't register on the NAS.
This is the log message from "debug tacacs":
02:41:46: %SYS-5-CONFIG_I: Configured from console by console
02:41:49: TAC+: send AUTHEN/START packet ver=192 id=2012248911
02:41:49: TAC+: Using default tacacs server-group "tacacs+" list.
02:41:49: TAC+: Opening TCP/IP to 10.2.1.1/49 timeout=5
02:41:49: TAC+: Opened TCP/IP handle 0x811DE258 to 10.2.1.1/49
02:41:49: TAC+: 10.2.1.1 (2012248911) AUTHEN/START/LOGIN/ASCII queued
02:41:54: TAC+: 10.2.1.1 (2012248911) AUTHEN/START/LOGIN/ASCII -- TIMED OUT
02:41:54: TAC+: (2012248911) AUTHEN/START/LOGIN/ASCII processed
02:41:54: TAC+: Closing TCP/IP 0x811DE258 connection to 10.2.1.1/49
02:41:54: TAC+: Using default tacacs server-group "tacacs+" list.
On the NAS I configure the client with the following elements:
ip address 10.2.1.254
shared secret: cisco
This is the Cisco router tacacs configuration:
aaa new-model
aaa authentication login default group tacacs+
enable secret xxx.
enable password pat
tacacs-server host 10.2.1.1 key cisco
tacacs-server directed-request
!
Every suggestion will be appreciated.
Best regards.
09-26-2005 11:03 AM
It looks to me like the 2600 sends a request to the TACACS server and does not get any response. Probably the first thing I would do would be to test for IP connectivity by seeing if you can do an extended ping from the 2600 to 10.2.1.1 and specifying 10.2.1.254 as the source.
If you can demonstrate that there is IP connectivity the next thing I would look at is a traceroute from the TACACS server to 10.2.1.254. Make sure that the server gets a response and look to see if the response came from the 2600 using address 10.2.1.254. (This will help make sure that the authentication request is sourced from the address that you think it is.)
If that checks out the next thing I would do is to look in the logs on the TACACS server and see if there is any indication that it heard the request from the 2600. If there are log messages they may indicate the nature of the problem.
Try these things and let us know what you find.
HTH
Rick
09-26-2005 11:15 PM
Yes,
the problem was the secondary address: the ip address 10.2.1.254 was secondary. It doesn't send the request with the secondary but with the primary address.
I removed the secondary address and made it primary.
Here is the new log I obtain:
01:12:09: TAC+: Closing TCP/IP 0x812C22B4 connection to 10.2.1.1/49
Login:
12:41:15: TAC+: send AUTHEN/START packet ver=192 id=621179624
12:41:15: TAC+: Using default tacacs server-group "tacacs+" list.
12:41:15: TAC+: Opening TCP/IP to 10.2.1.1/49 timeout=5
12:41:15: TAC+: Opened TCP/IP handle 0x812C1FD8 to 10.2.1.1/49
12:41:15: TAC+: 10.2.1.1 (621179624) AUTHEN/START/LOGIN/ASCII queued
12:41:15: TAC+: (621179624) AUTHEN/START/LOGIN/ASCII processed
12:41:15: TAC+: ver=192 id=621179624 received AUTHEN status = GETUSERtest
Password:
12:41:23: TAC+: send AUTHEN/CONT packet id=621179624
12:41:23: TAC+: 10.2.1.1 (621179624) AUTHEN/CONT queued
12:41:23: TAC+: (621179624) AUTHEN/CONT processed
12:41:23: TAC+: ver=192 id=621179624 received AUTHEN status = GETPASS
Login failed
Best regards.
09-27-2005 04:49 AM
I am glad that you were able to resolve the issue with the secondary address. From the log messages in this post it is clear that the router is communicating with the TACACS server. Especially receipt of the GETUSER and the GETPASS show that the router is sending to the server and is getting responses. So the addresses are correct and the TACACS keys are ok. I am not sure why the login failed. Probably the best way to find the problem is to look in the logs on the TACACS server. It saw an authentication request and the logs should indicate the reason that the request failed. The obvious possibilities are incorrect entry of the user ID or password, or incorrect configuration of the user in the TACACS server, or the user is not configured in the server for access to this router. But the logs should have the answer.
HTH
Rick
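The distinction Rick draws above, between a TACACS+ exchange that times out with no reply and one where the server answers GETUSER/GETPASS and then rejects the login, can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small parser for "debug tacacs" output that classifies a session. The two sample traces are constructed from the lines quoted in this thread; the status names are the standard TACACS+ authentication reply statuses.

```python
import re

# Constructed samples, taken from the two traces quoted in this thread.
TIMED_OUT_LOG = """\
02:41:49: TAC+: send AUTHEN/START packet ver=192 id=2012248911
02:41:49: TAC+: Opening TCP/IP to 10.2.1.1/49 timeout=5
02:41:49: TAC+: 10.2.1.1 (2012248911) AUTHEN/START/LOGIN/ASCII queued
02:41:54: TAC+: 10.2.1.1 (2012248911) AUTHEN/START/LOGIN/ASCII -- TIMED OUT
02:41:54: TAC+: Closing TCP/IP 0x811DE258 connection to 10.2.1.1/49
"""

FAILED_LOGIN_LOG = """\
12:41:15: TAC+: send AUTHEN/START packet ver=192 id=621179624
12:41:15: TAC+: Opening TCP/IP to 10.2.1.1/49 timeout=5
12:41:15: TAC+: ver=192 id=621179624 received AUTHEN status = GETUSERtest
12:41:23: TAC+: send AUTHEN/CONT packet id=621179624
12:41:23: TAC+: ver=192 id=621179624 received AUTHEN status = GETPASS
Login failed
"""

SERVER_RE = re.compile(r"Opening TCP/IP to (\S+?)/(\d+) timeout=(\d+)")
# The typed username can be glued onto the status ("GETUSERtest" above),
# so match the known status names as prefixes rather than whole words.
STATUS_RE = re.compile(r"status = (PASS|FAIL|GETDATA|GETUSER|GETPASS|RESTART|ERROR|FOLLOW)")

def diagnose(log: str) -> dict:
    """Classify one debug tacacs trace: which server, what it answered, how it ended."""
    server, statuses, timed_out, login_failed = None, [], False, False
    for line in log.splitlines():
        if m := SERVER_RE.search(line):
            server = f"{m.group(1)}:{m.group(2)}"
        if m := STATUS_RE.search(line):
            statuses.append(m.group(1))
        if "-- TIMED OUT" in line:
            timed_out = True
        if line.strip() == "Login failed":
            login_failed = True
    if timed_out and not statuses:
        # No reply at all: reachability, source address, or missing client entry on the server.
        verdict = "NO_RESPONSE"
    elif "PASS" in statuses:
        verdict = "PASS"
    elif login_failed or "FAIL" in statuses:
        # Server answered, so addressing is right; the server's own log holds the reason.
        verdict = "LOGIN_FAILED"
    else:
        verdict = "INCOMPLETE"
    return {"server": server, "statuses": statuses, "timed_out": timed_out, "verdict": verdict}
```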