492 Views, 0 Helpful, 3 Replies

aaa default

stephtchoko
Level 3

I am trying to configure an AAA session on a 2600 router; this router doesn't register on the NAS.

These are the log messages from "debug tacacs":

02:41:46: %SYS-5-CONFIG_I: Configured from console by console
02:41:49: TAC+: send AUTHEN/START packet ver=192 id=2012248911
02:41:49: TAC+: Using default tacacs server-group "tacacs+" list.
02:41:49: TAC+: Opening TCP/IP to 10.2.1.1/49 timeout=5
02:41:49: TAC+: Opened TCP/IP handle 0x811DE258 to 10.2.1.1/49
02:41:49: TAC+: 10.2.1.1 (2012248911) AUTHEN/START/LOGIN/ASCII queued
02:41:54: TAC+: 10.2.1.1 (2012248911) AUTHEN/START/LOGIN/ASCII -- TIMED OUT
02:41:54: TAC+: (2012248911) AUTHEN/START/LOGIN/ASCII processed
02:41:54: TAC+: Closing TCP/IP 0x811DE258 connection to 10.2.1.1/49
02:41:54: TAC+: Using default tacacs server-group "tacacs+" list.

On the NAS I configured the client with the following elements:

ip address 10.2.1.254
shared secret: cisco

This is the Cisco router TACACS configuration:

aaa new-model
aaa authentication login default group tacacs+
enable secret xxx
enable password pat
tacacs-server host 10.2.1.1 key cisco
tacacs-server directed-request
!

Every suggestion will be appreciated.

Best regards.

3 Replies

Richard Burts
Hall of Fame

It looks to me like the 2600 sends a request to the TACACS server and does not get any response. Probably the first thing I would do would be to test for IP connectivity by seeing if you can do an extended ping from the 2600 to 10.2.1.1 and specifying 10.2.1.254 as the source.

If you can demonstrate that there is IP connectivity the next thing I would look at is a traceroute from the TACACS server to 10.2.1.254. Make sure that the server gets a response and look to see if the response came from the 2600 using address 10.2.1.254. (This will help make sure that the authentication request is sourced from the address that you think it is.)

If that checks out the next thing I would do is to look in the logs on the TACACS server and see if there is any indication that it heard the request from the 2600. If there are log messages they may indicate the nature of the problem.

Try these things and let us know what you find.

HTH

Rick


Yes,

The problem was the secondary address: the IP address 10.2.1.254 was a secondary address. The router doesn't send the request with the secondary address but with the primary address.

I removed the secondary address and made it the primary.

Here is the new log I obtained:

01:12:09: TAC+: Closing TCP/IP 0x812C22B4 connection to 10.2.1.1/49

Login:
12:41:15: TAC+: send AUTHEN/START packet ver=192 id=621179624
12:41:15: TAC+: Using default tacacs server-group "tacacs+" list.
12:41:15: TAC+: Opening TCP/IP to 10.2.1.1/49 timeout=5
12:41:15: TAC+: Opened TCP/IP handle 0x812C1FD8 to 10.2.1.1/49
12:41:15: TAC+: 10.2.1.1 (621179624) AUTHEN/START/LOGIN/ASCII queued
12:41:15: TAC+: (621179624) AUTHEN/START/LOGIN/ASCII processed
12:41:15: TAC+: ver=192 id=621179624 received AUTHEN status = GETUSERtest

Password:
12:41:23: TAC+: send AUTHEN/CONT packet id=621179624
12:41:23: TAC+: 10.2.1.1 (621179624) AUTHEN/CONT queued
12:41:23: TAC+: (621179624) AUTHEN/CONT processed
12:41:23: TAC+: ver=192 id=621179624 received AUTHEN status = GETPASS

Login failed

Best regards.

I am glad that you were able to resolve the issue with the secondary address. From the log messages in this post it is clear that the router is communicating with the TACACS server. Especially receipt of the GETUSER and the GETPASS show that the router is sending to the server and is getting responses. So the addresses are correct and the TACACS keys are ok. I am not sure why the login failed. Probably the best way to find the problem is to look in the logs on the TACACS server. It saw an authentication request and the logs should indicate the reason that the request failed. The obvious possibilities are incorrect entry of the user ID or password, or incorrect configuration of the user in the TACACS server, or the user is not configured in the server for access to this router. But the logs should have the answer.

HTH

Rick

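The two captures in this thread illustrate the distinction Rick draws: a session that ends in "TIMED OUT" with no status received means the server never answered (reachability, source address or client entry on the server), while GETUSER/GETPASS prove the server is reachable and the key is accepted, so any remaining failure is a credential or server-side authorization matter. The following script is an added example, not code from the thread or from Cisco: it parses "debug tacacs" lines of the format shown above (the sample capture is constructed from the two posts, trimmed) and triages each TACACS+ session by id. It goes slightly beyond the page by also recognising the PASS, FAIL, ERROR, RESTART and GETDATA status names, which the captures here do not show. The session-id regexes, the verdict names and the hint text are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample: the two "debug tacacs" captures from the thread,
# trimmed to the lines the triage needs. Note the console echo of the
# typed username fused onto the GETUSER line, exactly as in the post.
SAMPLE_CAPTURE = """\
02:41:49: TAC+: send AUTHEN/START packet ver=192 id=2012248911
02:41:49: TAC+: Opening TCP/IP to 10.2.1.1/49 timeout=5
02:41:49: TAC+: 10.2.1.1 (2012248911) AUTHEN/START/LOGIN/ASCII queued
02:41:54: TAC+: 10.2.1.1 (2012248911) AUTHEN/START/LOGIN/ASCII -- TIMED OUT
02:41:54: TAC+: Closing TCP/IP 0x811DE258 connection to 10.2.1.1/49
Login:
12:41:15: TAC+: send AUTHEN/START packet ver=192 id=621179624
12:41:15: TAC+: Opening TCP/IP to 10.2.1.1/49 timeout=5
12:41:15: TAC+: 10.2.1.1 (621179624) AUTHEN/START/LOGIN/ASCII queued
12:41:15: TAC+: ver=192 id=621179624 received AUTHEN status = GETUSERtest
Password:
12:41:23: TAC+: send AUTHEN/CONT packet id=621179624
12:41:23: TAC+: 10.2.1.1 (621179624) AUTHEN/CONT queued
12:41:23: TAC+: ver=192 id=621179624 received AUTHEN status = GETPASS
"""

# Only lines carrying the "TAC+:" tag are debug output; "Login:" and
# "Password:" are console prompts and are skipped.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}: TAC\+: (?P<msg>.*)$")
# "<server> (<id>) AUTHEN/... queued" ties a session id to the server it was sent to.
QUEUED_RE = re.compile(r"(?P<server>[\d.]+) \((?P<sid>\d+)\) AUTHEN/\S+ queued")
TIMEOUT_RE = re.compile(r"\((?P<sid>\d+)\) AUTHEN/\S+ -- TIMED OUT")
# The typed username can be echoed onto the same line ("GETUSERtest"), so the
# status is matched as a known-name prefix, not as a whole token.
STATUS_RE = re.compile(
    r"id=(?P<sid>\d+) received AUTHEN status = "
    r"(?P<status>GETUSER|GETPASS|GETDATA|PASS|FAIL|ERROR|RESTART)"
)

# Hypothetical verdict names and defender-facing hints (my wording, not Cisco's).
HINTS = {
    "NO_RESPONSE": "server never answered: check reachability from the router's "
                   "actual source address (a secondary address is not used), the "
                   "TCP/49 path, and the client entry on the server",
    "SERVER_RESPONDING": "server reachable and key accepted; an unfinished or failed "
                         "login is a credential or server-side authorization matter, "
                         "so check the server's logs",
    "AUTH_PASS": "authentication succeeded",
    "AUTH_FAIL": "server rejected the credentials; check the server's logs",
    "UNKNOWN": "no conclusive debug lines for this session",
}


def parse_sessions(capture):
    """Group debug lines by TACACS+ session id."""
    sessions = defaultdict(lambda: {"server": None, "timed_out": False, "statuses": []})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if (q := QUEUED_RE.search(msg)):
            sessions[q["sid"]]["server"] = q["server"]
        elif (t := TIMEOUT_RE.search(msg)):
            sessions[t["sid"]]["timed_out"] = True
        elif (s := STATUS_RE.search(msg)):
            sessions[s["sid"]]["statuses"].append(s["status"])
    return dict(sessions)


def classify(session):
    """Map one session's events to a verdict name."""
    statuses = session["statuses"]
    if session["timed_out"] and not statuses:
        return "NO_RESPONSE"
    if "PASS" in statuses:
        return "AUTH_PASS"
    if "FAIL" in statuses:
        return "AUTH_FAIL"
    if statuses:
        return "SERVER_RESPONDING"
    return "UNKNOWN"


def triage(capture):
    """Return {session_id: verdict} for every session seen in the capture."""
    return {sid: classify(s) for sid, s in parse_sessions(capture).items()}


if __name__ == "__main__":
    for sid, session in parse_sessions(SAMPLE_CAPTURE).items():
        verdict = classify(session)
        print(f"session {sid} -> {session['server']}: {verdict}: {HINTS[verdict]}")
```

Run against the sample, the first session (2012248911) is reported as NO_RESPONSE and the second (621179624) as SERVER_RESPONDING, which is the same conclusion Rick reached by reading the two posts by hand; on a longer capture from a busy router the per-id grouping keeps interleaved sessions from being confused with each other.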