cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
813
Views
0
Helpful
1
Replies

AAA TACACS Authentication issue with ACS and Switch

dnsroot13
Beginner
Beginner

Hi All,

Facing  one  issue  for the new switch  installed and trying to authenticated vty access through acs 5.2.0.26 version.

IOS:c2960c405-universalk9-mz.150-2.SE5

On switch configuration below

debug logs says this and i could see that there is no response coming from acs server and seems acs is having some issue.let me know if you see any issue on the switch side configuration. same configuration ,same model and IOS  for other switch is working fine .switch rebooted and aaa new model was reconfigured already.appreciate inputs about if anybody faced the similar issue .I am suspecting issue on the acs side and thought to reboot it however need to know if anybody exp. this kind of behavior earlier.

The things is ACS is still showing aaa unknown client although configured in the device and aaa client in network device group!

Pls find more details below of switch and acs logs. PS:no issues with port 49 to telnet from switch and readability with source interface basics checks are already done .

 

on switch:

#show tacacs

Tacacs+ Server -  public  :
            Server address: 128.1.X>X
               Server port: 49
              Socket opens:         30
             Socket closes:         30
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:         30
        Total Packets Recv:          0

 

=====================================================

SW1#test aaa group tacacs+ test test123  legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.

==========================================================

TAC+: send AUTHEN/START packet ver=192 id=1940690190
TAC+: Using default tacacs server-group "tacacs+" list.
 TAC+: Opening TCP/IP to 128.1.4.40/49 timeout=10
TAC+: Opened TCP/IP handle 0x42E38AC to 128.1.4.40/49 using source 172.29.200.51
TAC+: periodic timer started
TAC+: 128.1.4.40 req=4566BEC Qd id=1940690190 ver=192 handle=0x42E38AC expire=10 AUTHEN/START/LOGIN/ASCII queued
 TAC+: 128.1.4.40 (1940690190) AUTHEN/START/LOGIN/ASCII queued
 TAC+: 128.1.4.40 id=1940690190 wrote 26 of 26 bytes
 TAC+: 128.1.4.40 req=4566BEC Qd id=1940690190 ver=192 handle=0x42E38AC expire=9 AUTHEN/START/LOGIN/ASCII sent
 TAC+: 128.1.4.40 read END-OF-FILE
TAC+: req=4566BEC Tx id=1940690190 ver=192 handle=0x42E38AC expire=9 AUTHEN/START/LOGIN/ASCII processed
TAC+: (1940690190) AUTHEN/START/LOGIN/ASCII processed
TAC+: periodic timer stopped (queue empty)
TAC+: received bad AUTHEN packet: type = 0, expected 1
TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys). -----keys are OK on both the side
TAC+: Closing TCP/IP 0x42E38AC connection to 128.1.4.40/49
TAC+: Using default tacacs server-group "tacacs+" list.

%TAC+: no address for get_server

==============================================================

ON ACS auth. logs below (PS: there is no NAT device in between however acs is recognizing the client IP somehow!) ALSO location,identity group etc has been checked already

A TACACS+ packet was received with a source IP Address that did not match any configured Network Device or AAA Client

====================================================================================================

Related configuration for aaa on the switch is below

 

username test  privilege 15  password xxxx

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local

interface Vlan200
 ip address 172.29.200.51 255.255.255.0
!
ip default-gateway 172.29.200.1
ip http server
ip http secure-server
!
ip tacacs source-interface Vlan200
l
tacacs-server host 128.1.x.x timeout 10

line vty 0 4
 exec-timeout 5 0

logining auth default

trasnsport input telnet

 

 

1 Reply 1

dnsroot13
Beginner
Beginner

If anybody has  any thoughts on above ?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: