AAA TACACS Authentication issue with ACS and Switch

dnsroot13
Level 1

Hi All,

Facing one issue with a new switch installed: trying to authenticate vty access through ACS version 5.2.0.26.

IOS: c2960c405-universalk9-mz.150-2.SE5

Switch configuration is below.

Debug logs say this, and I could see that there is no response coming from the ACS server; it seems ACS is having some issue. Let me know if you see any issue on the switch-side configuration. The same configuration, same model and IOS on another switch is working fine. The switch was rebooted and aaa new-model was reconfigured already. Appreciate inputs if anybody faced a similar issue. I am suspecting an issue on the ACS side and thought to reboot it; however, I need to know if anybody experienced this kind of behavior earlier.

The thing is, ACS is still showing "aaa unknown client" although it is configured in the device and as an AAA client in the network device group!

Please find more details below of the switch and ACS logs. PS: no issues with port 49 (telnet from the switch works), and reachability with the source interface and other basic checks are already done.

on switch:

#show tacacs

Tacacs+ Server -  public  :
            Server address: 128.1.X.X
               Server port: 49
              Socket opens:         30
             Socket closes:         30
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:         30
        Total Packets Recv:          0

=====================================================

SW1#test aaa group tacacs+ test test123  legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.

==========================================================

TAC+: send AUTHEN/START packet ver=192 id=1940690190
TAC+: Using default tacacs server-group "tacacs+" list.
 TAC+: Opening TCP/IP to 128.1.4.40/49 timeout=10
TAC+: Opened TCP/IP handle 0x42E38AC to 128.1.4.40/49 using source 172.29.200.51
TAC+: periodic timer started
TAC+: 128.1.4.40 req=4566BEC Qd id=1940690190 ver=192 handle=0x42E38AC expire=10 AUTHEN/START/LOGIN/ASCII queued
 TAC+: 128.1.4.40 (1940690190) AUTHEN/START/LOGIN/ASCII queued
 TAC+: 128.1.4.40 id=1940690190 wrote 26 of 26 bytes
 TAC+: 128.1.4.40 req=4566BEC Qd id=1940690190 ver=192 handle=0x42E38AC expire=9 AUTHEN/START/LOGIN/ASCII sent
 TAC+: 128.1.4.40 read END-OF-FILE
TAC+: req=4566BEC Tx id=1940690190 ver=192 handle=0x42E38AC expire=9 AUTHEN/START/LOGIN/ASCII processed
TAC+: (1940690190) AUTHEN/START/LOGIN/ASCII processed
TAC+: periodic timer stopped (queue empty)
TAC+: received bad AUTHEN packet: type = 0, expected 1
TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).   <-- keys are OK on both sides
TAC+: Closing TCP/IP 0x42E38AC connection to 128.1.4.40/49
TAC+: Using default tacacs server-group "tacacs+" list.

%TAC+: no address for get_server

==============================================================

On ACS, the authentication logs show the following (PS: there is no NAT device in between; however, ACS is recognizing the client IP somehow!). Also, location, identity group etc. have been checked already.

A TACACS+ packet was received with a source IP Address that did not match any configured Network Device or AAA Client

====================================================================================================

Related configuration for AAA on the switch is below:

username test privilege 15 password xxxx
!
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
!
interface Vlan200
 ip address 172.29.200.51 255.255.255.0
!
ip default-gateway 172.29.200.1
ip http server
ip http secure-server
!
ip tacacs source-interface Vlan200
!
tacacs-server host 128.1.x.x timeout 10
!
line vty 0 4
 exec-timeout 5 0
 login authentication default
 transport input telnet
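
The counters and debug lines above tell a consistent story: the TCP session to port 49 opens and closes cleanly (no failed connects, no timeouts), the NAS writes its AUTHEN/START, and the server closes the socket without ever returning an AUTHEN reply, which is why the NAS reports type 0 where it expects type 1 (AUTHEN in the TACACS+ header). The added script below is an example written for this thread, not code from the poster or from Cisco; it parses `show tacacs` counters and `debug tacacs` lines into a short verdict and extracts the source IP the NAS actually used, so it can be compared against the AAA client entry on the server. The sample inputs are constructed from the figures in the post, and the counter labels are assumed to be the ones this IOS release prints.

```python
import re
from typing import Dict

# Constructed sample inputs, modelled on the figures in the post above
# (the server address is the one that appears in the debug output there).
SHOW_TACACS = """\
Tacacs+ Server -  public  :
            Server address: 128.1.4.40
               Server port: 49
              Socket opens:         30
             Socket closes:         30
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:         30
        Total Packets Recv:          0
"""

DEBUG_TACACS = """\
TAC+: Opening TCP/IP to 128.1.4.40/49 timeout=10
TAC+: Opened TCP/IP handle 0x42E38AC to 128.1.4.40/49 using source 172.29.200.51
TAC+: 128.1.4.40 id=1940690190 wrote 26 of 26 bytes
TAC+: 128.1.4.40 read END-OF-FILE
TAC+: received bad AUTHEN packet: type = 0, expected 1
TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
TAC+: Closing TCP/IP 0x42E38AC connection to 128.1.4.40/49
"""

# "   Socket Timeouts:   0" -> ("Socket Timeouts", 0). Dotted values such as
# the server address deliberately do not match, so only counters are kept.
COUNTER_RE = re.compile(r"^\s*([A-Za-z+ ]+?):\s+(\d+)\s*$", re.MULTILINE)
SOURCE_RE = re.compile(r"to (\S+)/(\d+) using source (\S+)")
BAD_TYPE_RE = re.compile(r"bad AUTHEN packet: type = (\d+), expected (\d+)")

# TACACS+ header 'type' values (RFC 8907); a login expects an AUTHEN reply.
TAC_PLUS_TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}


def parse_show_tacacs(text: str) -> Dict[str, int]:
    """Return the numeric counters from 'show tacacs' keyed by their label."""
    return {m.group(1).strip(): int(m.group(2)) for m in COUNTER_RE.finditer(text)}


def triage(show_text: str, debug_text: str) -> Dict[str, object]:
    """Combine counters and debug lines into an explainable verdict."""
    c = parse_show_tacacs(show_text)
    result: Dict[str, object] = {"findings": [], "source_ip": None, "server": None}

    m = SOURCE_RE.search(debug_text)
    if m:
        result["server"] = f"{m.group(1)}:{m.group(2)}"
        result["source_ip"] = m.group(3)   # what the server must have as AAA client

    findings = result["findings"]
    sent, recv = c.get("Total Packets Sent", 0), c.get("Total Packets Recv", 0)
    if c.get("Failed Connect Attempts", 0) == 0 and c.get("Socket Timeouts", 0) == 0:
        findings.append("tcp-reachable")          # port 49 opens; not a routing/ACL problem
    if sent and not recv:
        findings.append("no-reply-ever")          # nothing has ever come back
    if "read END-OF-FILE" in debug_text:
        findings.append("server-closed-connection")
    bt = BAD_TYPE_RE.search(debug_text)
    if bt:
        got, want = int(bt.group(1)), int(bt.group(2))
        findings.append(f"reply-type-{got}-not-{TAC_PLUS_TYPES.get(want, want)}")

    if "tcp-reachable" in findings and "server-closed-connection" in findings:
        # Transport works but the server hung up without an AUTHEN reply: the
        # NAS entry on the server (client IP and shared key) is the first thing
        # to verify against source_ip, before suspecting the network path.
        result["verdict"] = "server-rejected-client"
    elif "no-reply-ever" in findings:
        result["verdict"] = "no-response"
    else:
        result["verdict"] = "ok"
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SHOW_TACACS, DEBUG_TACACS), indent=2))
```

Run on the constructed sample, the verdict is `server-rejected-client` with source IP 172.29.200.51, which matches the ACS message about an unrecognised source address: the server is reached and answers by closing the socket, so the client definition on the server side (address and key) is where to look, not the switch's reachability.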

1 Reply

dnsroot13
Level 1

Does anybody have any thoughts on the above?