Hi, I'm getting inconsistent results on an old ACS 4.1 platform (able to log in to the device via Telnet but not via console). In doing some investigation with an engineer, we were able to determine that the ACS Server 4.1 is rejecting new-code and works with legacy. How can I force legacy group tacacs+ to work (via CLI configuration or ACS configuration) all the time, or get the ACS server to accept new-code via configuration? Here are some results of our testing:
User rejected when using new-code:
t01rs02#test aaa group tacacs+ testlogin testclient new-code
User rejected
t01rs02#
*Apr 3 18:54:28.887: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default
User accepted when using legacy:
t01rs02#test aaa group tacacs+ testlogin testclient legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
t01rs02#
*Apr 3 18:57:27.275: AAA: parse name=<no string> idb type=-1 tty=-1
*Apr 3 18:57:27.275: AAA/MEMORY: create_user (0x52B805F8) user='testlogin' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
*Apr 3 18:57:27.275: TAC+: send AUTHEN/START packet ver=192 id=3482083154
*Apr 3 18:57:27.275: TAC+: Opening TCP/IP to 10.2.7.153/49 timeout=5
*Apr 3 18:57:27.279: TAC+: Opened TCP/IP handle 0x52BABC78 to 10.2.7.153/49 using source 10.2.15.3
*Apr 3 18:57:27.279: TAC+: periodic timer started
*Apr 3 18:57:27.279: TAC+: 10.2.7.153 req=52B99BB8 Qd id=3482083154 ver=192 handle=0x52BABC78 expire=5 AUTHEN/START/LOGIN/ASCII queued
*Apr 3 18:57:27.379: TAC+: 10.2.7.153 id=3482083154 wrote 29 of 29 bytes
*Apr 3 18:57:27.379: TAC+: 10.2.7.153 req=52B99BB8 Qd id=3482083154 ver=192 handle=0x52BABC78 expire=4 AUTHEN/START/LOGIN/ASCII sent
*Apr 3 18:57:27.479: TAC+: 10.2.7.153 read=12 wanted=12 alloc=12 got=12
*Apr 3 18:57:27.479: TAC+: 10.2.7.153 read=28 wanted=28 alloc=28 got=16
*Apr 3 18:57:27.479: TAC+: 10.2.7.153 received 28 byte reply for 52B99BB8
*Apr 3 18:57:27.479: TAC+: req=52B99BB8 Tx id=3482083154 ver=192 handle=0x52BABC78 expire=4 AUTHEN/START/LOGIN/ASCII processed
*Apr 3 18:57:27.479: TAC+: periodic timer stopped (queue empty)
*Apr 3 18:57:27.479: TAC+: ver=192 id=3482083154 received AUTHEN status = GETPASS
*Apr 3 18:57:27.479: TAC+: send AUTHEN/CONT packet id=3482083154
*Apr 3 18:57:27.479: TAC+: periodic timer started
*Apr 3 18:57:27.479: TAC+: 10.2.7.153 req=52B99BB8 Qd id=3482083154 ver=192 handle=0x52BABC78 expire=5 AUTHEN/CONT queued
*Apr 3 18:57:27.579: TAC+: 10.2.7.153 id=3482083154 wrote 27 of 27 bytes
*Apr 3 18:57:27.579: TAC+: 10.2.7.153 req=52B99BB8 Qd id=3482083154 ver=192 handle=0x52BABC78 expire=4 AUTHEN/CONT sent
*Apr 3 18:57:27.779: TAC+: 10.2.7.153 read=12 wanted=12 alloc=12 got=12
*Apr 3 18:57:27.779: TAC+: 10.2.7.153 read=18 wanted=18 alloc=18 got=6
*Apr 3 18:57:27.779: TAC+: 10.2.7.153 received 18 byte reply for 52B99BB8
*Apr 3 18:57:27.779: TAC+: req=52B99BB8 Tx id=3482083154 ver=192 handle=0x52BABC78 expire=4 AUTHEN/CONT processed
*Apr 3 18:57:27.779: TAC+: periodic timer stopped (queue empty)
*Apr 3 18:57:27.779: TAC+: ver=192 id=3482083154 received AUTHEN status = PASS
*Apr 3 18:57:27.779: AAA/MEMORY: free_user (0x52B805F8) user='testlogin' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
Here's our pertinent TACACS+ configuration info:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
aaa session-id common
tacacs-server host 10.2.7.153
tacacs-server directed-request
radius-server source-ports 1645-1646
!
control-plane
!
!
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 0 0
transport preferred none
line vty 0 4
exec-timeout 0 0
transport input telnet ssh
line vty 5 15
exec-timeout 0 0
transport input telnet ssh
!
no cns aaa enable
Can anyone give me some insight into solving this vexing issue?
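To compare the two test runs side by side, it helps to reduce the `debug tacacs` output to one line per TACACS+ session: which packets the router sent, which AUTHEN statuses ACS returned, and how the exchange ended. The following Python is an added example (not from the post or from Cisco); it parses the TAC+ lines from the legacy run above plus two constructed sessions (ids 111 and 222) so that a FAIL and an exchange that never receives a reply are also covered. Splitting the `ver=192` byte into major/minor nibbles follows the TACACS+ header layout (0xC0 = major 12, minor 0).

```python
import re
from collections import OrderedDict

# Constructed sample: the TAC+ lines from the "legacy" test in the post, plus two
# made-up sessions (ids 111 and 222) so a FAIL and an incomplete exchange are covered.
SAMPLE = """\
*Apr 3 18:57:27.275: TAC+: send AUTHEN/START packet ver=192 id=3482083154
*Apr 3 18:57:27.479: TAC+: ver=192 id=3482083154 received AUTHEN status = GETPASS
*Apr 3 18:57:27.479: TAC+: send AUTHEN/CONT packet id=3482083154
*Apr 3 18:57:27.779: TAC+: ver=192 id=3482083154 received AUTHEN status = PASS
*Apr 3 19:01:02.100: TAC+: send AUTHEN/START packet ver=192 id=111
*Apr 3 19:01:02.300: TAC+: ver=192 id=111 received AUTHEN status = FAIL
*Apr 3 19:02:00.000: TAC+: send AUTHEN/START packet ver=192 id=222
"""

SEND = re.compile(r"TAC\+: send (AUTHEN/\w+) packet (?:ver=(\d+) )?id=(\d+)")
RECV = re.compile(r"TAC\+: ver=(\d+) id=(\d+) received AUTHEN status = (\w+)")
FINAL = {"PASS", "FAIL", "ERROR", "RESTART", "FOLLOW"}  # statuses that end an exchange

def tacacs_version(ver):
    """Split the TACACS+ header version byte into (major, minor); 192 is 0xC0 -> (12, 0)."""
    return ver >> 4, ver & 0x0F

def parse_sessions(text):
    """Group TAC+ debug lines by session id and record the packet/status sequence."""
    sessions = OrderedDict()
    for line in text.splitlines():
        m = SEND.search(line)
        if m:
            pkt, ver, sid = m.groups()
            s = sessions.setdefault(sid, {"version": None, "events": [], "result": "INCOMPLETE"})
            if ver:  # only AUTHEN/START carries ver= in this debug format
                s["version"] = tacacs_version(int(ver))
            s["events"].append(pkt)
            continue
        m = RECV.search(line)
        if m:
            ver, sid, status = m.groups()
            s = sessions.setdefault(sid, {"version": None, "events": [], "result": "INCOMPLETE"})
            s["version"] = tacacs_version(int(ver))
            s["events"].append(status)
            if status in FINAL:
                s["result"] = status
    return sessions

def results(text):
    """Map session id -> final authentication result for quick triage."""
    return {sid: s["result"] for sid, s in parse_sessions(text).items()}
```

A session left at INCOMPLETE (no AUTHEN status ever came back) points at the transport or the server, while a FAIL after GETPASS points at credentials or the ACS user/group policy; running both the new-code and legacy debugs through this makes that distinction visible at a glance.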