ACS 5.0 having issues with different subnet AAA Clients

Dear All,

I am getting a weird issue. My ACS 5.0 is in subnet 10.1.1.0/24. All the AAA clients which are in the same subnet can communicate with the ACS, but those in a different subnet cannot.

I have checked the firewall between them. It allows any any with all services.

One more thing I have faced today is that now only one switch (10.1.2.10) can access ACS, but other switches in the same subnet (10.1.2.0/24) can't access ACS, same as the previous issue.

Following are the logs of the one switch (10.1.2.10) in a different subnet that can access ACS:

Working Switch with Same configuration:

SW-A#test aaa group tacacs+ test cisco legacy

Attempting authentication test to server-group tacacs+ using tacacs+

User was successfully authenticated.

SW-A#

*Nov 17 00:05:52.041: AAA: parse name=<no string> idb type=-1 tty=-1

*Nov 17 00:05:52.041: AAA/MEMORY: create_user (0x1B1FD04) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)

*Nov 17 00:05:52.041: TAC+: send AUTHEN/START packet ver=192 id=3237327729

*Nov 17 00:05:52.041: TAC+: Using default tacacs server-group "tacacs+" list.

*Nov 17 00:05:52.041: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5

*Nov 17 00:05:52.041: TAC+: Opened TCP/IP handle 0x1B44D48 to 10.1.1.2/49

*Nov 17 00:05:52.041: TAC+: 10.1.1.2 (3237327729) AUTHEN/START/LOGIN/ASCII queued

SW-A#

*Nov 17 00:05:52.243: TAC+: (3237327729) AUTHEN/START/LOGIN/ASCII processed

*Nov 17 00:05:52.243: TAC+: ver=192 id=3237327729 received AUTHEN status = GETPASS

*Nov 17 00:05:52.243: TAC+: send AUTHEN/CONT packet id=3237327729

*Nov 17 00:05:52.243: TAC+: 10.1.1.2 (3237327729) AUTHEN/CONT queued

*Nov 17 00:05:52.444: TAC+: (3237327729) AUTHEN/CONT processed

*Nov 17 00:05:52.444: TAC+: ver=192 id=3237327729 received AUTHEN status = PASS

*Nov 17 00:05:52.444: AAA/MEMORY: free_user (0x1B1FD04) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)

Logs from the same subnet switch (10.1.2.20) which cannot access ACS:

SW-B#test aaa group tacacs+ test cisco legacy

Attempting authentication test to server-group tacacs+ using tacacs+

No authoritative response from any server.

SW-B#

*Oct 20 00:54:12.834: AAA: parse name=<no string> idb type=-1 tty=-1

*Oct 20 00:54:12.842: AAA/MEMORY: create_user (0x1A6F3F0) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)

*Oct 20 00:54:12.842: TAC+: send AUTHEN/START packet ver=192 id=3281146755

*Oct 20 00:54:12.842: TAC+: Using default tacacs server-group "tacacs+" list.

*Oct 20 00:54:12.842: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5

*Oct 20 00:54:12.842: TAC+: Opened TCP/IP handle 0x1B1E888 to 10.1.1.2/49

*Oct 20 00:54:12.842: TAC+: 10.1.1.2 (3281146755) AUTHEN/START/LOGIN/ASCII queued

SW-B#

*Oct 20 00:54:12.943: TAC+: (3281146755) AUTHEN/START/LOGIN/ASCII processed

*Oct 20 00:54:12.943: TAC+: received bad AUTHEN packet: type = 0, expected 1

*Oct 20 00:54:12.943: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).

*Oct 20 00:54:12.943: TAC+: Closing TCP/IP 0x1B1E888 connection to 10.1.1.2/49

*Oct 20 00:54:12.943: TAC+: Using default tacacs server-group "tacacs+" list.

*Oct 20 00:54:12.943: AAA/MEMORY: free_user (0x1A6F3F0) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)

Waiting for your responses.
Regards,
Anser

3 Replies

Tiago Antunes
Cisco Employee

Hi,

this looks like a routing issue to me...

Can you ping the ACS from the switches?

Can you ping other devices on the same subnet of the ACS from the switches?

If not, then it is for sure some routing problem on your network, and I would do a traceroute to see where the routing is failing.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Forgot to mention that ACS can ping all the switches in same or different subnets.

Even I can telnet on port 49 from the switch to the ACS. All are working fine.

Regards,

Anser

Ok, cool,

So this usually means that the switch is sourcing the requests from a different interface than the one configured on the ACS.

I would guess that the ACS is reporting an unknown NAS...

Can you please use the "ip tacacs source-interface" command to make sure the switch will source the TACACS+ packets from the interface with the IP address for which you have the ACS configured?

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
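As an added illustration (not part of this thread or of any Cisco tool), the script below parses IOS "debug tacacs" output of the kind quoted in the question and tells apart a healthy session from the "bad AUTHEN packet / check keys" pattern, which is what the switch logs when the server answers with a packet it cannot decrypt, i.e. the shared key differs or the ACS does not recognise the source address the switch used. The sample log lines are constructed to mirror the two sessions above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the format of IOS "debug tacacs" output, mirroring the
# working switch (SW-A) and the failing switch (SW-B) quoted in the thread.
SAMPLE_LOG = """\
*Nov 17 00:05:52.041: TAC+: Opened TCP/IP handle 0x1B44D48 to 10.1.1.2/49
*Nov 17 00:05:52.041: TAC+: 10.1.1.2 (3237327729) AUTHEN/START/LOGIN/ASCII queued
*Nov 17 00:05:52.243: TAC+: ver=192 id=3237327729 received AUTHEN status = GETPASS
*Nov 17 00:05:52.444: TAC+: ver=192 id=3237327729 received AUTHEN status = PASS
*Oct 20 00:54:12.842: TAC+: Opened TCP/IP handle 0x1B1E888 to 10.1.1.2/49
*Oct 20 00:54:12.842: TAC+: 10.1.1.2 (3281146755) AUTHEN/START/LOGIN/ASCII queued
*Oct 20 00:54:12.943: TAC+: received bad AUTHEN packet: type = 0, expected 1
*Oct 20 00:54:12.943: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
*Oct 20 00:54:12.943: TAC+: Closing TCP/IP 0x1B1E888 connection to 10.1.1.2/49
"""

OPENED = re.compile(r"TAC\+: Opened TCP/IP handle (0x[0-9A-Fa-f]+) to ([\d.]+)/(\d+)")
QUEUED = re.compile(r"TAC\+: [\d.]+ \((\d+)\) \S+ queued")
STATUS = re.compile(r"TAC\+: ver=\d+ id=(\d+) received AUTHEN status = (\w+)")


def triage_tacacs_debug(text: str) -> List[Dict[str, Optional[str]]]:
    """Group debug lines into TCP sessions (one per 'Opened TCP/IP handle')
    and attach a verdict derived from the patterns seen in the thread."""
    sessions: List[Dict[str, Optional[str]]] = []
    cur: Optional[Dict[str, Optional[str]]] = None
    for line in text.splitlines():
        m = OPENED.search(line)
        if m:  # a new TCP connection to server/port starts a new session
            cur = {"handle": m.group(1), "server": m.group(2), "port": m.group(3),
                   "session_id": None, "verdict": "no_response"}
            sessions.append(cur)
            continue
        if cur is None:
            continue
        m = QUEUED.search(line) or STATUS.search(line)
        if m:
            cur["session_id"] = m.group(1)
            if m.re is STATUS and m.group(2) == "PASS":
                cur["verdict"] = "authenticated"
            continue
        # The server replied, but the switch could not decrypt/parse the packet:
        # shared key mismatch, or the ACS does not know this AAA client/source IP.
        if "received bad AUTHEN packet" in line or "(check keys)" in line:
            cur["verdict"] = "key_mismatch_or_unknown_client"
    return sessions


def summarize(text: str) -> List[str]:
    """One human-readable line per session, e.g. for a quick triage report."""
    return [f"{s['handle']} -> {s['server']}/{s['port']} id={s['session_id']}: {s['verdict']}"
            for s in triage_tacacs_debug(text)]
```

A session left at "no_response" (TCP opened, nothing parsed) points at a reachability or timeout problem rather than a key or client-definition problem, which is how the two failure classes discussed in the replies can be separated before touching configuration.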