cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2985
Views
0
Helpful
3
Replies
Highlighted
Beginner

ACS 5.1.0.44.5 telnet doesn't work, ssh does (tacacs authen)

We recently deployed this version of ACS. Some of our devices don't allow ssh and are currently configured for telnet only. I have a service selection rule say ServiceSelection1 so that if protocol is tacacs to use TacacsAccessPolicy service. For the Identity in TacacsAccessPolicy service, I have first rule to check for specific users (User1, User2) and if the request comes for one of these, to use Internal Users store for authentication. Second rule in the service says if you're not either of these two, go to the RSA server.

The problem I'm running into at this point is that when I try to telnet to one of our devices (regardless of whether it accepts both telnet and ssh, or only telnet), if I enter User1 and the password in the internal user store, authentication fails. If I use the exact same user and pw info, to the same device, but using ssh, I'm fine. In both cases (so telnet and ssh), a user that is not User1 or User2 authenticates fine with RSA.

From ACS logs, I see that when I telnet to a device the user id and password are checked directly against RSA, thus bypassing my first rule which says if you're this user check internal users (you can see the authen failure below). However, when using ssh, ACS sends request to correct identity store and everything works fine. What am I missing? I appreciate ideas/suggestions, thank you.

Failure Reason > Authentication Failure Code Lookup
Failure Reason :
24508 User authentication failed
Generated on:December 15, 2010 11:25:53 AM EST
Description
User authentication against RSA SecurID Server failed
Resolution Steps
Most probably authentication failed because of invalid passcode, for the accurate reason please see RSA SecurID Server logs

Everyone's tags (4)
3 REPLIES 3
Highlighted
Cisco Employee

Re: ACS 5.1.0.44.5 telnet doesn't work, ssh does (tacacs authen)

Can you show exactly your rule that Telnet is missing ? (screenshot)

And can you also show more detail about the failed authentication ?

Nicolas

Highlighted
Beginner

Re: ACS 5.1.0.44.5 telnet doesn't work, ssh does (tacacs authen)

Nicolas,

Here are the screen shots (this refers to Access Policies --> Access Services --> TacacsAccessPolicy --> Identity):

Rule 1 expanded (rule 2 is very similar, only there's a "not" and it's using ID_Sequence instead of Internal Users for identity source):

ID_Sequence just has RSA first, then internal users.

When I look at TACACS authentications, I see:

User name: User1

Device name: Device1

NDG: Device Type:All devices:Switches, Location:HDQ

Access Service: TacacsAccessPolicy

Identity Store: [see below]

Identity Group: All Groups:AdminUsers

ACS Server: ACSserver

The only thing different between attempting ssh or telnet in the TACACS authen logs is:

- Internal Users (if I tried logging in with User1 using ssh, which is correct)

- RSAserver (if I tried logging in with User1 but using telnet, and this is incorrect, per my Rule 1 in the screenshots above).

Thank you,

Alex.

Highlighted
Beginner

Re: ACS 5.1.0.44.5 telnet doesn't work, ssh does (tacacs authen)

I was able to solve this issue by adding one more rule in the access policy shown in one of the screen shots. This one says if System:UserName equals User1 or User2, use internal users for authentication. Hope this helps other people.