ACS 5.1.0.44.5 telnet doesn't work, ssh does (tacacs authen)

alex.o.kelley
Level 1

We recently deployed this version of ACS. Some of our devices don't allow ssh and are currently configured for telnet only. I have a service selection rule, say ServiceSelection1, so that if the protocol is tacacs it uses the TacacsAccessPolicy service. For the Identity in the TacacsAccessPolicy service, I have a first rule to check for specific users (User1, User2) and, if the request comes from one of these, to use the Internal Users store for authentication. The second rule in the service says if you're not either of these two, go to the RSA server.

The problem I'm running into at this point is that when I try to telnet to one of our devices (regardless of whether it accepts both telnet and ssh, or only telnet), if I enter User1 and the password in the internal user store, authentication fails. If I use the exact same user and pw info, to the same device, but using ssh, I'm fine. In both cases (so telnet and ssh), a user that is not User1 or User2 authenticates fine with RSA.

From the ACS logs, I see that when I telnet to a device the user id and password are checked directly against RSA, thus bypassing my first rule which says if you're this user, check internal users (you can see the authen failure below). However, when using ssh, ACS sends the request to the correct identity store and everything works fine. What am I missing? I appreciate ideas/suggestions, thank you.

Failure Reason > Authentication Failure Code Lookup
Failure Reason :
24508 User authentication failed
Generated on:December 15, 2010 11:25:53 AM EST
Description
User authentication against RSA SecurID Server failed
Resolution Steps
Most probably authentication failed because of invalid passcode, for the accurate reason please see RSA SecurID Server logs

3 Replies

Nicolas Darchis
Cisco Employee

Can you show exactly your rule that Telnet is missing? (screenshot)

And can you also show more detail about the failed authentication?

Nicolas

Nicolas,

Here are the screenshots (this refers to Access Policies --> Access Services --> TacacsAccessPolicy --> Identity):

Rule 1 expanded (rule 2 is very similar, only there's a "not" and it's using ID_Sequence instead of Internal Users for identity source):

ID_Sequence just has RSA first, then internal users.

When I look at TACACS authentications, I see:

User name: User1
Device name: Device1
NDG: Device Type:All devices:Switches, Location:HDQ
Access Service: TacacsAccessPolicy
Identity Store: [see below]
Identity Group: All Groups:AdminUsers
ACS Server: ACSserver

The only thing different between attempting ssh or telnet in the TACACS authen logs is:

- Internal Users (if I tried logging in with User1 using ssh, which is correct)
- RSAserver (if I tried logging in with User1 but using telnet, and this is incorrect, per my Rule 1 in the screenshots above).

Thank you,

Alex.

alex.o.kelley
Level 1

I was able to solve this issue by adding one more rule in the access policy shown in one of the screenshots. This one says if System:UserName equals User1 or User2, use internal users for authentication. Hope this helps other people.
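A small audit over TACACS authentication entries in the field layout Alex quoted, as an added example that is not part of the thread or of ACS: it parses constructed entries and flags any User1/User2 authentication that landed on RSAserver instead of Internal Users, which is the mismatch Alex spotted by reading the report by hand. The sample entries, the expected-store table and the store names used as defaults are assumptions.

```python
# Constructed sample entries in the TACACS authentication field layout quoted
# in the thread (one blank line between authentications); not real ACS exports.
SAMPLE_LOG = """\
User name: User1
Device name: Device1
NDG: Device Type:All devices:Switches, Location:HDQ
Access Service: TacacsAccessPolicy
Identity Store: Internal Users
ACS Server: ACSserver

User name: User1
Device name: Device1
Access Service: TacacsAccessPolicy
Identity Store: RSAserver
ACS Server: ACSserver

User name: jdoe
Device name: Device1
Access Service: TacacsAccessPolicy
Identity Store: RSAserver
ACS Server: ACSserver
"""

# Store each user should hit per the poster's Rule 1 (assumption);
# anyone else is expected on the RSA store named in the thread.
EXPECTED_STORE = {"User1": "Internal Users", "User2": "Internal Users"}
DEFAULT_STORE = "RSAserver"

def parse_entries(text):
    """One dict per authentication; split each line on its first colon only,
    so NDG values like 'Device Type:All devices:Switches' keep their colons."""
    entries = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, val = line.partition(":")
            if sep:
                fields[key.strip()] = val.strip()
        if fields:
            entries.append(fields)
    return entries

def misrouted(entries, expected=EXPECTED_STORE, default=DEFAULT_STORE):
    """Return (user, actual store) for authentications routed to the wrong store."""
    bad = []
    for e in entries:
        want = expected.get(e.get("User name", ""), default)
        if e.get("Identity Store") != want:
            bad.append((e.get("User name", ""), e.get("Identity Store")))
    return bad
```

Run against a real export of the TACACS authentication report, any hit in `misrouted()` is an identity rule that did not match the request the way the policy author expected.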