
Authentication error in ACS 5.3

Hi Guys,

I configured ACS 5.3 and added AAA clients with TACACS+ server and shared secret key as cisco123. I did the below config on the switch also. When I try to authenticate login with ACS it does not respond. Find the configuration and debug output.

In the debug output it shows ruser and rem_addr as null. I did not understand why.

I am able to ping the ACS server, and I used telnet 192.x.x.10 49 and it gives the proper output.

aaa new-model

aaa authentication login default group tacacs+ local

!

tacacs-server host 192.168.60.10 key cisco123

tacacs-server directed-request

ip tacacs source-interface Vlan172

line vty 0 4

password cisco

login authentication default

test aaa group tacacs+ admin cisco123 legacy

Attempting authentication test to server-group tacacs+ using tacacs+

No authoritative response from any server.

*Apr  9 21:39:08.550: AAA: parse name=<no string> idb type=-1 tty=-1

*Apr  9 21:39:08.550: AAA/MEMORY: create_user (0x28828B0) user='admin' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)

*Apr  9 21:39:08.550: TAC+: send AUTHEN/START packet ver=192 id=1143081592

*Apr  9 21:39:08.550: TAC+: Using default tacacs server-group "tacacs+" list.

*Apr  9 21:39:08.550: TAC+: Opening TCP/IP to 192.168.60.10/49 timeout=5

*Apr  9 21:39:08.550: TAC+: Opened TCP/IP handle 0x28B9854 to 192.168.60.10/49 using source 172.16.1.4

*Apr  9 21:39:08.550: TAC+: 192.168.60.10 (1143081592) AUTHEN/START/LOGIN/ASCII queued

*Apr  9 21:39:08.751: TAC+: (1143081592) AUTHEN/START/LOGIN/ASCII processed

*Apr  9 21:39:08.751: TAC+: ver=192 id=1143081592 received AUTHEN status = ERROR

*Apr  9 21:39:08.751: TAC+: Closing TCP/IP 0x28B9854 connection to 192.168.60.10/49

*Apr  9 21:39:08.751: TAC+: Using default tacacs server-group "tacacs+" list.

*Apr  9 21:39:08.751: AAA/MEMORY: free_user (0x28828B0) user='admin' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)

Help in this regard is appreciated.

Looking for reply.

Thanks in advance.

2 Replies

The problem I found was under Access Policies > Default Device Admin.

It was disabled, and to work with TACACS+ this should be enabled.

hkhrais
Beginner

Hi fazal,

Glad to hear that.

Just one note: the ACS does respond, and that is clear from the below output:

*Apr  9 21:39:08.751: TAC+: ver=192 id=1143081592 received AUTHEN status = ERROR

HTH
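The distinction made in the reply above, as an added example that is not part of the original thread: a small triage script that reads the switch's TAC+ debug lines and separates "server never reached" from "server reached and answered ERROR". The function name `triage`, the verdict strings and the second sample are assumptions made for illustration.

```python
import re

# Debug lines copied from the thread above (output of the 'test aaa' attempt).
THREAD_DEBUG = """\
*Apr  9 21:39:08.550: TAC+: send AUTHEN/START packet ver=192 id=1143081592
*Apr  9 21:39:08.550: TAC+: Opening TCP/IP to 192.168.60.10/49 timeout=5
*Apr  9 21:39:08.550: TAC+: Opened TCP/IP handle 0x28B9854 to 192.168.60.10/49 using source 172.16.1.4
*Apr  9 21:39:08.751: TAC+: ver=192 id=1143081592 received AUTHEN status = ERROR
*Apr  9 21:39:08.751: TAC+: Closing TCP/IP 0x28B9854 connection to 192.168.60.10/49
"""

# Constructed sample (not from the thread): the TCP connection is never opened.
CONSTRUCTED_NO_CONNECT = """\
*Apr  9 21:40:00.000: TAC+: send AUTHEN/START packet ver=192 id=1
*Apr  9 21:40:00.000: TAC+: Opening TCP/IP to 192.0.2.10/49 timeout=5
"""

OPENING = re.compile(r"TAC\+: Opening TCP/IP to (\S+)/(\d+)")
OPENED = re.compile(r"TAC\+: Opened TCP/IP handle \S+ to (\S+)/(\d+) using source (\S+)")
STATUS = re.compile(r"TAC\+: ver=\d+ id=(\d+) received AUTHEN status = (\w+)")

def triage(debug_text):
    """Classify one authentication attempt from TAC+ debug output (hypothetical helper)."""
    result = {"server": None, "source": None, "connected": False, "status": None}
    for line in debug_text.splitlines():
        if m := OPENING.search(line):
            result["server"] = m.group(1)
        elif m := OPENED.search(line):
            result.update(server=m.group(1), source=m.group(3), connected=True)
        elif m := STATUS.search(line):
            result["status"] = m.group(2)
    if not result["connected"]:
        result["verdict"] = "network: TCP/49 to the server was never opened"
    elif result["status"] is None:
        result["verdict"] = "server accepted TCP but sent no TACACS+ reply"
    elif result["status"] == "ERROR":
        # In this thread the cause was the disabled Default Device Admin policy.
        result["verdict"] = "server replied ERROR: check ACS-side config, not reachability"
    else:
        result["verdict"] = "server replied " + result["status"]
    return result
```

The `source` field is the address the switch used for the connection (172.16.1.4 in the thread, from `ip tacacs source-interface Vlan172`), which is worth comparing against the AAA client entry on the ACS.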
