09-08-2012 02:34 AM - edited 03-10-2019 07:31 PM
Hi Guys,
I configured ACS 5.3 and added AAA clients with TACACS+ server and shared secret key as cisco123. I did the below config on the switch also. When I try to authenticate login with ACS, it does not respond. Find the configuration and debug output.
In the debug output, ruser and rem_addr are shown as null. I did not understand why.
I am able to ping the ACS server, and I used telnet 192.x.x.10 49 and it gives the proper output.
aaa new-model
aaa authentication login default group tacacs+ local
!
tacacs-server host 192.168.60.10 key cisco123
tacacs-server directed-request
ip tacacs source-interface Vlan172
line vty 0 4
password cisco
login authentication default
test aaa group tacacs+ admin cisco123 legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.
*Apr 9 21:39:08.550: AAA: parse name=<no string> idb type=-1 tty=-1
*Apr 9 21:39:08.550: AAA/MEMORY: create_user (0x28828B0) user='admin' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
*Apr 9 21:39:08.550: TAC+: send AUTHEN/START packet ver=192 id=1143081592
*Apr 9 21:39:08.550: TAC+: Using default tacacs server-group "tacacs+" list.
*Apr 9 21:39:08.550: TAC+: Opening TCP/IP to 192.168.60.10/49 timeout=5
*Apr 9 21:39:08.550: TAC+: Opened TCP/IP handle 0x28B9854 to 192.168.60.10/49 using source 172.16.1.4
*Apr 9 21:39:08.550: TAC+: 192.168.60.10 (1143081592) AUTHEN/START/LOGIN/ASCII queued
*Apr 9 21:39:08.751: TAC+: (1143081592) AUTHEN/START/LOGIN/ASCII processed
*Apr 9 21:39:08.751: TAC+: ver=192 id=1143081592 received AUTHEN status = ERROR
*Apr 9 21:39:08.751: TAC+: Closing TCP/IP 0x28B9854 connection to 192.168.60.10/49
*Apr 9 21:39:08.751: TAC+: Using default tacacs server-group "tacacs+" list.
*Apr 9 21:39:08.751: AAA/MEMORY: free_user (0x28828B0) user='admin' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
Help in this regard is appreciated.
Looking for reply.
Thanks in advance.
09-08-2012 03:47 AM
The problem I found was under access policies > default device admin.
It was disabled, and to work with TACACS+ this should be enabled.
09-08-2012 12:48 PM
Hi fazal,
Glad to hear that.
Just one note: the ACS does respond, and that is clear from the below output:
*Apr 9 21:39:08.751: TAC+: ver=192 id=1143081592 received AUTHEN status = ERROR
HTH
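Added example (not part of the thread and not Cisco's code): a short Python triage of the "debug tacacs" lines quoted in the first post, separating "server never answered" from "server answered with ERROR", which is the distinction the last reply draws. The verdict labels and the second, truncated sample are constructed for illustration.

```python
import re

START = re.compile(r"TAC\+: send AUTHEN/START packet ver=\d+ id=(\d+)")
OPENING = re.compile(r"TAC\+: Opening TCP/IP to (\S+)/(\d+) timeout=\d+")
OPENED = re.compile(r"TAC\+: Opened TCP/IP handle \S+ to \S+ using source (\S+)")
STATUS = re.compile(r"TAC\+: ver=\d+ id=(\d+) received AUTHEN status = (\w+)")

# Lines copied from the debug output in the first post.
PAGE_DEBUG = """\
*Apr 9 21:39:08.550: TAC+: send AUTHEN/START packet ver=192 id=1143081592
*Apr 9 21:39:08.550: TAC+: Opening TCP/IP to 192.168.60.10/49 timeout=5
*Apr 9 21:39:08.550: TAC+: Opened TCP/IP handle 0x28B9854 to 192.168.60.10/49 using source 172.16.1.4
*Apr 9 21:39:08.751: TAC+: ver=192 id=1143081592 received AUTHEN status = ERROR
"""
# Constructed sample: the first three lines above with a made-up id and no reply line.
CONSTRUCTED_NO_REPLY = "\n".join(PAGE_DEBUG.splitlines()[:3]).replace("1143081592", "1")

def verdict(s):
    """Labels are this example's own, not IOS or ACS terminology."""
    if not s["tcp_opened"]:
        return "NO_TCP"          # connection to port 49 never came up
    if s["status"] is None:
        return "NO_REPLY"        # TCP up, but no AUTHEN reply was logged
    if s["status"] == "ERROR":
        return "SERVER_ERROR"    # server did answer; look at the server-side policy
    return "REPLIED_" + s["status"]

def triage(debug_text):
    """Return one dict per AUTHEN/START exchange found in the debug text."""
    sessions, cur = [], None
    for line in debug_text.splitlines():
        if m := START.search(line):
            cur = {"id": m.group(1), "server": None, "source": None,
                   "tcp_opened": False, "status": None}
            sessions.append(cur)
        elif cur is None:
            continue                      # ignore lines before the first START
        elif m := OPENING.search(line):
            cur["server"] = f"{m.group(1)}:{m.group(2)}"
        elif m := OPENED.search(line):
            cur["tcp_opened"], cur["source"] = True, m.group(1)
        elif (m := STATUS.search(line)) and m.group(1) == cur["id"]:
            cur["status"] = m.group(2)
    for s in sessions:
        s["verdict"] = verdict(s)
    return sessions

if __name__ == "__main__":
    for s in triage(PAGE_DEBUG) + triage(CONSTRUCTED_NO_REPLY):
        print(s["id"], s["server"], "src", s["source"], "->", s["verdict"])
```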