authentication failure using ACS

okishare10
Level 1

I'm building a network using ACS in my lab and authentication fails when I telnet from a user (H1) to a router (c3845). Please look below.

What I did is, configured a VPN between c3845 and c3640. I confirmed that the VPN is working.

Set up H1 as a user and c3845 as an AAA client on ACS.

The authentication protocol which I'm using is TACACS+.

When I telnet from H1 to c3845, a "% Authentication failed" message appears and the session disconnects.

Am I missing something?

Please, somebody give me some advice.

topology and ip address.

  fa --GE0/1-GE0/0-------fa0/0-fa1/0--fa
| ACS |---|c3845 |--| VPN |--|c3640 |--| H1 |

+---------+-----------+------------------+
| device  | interface | ip address       |
+---------+-----------+------------------+
| ACS     | fa        | 192.168.0.15/24  |
+---------+-----------+------------------+
| c3845   | GE0/1     | 192.168.0.220/24 |
+         +-----------+------------------+
|         | GE0/1     | 1.1.1.1/8        |
+---------+-----------+------------------+
| c3640   | fa0/0     | 1.1.1.2/8        |
+         +-----------+------------------+
|         | fa1/0     | 172.26.0.1/24    |
+---------+-----------+------------------+
| H1(host)| fa        | 172.26.0.2/24    |
+---------+-----------+------------------+

configuration of c3845
========================================
c3845#sh running-config
Building configuration...

Current configuration : 3432 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c3845
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
username xxx privilege 15 secret xxxx
aaa new-model
!
!
aaa authentication login default group tacacs+
aaa session-id common
ip subnet-zero
ip cef
!
!
!
!
ip domain name yourdomain.com
ip ips po max-events 100
no ftp-server write-enable
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key 6 ciscovpn address 1.1.1.2
!
!
crypto ipsec transform-set TS-Basic esp-3des esp-sha-hmac
!
crypto map MAP-Basic 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set TS-Basic
 match address 150
!
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 1.1.x.x.0.0.0
 duplex auto
 speed auto
 media-type rj45
 crypto map MAP-Basic
!
interface GigabitEthernet0/1
 ip address 192.168.0.220 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.2
ip route 172.26.0.0 255.255.0.0 1.1.1.2
!
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 150 permit ip 192.168.0.0 0.0.255.255 172.26.0.0 0.0.255.255
!
!
!
tacacs-server host 192.168.0.15
tacacs-server directed-request
tacacs-server key xxx
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output all
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

5 Replies

sandjose
Cisco Employee

If you need to telnet to a router using the username and password from the TACACS server, you need to have the service type admin attribute returned from TACACS. Also you need to have the device accept the override values.

e.g.:

All users who want to log in to the router have to be authorized using TACACS.

Configure:

aaa authorization exec default group tacacs+

On the AAA server, Service-Type=6 (ADMIN) must be selected.

It is my understanding that if you want the user to go directly into privilege level 15 when they login, then you need aaa authorization. But for simple login authentication I do not believe that it is needed. And that seems to be the question right now.

Also, when I configure a router to use AAA and TACACS, I think it is wise to always configure a secondary method to use in case TACACS is not able to respond. For authorization I like to use the if-authenticated method as a backup. For authentication I like to use line, or local (and I see a number of people who use enable - though I do not like that one myself as a backup for login authentication).

As for the original question: does the TACACS server see the authentication request? If it is seeing the request and not authenticating, there should be an entry in the Failed Attempts report. If there is an entry in the Failed Attempts report, it should give an indication of what was wrong (could be unknown device if the ACS client configuration was not right, or could be invalid key if the server key and the router key are not matching, or could be invalid password, etc.).

If there is not an entry in the Failed Attempts report then you should investigate why the server is not seeing the request from the router. You should investigate to be sure that there is connectivity (by doing a ping perhaps) and that the address configured on the router for the server is the address that the server is using.

HTH

Rick


Well,

you said you get "a "% Authentication failed" message appears and the session disconnects".

This shows the request is reaching the TACACS server. Could you verify what the reason for this authentication failure is? It could be because you must have disabled some authentication protocols?

Just verify from the logs what is missing and why ACS is rejecting the request.

Thank you for replying to my question, Rick.

>As for the original question: does the TACACS server see the authentication request?

I used the debug tacacs authentication, packet, event and aaa authentication commands to see whether the server was seeing the authentication request or not.

There was a "received bad AUTHEN packet" message, so the server was seeing the authentication request. After that message, there was an "Invalid AUTHEN packet (check keys)" message, so this indicates the key which I configured was wrong. I checked the server and router key but both were the same. I reconfigured the keys again and telnetted from H1 to the router.

Now there was no "Authentication failed" message but the "Username:" prompt.

Typed in the username and password. It worked.

I should have used the debug command earlier.

After troubleshooting, I configured the secondary method which you mentioned.

Used local authentication and it worked, so I don't need to do password recovery anymore.

Thanks for the good advice.

Taichi

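Rick's "invalid key if the server key and the router key are not matching" and Taichi's "Invalid AUTHEN packet (check keys)" debug message are the same failure seen from the two ends of the TACACS+ connection. The Python below is an added example, not code from this thread, from Cisco IOS or from ACS. It implements the TACACS+ body obfuscation of RFC 8907 section 4.5 (an MD5 pseudo-pad XORed over the body; the header travels in the clear) and a receiver-side self-consistency check of the kind a server or router applies after de-obfuscating. The user name, port, remote address, session id and both keys are constructed sample values, and the length-and-enumeration check is this example's own: the page does not document exactly what IOS validates before it prints "check keys". With a matching key the authentication START body round-trips; with a mismatched key the body de-obfuscates to bytes whose announced field lengths do not add up, which is why the failure is reported as a malformed packet rather than as a wrong password.

```python
"""TACACS+ body obfuscation (RFC 8907 section 4.5) and the receiver-side
consistency check that turns a shared-key mismatch into an "invalid packet".
Added example; all sample values below are constructed."""
import hashlib
import struct

# Header constants from RFC 8907.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT  # 0xC0


def pseudo_pad(session_id, key, version, seq_no, length):
    """Key stream per RFC 8907: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); the digests are
    concatenated and truncated to the body length."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same
    call de-obfuscates on the receiving side."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, priv_lvl=1):
    """Authentication START body: eight fixed bytes, then user, port,
    rem_addr and data at the lengths the fixed bytes announce."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d)])
    return fixed + u + p + r + d


def build_packet(session_id, seq_no, body):
    """The 12-byte header is sent in the clear (only the body is obfuscated):
    version, type, seq_no, flags, session_id, body length."""
    return struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                       session_id, len(body)) + body


def parse_authen_start(body):
    """Self-consistency check after de-obfuscation. Returns the parsed fields,
    or None when the announced lengths and enumerations do not fit the body.
    This check is the example's own (assumption); the thread does not say
    exactly what IOS validates before printing 'check keys'."""
    if len(body) < 8:
        return None
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    if action not in (1, 2, 4) or priv_lvl > 15 or not 1 <= authen_type <= 6:
        return None
    if 8 + ul + pl + rl + dl != len(body):
        return None
    try:
        user = body[8:8 + ul].decode("ascii")
        port = body[8 + ul:8 + ul + pl].decode("ascii")
        rem_addr = body[8 + ul + pl:8 + ul + pl + rl].decode("ascii")
    except UnicodeDecodeError:
        return None
    return {"action": action, "priv_lvl": priv_lvl, "service": service,
            "user": user, "port": port, "rem_addr": rem_addr}


def exchange(router_key, server_key, session_id=0x1A2B3C4D):
    """The AAA client (router) obfuscates a START with its key; the server
    de-obfuscates with whatever key it has configured for that client."""
    seq_no = 1
    body = build_authen_start("H1", "tty66", "172.26.0.2")  # constructed values
    wire_body = obfuscate(body, session_id, router_key, VERSION, seq_no)
    packet = build_packet(session_id, seq_no, wire_body)
    # Receiver: read the clear-text header, then de-obfuscate with its own key.
    hdr_version, _, hdr_seq, _, hdr_session, length = struct.unpack("!BBBBII", packet[:12])
    received = obfuscate(packet[12:12 + length], hdr_session, server_key, hdr_version, hdr_seq)
    return parse_authen_start(received)


if __name__ == "__main__":
    print("matching keys  :", exchange(b"shared-key-A", b"shared-key-A"))
    print("mismatched keys:", exchange(b"shared-key-A", b"shared-key-B"))
```

TACACS+ carries no integrity tag over the body, so a mismatched key can only be detected heuristically, which is also why the symptom looks like corruption rather than a clean "wrong key" error. A long, per-device shared key and an IPsec or TLS protected path between the AAA client and the server, as this lab already has between the two routers, are the usual mitigations.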

I am glad that you were able to get your issue resolved. Using debug is frequently a very good way to identify a problem and you chose a good set of debugs to run based on the symptoms that you were experiencing. You probably could also have identified the problem from the Failed Attempts report in ACS.

HTH

Rick
