Cannot login to router via ACS

markomit81
Level 1

I can ping my TACACS+ ACS server, but I cannot log in via SSH with ACS credentials using the current configuration on my Cisco C891FW-E-K9 (revision 1.0) running C800-UNIVERSALK9-M, Version 15.5(3)M5, RELEASE SOFTWARE (fc1):

 

router#ping 1xx.1xx.45.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1xx.1xx.45.12, timeout is 2 seconds:
!!!!!

aaa new-model
aaa group server tacacs+ default
 server name tacacs+
aaa authentication login acs-access group tacacs+ local
aaa authorization exec acs-access group tacacs+ if-authenticated
aaa authorization commands 15 acs-access group tacacs+ if-authenticated
aaa accounting commands 15 acs-access start-stop group tacacs+
!
aaa session-id common
ip tacacs source-interface FastEthernet0
ip access-list standard vty_access
 permit 1xx.1xx.0.0                  ! network where ACS is
 permit 192.168.0.0 0.0.0.255        ! network where my computer is
!
tacacs-server directed-request
tacacs server tacacs+
 address ipv4 1xx.1xx.45.12          ! IP address of TACACS+ server
 key 7 105A071C412A1C0C
 single-connection
!
line vty 0 3
 access-class vty_access in
 privilege level 15
 password 7 xxxxxxxxxx
 login authentication acs-access
 transport preferred none
 transport input ssh

I get an authentication failed message when entering ACS credentials, but I can log in with local credentials (the second method). It doesn't work with the vty_access ACL stripped off line vty 0 3 either.

It is working on many routers with the older style of TACACS command, tacacs-server host 1xx.1xx.45.13 key 7 ...
The setup on ACS is OK; I have replaced a working host. The TACACS key is OK.

 

This is the output from debug aaa authorization and debug aaa authentication:

AAA/BIND(00000418): Bind i/f
AAA/AUTHEN/LOGIN (00000418): Pick method list 'acs-access'
Queuing AAA Authentication request 1048 for processing
login timer started 1020 sec timeout
TPLUS: processing authentication start request id 1048
Authentication start packet created for 1048(marko)
Using server 1xx.1xx.45.12
Started 5 sec timeout
timed out
timed out, clean up
login timer stopped
Processing the reply packet
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: marko] [Source: 192.168.6.64] [localport: 22] [Reason: Login Authentication Failed] at 19:30:21 GMT+1 Tue May 7 2019

 

Thanks in advance. 
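Added example (not code from the thread, from the poster or from Cisco): a small Python diagnostic that reads the config excerpt and the debug output above and separates the two failure modes they can show. A request that prints "Started N sec timeout" followed by "timed out" never got an answer from the server at all, so the shared key and the credentials were never evaluated and the problem is the TCP/49 path (NAT, return route, filtering) or the server's client entry for the router's source address; a request that fails without a timeout means the server answered and rejected it, which points at the key or the server-side policy. It also cross-checks that every "server name" in the "aaa group server tacacs+" group resolves to a defined "tacacs server" block, an easy slip when moving from the old "tacacs-server host" syntax to the new one. The regexes are keyed to the exact strings the router printed in the question; the samples are constructed copies of the post's own text with the masked addresses kept as posted, and the "rejected" sample is a simplified constructed variant, not a real capture.

```python
import re

# Constructed copy of the config excerpt from the question (masked addresses kept as posted).
CONFIG_SNIPPET = """\
aaa new-model
aaa group server tacacs+ default
 server name tacacs+
aaa authentication login acs-access group tacacs+ local
ip tacacs source-interface FastEthernet0
tacacs server tacacs+
 address ipv4 1xx.1xx.45.12
 key 7 105A071C412A1C0C
"""

# Constructed copy of the 'debug aaa authentication' lines from the question.
DEBUG_TIMEOUT = """\
AAA/AUTHEN/LOGIN (00000418): Pick method list 'acs-access'
TPLUS: processing authentication start request id 1048
Authentication start packet created for 1048(marko)
Using server 1xx.1xx.45.12
Started 5 sec timeout
timed out
timed out, clean up
Processing the reply packet
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: marko] [Source: 192.168.6.64] [localport: 22] [Reason: Login Authentication Failed] at 19:30:21 GMT+1 Tue May 7 2019
"""

# Constructed, simplified variant (not a capture): the same request without the timeout
# lines, i.e. the server answered before the 5 s timer fired and still rejected the login.
DEBUG_REJECTED = "\n".join(l for l in DEBUG_TIMEOUT.splitlines()
                           if "timeout" not in l and "timed out" not in l)

DEBUG_PATTERNS = {                    # keyed to the exact strings the router printed above
    "method_list": re.compile(r"Pick method list '([^']+)'"),
    "request_id":  re.compile(r"authentication start request id (\d+)"),
    "user":        re.compile(r"start packet created for \d+\((\w+)\)"),
    "server":      re.compile(r"^Using server (\S+)"),
    "timeout_sec": re.compile(r"Started (\d+) sec timeout"),
    "source":      re.compile(r"LOGIN_FAILED:.*\[Source: ([^\]]+)\]"),
}

def parse_config(text):
    """Collect 'tacacs server' blocks, 'aaa group server tacacs+' members and the source interface."""
    servers, groups, source_if, current = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):                       # top-level command starts a new block
            current = None
            if m := re.match(r"tacacs server (\S+)$", line):
                current, servers[m.group(1)] = ("server", m.group(1)), {}
            elif m := re.match(r"aaa group server tacacs\+ (\S+)$", line):
                current, groups[m.group(1)] = ("group", m.group(1)), []
            elif m := re.match(r"ip tacacs source-interface (\S+)$", line):
                source_if = m.group(1)
        elif current and current[0] == "server":
            if m := re.match(r"address ipv4 (\S+)$", line):
                servers[current[1]]["address"] = m.group(1)
        elif current and current[0] == "group":
            if m := re.match(r"server name (\S+)$", line):
                groups[current[1]].append(m.group(1))
    return {"servers": servers, "groups": groups, "source_interface": source_if}

def parse_debug(text):
    """Pull the TACACS+ request lifecycle out of the debug output."""
    info = {key: None for key in DEBUG_PATTERNS}
    info.update(timed_out=False, login_failed=False)
    for line in text.splitlines():
        for key, pat in DEBUG_PATTERNS.items():
            m = pat.search(line)
            if m and info[key] is None:                   # keep the first occurrence
                info[key] = m.group(1)
        info["timed_out"] |= line.strip().startswith("timed out")
        info["login_failed"] |= "%SEC_LOGIN-4-LOGIN_FAILED" in line
    if info["timeout_sec"] is not None:
        info["timeout_sec"] = int(info["timeout_sec"])
    return info

def diagnose(config_text, debug_text):
    """Cross-check config against debug and say which side of the wire to look at."""
    cfg, dbg, findings = parse_config(config_text), parse_debug(debug_text), []
    for group, members in cfg["groups"].items():          # group members must be defined servers
        for name in members:
            if name not in cfg["servers"]:
                findings.append(f"group '{group}' references undefined tacacs server '{name}'")
    addresses = {s.get("address") for s in cfg["servers"].values()}
    if dbg["server"] and dbg["server"] not in addresses:
        findings.append(f"debug used {dbg['server']}, which is not a configured server address")
    if dbg["timed_out"]:                                  # no answer at all: key/credentials never evaluated
        verdict = "timeout"
        findings.append(f"no reply from {dbg['server']} within {dbg['timeout_sec']} s on TCP/49: check NAT, "
                        f"return route and filtering for {cfg['source_interface']}, and the server's client entry")
    elif dbg["login_failed"]:                             # the server answered: look at key and policy
        verdict = "rejected"
        findings.append("server answered and rejected the login: check the shared key and the user/policy")
    else:
        verdict = "ok"
    return {"verdict": verdict, "config": cfg, "debug": dbg, "findings": findings}
```

Run against the question's own debug, `diagnose(CONFIG_SNIPPET, DEBUG_TIMEOUT)` returns the verdict "timeout" with a single finding about the missing reply from 1xx.1xx.45.12 within 5 s, which is the same conclusion the accepted answer draws from the debug by eye; the config cross-checks pass because "server name tacacs+" matches the "tacacs server tacacs+" block.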

 

 

Accepted Solution

hslai
Cisco Employee

I see you are getting a timeout, so it seems to be some connectivity issue. Even though the ICMP ping is working, it could be asymmetric routing or something else. I would suggest mirroring the interface where the ACS is connected and performing a packet capture.
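Added example (not from the thread or from Cisco): a small Python TCP probe that makes the point of this answer testable before setting up a SPAN session. ICMP echo and a TCP/49 session can take different paths through NAT and return routing, so a server that answers ping may still never answer the router's TACACS+ SYN, which is exactly what "Started 5 sec timeout / timed out" in the debug looks like. Run from a management host, optionally bound to the same address the router sources from (the question's "ip tacacs source-interface FastEthernet0"), it reports open, refused, timeout or unreachable with timing. The `probe_tcp` and `local_listener` names are this example's own, and the loopback listener exists only so the function can be exercised offline.

```python
import errno
import socket
import time

TACACS_PORT = 49   # TACACS+ uses TCP/49; the router's "Started 5 sec timeout" is its per-server wait

def probe_tcp(host, port=TACACS_PORT, timeout=5.0, source_ip=None):
    """Attempt one TCP handshake to host:port and classify the result.

    state is one of open / refused / timeout / unreachable / error. 'open' means the
    SYN/SYN-ACK exchange completed, i.e. forward path, any NAT rule and the return route
    all work for this 5-tuple; 'timeout' means the SYN got no answer at all, which is what
    the router's debug showed and what a successful ping does not rule out.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    if source_ip:                               # e.g. the address of ip tacacs source-interface
        s.bind((source_ip, 0))
    started = time.monotonic()
    try:
        s.connect((host, port))
        state = "open"
    except socket.timeout:
        state = "timeout"                       # no SYN-ACK: filtered, NAT'd away or asymmetric return
    except ConnectionRefusedError:
        state = "refused"                       # host reachable, nothing listening on the port
    except OSError as e:
        state = "unreachable" if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH) else "error"
    finally:
        s.close()
    return {"host": host, "port": port, "state": state,
            "elapsed_s": round(time.monotonic() - started, 3)}

def local_listener():
    """Open a loopback listener on an ephemeral port so the probe can be exercised offline.
    Returns (socket, port); closing the socket turns 'open' into 'refused'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    srv, port = local_listener()
    print(probe_tcp("127.0.0.1", port))         # constructed stand-in for the ACS: open
    srv.close()
    print(probe_tcp("127.0.0.1", port))         # now refused: path fine, nothing listening
```

Against a real server the interesting result is "timeout" from the router's source address while "open" from another address: that combination says the server and the port are fine and the translation or return route for that one source is not, which is where the packet capture on the ACS side will show the SYN arriving (or not) and the SYN-ACK going to the wrong place.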


OK. I will try to check on our firewall whether it is properly NATed and reply. Thank you.