05-07-2019 10:39 AM
I can ping my TACACS+ ACS server, but with the current configuration I cannot log in via SSH with ACS credentials on my Cisco C891FW-E-K9 (revision 1.0) running C800-UNIVERSALK9-M, Version 15.5(3)M5, RELEASE SOFTWARE (fc1):
router#ping 1xx.1xx.45.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1xx.1xx.45.12, timeout is 2 seconds:
!!!!!
aaa new-model
aaa group server tacacs+ default
 server name tacacs+
aaa authentication login acs-access group tacacs+ local
aaa authorization exec acs-access group tacacs+ if-authenticated
aaa authorization commands 15 acs-access group tacacs+ if-authenticated
aaa accounting commands 15 acs-access start-stop group tacacs+
aaa session-id common
!
! TACACS+ requests are sourced from this interface
ip tacacs source-interface FastEthernet0
!
ip access-list standard vty_access
 ! network where ACS is
 permit 1xx.1xx.0.0
 ! network where my computer is
 permit 192.168.0.0 0.0.0.255
!
tacacs-server directed-request
tacacs server tacacs+
 ! IP address of TACACS+ server
 address ipv4 1xx.1xx.45.12
 key 7 105A071C412A1C0C
 single-connection
!
line vty 0 3
 access-class vty_access in
 privilege level 15
 password 7 xxxxxxxxxx
 login authentication acs-access
 transport preferred none
 transport input ssh
I get an "authentication failed" message when entering ACS credentials, but I can log in with local credentials (the second method). It also doesn't work with the ACL vty_access removed from line vty 0 3.
It works on many routers with the older-style TACACS command tacacs-server host 1xx.1xx.45.13 key 7 ...
The setup on ACS is OK; I have replaced a working host. The TACACS key is OK.
This is the output from debug aaa authorization and debug aaa authentication:
AAA/BIND(00000418): Bind i/f
AAA/AUTHEN/LOGIN (00000418): Pick method list 'acs-access'
Queuing AAA Authentication request 1048 for processing
login timer started 1020 sec timeout
TPLUS: processing authentication start request id 1048
Authentication start packet created for 1048(marko)
Using server 1xx.1xx.45.12
Started 5 sec timeout
timed out
timed out, clean up
login timer stopped
Processing the reply packet
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: marko] [Source: 192.168.6.64] [localport: 22] [Reason: Login Authentication Failed] at 19:30:21 GMT+1 Tue May 7 2019
Thanks in advance.
05-11-2019 04:28 PM
I see you are getting a timeout, so it seems to be a connectivity issue. Even though ICMP ping is working, it could be asymmetric routing or something else. I would suggest mirroring the interface where the ACS is connected and performing a packet capture.
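The capture advice above is easier to act on with a decoder for what actually crosses TCP port 49. The following is an added example, not code from the thread, from Cisco or from the ACS product: it builds a TACACS+ authentication START packet the way the router sends it (the RFC 8907 header plus the chained-MD5 pseudo-pad body obfuscation), then decodes a captured packet with a candidate key and checks that the plaintext is a well-formed START. A "timed out" in the debug means no REPLY arrived within the 5 second timer, so a capture on the ACS side first shows whether the START arrives at all (the router sources it from FastEthernet0 under ip tacacs source-interface, while the ping in the question was not sourced from that interface); if a REPLY is present, the decoder confirms whether both sides are using the same key. The key, session id and port name below are constructed; the username and source address are taken from the debug output in the question.

```python
import hashlib
import struct

# Constructed sample values (not from the thread); any key and session id work.
KEY = b"SharedSecret1"
SESSION_ID = 0x0000A0B1

VERSION = 0xC0             # major version 0xc, minor version 0
TYPE_AUTHEN = 0x01         # TAC_PLUS_AUTHEN
FLAG_UNENCRYPTED = 0x01    # body sent in the clear (never on a production box)
ACTION_LOGIN = 0x01
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: chained MD5 over session_id | key | version | seq_no [| prev]."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad; the same call both obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(key, session_id, user, port, rem_addr, priv_lvl=1, seq_no=1):
    """Authentication START as the router sends it for an ASCII login."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(user_b), len(port_b), len(rem_b), 0)
    body += user_b + port_b + rem_b
    header = HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_header(packet):
    """The 12-byte header is never obfuscated, so it parses with or without the key."""
    if len(packet) < HEADER.size:
        return None
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def decode_authen_start(key, packet):
    """Decode a START with `key`; return None if the plaintext is not well formed.

    With the wrong key the de-obfuscated bytes are effectively random, so the
    four length fields almost never add up to the body length and the
    action / authen_type values fall outside their defined ranges.
    """
    h = parse_header(packet)
    if h is None or h["type"] != TYPE_AUTHEN:
        return None
    body = packet[HEADER.size:HEADER.size + h["length"]]
    if len(body) != h["length"] or len(body) < 8:
        return None
    if not h["flags"] & FLAG_UNENCRYPTED:
        body = obfuscate(body, h["session_id"], key, h["version"], h["seq_no"])
    action, priv, atype, svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        return None
    if action not in (1, 2, 4) or not 1 <= atype <= 6 or priv > 15:
        return None
    off, fields = 8, {}
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl)):
        fields[name] = body[off:off + n].decode("ascii", "replace")
        off += n
    fields["data"] = body[off:off + dl]
    fields.update(action=action, priv_lvl=priv, authen_type=atype, service=svc,
                  session_id=h["session_id"], seq_no=h["seq_no"])
    return fields


def key_matches(key, packet):
    """True when `key` turns the captured START into a well-formed plaintext."""
    return decode_authen_start(key, packet) is not None


if __name__ == "__main__":
    pkt = build_authen_start(KEY, SESSION_ID, "marko", "tty2", "192.168.6.64")
    print(parse_header(pkt))
    print("right key :", decode_authen_start(KEY, pkt))
    print("wrong key :", decode_authen_start(b"WrongKey", pkt))
```

To run this against a real capture, extract the TCP payload of the port-49 segment (for example with tshark -r cap.pcap -Y "tcp.port==49" -T fields -e tcp.payload, stripping any colons from the hex), pass bytes.fromhex(payload) together with the router's plaintext key to decode_authen_start, and read the result: a dict means the key matches and shows the user, port and rem_addr the router sent; None means the key does not match or the packet is truncated. If the capture shows the START leaving the router but nothing from the server, the key is irrelevant and the problem is the path for TCP 49 in one direction or the other, which is exactly what an ICMP ping cannot prove.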
05-12-2019 10:20 AM
OK. I will check on our firewall whether it is properly NATed and reply. Thank you.