Cisco ACS + TACACS is not working for ASR1001

mothukuri
Level 1

Hi Experts,

I am new to Cisco ACS. TACACS is configured on the ASR routers and we have the necessary config done on Cisco ACS.

I would like to check which command shows which ports are open, and also the reason for authentication failures on the ASR1001.

When I tried to telnet to the ACS IP on port 49, the connection was refused. Does it mean services are not running on Cisco ACS?

ACS is at version 5.8.0.

telnet 10.41.29.20 49
Trying 10.41.29.20...
Connected to 10.41.29.20.
Escape character is '^]'.
Connection closed by foreign host.

9 Replies

You need to add the below:

line vty 0 4
 login
 password < >
 transport input telnet
!
username <> password <>
!
enable password <>  <<<<<<- this is mandatory, please don't forget this password

Then try to access it.

We have the below config on the ASR1001 and it is not accessible using TACACS credentials.

I would like to know the command to check which ports are open on Cisco ACS other than "show ports", and also why we are getting "Connection closed by foreign host" when I tried telnet 10.41.29.20 49 from one of the switches in the same subnet range.

aaa group server tacacs+ TACACS
 server name ACS1
 server name ACS2
 server name ACS3
 ip vrf forwarding Mgmt-intf
 ip tacacs source-interface GigabitEthernet0
!
aaa authentication login default group TACACS local
aaa authentication login VTYAUTHENT group TACACS local
aaa authentication login CONAUTHENT group TACACS local
aaa authentication login console local
aaa authentication enable default group TACACS enable
aaa authorization console
aaa authorization exec default if-authenticated
aaa authorization exec VTYAUTHOR group TACACS local
aaa authorization exec CONAUTHOR group TACACS local
aaa authorization commands 15 default group TACACS local
aaa accounting exec default stop-only group TACACS
aaa accounting commands 15 default stop-only group TACACS

tacacs-server directed-request
tacacs server ACS1
 address ipv4 10.41.29.20
 key XXXXXXXXXXXX
 timeout 2
tacacs server ACS2
 address ipv4 10.31.47.46
 key XXXXXXXXXXX

line con 0
 authorization exec VTYAUTHOR
 stopbits 1

line vty 0 4
 exec-timeout 30 0
 authorization exec VTYAUTHOR
 logging synchronous
 login authentication VTYAUTHENT
 transport preferred ssh
 transport input ssh


The transport is ssh and you try telnet, so you need to make the vty accept both:
transport input ssh telnet <<- only this is needed

MHM


I am checking whether port 49 is open on the Cisco ACS end using telnet 10.41.29.20 49; it is not for logging into Cisco ACS. Hope you got my point.

On Windows/Linux we usually check open ports using telnet <server ip> <port number>, right?

Is there any way to check that port 49 is running on Cisco ACS from the CLI?
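One way to answer the question above from a host that can reach the ACS, as an added example that is not part of the original thread and not a Cisco tool: the script below opens TCP/49 and, instead of stopping at the handshake the way telnet does, sends a well-formed TACACS+ authentication START (RFC 8907) with its body obfuscated under the shared key, then classifies what comes back. In the transcript at the top of the thread, "Connected to 10.41.29.20" followed by "Connection closed by foreign host" means the three-way handshake completed, so something is listening on port 49; what telnet cannot tell you is whether that listener is a TACACS+ daemon that will answer a real request. The shared key, the user/port/rem_addr strings and the fake server are assumptions made for the example; also note that ACS only serves requests from addresses it has defined as network devices, so a probe from an undefined host can be dropped even when the port is open.

```python
"""TACACS+ (TCP/49) probe that sends a real authentication START, plus a
constructed fake server used to exercise it.  Added example, not code from the
thread or from Cisco; packet format per RFC 8907, the fake server is not ACS."""
import hashlib, os, socket, struct, threading

HDR = struct.Struct("!BBBBII")      # version, type, seq_no, flags, session_id, length
VERSION = 0xC0                      # major 12, minor 0 (ASCII login)
TAC_PLUS_AUTHEN = 1                 # packet type: authentication
TAC_PLUS_AUTHEN_STATUS_GETPASS = 5  # REPLY status: server asks for the password


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5 keystream: chained MD5 over session_id | key | version | seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR body with the pseudo-pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start(user, port, rem_addr, key, session_id=None):
    """ASCII-login authentication START (RFC 8907 s5.1), seq_no 1, obfuscated body."""
    if session_id is None:
        session_id = struct.unpack("!I", os.urandom(4))[0]
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    # action=LOGIN(1) priv_lvl=1 authen_type=ASCII(1) service=LOGIN(1) + four field lengths
    body = struct.pack("!8B", 1, 1, 1, 1, len(u), len(p), len(r), 0) + u + p + r
    header = HDR.pack(VERSION, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, 1)


def parse_header(pkt):
    """Return the six header fields of a TACACS+ packet as a dict."""
    names = ("version", "type", "seq_no", "flags", "session_id", "length")
    return dict(zip(names, HDR.unpack(pkt[:HDR.size])))


def probe(host, port, key, timeout=3.0):
    """Classify the listener: refused (RST on SYN), timeout (silently dropped),
    closed_by_peer (TCP accepted, then closed with no TACACS+ reply, as in the
    thread's telnet test), tacacs_reply (a daemon answered with a REPLY)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "unreachable"
    with sock:
        try:
            sock.sendall(authen_start("probe", "tty0", "10.0.0.1", key))
            data = sock.recv(HDR.size)
        except (ConnectionResetError, BrokenPipeError):
            return "closed_by_peer"
        except (socket.timeout, TimeoutError):
            return "no_reply"
    if not data:
        return "closed_by_peer"
    if len(data) == HDR.size and parse_header(data)["type"] == TAC_PLUS_AUTHEN:
        return "tacacs_reply"
    return "other"


def fake_tacacs_server(key, strict=True):
    """Constructed test double (not ACS); returns its port.  strict=True answers a
    well-formed START with a GETPASS REPLY and drops anything else; strict=False
    accepts the connection and closes it immediately."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            hdr = conn.recv(HDR.size) if strict else b""
            if len(hdr) != HDR.size:
                return
            h = parse_header(hdr)
            if h["version"] != VERSION or h["type"] != TAC_PLUS_AUTHEN:
                return
            conn.recv(h["length"])  # consume the obfuscated START body
            body = struct.pack("!BBHH", TAC_PLUS_AUTHEN_STATUS_GETPASS, 0, 0, 0)
            hdr = HDR.pack(VERSION, TAC_PLUS_AUTHEN, 2, 0, h["session_id"], len(body))
            conn.sendall(hdr + obfuscate(body, h["session_id"], key, VERSION, 2))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    key = b"example-key"  # hypothetical shared key; a real run would target 10.41.29.20:49
    print("daemon answers   :", probe("127.0.0.1", fake_tacacs_server(key), key))
    print("accept then close:", probe("127.0.0.1", fake_tacacs_server(key, False), key))
```

Run as-is it only talks to the two local doubles; point probe() at 10.41.29.20 port 49 with the key from "tacacs server ACS1" to test the real server, from a source address the ACS knows. On the ASR itself the equivalent checks are show tacacs, which counts socket opens, closes, timeouts and failed connect attempts per server, and test aaa group TACACS <user> <password> legacy, which drives a real authentication through the group without touching a vty; debug tacacs then shows the packet exchange.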

Do you want to access the ASR or check if the port is open? Your post is about how to access the ASR, not about checking whether the port is open or not.
MHM

The main problem is that the console credentials are not working to change the config on the ASR1001. We are working on the TACACS issue and noticed that the credentials are not working while logging into the ASR1001. The firewall team has confirmed that the policy is open on the firewall and there are no issues from their end. They have asked me to check whether port 49 is working and also whether the required services are running on Cisco ACS. I need guidance from Cisco ACS experts to isolate the problem from the Cisco ACS end before pinging the firewall team again.

mothukuri
Level 1

The firewall engineer had tried to check the connection to Cisco ACS on port 49 from the firewall itself, but it gets closed immediately.

You configured the ASR to accept only ssh and you use telnet, so of course the ASR closes the connection.

Also, neither ssh nor telnet uses port 49!!

MHM

This lab is for you.
There are many log error messages that can appear;
I list the three common ones:
1- there is an ACL dropping the connection; you see destination unreachable, meaning there is an ACL or FW dropping the TCP connection
2- you can access the device but the password is wrong; here, if the device asks for a password then you can access the device but the password or ISE (AAA) is wrong or missing
3- closed by foreign host; this is when you don't configure the device for telnet

[Attachments: Screenshot (757).png, Screenshot (758).png]