CiscoSecure ACS@solaris 7- Authentication prob with GSR12000

bookman
Level 1

Dear all,

I am trying to set aaa on a GSR12000.

CiscoSecure is running on Solaris 7.

My problem is that I get an error message during the initial authentication process, and in the end I can only log in with the local db of the router.

Following is the error msg:

-----------------------------------------------------

send AUTHEN/START packet ver=192 id=3340634353

Feb 23 19:44:58.945: TAC+: Using default tacacs server list.

Feb 23 19:44:58.945: TAC+: Opening TCP/IP to xxx.xxx.xxx.xxx/49 timeout=5

Feb 23 19:44:58.945: TAC+: Opened TCP/IP handle 0x53CD9720 to xxx.xxx.xxx.xxx/49 using source xxx.xxx.xxx.xxx

Feb 23 19:44:58.945: TAC+: xxx.xxx.xxx.xxx (3340634353) AUTHEN/START/LOGIN/ASCII queued

Feb 23 19:44:59.145: TAC+: (3340634353) AUTHEN/START/LOGIN/ASCII processed

Feb 23 19:44:59.145: TAC+: received bad AUTHEN packet: length = 6, expected 51257

Feb 23 19:44:59.145: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).

Feb 23 19:44:59.145: TAC+: Closing TCP/IP 0x53CD9720 connection to xxx.xxx.xxx.xxx/49

-----------------------------------------------------

I can understand that the msg is saying something about the key that is being exchanged between the NAS (GSR12000) and the AAA server, but I have double checked it and it's correct.

Any ideas?

Kind regards,

Kostas
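An added illustration of why a shared-key mismatch shows up as "received bad AUTHEN packet: length = 6, expected 51257" rather than as an explicit key error (example code written for this page, not from the thread, from Cisco IOS or from CiscoSecure). It models the TACACS+ body obfuscation from RFC 8907 section 4.5 (MD5-chained pad XORed over the body) and the NAS-side consistency check on an AUTHEN REPLY: the header's length field must equal 6 plus the two length fields inside the de-obfuscated body. Assumptions: the session id is the one in the debug output above, the two keys are made up, the function names (pseudo_pad, obfuscate, check_authen_reply, simulate) are mine, and the server's behaviour on a mismatch (an empty ERROR reply) is a plausible model, not a statement of what CSUnix actually sends.

```python
"""TACACS+ key-mismatch demonstration (added example, not from the thread)."""
import hashlib
import struct

# Constants from RFC 8907. The version byte 0xC0 is what the NAS printed as
# "ver=192" in the debug output above.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
TAC_PLUS_AUTHEN = 0x01                 # packet type: authentication
TAC_PLUS_AUTHEN_STATUS_ERROR = 0x07    # REPLY status used when the server gives up
HEADER_LEN = 12                        # version, type, seq_no, flags, session_id, length
REPLY_FIXED_LEN = 6                    # status, flags, server_msg_len(2), data_len(2)

# Constructed sample values: the session id is the one from the debug output
# above; the two keys are made up and deliberately different.
SAMPLE_SESSION_ID = 3340634353
SERVER_KEY = b"key-configured-on-csunix"
NAS_KEY = b"key-configured-on-gsr"


def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int,
               version: int = TAC_PLUS_VERSION) -> bytes:
    """RFC 8907 section 4.5 pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and
    truncated to the body length. session_id is 4 bytes network order."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int,
              version: int = TAC_PLUS_VERSION) -> bytes:
    """XOR the body with the pad. XOR is its own inverse, so the sender and the
    receiver call the same function; only the key they hold differs."""
    pad = pseudo_pad(session_id, key, seq_no, len(body), version)
    return bytes(b ^ p for b, p in zip(body, pad))


def build_header(seq_no: int, session_id: int, body_len: int, flags: int = 0) -> bytes:
    """12-byte TACACS+ header; flags=0 means the body is obfuscated."""
    return struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN,
                       seq_no, flags, session_id, body_len)


def build_authen_reply(status: int, server_msg: bytes = b"", data: bytes = b"") -> bytes:
    """AUTHEN REPLY body: status(1) flags(1) server_msg_len(2) data_len(2) + payloads."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def check_authen_reply(header: bytes, clear_body: bytes):
    """The NAS-side sanity check behind 'bad AUTHEN packet: length = N, expected M'.
    The header length must equal 6 + server_msg_len + data_len taken from the
    de-obfuscated body. With the wrong key those two length fields are
    pseudo-random bytes, so 'expected' becomes a nonsense value such as 51257."""
    header_len = struct.unpack("!I", header[8:12])[0]
    _status, _flags, msg_len, data_len = struct.unpack("!BBHH", clear_body[:REPLY_FIXED_LEN])
    expected = REPLY_FIXED_LEN + msg_len + data_len
    return header_len == expected, header_len, expected


def simulate(server_key: bytes, nas_key: bytes, session_id: int = SAMPLE_SESSION_ID):
    """Server sends an empty ERROR reply (seq_no 2, the reply to the NAS's START)
    under server_key; the NAS de-obfuscates with nas_key and runs the check.
    Returns (lengths_consistent, header_len, expected_len)."""
    body = build_authen_reply(TAC_PLUS_AUTHEN_STATUS_ERROR)
    header = build_header(seq_no=2, session_id=session_id, body_len=len(body))
    wire = header + obfuscate(body, session_id, server_key, 2)
    clear = obfuscate(wire[HEADER_LEN:], session_id, nas_key, 2)
    return check_authen_reply(wire[:HEADER_LEN], clear)


if __name__ == "__main__":
    for label, nas_key in (("matching key", SERVER_KEY), ("mismatched key", NAS_KEY)):
        ok, hdr_len, expected = simulate(SERVER_KEY, nas_key)
        verdict = "ok" if ok else "bad AUTHEN packet (check keys)"
        print(f"{label}: length = {hdr_len}, expected {expected} -> {verdict}")
```

Running it prints a consistent "length = 6, expected 6" for the matching key and a nonsense "expected" value for the mismatched one, which is the same symptom the GSR logged. The practical reading is that the NAS never learns that the key is wrong; it only sees that the lengths inside the body no longer agree with the header, which is why the debug hint says "check keys" and why Jeff's advice below to compare both sides' logs is the right next step.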

4 Replies

jekrauss
Level 1

1) I'd triple check it.

2) Change the key to something completely different on both ends. In CSUnix, when you enter the password for the NAS, go back in and make sure that you can see it after you re-initialize the server. Remember, after you change the password, you have to re-initialize the server.

3) Make sure that you are using either a default NAS setting (i.e. for all NAS'es) or specify the NAS. If your secret key on your NAS does not match the secret key for your default NAS in CSUnix, then make sure that in your NAS you are using the ip tacacs source-interface command to ensure that the ip address in the TACACS packet matches the ip address you told CSUnix to expect for that NAS.

HTH

Jeff

Already done these things,

but nothing yet...

:-(

thnx anywayz

:-)

Kostas

Then configure logging on CSUnix so you can see both sides of the conversation.

If we wish to have debugging information go to /var/log/csuslog, we need to have a line in the top section of CSU.cfg which tells the server how much debugging to do - 0x7FFFFFFF adds all possible debugging (add or modify this line accordingly):

NUMBER config_logging_configuration = 0x7FFFFFFF;

The following additional line sends the debugging information to local0:

NUMBER config_system_logging_level = 0x80;

Also, modify the /etc/syslog.conf file, by adding the entry:

local0.debug /var/log/csuslog

Then recycle the syslogd to re-read:

kill -HUP `cat /etc/syslog.pid`

Recycle the CiscoSecure server by:

/etc/rc0.d/K80CiscoSecure

/etc/rc2.d/S80CiscoSecure

Then do a tail -f on csuslog while you are also collecting debugs on the NAS. Then compare them.

If you are changing the secret key through a browser on a Unix host, try changing it from a browser on a Windows machine. Also, just try another browser - although it may look like the correct key is being added, and can be viewed through the GUI, sometimes java can be interesting :)

Jeff

Good morning Jeff [yes, here in Greece it is morning now :-)],

tnx for the tips, I'll try the logging in CSUnix although I know little about Unix, but I'll give it a try.

Something else that I have noticed is that I can't go to the advanced mode in CS if I am not on the UNIX machine. I am able to log on remotely from a workstation (W2K) as superuser by going to http://my_server/cs, but when I click on ADVANCED I get a security error. All other options work fine (AAA, NAS, etc).

Regards,

Kostas