02-26-2003 03:55 PM - edited 03-10-2019 07:10 AM
I am trying to set up login authentication on my Cisco routers to use SecurID tokens. When I try to log into the router it uses the line password in the authentication list I specified instead of using the TACACS+/SecurID method specified in the list. Here is the config:
aaa new-model
aaa authentication login default group tacacs+ line enable
aaa authentication login securid group tacacs+ line
aaa authentication login securid2 group tacacs+ line
tacacs-server host 172.16.0.8
tacacs-server timeout 120
tacacs-server key abc123
line vty 0 4
password 7 021216520A010A
login authentication securid
When I run a debug it shows this:
01:48:39: AAA/MEMORY: free_user (0x6227C4D4) user='NULL' ruser='NULL' port='tty226' rem_addr='172.16.0.12' authen_type=ASCII service=LOGIN priv=1
01:48:41: AAA: parse name=tty226 idb type=-1 tty=-1
01:48:41: AAA: name=tty226 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=226 channel=0
01:48:41: AAA/MEMORY: create_user (0x61F02298) user='NULL' ruser='NULL' ds0=0 port='tty226' rem_addr='172.16.0.12' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
01:48:41: AAA/AUTHEN/START (2749438961): port='tty226' list='securid' action=LOGIN service=LOGIN
01:48:41: AAA/AUTHEN/START (2749438961): found list securid
01:48:41: AAA/AUTHEN/START (2749438961): Method=tacacs+ (tacacs+)
01:48:41: TAC+: send AUTHEN/START packet ver=192 id=2749438961
01:48:41: AAA/AUTHEN (2749438961): status = ERROR
01:48:41: AAA/AUTHEN/START (2749438961): Method=LINE
01:48:41: AAA/AUTHEN (2749438961): status = GETPASS
01:48:43: AAA/AUTHEN/CONT (2749438961): continue_login (user='(undef)')
01:48:43: AAA/AUTHEN (2749438961): status = GETPASS
01:48:43: AAA/AUTHEN/CONT (2749438961): Method=LINE
01:48:43: AAA/AUTHEN (2749438961): status = PASS
01:48:45: AAA/MEMORY: dup_user (0x6227D3F0) user='NULL' ruser='NULL' port='tty226' rem_addr='172.16.0.12' authen_type=ASCII service=ENABLE priv=15 source='AAA dup enable'
01:48:45: AAA/AUTHEN/START (3226961835): port='tty226' list='' action=LOGIN service=ENABLE
01:48:45: AAA/AUTHEN/START (3226961835): non-console enable - default to enable password
01:48:45: AAA/AUTHEN/START (3226961835): Method=ENABLE
01:48:45: AAA/AUTHEN (3226961835): status = GETPASS
01:48:47: AAA/AUTHEN/CONT (3226961835): continue_login (user='(undef)')
01:48:47: AAA/AUTHEN (3226961835): status = GETPASS
01:48:47: AAA/AUTHEN/CONT (3226961835): Method=ENABLE
01:48:47: AAA/AUTHEN (3226961835): status = PASS
01:48:47: AAA/MEMORY: free_user (0x6227D3F0) user='NULL' ruser='NULL' port='tty226' rem_addr='172.16.0.12' authen_type=ASCII service=ENABLE priv=15
Notice the lines:
01:48:41: AAA/AUTHEN/START (2749438961): port='tty226' list='securid' action=LOGIN service=LOGIN
01:48:41: AAA/AUTHEN/START (2749438961): found list securid
01:48:41: AAA/AUTHEN/START (2749438961): Method=tacacs+ (tacacs+)
01:48:41: TAC+: send AUTHEN/START packet ver=192 id=2749438961
01:48:41: AAA/AUTHEN (2749438961): status = ERROR
Does anyone know what this "status=ERROR" error might indicate? What am I missing here, and how can I fix it? Any help would be great. I am running ACE Server 4.1 using FOB tokens.
02-26-2003 09:01 PM
ERROR means the tacacs server is not responding to the router, or there is a communication issue between the router and the tacacs server. So the next method, "line", for the securid list was tried. So:
Can you ping the tacacs server from the router?
Is the tacacs server configured correctly?
Try running "debug tacacs" to see what exactly happened there.
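The fallback described above (tacacs+ returns ERROR, so the next method in the list is tried) is easy to miss in a long debug. The following parser, added here as an example and not part of the original thread, reads "debug aaa authentication" output in the format shown in the first post and reports sessions that authenticated through a fallback method; the sample lines are a constructed, trimmed copy of that post's debug.

```python
import re
from collections import OrderedDict

# Constructed sample: trimmed copy of the debug lines from the first post.
SAMPLE_DEBUG = """\
01:48:41: AAA/AUTHEN/START (2749438961): port='tty226' list='securid' action=LOGIN service=LOGIN
01:48:41: AAA/AUTHEN/START (2749438961): found list securid
01:48:41: AAA/AUTHEN/START (2749438961): Method=tacacs+ (tacacs+)
01:48:41: TAC+: send AUTHEN/START packet ver=192 id=2749438961
01:48:41: AAA/AUTHEN (2749438961): status = ERROR
01:48:41: AAA/AUTHEN/START (2749438961): Method=LINE
01:48:41: AAA/AUTHEN (2749438961): status = GETPASS
01:48:43: AAA/AUTHEN/CONT (2749438961): continue_login (user='(undef)')
01:48:43: AAA/AUTHEN/CONT (2749438961): Method=LINE
01:48:43: AAA/AUTHEN (2749438961): status = PASS
01:48:45: AAA/AUTHEN/START (3226961835): port='tty226' list='' action=LOGIN service=ENABLE
01:48:45: AAA/AUTHEN/START (3226961835): Method=ENABLE
01:48:47: AAA/AUTHEN (3226961835): status = PASS
"""

# One regex per line type we care about; session id ties the lines together.
LIST_RE = re.compile(r"AAA/AUTHEN/START \((\d+)\): .*list='([^']*)'.*service=(\w+)")
METHOD_RE = re.compile(r"AAA/AUTHEN/(?:START|CONT) \((\d+)\): Method=(\S+)")
STATUS_RE = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")

def _new():
    return {"list": "", "service": "", "events": []}

def parse_sessions(debug_text):
    """Map session id -> list name, service and the (method, status) history."""
    sessions, current_method = OrderedDict(), {}
    for line in debug_text.splitlines():
        m = LIST_RE.search(line)
        if m:
            sid, lst, svc = m.groups()
            sessions.setdefault(sid, _new()).update(list=lst, service=svc)
            continue
        m = METHOD_RE.search(line)
        if m:
            sid, method = m.groups()
            sessions.setdefault(sid, _new())
            current_method[sid] = method   # status lines that follow belong to it
            continue
        m = STATUS_RE.search(line)
        if m:
            sid, status = m.groups()
            sessions.setdefault(sid, _new())["events"].append(
                (current_method.get(sid, "?"), status))
    return sessions

def fallbacks(sessions):
    """Sessions where a method returned ERROR and a different method then PASSed."""
    out = []
    for sid, s in sessions.items():
        errored = [m for m, st in s["events"] if st == "ERROR"]
        passed = [m for m, st in s["events"] if st == "PASS"]
        if errored and passed and passed[-1] not in errored:
            out.append((sid, s["list"], errored[0], passed[-1]))
    return out
```

Run against the sample, it reports session 2749438961 on list "securid" falling back from tacacs+ to LINE, which is exactly the behaviour the first post complains about.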
02-27-2003 07:08 AM
I can ping the TACACS server from the ACE server. Both the router and the server are on the same subnet, connected by a Catalyst 2924XL switch. If I were going to set up SecurID authentication, would this config on the router work? Just want a second set of eyes to see if there is anything I have missed. I will run the TACACS debug to see what's going on and paste the output here. Any information you have on setting up SecurID authentication on Ciscos would be great as well. Thanks.
02-27-2003 03:59 PM
Router config will be the same. You just need to configure the ACS tacacs server to talk to the ACE server so that all the authentication requests coming in from the router will be forwarded to the ACE server via the ACS tacacs server.
From the router's perspective, it is talking to tacacs.
Here are good links for the ACS config to talk to the ACE server for login access etc.:
http://www.cisco.com/warp/public/480/csntsdi.html
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23ug/9_token.htm
02-27-2003 05:39 PM
So is there no way to have the router talk directly to the ACE Server? Thanks for your help with this. The link is great!!
02-27-2003 06:19 PM
So I ran TACACS debug and tried to log into one of the VTY lines. Here is the output from the debug:
1d04h: TAC+: send AUTHEN/START packet ver=192 id=1656593371
1d04h: TAC+: Using default tacacs server-group "tacacs+" list.
1d04h: TAC+: Opening TCP/IP to 172.16.0.8/49 timeout=120
1d04h: TAC+: TCP/IP open to 172.16.0.8/49 failed -- Connection refused by remote host
Looks like the ACE server is flat refusing the connection. I am using ACE Server 4.1. Is there no TACACS+ protocol support in this version? We used to do this a long time ago with what I thought was just the ACE Server. Is there another TACACS+ server I need to add to the already running ACE Server? I thought there was a way to do this with just the ACE Server setup. Thanks again for your help.
02-27-2003 09:22 PM
My bet... I thought you had a Cisco Secure ACS server and ACE.
YES, you can connect a SecurID ACE server directly to a router, as it supports TACACS too. So the router and ACE server will talk TACACS. But looking at the debug, the TCP connection from the router to the ACE server failed, so it may not have tacacs support.
The latest SDI ACE server (ver 5.x) supports the TACACS protocol. Not sure about 4.1. You can visit their website for more.