3161 Views, 0 Helpful, 6 Replies

Configuring Cisco Login Authentication to use RSA/ACE Server SecurID Tokens

rfranzke (Level 1)

I am trying to set up login authentication on my Cisco routers to use SecurID tokens. When I try to log in to the router it uses the line password in the authentication list I specified instead of using the TACACS+/SecurID method specified in the list. Here is the config:

    aaa new-model
    aaa authentication login default group tacacs+ line enable
    aaa authentication login securid group tacacs+ line
    aaa authentication login securid2 group tacacs+ line
    tacacs-server host 172.16.0.8
    tacacs-server timeout 120
    tacacs-server key abc123
    line vty 0 4
     password 7 021216520A010A
     login authentication securid

When I run a debug it shows this:

    01:48:39: AAA/MEMORY: free_user (0x6227C4D4) user='NULL' ruser='NULL' port='tty226' rem_addr='172.16.0.12' authen_type=ASCII service=LOGIN priv=1
    01:48:41: AAA: parse name=tty226 idb type=-1 tty=-1
    01:48:41: AAA: name=tty226 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=226 channel=0
    01:48:41: AAA/MEMORY: create_user (0x61F02298) user='NULL' ruser='NULL' ds0=0 port='tty226' rem_addr='172.16.0.12' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
    01:48:41: AAA/AUTHEN/START (2749438961): port='tty226' list='securid' action=LOGIN service=LOGIN
    01:48:41: AAA/AUTHEN/START (2749438961): found list securid
    01:48:41: AAA/AUTHEN/START (2749438961): Method=tacacs+ (tacacs+)
    01:48:41: TAC+: send AUTHEN/START packet ver=192 id=2749438961
    01:48:41: AAA/AUTHEN (2749438961): status = ERROR
    01:48:41: AAA/AUTHEN/START (2749438961): Method=LINE
    01:48:41: AAA/AUTHEN (2749438961): status = GETPASS
    01:48:43: AAA/AUTHEN/CONT (2749438961): continue_login (user='(undef)')
    01:48:43: AAA/AUTHEN (2749438961): status = GETPASS
    01:48:43: AAA/AUTHEN/CONT (2749438961): Method=LINE
    01:48:43: AAA/AUTHEN (2749438961): status = PASS
    01:48:45: AAA/MEMORY: dup_user (0x6227D3F0) user='NULL' ruser='NULL' port='tty226' rem_addr='172.16.0.12' authen_type=ASCII service=ENABLE priv=15 source='AAA dup enable'
    01:48:45: AAA/AUTHEN/START (3226961835): port='tty226' list='' action=LOGIN service=ENABLE
    01:48:45: AAA/AUTHEN/START (3226961835): non-console enable - default to enable password
    01:48:45: AAA/AUTHEN/START (3226961835): Method=ENABLE
    01:48:45: AAA/AUTHEN (3226961835): status = GETPASS
    01:48:47: AAA/AUTHEN/CONT (3226961835): continue_login (user='(undef)')
    01:48:47: AAA/AUTHEN (3226961835): status = GETPASS
    01:48:47: AAA/AUTHEN/CONT (3226961835): Method=ENABLE
    01:48:47: AAA/AUTHEN (3226961835): status = PASS
    01:48:47: AAA/MEMORY: free_user (0x6227D3F0) user='NULL' ruser='NULL' port='tty226' rem_addr='172.16.0.12' authen_type=ASCII service=ENABLE priv=15

Notice the lines:

    01:48:41: AAA/AUTHEN/START (2749438961): port='tty226' list='securid' action=LOGIN service=LOGIN
    01:48:41: AAA/AUTHEN/START (2749438961): found list securid
    01:48:41: AAA/AUTHEN/START (2749438961): Method=tacacs+ (tacacs+)
    01:48:41: TAC+: send AUTHEN/START packet ver=192 id=2749438961
    01:48:41: AAA/AUTHEN (2749438961): status = ERROR

Does anyone know what this "status = ERROR" might indicate? What am I missing here, and how can I fix it? Any help would be great. I am running ACE Server 4.1 using fob tokens.

6 Replies

tepatel (Cisco Employee)

ERROR means the TACACS server is not responding to the router, or there is a communication issue between the router and the TACACS server. So the next method, "line", in the "securid" list was tried. So:

Can you ping the TACACS server from the router?

Is the TACACS server configured correctly?

Try running "debug tacacs" to see what exactly happened there.

I can ping the TACACS server from the ACE server. Both the router and the server are on the same subnet, connected by a Catalyst 2924XL switch. If I were going to set up SecurID authentication, would this config on the router work? Just want a second set of eyes to see if there is anything I have missed. I will run the TACACS debug to see what's going on and paste the output here. Any information you have on setting up SecurID authentication on Ciscos would be great as well. Thanks.

The router config will be the same. You just need to configure the ACS TACACS server to talk to the ACE server so that all the authentication requests coming in from the router will be forwarded to the ACE server via the ACS TACACS server.

From the router's perspective, it is talking to TACACS.

Here is a good link for the ACS config to talk to the ACE server for login access etc.

http://www.cisco.com/warp/public/480/csntsdi.html

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23ug/9_token.htm

So is there no way to have the router talk directly to the ACE Server? Thanks for your help with this. The link is great!

So I ran the TACACS debug and tried to log in to one of the VTY lines. Here is the output from the debug:

    1d04h: TAC+: send AUTHEN/START packet ver=192 id=1656593371
    1d04h: TAC+: Using default tacacs server-group "tacacs+" list.
    1d04h: TAC+: Opening TCP/IP to 172.16.0.8/49 timeout=120
    1d04h: TAC+: TCP/IP open to 172.16.0.8/49 failed -- Connection refused by remote host

Looks like the ACE server is flat refusing the connection. I am using ACE Server 4.1. Is there no TACACS+ protocol support in this version? We used to do this a long time ago with what I thought was just the ACE Server. Is there another TACACS+ server I need to add to the already running ACE Server? I thought there was a way to do this with just the ACE Server setup. Thanks again for your help.

My bet.. I thought you had a Cisco Secure ACS server and ACE..

YES, you can connect the SecurID ACE server directly to a router, as it supports TACACS too. So the router and ACE server will talk TACACS. But looking at the debug, the TCP connection from the router to the ACE server failed, so it may not have TACACS support.

The latest SDI ACE server (ver 5.x) supports the TACACS protocol. Not sure about 4.1. You can visit their website for more.