01-30-2012 05:42 AM - edited 03-10-2019 06:46 PM
I have installed CiscoSecure ACS 4.2 on Windows.
Can anyone help me set up the server for TACACS+?
I am new to TACACS+.
I have to deploy TACACS+ on almost 50 switches.
01-30-2012 07:34 PM
Hi Ummer,
Here is the Cisco document for TACACS+ configuration:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094ea4.shtml#h
Regards,
Anton
01-31-2012 05:12 PM
Hi,
Thanks for helping me out. I've set up the switches; in fact, I know the AAA commands on the switches.
I wanted to know about the TACACS+ server on Windows: how do I configure it?
02-01-2012 12:51 PM
02-01-2012 05:37 PM
Thanks for your time and help.
I want to ask something: does the TACACS+ server run on Windows 7?
I used this equipment for the basic scenario:
Win 7 - TACACS+ server (CiscoSecure ACS 4.2)
Win XP - a user
Catalyst 3550 switch
I made a simple setup with my laptop (Win 7) as the TACACS+ server, connected to an Ethernet port on the switch.
Then I connected another laptop (Win XP) in the same IP subnet to the switch. Both laptops could ping each other via the switch.
Now I entered these commands on the switch:
aaa new-model
tacacs-server host 172.16.11.15 key ummer123
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username admin password admin
aaa authentication login console none
line console 0
login authentication console
I was told to implement the above commands, as I am new to this.
Now when I telnet to my switch from the Win XP laptop, it asks for a username and password, but it only accepts admin/admin as the username and password.
I created users in the TACACS+ server, but I don't think it is communicating.
What could be the fault? Are my commands correct?
Please reply!
Thanks.
02-02-2012 04:07 PM
Here is my switch configuration related to AAA:
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication login console none
aaa authorization exec default group tacacs+ none
!
aaa session-id common
!
username admin password 0 admin
!
!
no ip http server
no ip http secure-server
!
tacacs-server host 192.168.32.129 key ummer123
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication console
After debug aaa authentication and debug tacacs authentication
I got these messages on the switch:
*Mar 1 00:52:45.867: AAA/BIND(0000000F): Bind i/f
*Mar 1 00:52:45.871: AAA/AUTHEN/LOGIN (0000000F): Pick method list 'default'
*Mar 1 00:52:45.879: TPLUS: Queuing AAA Authentication request 15 for processing
*Mar 1 00:52:45.883: TPLUS: processing authentication start request id 15
*Mar 1 00:52:45.883: TPLUS: Authentication start packet created for 15()
*Mar 1 00:52:45.887: TPLUS: Using server 192.168.32.129
*Mar 1 00:52:45.891: TPLUS(0000000F)/0/NB_WAIT/64565BE4: Started 5 sec timeout
R1#end
*Mar 1 00:52:50.891: TPLUS(0000000F)/0/NB_WAIT/64565BE4: timed out
*Mar 1 00:52:50.891: TPLUS(0000000F)/0/NB_WAIT/64565BE4: timed out, clean up
*Mar 1 00:52:50.891: TPLUS(0000000F)/0/64565BE4: Processing the reply packet
I think my requests are not reaching the TACACS+ server, whereas a ping to that server from the switch is successful.
What could be the issue?
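The 5-second timeout in the debug above means the switch never got a reply on TCP/49. When the switch is the only client you have, it is hard to tell a firewall or routing problem from a shared-key mismatch (a wrong key does not time out; the reply body just decodes to noise). The following script is an added example, not code from this thread or from Cisco: a minimal TACACS+ ASCII-login client per RFC 8907 that you can run from any host on the same segment to test the ACS server independently of the switch. The header layout, MD5 keystream obfuscation and START/REPLY/CONTINUE bodies are from the RFC; the host, key, username, password and the `tty1` port string are assumptions passed on the command line or chosen for illustration.

```python
"""Minimal TACACS+ (RFC 8907) ASCII-login client to test a server from a host (added example)."""
import hashlib
import os
import socket
import struct
import sys

VERSION = 0xC0            # major version 0xC, minor 0 (ASCII login uses minor version 0)
TYPE_AUTHEN = 0x01        # packet type: authentication
FLAG_UNENCRYPTED = 0x01   # set by a server configured without a key (body is cleartext)
HEADER_FMT = "!BBBBII"    # version, type, seq_no, flags, session_id, body length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes
STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS", 6: "RESTART", 7: "ERROR"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 keystream: MD5(session_id|key|version|seq_no[|previous digest]) chained to 'length'."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the keystream; the same call decodes a received body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pack_packet(ptype, seq_no, session_id, body, key):
    header = struct.pack(HEADER_FMT, VERSION, ptype, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def unpack_header(raw):
    """Return (version, type, seq_no, flags, session_id, body_length)."""
    return struct.unpack(HEADER_FMT, raw[:HEADER_LEN])


def authen_start(user, port="tty1", rem_addr="", priv_lvl=1):
    """Authentication START body: action=LOGIN(1), priv_lvl, authen_type=ASCII(1), service=LOGIN(1)."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    return struct.pack("!BBBBBBBB", 1, priv_lvl, 1, 1, len(u), len(p), len(r), len(d)) + u + p + r + d


def authen_continue(user_msg):
    """Authentication CONTINUE body carrying the answer to GETUSER/GETPASS/GETDATA."""
    m = user_msg.encode()
    return struct.pack("!HHB", len(m), 0, 0) + m


def parse_reply(body):
    """Return (status_name, server_msg). Raise ValueError when the body is not a sane REPLY,
    which is the usual symptom of a shared-key mismatch: the keystream differs, so the bytes are noise."""
    if len(body) < 6:
        raise ValueError("reply body too short")
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in STATUS or 6 + msg_len + data_len != len(body):
        raise ValueError("undecodable reply: check that the shared key matches on both sides")
    return STATUS[status], body[6:6 + msg_len].decode(errors="replace")


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-packet")
        buf += chunk
    return buf


def ascii_login(host, key, user, password, tcp_port=49, timeout=5.0):
    """Run one ASCII login exchange and return the final (status, server message)."""
    key = key.encode()
    session_id = struct.unpack("!I", os.urandom(4))[0]
    seq = 1
    with socket.create_connection((host, tcp_port), timeout=timeout) as s:
        s.sendall(pack_packet(TYPE_AUTHEN, seq, session_id, authen_start(user), key))
        while True:
            version, _ptype, seq_no, flags, sid, length = unpack_header(recv_exact(s, HEADER_LEN))
            body = recv_exact(s, length)
            if not flags & FLAG_UNENCRYPTED:
                body = obfuscate(body, sid, key, version, seq_no)
            status, msg = parse_reply(body)
            if status in ("PASS", "FAIL", "ERROR", "RESTART"):
                return status, msg
            seq = seq_no + 1                      # client packets carry the next odd sequence number
            answer = password if status == "GETPASS" else user
            s.sendall(pack_packet(TYPE_AUTHEN, seq, session_id, authen_continue(answer), key))


if __name__ == "__main__":
    host, key, user, pw = sys.argv[1:5]   # e.g. 192.168.32.129 ummer123 <acs-user> <acs-password>
    print(ascii_login(host, key, user, pw))
```

A `socket.timeout` from this script reproduces the switch's `NB_WAIT ... timed out`: nothing on the path answers on TCP/49, so look at the Windows firewall, the ACS service state, and which interface the switch sources its packets from (the server must list that address under Network Devices). A `ValueError` from `parse_reply` points at the shared key instead. Note that this is a plaintext-obfuscation protocol, not encryption: the MD5 keystream only hides the body from casual viewing, so keep the switch-to-ACS path on a management network.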
10-09-2014 03:50 AM
I got the same problem; any solution?
How do I add a user to ACS (internal database) and use that user on a Cisco switch?
KR
VZ
10-09-2014 07:05 AM
Yes, I added a user to ACS, but it doesn't work.
Can someone write down for me everything that needs to be done on ACS 4.2?
Here is the config on the Cisco:
aaa new-model
!
aaa authentication login default local-case group tacacs+
aaa authentication enable default enable
aaa authorization exec default local group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
!
ip tacacs source-interface Vlan20
tacacs-server host 192.168.253.23 key cisco123
tacacs-server directed-request
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input all
line vty 5 15
10-09-2014 07:09 AM
Output I get:
1w5d: AAA/AUTHEN/LOGIN (00000052): Pick method list 'default'
1w5d: AAA/LOCAL/LOGIN(00000052): get user
1w5d: AAA/LOCAL/LOGIN(00000052): user vlada not found
1w5d: AAA/LOCAL/LOGIN(00000052): get password
1w5d: AAA/LOCAL/LOGIN(00000052): failover
Switch#
1w5d: AAA/ACCT/EXEC(00000051): STOP protocol reply FAIL
1w5d: AAA/ACCT(00000051): Accounting method=NOT_SET
1w5d: AAA/ACCT(00000051): Accounting response status = FAILURE
1w5d: AAA/ACCT(00000051): Send STOP accounting notification to EM failed
1w5d: AAA/ACCT/EXEC(00000051): Tried all the methods, osr 0
1w5d: AAA/ACCT(00000051): del node, session 68
1w5d: AAA/ACCT/EXEC(00000051): free_rec, count 0
1w5d: /AAA/ACCTEXEC(00000051) reccnt 0, csr TRUE, osr 0
1w5d: AAA/ACCT/EXEC(00000051): Last rec in db, intf not enqueued
Switch#
Switch#
1w5d: AAA/AUTHEN/LOGIN (00000052): Pick method list 'default'
1w5d: AAA/LOCAL/LOGIN(00000052): get user
Switch#
1w5d: AAA/ACCT/EXEC(00000052): Pick method list 'default'
1w5d: AAA/ACCT/SETMLIST(00000052): Handle 0, mlist 036CC3C4, Name default
1w5d: Getting session id for EXEC(00000052) : db=2BC2098
1w5d: AAA/ACCT/EXEC(00000052): add, count 2
1w5d: AAA/ACCT/EVENT/(00000052): EXEC DOWN
1w5d: AAA/ACCT/EXEC(00000052): Accounting record not sent
1w5d: AAA/ACCT/EXEC(00000052): free_rec, count 1
1w5d: /AAA/ACCTEXEC(00000052) reccnt 1, csr FALSE, osr 0
Switch#
1w5d: unknown AAA/DISC: 9/"NAS Error"
1w5d: unknown AAA/DISC/EXT: 1002/"Unknown"
1w5d: AAA/ACCT/EVENT/(00000052): CALL STOP
1w5d: AAA/ACCT/CALL STOP(00000052): Sending stop requests
1w5d: AAA/ACCT(00000052): Send all stops
1w5d: AAA/ACCT/NET(00000052): STOP
1w5d: AAA/ACCT/NET(00000052): Method list not found
1w5d: AAA/ACCT(00000052): del node, session 69
1w5d: AAA/ACCT/NET(00000052): free_rec, count 0
1w5d: /AAA/ACCTNET(00000052) reccnt 0, csr TRUE, osr 0
1w5d: AAA/ACCT/NET(00000052): Last rec in db, intf not enqueued
Switch#
1w5d: AAA/ACCT/EVENT/(0000004E): OUTB_TELNET_STOP
1w5d: (NOACCTREC, AAA) (0000004E) CONN
10-09-2014 07:54 AM
Can you tell me what error you see on the ACS
under Reports and Monitoring?
Also use the following commands:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
Add the above commands.
Also make sure that you have added the switch under Network Devices with the same pre-shared key.
Share the error message which you see on the ACS.
Minakshi
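Why the order of the methods matters is easy to miss from the debug output alone. IOS tries the next method in a list only when the current one returns an error (server unreachable, or a user the local database does not know); a definite reject stops the evaluation. That single rule explains both symptoms in this thread: in 2012 the server timed out, so `group tacacs+ local` fell through to the local `admin/admin` account and nothing else; in 2014 `local-case group tacacs+` produced the `user vlada not found ... failover` lines because the local method errored on an unknown user and handed the login to TACACS+. The model below is an added example, not part of the thread or of Cisco's code; the ACS usernames and passwords are constructed, the "unknown local user is an error" behaviour is taken from the debug above, and `none` is modelled as an unconditional PASS.

```python
"""Model of IOS AAA method-list fallback (added example, not Cisco code)."""
from enum import Enum


class Outcome(Enum):
    PASS = "PASS"    # method answered yes: login/authorization succeeds
    FAIL = "FAIL"    # method answered no: denied, remaining methods are NOT consulted
    ERROR = "ERROR"  # method could not answer: IOS moves on to the next method


def tacacs_group(server_reachable, server_users):
    """'group tacacs+': ERROR only when no server answers (the 5 s timeout in the debug)."""
    def method(user, password):
        if not server_reachable:
            return Outcome.ERROR
        return Outcome.PASS if server_users.get(user) == password else Outcome.FAIL
    return method


def local(local_users):
    """'local' / 'local-case': unknown user -> ERROR ('user ... not found / failover');
    known user with a wrong password -> FAIL."""
    def method(user, password):
        if user not in local_users:
            return Outcome.ERROR
        return Outcome.PASS if local_users[user] == password else Outcome.FAIL
    return method


def none(user, password):
    """'none': always succeeds; only ever reached when everything before it errored."""
    return Outcome.PASS


def evaluate(method_list, user, password):
    """Walk the list in order; return (method name that decided, outcome)."""
    for name, method in method_list:
        outcome = method(user, password)
        if outcome is not Outcome.ERROR:
            return name, outcome
    return None, Outcome.ERROR   # every method errored: IOS denies the login


# Constructed credential stores for the two configurations seen in the thread.
ACS_USERS_2012 = {"ummer": "Acs-Pass-1"}       # assumed account created on ACS
LOCAL_USERS_2012 = {"admin": "admin"}          # 'username admin password admin' from the post
ACS_USERS_2014 = {"vlada": "Acs-Pass-2"}       # assumed account created on ACS


def login_2012(server_reachable):
    """aaa authentication login default group tacacs+ local"""
    ml = [("group tacacs+", tacacs_group(server_reachable, ACS_USERS_2012)),
          ("local", local(LOCAL_USERS_2012))]
    return {
        "admin/admin": evaluate(ml, "admin", "admin"),
        "ummer/good": evaluate(ml, "ummer", "Acs-Pass-1"),
        "ummer/bad": evaluate(ml, "ummer", "wrong"),
    }


def login_2014(user, password):
    """aaa authentication login default local-case group tacacs+ (no local usernames configured)"""
    ml = [("local-case", local({})), ("group tacacs+", tacacs_group(True, ACS_USERS_2014))]
    return evaluate(ml, user, password)


def exec_authz_2012(server_reachable, acs_allows):
    """aaa authorization exec default group tacacs+ none"""
    def tacacs(user, password):
        if not server_reachable:
            return Outcome.ERROR
        return Outcome.PASS if acs_allows else Outcome.FAIL
    return evaluate([("group tacacs+", tacacs), ("none", none)], "anyone", "")


if __name__ == "__main__":
    for reachable in (False, True):
        print("2012 login, server reachable =", reachable, login_2012(reachable))
        print("2012 exec authz, server reachable =", reachable, exec_authz_2012(reachable, acs_allows=False))
    print("2014 login vlada:", login_2014("vlada", "Acs-Pass-2"))
```

Two practical consequences follow from the model. First, with `group tacacs+ local` a wrong password for an ACS user is a FAIL, so the local account never acts as a second chance while the server is reachable: the local account is a break-glass fallback for an outage, nothing more, and it must be protected accordingly. Second, `group tacacs+ none` on the authorization lists means that an unreachable server grants exec (and, with `commands 15 ... none`, every level-15 command) to whoever got past authentication, so a server outage silently widens what a low-privilege local account can do. Putting the server method first, as suggested above, is the right order; the fallback behind it deserves the same scrutiny as the primary.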
10-09-2014 08:05 AM
10/09/2014 07:31:25 Authen failed vlada Default Group 10.104.1.1 (Default) External DB user invalid or bad password .. .. tty1 10.104.1.100 .. .. .. .. .. test123
But how is it an external database user? Under the user options drop-down I selected ACS internal database.
KR
10-09-2014 08:07 AM
Is this user a member of the Default group, or of any other group?
Could you add a screenshot of the user information?
Minakshi (Rate the helpful posts)
10-09-2014 08:13 AM
10-10-2014 05:15 AM
I changed the device to a Cisco 3650; I also changed the network, so now ACS and the Cisco device are in the same network, 192.168.253.0/24.
I get on ACS:
Failed-attempts report (two entries, at 05:06:06 and 05:06:26 on 10/10/2014, otherwise identical):
Message-Type: Authen failed
User-Name: vlada22
Group-Name: Default Group
Caller-ID: 172.21.1.6
Network Access Profile Name: (Default)
Authen-Failure-Code: Users Access Filtered
Author-Failure-Code: ..
Author-Data: ..
NAS-Port: tty1
NAS-IP-Address: 192.168.253.25
Filter Information: No Access Filters Passed.
PEAP/EAP-FAST-Clear-Name: ..
EAP Type: ..
EAP Type Name: ..
Reason: ..
Access Device: test123
Network Device Group: ..
From the Cisco:
*Mar 1 00:23:16.711: AAA/ACCT/EXEC(00000004): Pick method list 'default'
*Mar 1 00:23:16.711: AAA/ACCT/SETMLIST(00000004): Handle 0, mlist 05600CB0, Name default
*Mar 1 00:23:16.711: Getting session id for EXEC(00000004) : db=535F824
*Mar 1 00:23:16.711: AAA/ACCT/EXEC(00000004): add, count 2
*Mar 1 00:23:16.711: AAA/ACCT/EVENT/(00000004): EXEC DOWN
*Mar 1 00:23:16.711: AAA/ACCT/EXEC(00000004): Accounting record not sent
*Mar 1 00:23:16.711: AAA/ACCT/EXEC(00000004): free_rec, count 1
*Mar 1 00:23:16.711: AAA/ACCT/EXEC(00000004) reccnt 1, csr FALSE, osr 0
sw1_EX-3560LabRS-B#
*Mar 1 00:23:18.716: unknown AAA/DISC: 9/"NAS Error"
*Mar 1 00:23:18.716: unknown AAA/DISC/EXT: 1002/"Unknown"
*Mar 1 00:23:18.716: AAA/ACCT/EVENT/(00000004): CALL STOP
*Mar 1 00:23:18.716: AAA/ACCT/CALL STOP(00000004): Sending stop requests
*Mar 1 00:23:18.716: AAA/ACCT(00000004): Send all stops
*Mar 1 00:23:18.716: AAA/ACCT/NET(00000004): STOP
*Mar 1 00:23:18.716: AAA/ACCT/NET(00000004): Method list not found
*Mar 1 00:23:18.716: AAA/ACCT(00000004): del node, session 3
sw1_EX-3560LabRS-B#
*Mar 1 00:23:18.716: AAA/ACCT/NET(00000004): free_rec, count 0
*Mar 1 00:23:18.716: AAA/ACCT/NET(00000004) reccnt 0, csr TRUE, osr 0
*Mar 1 00:23:18.716: AAA/ACCT/NET(00000004): Last rec in db, intf not enqueued
sw1_EX-3560LabRS-B#
*Mar 1 00:23:38.480: AAA/ACCT/EVENT/(00000005): CALL START
*Mar 1 00:23:38.480: Getting session id for NET(00000005) : db=535FF14
*Mar 1 00:23:38.480: AAA/ACCT(00000000): add node, session 4
*Mar 1 00:23:38.480: AAA/ACCT/NET(00000005): add, count 1
*Mar 1 00:23:38.480: Getting session id for NONE(00000005) : db=535FF14
sw1_EX-3560LabRS-B#
10-12-2014 10:55 PM
It looks like there is a NAF configured at either the group level or the user level, because of which you are unable to log in.
Kindly check the NAF settings on ACS 4.2 at the group as well as the user level and change them to permit access.
Minakshi