06-10-2008 11:09 PM - edited 03-10-2019 03:54 PM
Hi,
I have freshly installed ACS 4.1 and am having trouble integrating it with the following for authentication:
<1> Cisco 4500 Router
<2> Cisco AiroNet-Access-Point
All admins for the 4500 router should be authenticated via the ACS server, and in case the ACS server is down they should be authenticated via the local database...
All passed or failed attempts should be logged on ACS; all changes done on the devices (change config / reboot) should be logged on ACS as well.....
Can I get a link that shows the config part on the router and on ACS.....
06-12-2008 09:57 AM
Amin
Does it matter to you which interface is used for TACACS? If so then configure that interface as the source.
When you configured the ACS server you told it to expect packets to be from the address in VLAN 1. If you do not want to change the ACS configuration then configure VLAN 1 as the source address for TACACS.
HTH
Rick
06-11-2008 04:52 AM
Here are some useful links,
Command authorization on acs
On router use these commands,
Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
Use the authorization commands only if you set up command authorization.
Http authentication on AP
http://cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00804b9dbb.shtml
Eap authentication with radius,
Regards,
~JG
Do rate helpful posts
06-11-2008 06:04 AM
Thanks for your input.
What commands are required on TTY and console?
What config is required on ACS to log the change activity done on routers???
Before command authorization I would like to check/test only authentication on routers using ACS... so should I use the following, or are additional commands required.....
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
username ABC priv 15 password 0000
tacacs-server host 192.168.1.100
tacacs-server directed-request
tacacs-server key password
!
line con 0
exec-timeout 0 0
password 7 0316425
line vty 0 4
exec-timeout 0 0
password 7 0707305
06-11-2008 06:19 AM
If you want to record changes made by users, you need to set up command accounting. Nothing is required on ACS.
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
You will find command accounting logs in tacacs administration logs in reports and activity.
Regards,
~JG
Do rate helpful posts
06-11-2008 08:32 AM
I have done the following, but I don't get authenticated via ACS on the Catalyst 4500...
I checked the logs for failed attempts but there are no entries there... I am able to ping the switch from ACS and vice versa...
=============
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
username ABC priv 15 password 0000
tacacs-server host 192.168.1.100
tacacs-server directed-request
tacacs-server key password
!
line con 0
exec-timeout 0 0
password xxx
line vty 0 4
exec-timeout 0 0
password xxx
=============================
Any clue???
06-11-2008 01:39 PM
Amin
My first guess would be that the source address used by the 4500 does not match the address configured in ACS for that device. In that case I would expect to find in the failed attempts some records indicating unknown NAS.
My second guess would be an issue with configuring the shared key between ACS and the 4500.
Probably the most effective way to find this problem would be to run some debugs on the 4500. Would you post the output from debug aaa authentication and from debug tacacs authentication.
HTH
Rick
06-12-2008 02:47 AM
Thanks,
The key is correct.
The TACACS debug output is:
======
3w1d: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 172.20.58.5(3457) -> 0.0.0.0(23), 1 packet
3w1d: TAC+: Opening TCP/IP to 192.168.2.55/49 timeout=5
3w1d: TAC+: Opened TCP/IP handle 0x42E08FCC to 192.168.2.55/49
3w1d: TAC+: periodic timer started
3w1d: TAC+: 192.168.2.55 req=42E07F24 Qd id=2386328461 ver=192 handle=0x42E08FCC (ESTAB) expire=5 AUTHEN/START/LOGIN/ASCII queued
3w1d: TAC+: 192.168.2.55 CLOSEWAIT id=2386328461 wrote 35 of 35 bytes
3w1d: TAC+: 192.168.2.55 req=42E07F24 Qd id=2386328461 ver=192 handle=0x42E08FCC (CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII sent
3w1d: TAC+: 192.168.2.55 read END-OF-FILE
3w1d: TAC+: req=42E07F24 Tx id=2386328461 ver=192 handle=0x42E08FCC (CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII processed
3w1d: TAC+: periodic timer stopped (queue empty)
3w1d: TAC+: Closing TCP/IP 0x42E08FCC connection to 192.168.2.55/49
3w1d: TAC+: Opening TCP/IP to 192.168.2.55/49 timeout=5
3w1d: TAC+: Opened TCP/IP handle 0x42E0916C to 192.168.2.55/49
3w1d: TAC+: periodic timer started
3w1d: TAC+: 192.168.2.55 req=42E073E4 Qd id=4289040243 ver=192 handle=0x42E0916C (ESTAB) expire=5 AUTHEN/START/LOGIN/ASCII queued
3w1d: TAC+: 192.168.2.55 CLOSEWAIT id=4289040243 wrote 35 of 35 bytes
3w1d: TAC+: 192.168.2.55 req=42E073E4 Qd id=4289040243 ver=192 handle=0x42E0916C (CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII sent
3w1d: TAC+: 192.168.2.55 read END-OF-FILE
3w1d: TAC+: req=42E073E4 Tx id=4289040243 ver=192 handle=0x42E0916C (CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII processed
3w1d: TAC+: periodic timer stopped (queue empty)
3w1d: TAC+: Closing TCP/IP 0x42E0916C connection to 192.168.2.55/49
3w1d: TAC+: Opening TCP/IP to 192.168.2.55/49 timeout=5
3w1d: TAC+: Opened TCP/IP handle 0x42E0916C to 192.168.2.55/49
3w1d: TAC+: periodic timer started
3w1d: TAC+: 192.168.2.55 req=42E0749C Qd id=3454695364 ver=192 handle=0x42E0916C (ESTAB) expire=5 AUTHEN/START/LOGIN/ASCII queued
3w1d: TAC+: 192.168.2.55 CLOSEWAIT id=3454695364 wrote 35 of 35 bytes
3w1d: TAC+: 192.168.2.55 req=42E0749C Qd id=3454695364 ver=192 handle=0x42E0916C (CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII sent
3w1d: TAC+: 192.168.2.55 read END-OF-FILE
3w1d: TAC+: req=42E0749C Tx id=3454695364 ver=192 handle=0x42E0916C (CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII processed
3w1d: TAC+: periodic timer stopped (queue empty)
3w1d: TAC+: Closing TCP/IP 0x42E0916C connection to 192.168.2.55/49
=========
06-12-2008 03:04 AM
3w1d: AAA/AUTHEN/CONT (2136902324): continue_login (user='neo')
3w1d: AAA/AUTHEN (2136902324): status = GETPASS
3w1d: AAA/AUTHEN/CONT (2136902324): Method=LOCAL
3w1d: AAA/AUTHEN (2136902324): User not found
3w1d: AAA/AUTHEN (2136902324): status = FAIL
3w1d: AAA/AUTHEN/ABORT: (2136902324) because Unknown.
3w1d: AAA/MEMORY: free_user_quiet (0x42E06218) user='neo' ruser='NULL' port='tty2' rem_addr='172.20.58.5' authen_type=1 service=1 priv=1
3w1d: AAA: parse name=tty2 idb type=-1 tty=-1
3w1d: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
3w1d: AAA/MEMORY: create_user (0x42E04C24) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='172.20.58.5' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
3w1d: AAA/AUTHEN/START (1863895592): port='tty2' list='' action=LOGIN service=LOGIN
3w1d: AAA/AUTHEN/START (1863895592): using "default" list
3w1d: AAA/AUTHEN/START (1863895592): Method=tacacs+ (tacacs+)
3w1d: TAC+: send AUTHEN/START packet ver=192 id=1863895592
3w1d: TAC+: Opening TCP/IP to 192.168.2.55/49 timeout=5
3w1d: TAC+: Opened TCP/IP handle 0x42E06414 to 192.168.2.55/49
3w1d: TAC+: periodic timer started
3w1d: TAC+: 192.168.2.55 req=42E03D7C Qd id=1863895592 ver=192 handle=0x42E06414 (ESTAB) expire=5 AUTHEN/START/LOGIN/ASCII queued
3w1d: TAC+: 192.168.2.55 CLOSEWAIT id=1863895592 wrote 35 of 35 bytes
3w1d: TAC+: 192.168.2.55 req=42E03D7C Qd id=1863895592 ver=192 handle=0x42E06414 (CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII sent
3w1d: TAC+: 192.168.2.55 read END-OF-FILE
3w1d: TAC+: req=42E03D7C Tx id=1863895592 ver=192 handle=0x42E06414 (CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII processed
3w1d: TAC+: periodic timer stopped (queue empty)
3w1d: TAC+: Closing TCP/IP 0x42E06414 connection to 192.168.2.55/49
3w1d: AAA/AUTHEN (1863895592): status = ERROR
3w1d: AAA/AUTHEN/START (1863895592): Method=LOCAL
3w1d: AAA/AUTHEN (1863895592): status = GETUSER
06-12-2008 03:51 AM
Amin
Thank you for the debug output. It does clearly show that your 4500 is sending the TACACS request and is not receiving any response from the ACS server. It would seem logical that either something is preventing the TACACS request from getting to the server or that something in the request is causing the server to reject it.
Is it possible that there is somewhere along the data path from the 4500 to the server some device (perhaps a router with a filter or a firewall) which is denying the packet with the TACACS request from being forwarded to the server?
Perhaps it would be helpful if you would post the output of a traceroute from the 4500 to the ACS server.
When you attempt to authenticate on the 4500 are you getting any entries in the failed attempts on the ACS server at all?
HTH
Rick
06-12-2008 07:40 AM
Hello,
The output of traceroute:
HQ#traceroute 192.168.2.55
Type escape sequence to abort.
Tracing the route to acs.hq.du.lan (192.168.2.55)
1 acs.hq.du.lan (192.168.2.55) 0 msec 0 msec 0 msec
I am able to ping both from ACS to the core and vice versa.
There is no firewall between them or any other security device.
On the ACS server I don't see any failed or even passed attempts...
06-12-2008 07:48 AM
Amin
The traceroute shows that they are directly connected which certainly reduces the possibility that some other device is getting in the way.
Could you post the output of show ip interface brief. And can you give us the address that is configured in ACS for this device?
HTH
Rick
06-12-2008 08:06 AM
The IP address of the core is 172.20.68.1.
The IP defined on ACS is 172.20.68.1 as well:
AAA Client IP address : 172.20.68.1
Shared Secret Key : Cisco
Authenticate using : TACACS+ (Cisco IOS)
06-12-2008 08:27 AM
Amin
I was re-reading this thread and found something that I do not understand. In several posts you show this for the TACACS server:
tacacs-server host 192.168.1.100
but the debugs and the traceroute are using 192.168.2.55 as the server address. Did you change the config?
HTH
Rick
06-12-2008 08:35 AM
Amin
Your response with the addressing is helpful. Thank you for posting this:
AAA Client IP address : 172.20.68.1
Shared Secret Key : Cisco
Authenticate using : TACACS+ (Cisco IOS)
But the traceroute seems to show that the 4500 is directly connected to the server on subnet 192.168.2.0. And so that would be the source address that the 4500 would use in its TACACS request. And the server would reject it because it is expecting 172.20.68.1 and is getting 192.168.2.x
There are at least 2 ways to fix this. You could add a command to the config of the 4500 and specify the source address to use:
ip tacacs source-interface
or you could change the config of the server so that it uses the 192.168.2 address of the 4500.
HTH
Rick
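Two checks that model the diagnosis in the reply above, as an added example that is not code from the thread or from Cisco: one predicts which interface address the 4500 uses toward an on-link TACACS+ server and compares it with the AAA client address defined on ACS, the other scans `debug tacacs` output for requests that were written in full and then closed with END-OF-FILE before any reply. Interface names and addresses are constructed from what the thread states; the assumption that IOS logs a server reply as a `TAC+: ... received ...` line is mine.

```python
"""Added example (not from the thread): check_source_address() predicts
the source address a 4500 uses toward an on-link TACACS+ server and
compares it with the AAA client address on ACS; unanswered_requests()
flags 'debug tacacs' requests written completely and then closed by the
peer with END-OF-FILE and no reply, the signature of a server silently
dropping the request (unknown AAA client address or wrong shared secret)."""
import ipaddress
import re

# Constructed from the addressing given in the thread.
SAMPLE_INTERFACES = {"Vlan1": "172.20.68.1/24", "Vlan2": "192.168.2.1/24"}
# Two lines taken from the posted debug output.
SAMPLE_DEBUG = """\
3w1d: TAC+: 192.168.2.55 CLOSEWAIT id=1863895592 wrote 35 of 35 bytes
3w1d: TAC+: 192.168.2.55 read END-OF-FILE
"""

def egress_address(interfaces, server_ip):
    """(ifname, ip) of the connected interface whose subnet holds server_ip,
    longest prefix wins; None when the server is not on-link."""
    server, best = ipaddress.ip_address(server_ip), None
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if server in iface.network and (
                best is None or iface.network.prefixlen > best[1].network.prefixlen):
            best = (name, iface)
    return None if best is None else (best[0], str(best[1].ip))

def check_source_address(interfaces, server_ip, acs_client_ip):
    """IOS command (or ACS change) that makes both sides agree; '' if they do."""
    egress = egress_address(interfaces, server_ip)
    if egress is None:
        return "server not on-link: the routed egress interface decides the source"
    if egress[1] == acs_client_ip:
        return ""
    for name, cidr in interfaces.items():  # pin the source to the address ACS expects
        if str(ipaddress.ip_interface(cidr).ip) == acs_client_ip:
            return f"ip tacacs source-interface {name}"
    return f"update ACS AAA client address to {egress[1]}"

WROTE = re.compile(r"TAC\+: \S+ CLOSEWAIT id=(\d+) wrote (\d+) of (\d+) bytes")

def unanswered_requests(debug_text):
    """IDs written in full and then closed by the peer with no reply seen.
    Assumption: IOS logs a server reply as a 'TAC+: ... received ...' line."""
    pending, unanswered = None, []
    for line in debug_text.splitlines():
        m = WROTE.search(line)
        if m and m.group(2) == m.group(3):
            pending = m.group(1)
        elif pending and "received" in line:
            pending = None
        elif pending and "read END-OF-FILE" in line:
            unanswered.append(pending)
            pending = None
    return unanswered
```

Run against the thread's addressing, `check_source_address(SAMPLE_INTERFACES, "192.168.2.55", "172.20.68.1")` returns the `ip tacacs source-interface Vlan1` fix, and `unanswered_requests(SAMPLE_DEBUG)` returns the single dropped request id.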
06-12-2008 09:39 AM
Thanks for your reply.
On the core I have two VLANs:
VLAN 1 = 172.20.68.0/24 (user VLAN) with VLAN ID 172.20.68.1
VLAN 2 = 192.168.2.0/24 (server VLAN) with VLAN ID 192.168.2.1
On the core (4500), what should I configure as the source-interface....