Issue with tacacs plus

etucker
Level 1

I have a tacacs server running on redhat. When I try to telnet to my router I get a bunch of garbage on the screen. Sometimes I get an authorization failed. Any ideas what I might have wrong?

Current configuration : 1063 bytes
!
version 12.2
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Home
!
logging rate-limit console 10 except errors
aaa new-model
!
!
aaa authentication login tac group tacacs+ enable
aaa authentication enable default group tacacs+ enable
enable secret removed
enable password removed
!
username cisco password removed
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
lcp max-session-starts 0
!
!
!
!
interface Ethernet0
 ip address 192.168.1.105 255.255.255.0
 no cdp enable
!
interface Ethernet1
 no ip address
 ip access-group 101 in
 ip nat outside
 shutdown
 no cdp enable
!
ip classless
ip http server
!
no cdp run
tacacs-server host 192.168.1.102
tacacs-server timeout 15
tacacs-server key cisco
!
line con 0
 exec-timeout 120 0
 transport input none
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login authentication tac
!
scheduler max-task-time 5000
end

03:10:38: TPLUS: Queuing AAA Authentication request 25 for processing
03:10:38: TPLUS: processing authentication start request id 25
03:10:38: TPLUS: Authentication start packet created for 25()
03:10:38: TPLUS: Using server 192.168.1.102
03:10:38: TPLUS(00000019): connected to server 192.168.1.102
03:10:38: TPLUS: response received for AAA request 25
03:10:38: TPLUS: Received authentication response with status FAIL
03:10:40: TPLUS: Queuing AAA Authentication request 25 for processing
03:10:40: TPLUS: processing authentication start request id 25
03:10:40: TPLUS: Authentication start packet created for 25()
03:10:40: TPLUS: Using server 192.168.1.102
03:10:40: TPLUS(00000019): connected to server 192.168.1.102
03:10:40: TPLUS: response received for AAA request 25
03:10:40: TPLUS: Received authentication response with status FAIL
03:10:42: TPLUS: Queuing AAA Authentication request 25 for processing
03:10:42: TPLUS: processing authentication start request id 25
03:10:42: TPLUS: Authentication start packet created for 25()
03:10:42: TPLUS: Using server 192.168.1.102
03:10:42: TPLUS(00000019): connected to server 192.168.1.102
03:10:42: TPLUS: response received for AAA request 25
03:10:42: TPLUS: Received authentication response with status FAIL


Richard Burts
Hall of Fame

I have looked at the config that you posted and do not see any serious issues, though there are a couple of things that may be worth a comment. You have configured an authentication method for the vty ports so telnet access will use tacacs. But you have not configured an authentication method for the console and you have not configured (or at least not included in the posted config) any default authentication method for login.

Also the tac authentication method used by the vty ports specifies that the tacacs server is the preferred method of authentication but if the server is not available the user can log in by specifying the enable password. I wonder if that is really what you intend. A more common configuration would be:

aaa authentication login tac group tacacs+ line

this would prefer tacacs and as a backup would use the configured line password.

Or you could configure:

aaa authentication login tac group tacacs+ local

if you have user names and passwords configured on the router.

The debug messages that you include are interesting and may give a clue to the problem. They do demonstrate that you are communicating with the tacacs server (it shows that you are sending messages and getting responses). This tells us that there is not a problem with the configuration of the server address or password. I think it also tells us that this router has been configured on the tacacs server.

I think that it is interesting that you are building a start packet and sending it to the tacacs server, and that you immediately get a response from the server of FAIL. There was no prompt for username or password, which would be normal. This makes me wonder if there is some issue in the way that this router has been configured on the tacacs server. Is this router in a group by itself? And if so, are there users who have access rights in this group?

If you have other routers that do work with tacacs, I would suggest that you compare the tacacs server configuration of this router to the configuration of some other router that works and see if you can identify a difference.

HTH

Rick
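The two points Rick raises about the posted config (the enable-password fallback in the tac list, and the console line with no login list and no default list) can be checked mechanically. The Python below is an added example, not code from this thread; the config excerpt is constructed from the posted config and indented the way IOS prints it, since the parser relies on that indentation to find line sections.

```python
import re

# Constructed excerpt modelled on the config posted in the thread (indented as IOS prints it).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login tac group tacacs+ enable
aaa authentication enable default group tacacs+ enable
line con 0
 exec-timeout 120 0
line vty 0 4
 login authentication tac
"""

def parse_methods(spec):
    """Split 'group tacacs+ enable' into ['group tacacs+', 'enable']."""
    tokens, methods = spec.split(), []
    while tokens:
        tok = tokens.pop(0)
        methods.append(tok + " " + tokens.pop(0) if tok == "group" and tokens else tok)
    return methods

def parse_aaa_config(text):
    """Return ({login list name: methods}, {'con 0': login list name or None, ...})."""
    login_lists, line_sections, current = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if m:
            login_lists[m.group(1)] = parse_methods(m.group(2))
        m = re.match(r"line (\S+ .+)$", line)
        if m:                      # top-level 'line con 0' / 'line vty 0 4' opens a section
            current = m.group(1)
            line_sections[current] = None
        elif current and line.startswith(" "):
            m = re.match(r"\s+login authentication (\S+)$", line)
            if m:
                line_sections[current] = m.group(1)
        else:
            current = None         # any other top-level command closes the section
    return login_lists, line_sections

def audit_login_auth(text):
    """Flag the two points raised in the reply: 'enable' fallback and lines with no list."""
    login_lists, line_sections = parse_aaa_config(text)
    findings = []
    for name, methods in login_lists.items():
        if "enable" in methods:
            findings.append(f"list '{name}' falls back to the enable password (consider line or local)")
    for section, list_name in line_sections.items():
        if list_name is None and "default" not in login_lists:
            findings.append(f"line {section} has no login authentication list and no default list exists")
    return findings
```

Running audit_login_auth on the excerpt reports the tac list's enable fallback and the unprotected console line, and reports nothing once the fallback is changed to local and a default login list is added.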