08-20-2003 02:15 AM - edited 03-10-2019 07:27 AM
Hiya,
I am having problems getting a large number of our Cisco routers to talk to our two TACACS+ Cisco Secure 2.6 servers. I am pretty sure it's not a router configuration problem, as the same configuration works fine on some routers but not others (same router model, although different IOS). The majority of our routers are different models or IOS versions.
The configuration within Cisco Secure is to authenticate against the NT account. User group settings are relatively standard and define access per NDG.
Has anyone else had similar problems and found a resolution (other than upgrading all the routers' IOS!)? I was thinking there might be some backward-compatible settings on either the router or within Cisco Secure. I have tried changing the timeout / retries on the router with no effect.
I have pasted in below the config/debug/versions. Router ipsls-r works & alli-r doesn't.
Thanks in advance,
Paul Woolnough
paul.woolnough@isis.suffolkcc.gov.uk
----------------------
Standard Router Config (on all routers)
aaa new-model
aaa authentication login vtyauth group tacacs+ line
aaa authentication login conauth group tacacs+ line
aaa authentication enable default group tacacs+ enable
tacacs-server host 10.191.18.10
tacacs-server host 10.191.18.140
tacacs-server key xxxxxxxx
line con 0
login authentication conauth
line aux 0
login authentication conauth
line vty 0 4
login authentication vtyauth
--------------------------------
ipsls-r Version (This router works)
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(8)T5, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Fri 21-Jun-02 08:50 by ccai
Image text-base: 0x80008074, data-base: 0x80A2BD40
ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)
ipsls-r uptime is 10 weeks, 6 days, 19 hours, 12 minutes
System returned to ROM by power-on
System restarted at 11:22:19 UTC Wed Jun 4 2003
System image file is "flash:c2600-i-mz.122-8.T5.bin"
cisco 2621XM (MPC860P) processor (revision 0x100) with 24576K/8192K bytes of memory.
Processor board ID JAD07100M48 (3162406325)
M860 processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
--------------------------------
alli-r Version (This doesn't work)
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 07-Dec-99 02:12 by phanguye
Image text-base: 0x80008088, data-base: 0x807AAF70
ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
alli-r uptime is 4 weeks, 6 days, 16 hours, 39 minutes
System returned to ROM by power-on
System restarted at 17:22:32 UTC Wed Jul 16 2003
System image file is "flash:c2600-i-mz.120-7.T"
cisco 2621 (MPC860) processor (revision 0x200) with 26624K/6144K bytes of memory.
Processor board ID JAD050404F6 (2486362774)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
--------------------------------
Debug from alli-r
AAA authentication
4w6d: AAA: parse name=tty67 idb type=-1 tty=-1
4w6d: AAA: name=tty67 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=67 channel=0
4w6d: AAA/MEMORY: create_user (0x80E8C1A4) user='' ruser='' port='tty67' rem_addr='10.191.16.10' authen_type=ASCII service=LOGIN priv=1
4w6d: AAA/AUTHEN/START (92630201): port='tty67' list='vtyauth' action=LOGIN service=LOGIN
4w6d: AAA/AUTHEN/START (92630201): found list vtyauth
4w6d: AAA/AUTHEN/START (92630201): Method=tacacs+ (tacacs+)
4w6d: TAC+: send AUTHEN/START packet ver=192 id=92630201
4w6d: AAA/AUTHEN (92630201): status = ERROR
4w6d: AAA/AUTHEN/START (92630201): Method=LINE
4w6d: AAA/AUTHEN (92630201): status = GETPASS
4w6d: AAA/AUTHEN/CONT (92630201): continue_login (user='(undef)')
4w6d: AAA/AUTHEN (92630201): status = GETPASS
4w6d: AAA/AUTHEN/CONT (92630201): Method=LINE
TACACS+ events & access control
4w6d: TAC+: send AUTHEN/START packet ver=192 id=351811547
4w6d: TAC+: Using default tacacs server-group "tacacs+" list.
4w6d: TAC+: Opening TCP/IP to 10.191.18.10/49 timeout=5
4w6d: TAC+: Opened TCP/IP handle 0x80E8A46C to 10.191.18.10/49
4w6d: TAC+: periodic timer started
4w6d: TAC+: 10.191.18.10 req=80E8C3BC Qd id=351811547 ver=192 handle=0x80E8A46C (ESTAB) expire=5 AUTHEN/START/LOGIN/ASCII queued
4w6d: TAC+: 10.191.18.10 (351811547) AUTHEN/START/LOGIN/ASCII queued
4w6d: TAC+: 10.191.18.10 CLOSEWAIT id=351811547 wrote 37 of 37 bytes
4w6d: TAC+: 10.191.18.10 req=80E8C3BC Qd id=351811547 ver=192 handle=0x80E8A46C (CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII sent
4w6d: TAC+: 10.191.18.10 read END-OF-FILE
4w6d: TAC+: req=80E8C3BC Tx id=351811547 ver=192 handle=0x80E8A46C (CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII processed
4w6d: TAC+: (351811547) AUTHEN/START/LOGIN/ASCII processed
4w6d: TAC+: periodic timer stopped (queue empty)
4w6d: TAC+: received bad AUTHEN packet: type = 0, expected 1
4w6d: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
4w6d: TAC+: Closing TCP/IP 0x80E8A46C connection to 10.191.18.10/49
4w6d: TAC+: Using default tacacs server-group "tacacs+" list.
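The debug above ends with "received bad AUTHEN packet" and "Invalid AUTHEN/START/LOGIN/ASCII packet (check keys)". The following Python is an added example, not code from the original post or from Cisco: it rebuilds the 37-byte AUTHEN/START the router logs as "wrote 37 of 37 bytes" (12-byte header with ver=192, type=1, id=351811547, plus an 8-byte fixed body, an empty user, port "tty67" and rem_addr "10.191.16.10", masked with the RFC 8907 MD5 pseudo-pad), then decodes it the way a server would with the matching key and with a different key. Both keys are made up; the packet contents and session id are taken from the debug.

```python
"""TACACS+ (RFC 8907) framing and body obfuscation, as an added example.

Not code from the original post. Rebuilds the 37-byte AUTHEN/START the
debug shows the router sending (ver=192, id=351811547, user='',
port='tty67', rem_addr='10.191.16.10') and decodes it with the right
and with a wrong shared key. Keys are made up.
"""
import hashlib
import struct

# Header layout and constants from RFC 8907 section 4.
HEADER = struct.Struct("!BBBBII")    # version, type, seq_no, flags, session_id, length
TAC_PLUS_MAJOR_VER = 0xC
VERSION = TAC_PLUS_MAJOR_VER << 4    # 0xc0 == 192, the "ver=192" in the router debug
TAC_PLUS_AUTHEN = 0x01               # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # body sent in the clear (only for lab debugging)
TAC_PLUS_AUTHEN_LOGIN = 0x01         # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); the digests are
    concatenated and truncated to the body length, then XORed with the body."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def mask(body, session_id, key, version, seq_no):
    """XOR is symmetric: the same call obfuscates and deobfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr, seq_no=1):
    """Client side: the packet a router sends for an ASCII LOGIN via tacacs+."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    body = bytes([TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                  TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d)]) + u + p + r + d
    header = HEADER.pack(VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + mask(body, session_id, key, VERSION, seq_no)


def parse_authen_start(packet, key):
    """Server side: validate the header, unmask the body, check the fixed fields.
    With a wrong key the unmasked bytes are pseudo-random, so the field checks
    fail and the peer drops the session: the '(check keys)' symptom."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if ptype != TAC_PLUS_AUTHEN:   # same check the router reports as "type = 0, expected 1"
        raise ValueError(f"bad AUTHEN packet: type = {ptype}, expected {TAC_PLUS_AUTHEN}")
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError(f"unsupported major version {version >> 4}")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length or length < 8:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = mask(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    if (action != TAC_PLUS_AUTHEN_LOGIN or authen_type != TAC_PLUS_AUTHEN_TYPE_ASCII
            or service != TAC_PLUS_AUTHEN_SVC_LOGIN or 8 + ul + pl + rl + dl != length):
        raise ValueError("invalid AUTHEN/START packet (check keys)")
    off, fields = 8, []
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"session_id": session_id, "seq_no": seq_no, "priv_lvl": priv_lvl,
            "user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode(), "data": data}


def key_matches(packet, key):
    """True if the body decodes to a well-formed AUTHEN/START under this key."""
    try:
        parse_authen_start(packet, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    router_key, server_key = b"xxxxxxxx", b"yyyyyyyy"   # made-up keys
    pkt = build_authen_start(351811547, router_key, "", "tty67", "10.191.16.10")
    print(len(pkt), "bytes on the wire")                 # 37, as in "wrote 37 of 37 bytes"
    print(parse_authen_start(pkt, router_key))
    print("server with other key accepts it:", key_matches(pkt, server_key))
```

The unmasked body carries no integrity check of its own, so a key mismatch only shows up as implausible field values on the receiving side; the server simply closes the TCP session, which the router then sees as "read END-OF-FILE" and reports as a bad packet. That is why the same key must be configured on every router and on both servers, and why a key mismatch is worth ruling out before suspecting an IOS compatibility problem.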
08-28-2003 06:56 AM
Well, using the Bug Toolkit you can find out whether that particular IOS has any compatibility issues with Cisco Secure 2.6 servers. If this is the case then you have no other option than upgrading the IOS.