cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3805
Views
15
Helpful
8
Replies

Problems using TACACS+ and windows password for switch login

Adam Watts
Level 1
Level 1

Hi,

I am trying to set up a switch to talk to our windows ACS 4.2 server and to enable the network team to login to the switch to carry out managment.

The ACS has been in deployment as a radius server for a while, it's running out DOT1X authentication for our wireless network and that is working fine.

I have got the network team to map to its own ACS group and i have setup the required TACACS+ settings for the group, but every time i try and login to the switch using my windows credentials it complains that the password is bad. Yet if i login to a wireless client using the same details it's fine. I have looked at the windows event logs and it is showing event ID 529, Unknown user or password. I have setup a local account on the ACS to rule out ACS issues and that account works fine, just windows accounts.

I'm guessing that somewhere along the line the password is being manipulated by the TACACS+ setup, does anyone have any ideas where to look, and how i can get this working.

Setup is

SERVER SIDE:

Windows 2003 R2 server running Cisco ACS 4.2

Windows 2008 Active Directory Domain

CLIENT SIDE

Catalyst 3560E Running IOS Version 12.2(55)SE3

any help would be much apreciated, if there is anymore information needed please let me know.

Thanks,


Adam

8 Replies 8

ghuey
Level 1
Level 1

I may be missing something in your post, but you have setup and verified your connection to your Active Directory in the ACS server?  Then have you setup TACACS to authenticate using AD store?

I am running the newer 5.3 so some of these settings may not be one for one.

It is, the radius for the wireless dot1x connects to it.

Sent from Cisco Technical Support iPad App

Adam,

A great way to troubleshoot this is to take a packet capture from the windows box and set a filter for tcp port 49.

You can then decrypt the request after entering the shared secret under View > Preferences > Protocols > Tacacs.

What for the packets to decrypt and in the password response transaction your password will be decrypted in the tacacs payload. Check that and see if the password is correct.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks for the reply,

I've not tested that and i'll have a try,

But i'm not sure that is the problem as if i create an ACS account in the same group as my windows users, the account works fine.

This would lead me to think it's the interaction between the ACS and the Active directory services in some way.

      

But i will go do a packet capture and have a look, and report back.

Adam,

You can also tackle this from the ACS side, as well. You can set the service control to full (in order to enable debugs, and this will restart the acs servers...looking at 30 to 45 seconds total). After that you can go to the logs file or do a search for the TCS.log file and the Auth.log files and that should get you a better error than what is being logged in the failed attempts.

thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Well, after a lot of going through the logs i found in the AUTH Log lots of these errors

AUTH 11/09/2012 07:14:35 E 2100 2616 0x58913 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1783L)

AUTH 11/09/2012 07:27:29 E 2100 2612 0x58a0e External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)

to me looks like there is a communication issue between the ACS and AD. I did a quick Google on the error codes and found this support forum discussion which looks like it's nearly identical to mine.

https://supportforums.cisco.com/thread/2154075

i have spoken to the server team and it appears that we have recently upgraded to windows 2008 R2 AD

Will have to look at doing another method of authentication as LDAP is mentioned in the reply, failing that it looks like an upgrade to ACS5...

Many thanks for you help. Much appreciated.

Adam

LDAP should do the trick, good luck and I am glad you found it,

Sent from Cisco Technical Support iPad App

Adam,

Just for your reference ACS 5 will be a mandatory upgrade since the 4.x line is not going to have any modifications to support Windows 2008R2.

Keep in mind that if you are using PEAP-mschapv2 for your radius users for dot1x you can not use ldap since the protocol doesnt support the mschapv2 authenticaiton protocol. Please feel free to ask any question on how to perform the migration and I will be more than happy to help.

Thanks,

Tarik Admani
*Please rate helpful posts*