SSH Access to the ACS 5.1

sidcracker
Level 1

Is there any requirement of installing any certificates on the ACS if authentication is performed from a SSH client.

I am getting the below messages when I access from a SSH client

1. Bind i/f

2. Pick method list default

and then it just fails to authenticate, This works well with telnet.

Thanks

32 Replies

Jatin Katyal
Cisco Employee

STRANGE! ACS 5.x doesn't support TELNET.


No, you don't need to generate an RSA key or install any certificate prior to accessing ACS 5 with an SSH client. It's enabled by default on ACS 5.x.


To access the ACS CLI environment, use any SSH client that supports SSH v2.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_use.html#wp1114037


Also, ACS access is not configured via AAA login method. You must be accessing some other device in your network. Please verify the ACS ip address.



Regds, Jatin



Do rate helpful posts~

~Jatin

Hi Jatin,

I didn't mean accessing the ACS via ssh, I meant performing authentication from a router via ssh.

Anyhow, it looks like both telnet and ssh don't work. I gave the same commands for the other device (switch) and it authenticated with TACACS. Whereas the router just looks at the default list and stops there, it doesn't even look at the TACACS part.

Sending the error message in the next mail

Thanks

Please get the SH RUN from the NAD.

Also, turn on the following debugs,


debug aaa authentication

debug tacacs

term mon


Try to authenticate again from telnet/ssh and paste the debugs o/p here.


Regds, Jatin


Do rate helpful posts~

~Jatin

Hello Jatin,

I have already turned them on and the following are the logs

.Feb 1 06:03:31.297: TAC+: 10.72.27.3 req=61AB3EC Qd id=1018722310 ver=192 handle=0x5FFDCC8 expire=5 AUTHOR/START queued

.Feb 1 06:03:31.397: TAC+: 10.72.27.3 id=1018722310 wrote 99 of 99 bytes

.Feb 1 06:03:31.397: TAC+: 10.72.27.3 req=61AB3EC Qd id=1018722310 ver=192 handle=0x5FFDCC8 expire=4 AUTHOR/START sent

.Feb 1 06:03:31.397: TAC+: 10.72.27.3 read END-OF-FILE

.Feb 1 06:03:31.397: TAC+: req=61AB3EC Tx id=1018722310 ver=192 handle=0x5FFDCC8 expire=4 AUTHOR/START processed

.Feb 1 06:03:31.397: TAC+: periodic timer stopped (queue empty)

.Feb 1 06:03:31.397: TAC+: Closing TCP/IP 0x5FFDCC8 connection to 10.72.27.3/49

.Feb 1 06:03:31.397: AAA/MEMORY: free_user (0x61AB6DC) user='testuser' ruser='SWITCH01' port='tty2' rem_addr='10.72.10.9' authen_type=ASCII service=NONE priv=15

.Feb 1 06:03:51.354: AAA/BIND(000001CD): Bind i/f

.Feb 1 06:03:51.354: AAA/AUTHEN/LOGIN (000001CD): Pick method list 'default'

.Feb 1 06:03:51.354: TPLUS: Queuing AAA Authentication request 461 for processing

.Feb 1 06:03:51.354: TPLUS: processing authentication start request id 461

.Feb 1 06:03:51.354: TPLUS: Authentication start packet created for 461()

.Feb 1 06:03:51.354: TPLUS: Using server 10.72.27.3

.Feb 1 06:03:51.354: TPLUS(000001CD)/0/NB_WAIT/61AB6DC: Started 5 sec timeout

.Feb 1 06:03:51.354: TPLUS(000001CD)/0/NB_WAIT: socket event 2

.Feb 1 06:03:51.354: TPLUS(000001CD)/0/NB_WAIT: wrote entire 34 bytes request

.Feb 1 06:03:51.354: TPLUS(000001CD)/0/READ: socket event 1

.Feb 1 06:03:51.354: TPLUS(000001CD)/0/READ: Would block while reading

.Feb 1 06:03:51.363: TPLUS(000001CD)/0/READ: socket event 1

.Feb 1 06:03:51.363: TPLUS(000001CD)/0/READ: read 0 bytes

.Feb 1 06:03:51.363: TPLUS(000001CD)/0/READ: socket event 1

.Feb 1 06:03:51.363: TPLUS(000001CD)/0/READ: errno 254

.Feb 1 06:03:51.363: TPLUS(000001CD)/0/61AB6DC: Processing the reply packet

On Tue, Feb 1, 2011 at 9:07 PM, jkatyal <

Sid,


I think you forgot to attach the SH RUN.


Going through the debugs, I can see that the request is going to the tacacs server: TPLUS: Using server 10.72.27.3, however, we're not getting any response from the server.


There could be a few reasons for this. Once you share the SH RUN, I will be able to determine the root cause.


Rgds, Jatin


Do rate helpful posts~

~Jatin
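The reading above (request written, then "read 0 bytes" and no reply) can be checked mechanically. The script below is an added example, not code from either poster or from Cisco: it groups the TPLUS debug lines by AAA session id and names the likely cause. The sample lines are copied from the thread plus one constructed healthy session (000001CE); the key-mismatch hint is general TACACS+ troubleshooting knowledge, not something the thread establishes.

```python
import re

# Constructed sample: the TPLUS lines quoted in the thread for session 000001CD,
# plus a made-up healthy session 000001CE so the other outcome is visible.
SAMPLE_DEBUG = """\
.Feb 1 06:03:51.354: AAA/AUTHEN/LOGIN (000001CD): Pick method list 'default'
.Feb 1 06:03:51.354: TPLUS: Using server 10.72.27.3
.Feb 1 06:03:51.354: TPLUS(000001CD)/0/NB_WAIT: wrote entire 34 bytes request
.Feb 1 06:03:51.363: TPLUS(000001CD)/0/READ: read 0 bytes
.Feb 1 06:03:51.363: TPLUS(000001CD)/0/READ: errno 254
.Feb 1 06:05:00.000: AAA/AUTHEN/LOGIN (000001CE): Pick method list 'default'
.Feb 1 06:05:00.000: TPLUS: Using server 10.72.27.3
.Feb 1 06:05:00.001: TPLUS(000001CE)/0/NB_WAIT: wrote entire 34 bytes request
.Feb 1 06:05:00.010: TPLUS(000001CE)/0/READ: read entire 12 bytes response
"""

SESSION_RE = re.compile(r"\((?P<sid>[0-9A-F]{8})\)")
SERVER_RE = re.compile(r"TPLUS: Using server (?P<ip>\d+\.\d+\.\d+\.\d+)")
WROTE_RE = re.compile(r"wrote entire (?P<n>\d+) bytes")
READ_RE = re.compile(r"read (?:entire )?(?P<n>\d+) bytes")


def _verdict(s: dict) -> str:
    # Map what the transport did to the likely cause and the fix from the thread.
    if s["wrote"] == 0:
        return "request never sent: server unreachable on tcp/49"
    if s["read"] is None:
        return "no reply before the timeout: raise tacacs-server timeout, check the path"
    if s["read"] == 0:
        return ("server closed the connection without answering: NAD source address is not "
                "a known client on ACS (fix with ip tacacs source-interface) or key mismatch")
    return "reply received: failure, if any, is an AAA policy result, not transport"


def classify_tplus(debug_text: str) -> dict:
    """Group TPLUS debug lines by AAA session id and return per-session facts."""
    sessions: dict = {}
    current = None  # 'TPLUS: Using server' lines carry no id; attach to the last seen one
    for line in debug_text.splitlines():
        if m := SESSION_RE.search(line):
            current = m.group("sid")
            sessions.setdefault(current, {"server": None, "wrote": 0, "read": None})
        if current is None:
            continue
        s = sessions[current]
        if m := SERVER_RE.search(line):
            s["server"] = m.group("ip")
        elif m := WROTE_RE.search(line):
            s["wrote"] = int(m.group("n"))
        elif m := READ_RE.search(line):
            s["read"] = int(m.group("n"))
    for s in sessions.values():
        s["verdict"] = _verdict(s)
    return sessions
```

Run it over the output of `debug tacacs` captured with `term mon`; a session whose verdict starts with "server closed" is the pattern seen in this thread.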

Hello Jatin,

I can give the AAA commands that I have used on the server, however I don't have the sh run config with me as I am at home.

aaa new-model

aaa authentication login default tacacs+ local

aaa authorization config-commands

aaa authorization exec default tacacs+ local

aaa authorization commands 0 default tacacs+ none

aaa authorization commands 1 default tacacs+ none

aaa authorization commands 15 default tacacs+ none

tacacs-server host 10.72.27.3 key asdfgg

line vty 0 4

transport input ssh telnet

line vty 5 15

transport input ssh telnet

logging monitor informational

logging host 1.1.1.1 transport udp port 20514

logging origin-id ip

Thanks

epm logging

On Tue, Feb 1, 2011 at 9:25 PM, jkatyal <

Hello Jatin,

If you know any likely reasons for this behaviour, please do post the various scenarios so that I can test in the office tomorrow. I am in urgent need of a solution.

Thanks

My guess at the problem is that the address used in ACS for the client does not match the source address used by the device when it sends the authentication request. If that is the case then you can use the command ip tacacs source-interface to specify the address on the device that matches the configuration of ACS. This command is required in layer 3 devices.

The second suspect is tacacs timeout. Please increase the tacacs timeout to 7 seconds.

Regds,  Jatin

Do rate helpful posts~

~Jatin

.Feb 1 06:03:31.297: TAC+: 10.72.27.3 req=61AB3EC Qd id=1018722310 ver=192 handle=0x5FFDCC8 expire=5 AUTHOR/START queued

.Feb 1 06:03:31.397: TAC+: 10.72.27.3 id=1018722310 wrote 99 of 99 bytes

.Feb 1 06:03:31.397: TAC+: 10.72.27.3 req=61AB3EC Qd id=1018722310 ver=192 handle=0x5FFDCC8 expire=4 AUTHOR/START sent

.Feb 1 06:03:31.397: TAC+: 10.72.27.3 read END-OF-FILE

.Feb 1 06:03:31.397: TAC+: req=61AB3EC Tx id=1018722310 ver=192 handle=0x5FFDCC8 expire=4 AUTHOR/START processed

.Feb 1 06:03:31.397: TAC+: periodic timer stopped (queue empty)

.Feb 1 06:03:31.397: TAC+: Closing TCP/IP 0x5FFDCC8 connection to 10.72.27.3/49

.Feb 1 06:03:51.354: AAA/BIND(000001CD): Bind i/f

.Feb 1 06:03:51.354: AAA/AUTHEN/LOGIN (000001CD): Pick method list 'default'

.Feb 1 06:03:51.354: TPLUS: Queuing AAA Authentication request 461 for processing

.Feb 1 06:03:51.354: TPLUS: processing authentication start request id 461

.Feb 1 06:03:51.354: TPLUS: Authentication start packet created for 461()

.Feb 1 06:03:51.354: TPLUS: Using server 10.72.27.3

.Feb 1 06:03:51.354: TPLUS(000001CD)/0/NB_WAIT/61AB6DC: Started 5 sec timeout

.Feb 1 06:03:51.354: TPLUS(000001CD)/0/NB_WAIT: socket event 2

.Feb 1 06:03:51.354: TPLUS(000001CD)/0/NB_WAIT: wrote entire 34 bytes request

.Feb 1 06:03:51.354: TPLUS(000001CD)/0/READ: socket event 1

.Feb 1 06:03:51.354: TPLUS(000001CD)/0/READ: Would block while reading

.Feb 1 06:03:51.363: TPLUS(000001CD)/0/READ: socket event 1

.Feb 1 06:03:51.363: TPLUS(000001CD)/0/READ: read 0 bytes

.Feb 1 06:03:51.363: TPLUS(000001CD)/0/READ: socket event 1

.Feb 1 06:03:51.363: TPLUS(000001CD)/0/READ: errno 254

.Feb 1 06:03:51.363: TPLUS(000001CD)/0/61AB6DC: Processing the reply packet

Sent from my iPhone

Hi sid,

What are the syntax and commands you are using for the authentication for router/switch ssh?

If you are using the default method it will take preference over a named method list. Just give the AAA commands you are using for authentication.

Nitesh

CCIE Security

Aaa new-model

aaa authentication login default group TACACS+ local

aaa authorization config-commands

aaa authorization exec default group TACACS+ local

aaa authorization commands 0 default group TACACS+ none

aaa authorization commands 1 default group TACACS+ none

aaa authorization commands 15 default group TACACS+ none

TACACS-server host 1.1.1.1 key asdfgh

FOR ACS

Hi sid,

You didn't put the commands which you might have applied on the line interface of vty & console.

Please can you put that command.

Nitesh Saxena

CCIE Security

There is no custom authentication method. Isn't the default method supposed to apply to all vty lines? As you said, I tried applying it earlier this afternoon but the list didn't apply on the line, probably since it's the default.

I did the same for the switch without applying any vty auto method and it works fine

Sent from my iPhone

It might be possible the router didn't accept it.

if you can try putting it manually

line vty 0 4

     login authentication default

     authorization exec default

     authorization command PRIV_LVL default