ssh after ACS server "locked up" and had to be reconfigured no longer works.

Steve Coady
Level 1

Hello

I have a VPN tunnel between an ASA5520 and a Cisco 891.

I had the 891 configured with the following:

aaa group server tacacs+ VTY
 ip tacacs source-interface Loopback0
!
aaa group server tacacs+ TACACS-ACS
 server 10.8.x.x
 server 10.16.y.x
!
aaa authentication login CONSOLE none
aaa authentication login VTY group tacacs+ local
aaa authorization exec VTY group tacacs+ local
aaa authorization commands 0 VTY group tacacs+
aaa authorization commands 15 VTY group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting commands 15 CONSOLE start-stop group tacacs+
!
ip tacacs source-interface Loopback0
!
tacacs-server host 10.8.x.x key 7 yadayadayadayada
tacacs-server host 10.16.y.x key 7 yadayadayadayada
tacacs-server directed-request
!
line vty 0 4
 access-class 1 in
 authorization commands 15 VTY
 authorization exec VTY
 accounting commands 15 VTY
 login authentication VTY
 transport input ssh
line vty 5 15
 access-class 1 in
 authorization commands 15 VTY
 authorization exec VTY
 accounting commands 15 VTY
 login authentication VTY
 transport input ssh

I can no longer access the device remotely. I am sure it has to do with the ACS server, but I am not sure where to look.

Any help would be greatly appreciated.

sMc
Accepted Solution

kcnajaf
Level 7

Hi,

When you say you cannot access the device remotely, are you not able to SSH to the device, or is there no reachability at all?

If SSH is the problem, do you get a login prompt? Any error message? Also, have you checked the ACS failed-attempts logs for any messages?

Regards

Najaf

Najaf

Thank you for the response.

I mean I have no remote management access. Traffic is passing.

This is a new site.

I get a login prompt.

My Active Directory credentials and my local username/password do not work.

Both worked prior to the ACS problems with bad sectors on the HD. The ACS was reconfigured.

This appears to be the only site that is having trouble.

sMc

Hi,

Do you see any failed authentication logs on ACS?

Where did you manage to get the aaa configuration? Are you using this as a standard template?

Could you try modifying the configuration as below?

configure terminal
no aaa group server tacacs+ TACACS-ACS
aaa group server tacacs+ VTY
 server 10.8.x.x
 server 10.16.y.x
!

After this, verify that TACACS+ authentication is working with the command below (I hope this command works on your device):

test aaa group VTY <username> <password> legacy

Regards

Najaf

I get the following message:

Attempting authentication test to server-group tacacs+ using tacacs+

*Jun 12 18:19:15.245: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type *invalid_group_handle*No authoritative response from any server.

sMc

Hi,

This is a configuration issue.

Have you added the loopback interface IP of the router to the AAA server as an AAA client?

Is the shared key the same on both the router and the AAA server?

If both of the above are fine, then remove the entire AAA configuration and apply it fresh as below.

no aaa new-model

enable password ***********
username admin privilege 15 password *********
aaa new-model
aaa group server tacacs+ VTY
 server 10.8.x.x
 server 10.16.y.x
aaa authentication login VTY group tacacs+ local
! enable authentication only accepts the default list, so "default" is used here instead of "VTY"
aaa authentication enable default group tacacs+ enable

tacacs-server host 10.8.x.x key 7 xxxxx (xxxxx should be the same key used in ACS)
tacacs-server host 10.16.y.x key 7 xxxxx (xxxxx should be the same key used in ACS)
line vty 0 4
 login authentication VTY

Hope that helps

Regards

Najaf

Najaf

What about these other commands on the line?

line vty 0 4
 access-class 1 in
 authorization commands 15 VTY
 authorization exec VTY
 accounting commands 15 VTY
 login authentication VTY
 transport input ssh
line vty 5 15
 access-class 1 in
 authorization commands 15 VTY
 authorization exec VTY
 accounting commands 15 VTY
 login authentication VTY
 transport input ssh

sMc

Hi,

I wanted you to try the minimum configuration first. Even without the other configuration, things should work.

Have you checked on the AAA server end to confirm that your router's IP address is added there and that the shared keys match?

Regards

Najaf

I wiped it out and reconfigured as you requested. Still no access.

sMc

I get the following messages when I configure line vty 0 4:

Cisco891(config-line)# authorization commands 15 VTY
AAA: Warning authorization list "VTY" is not defined for CMD priv

Cisco891(config-line)# authorization exec VTY
AAA: Warning authorization list "VTY" is not defined for EXEC

Cisco891(config-line)# accounting commands 15 VTY
AAA: Warning accounting list "VTY" is not defined for CMD priv 15

Cisco891(config-line)# login authentication VTY
AAA: Warning authentication list "VTY" is not defined for LOGIN.

Cisco891(config-line)#^Z
Cisco 891#
*Jun 12 20:46:00.793: %SYS-5-CONFIG_I: Configured from console by console

What am I doing wrong?!?!?!?!?

sMc
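Every warning above is a vty line command naming a method list that no "aaa ..." command defines, and the first config in this thread has the mirror-image problem: servers sit in group TACACS-ACS while every list points at the default tacacs+ group and the VTY group is empty. As an added example, not code from this thread or from Cisco, this Python lint reads an IOS running-config excerpt and reports both kinds of mismatch; the sample config is constructed from the thread's first post and the lint function name is my own.

```python
import re

# Constructed sample modelled on the thread's first config: servers in TACACS-ACS,
# every list on the default "tacacs+" group, an empty VTY group, one undefined list.
SAMPLE_CONFIG = """\
aaa group server tacacs+ VTY
aaa group server tacacs+ TACACS-ACS
 server 10.8.x.x
aaa authentication login VTY group tacacs+ local
aaa authorization exec VTY group tacacs+ local
aaa accounting commands 15 VTY start-stop group tacacs+
tacacs-server host 10.8.x.x key 7 yadayada
line vty 0 4
 login authentication VTY
 authorization exec VTY
 accounting commands 15 VTY
 accounting commands 15 ADMIN
"""
LIST_RE = r"(authentication login|authorization exec|authorization commands \d+|accounting commands \d+) (\S+)"
VTY_RE = LIST_RE.replace("authentication login", "login authentication")

def lint_aaa(config):
    """Return findings: vty references to undefined lists, lists whose group has no servers, unused groups."""
    lists, groups, hosts, findings = {}, {}, set(), []
    group, in_vty = None, False
    for line in config.splitlines():
        if not line.startswith(" "):                      # global command
            group, in_vty = None, False
            if m := re.match(r"aaa group server tacacs\+ (\S+)", line):
                groups.setdefault(group := m.group(1), set())
            elif m := re.match("aaa " + LIST_RE + r" (.*)", line):
                lists[(m.group(1), m.group(2))] = m.group(3).split()
            elif m := re.match(r"tacacs-server host (\S+)", line):
                hosts.add(m.group(1))                      # members of the default group tacacs+
            elif line.startswith("line vty"):
                in_vty = True
        elif group and (m := re.match(r"server (\S+)", line.strip())):
            groups[group].add(m.group(1))
        elif in_vty and (m := re.match(VTY_RE, line.strip())):
            kind = m.group(1).replace("login authentication", "authentication login")
            if (kind, m.group(2)) not in lists:
                findings.append(f'list "{m.group(2)}" is not defined for {kind}')
    used = set()
    for (kind, name), methods in lists.items():
        for g in [methods[i + 1] for i, t in enumerate(methods[:-1]) if t == "group"]:
            used.add(g)
            if not (hosts if g == "tacacs+" else groups.get(g)):
                findings.append(f'list "{name}" ({kind}) uses group "{g}" with no servers')
    findings += [f'group "{g}" is defined but no method list uses it' for g in groups if g not in used]
    return findings
```

Run it on the output of "show running-config | section aaa|tacacs|line vty" before pasting a new template; an empty result means every line references a defined list and every list a populated group, which is the state Najaf's minimal config aims for.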