05-15-2012 04:15 PM - edited 03-10-2019 07:05 PM
Hi,
I have a network with several layer 2 switches (c2960) attached to a layer 3 switch (c3750).
All these switches are behind a firewall (ASA 5510) and the firewall is connected to a router c3810.
I have an ACS v.4.x to use as a Tacacs server.
In all the equipment I have aaa authentication with tacacs and vlans.
To test the tacacs authentication in the switch, I created a bypass to the firewall and connected the network (using a management vlan) to the router.
With this scenario the tacacs authentication works.
If I disconnect the bypass, all the traffic crosses over the firewall. But then the tacacs no longer works with the switch.
I do not understand why!!?
I have another problem, this time with the firewall.
I configured the tacacs and the aaa in the firewall, as advised by Cisco.
But it seems that it doesn't work!
In these two cases only the local authentication works.
Can you help me, please?
Thanks in advance,
Rui Oliveira
05-15-2012 09:07 PM
What can you see in the failed attempts when you are trying to log in to the switch?
Also, what can you see in the failed attempts when you are not able to log in to the FW?
05-18-2012 09:12 AM
Hi,
I am doing tests in a lab.
So, the addresses presented here are not Internet routable.
I'm doing the tests with a switch that has the IP address 10.183.0.60.
My ACS has IP 172.16.20.10 and the standard port for tacacs is tcp/49.
I am sending the logging file that I took from my firewall.
Thanks,
Rui
05-18-2012 03:47 PM
Hi,
I am doing tests in a lab.
So, the addresses presented here are not Internet routable.
The configuration for the tacacs at the ASA is:
aaa-server TACACS protocol tacacs+
aaa-server TACACS (OUT_MANGMT) host 172.16.20.10
key mykey
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authorization command LOCAL
aaa accounting enable console TACACS
aaa accounting telnet console TACACS
aaa accounting ssh console TACACS
aaa local authentication attempts max-fail 5
aaa authorization exec LOCAL
I'm doing the tests with an ASA that has the IP address 10.183.0.61.
This address is seen from the outside, but I do a NAT between 10.183.0.61 and the IP address 192.168.100.2 on TCP/23.
Besides that, I have an interface called OUT_MANGMT, with IP address 192.168.100.2.
I have another interface that I called GESTAO, with IP address 10.183.0.61.
This interface GESTAO is connected to a management vlan.
My ACS has IP 172.16.20.10 and the standard port for tacacs is tcp/49.
I am sending the logging file that I took from my firewall.
Thanks,
Rui
05-20-2012 02:48 AM
Can you please capture a sniffer trace while the issue is happening on the ACS side.
Also provide the tacacs+ key to decrypt the tacacs+ payload.
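To show what the requested trace plus key would reveal, here is an added example (not code from the thread or from Cisco) that parses the TACACS+ header and de-obfuscates the body with the shared secret, the way a protocol analyser does. It assumes the key "mykey" from the posted ASA configuration and a constructed session id; the sample packet is built inline, so nothing is captured from a real network.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907 s.4.1): version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
FLAG_UNENCRYPTED = 0x01
TYPE_NAMES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s.4.5: MD5 chain over session_id, key, version, seq_no and the previous digest."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def encode_authen_start(session_id, key, user, port, rem_addr, version=0xC0):
    """Build an obfuscated authentication START (seq_no 1) as a switch would send it."""
    fields = [user.encode(), port.encode(), rem_addr.encode(), b""]
    # action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN, then the four field lengths
    body = struct.pack("!8B", 1, 1, 1, 1, *[len(f) for f in fields]) + b"".join(fields)
    body = bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, 1, len(body))))
    return HEADER.pack(version, 1, 1, 0, session_id, len(body)) + body

def decode_packet(raw, key):
    """Parse the header, de-obfuscate the body with the shared key and decode a START body."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(raw)
    body = raw[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & FLAG_UNENCRYPTED:
        body = bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, length)))
    info = {"type": TYPE_NAMES.get(ptype, ptype), "seq_no": seq_no, "session_id": session_id}
    if ptype == 1 and seq_no == 1:  # authentication START
        _action, _priv, _atype, _svc, ul, pl, rl, dl = struct.unpack_from("!8B", body)
        if 8 + ul + pl + rl + dl != length:
            # lengths only add up with the right key: the classic "key mismatch" symptom
            raise ValueError("START field lengths do not add up: wrong key or corrupt packet")
        off = 8
        info["user"] = body[off:off + ul].decode("ascii", "replace"); off += ul
        info["port"] = body[off:off + pl].decode("ascii", "replace"); off += pl
        info["rem_addr"] = body[off:off + rl].decode("ascii", "replace")
    return info

# Constructed sample: a login START from switch 10.183.0.60 obfuscated with the posted key
SAMPLE = encode_authen_start(0x1A2B3C4D, b"mykey", "rui", "tty1", "10.183.0.60")
```

Decoding the sample with the right key yields the user, port and remote address; with the wrong key the length fields become noise, which is the same symptom a mismatched key between the device and the ACS produces in a real trace.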
05-21-2012 03:05 AM
Hi,
I cannot do that, because the ACS is in a network that I do not control.
So, it will be very, very difficult to sniff the traffic for that network, particularly to and from the ACS.
But I think this problem is not in the ACS, because if I have all the switches doing authentication without crossing over the firewall (using the bypass) I have no problem authenticating with the tacacs server.
On the other hand, if I use the firewall to cross over to the tacacs server, I do not succeed in authenticating with that server.
From these observations, I take it that I could have some kind of problem in the ASA that does not let me authenticate properly with the tacacs server.
If I am doing something wrong, what is it? Is it the configuration? Is it the network design?
Can someone help me with this?
Thanks in advance,
Rui