02-04-2013 12:58 PM - edited 03-10-2019 08:03 PM
C4948-10G switch running IOS 15.0(2)SG
ACS 4.2 cannot authenticate on the VRF interface. The issue is with VRF AAA authentication.
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization network default group tacacs+ local if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
!
!
!
aaa session-id common
ip vrf mgmt
rd 100:1
!
interface fa1
ip vrf forwarding mgmt
ip address 192.168.5.1 255.255.255.0
duplex auto
speed auto
!
ip vrf forwarding mgmt
aaa group server tacacs+ tacacs+ (the command did not prompt for the server-private sub-command ....)
server-private {ip-address | name} [nat] [single-connection] [port port-number] [timeout seconds] [key [0 | 7] string]
tacacs-server host 192.168.5.75 key secret (Then, I decided to use global)
tacacs-server host 192.168.5.76 key secret
!
ip route vrf mgmt 192.168.5.75 255.255.255.0 192.168.5.2 (ACS 4.2 Tacacs+ server1)
ip route vrf mgmt 192.168.5.76 255.255.255.0 192.168.5.2 (ACS 4.2 Tacacs+ server2)
ip route vrf mgmt 192.168.5.85 255.255.255.0 192.168.5.2 (my management workstation)
ip tacacs source-interface fa1
sw2#debug tacacs
SW2#debug aaa authentication
SW2#test aaa group tacacs+ tester passwordtest new-code
Feb 4 11:36:09.808: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
Feb 4 11:36:09.808: TPLUS: Queuing AAA Authentication request 0 for processing
Feb 4 11:36:09.808: TPLUS: processing authentication start request id 0
Feb 4 11:36:09.808: TPLUS: Authentication start packet created for 0(tester)
Feb 4 11:36:09.808: TPLUS: Using server 192.168.5.75
Feb 4 11:36:09.808: TPLUS(00000000)/0/NB_WAIT/1AEFC558: Started 5 sec timeout
Feb 4 11:36:14.808: TPLUS(00000000)/0/NB_WAIT/1AEFC558: timed out
Feb 4 11:36:14.808: TPLUS: Choosing next server 192.168.5.76
Feb 4 11:36:14.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: Started 5 sec timeout
Feb 4 11:36:14.808: TPLUS(00000000)/1AEFC558: releasing old socket 0
User rejected
SW2#
Feb 4 11:36:19.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: timed out
Feb 4 11:36:19.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: timed out, clean up
Feb 4 11:36:19.808: TPLUS(00000000)/1/1AEFC558: Processing the reply packet
SW2#test aaa group tacacs+ tester passwordtest legacy
Attempting authentication test to server-group tacacs+ using tacacs+
Feb 4 11:39:16.372: AAA: parse name=<no string> idb type=-1 tty=-1
Feb 4 11:39:16.372: AAA/MEMORY: create_user (0x1AEFC4A4) user='tester' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Feb 4 11:39:16.372: TAC+: send AUTHEN/START packet ver=192 id=153531412
Feb 4 11:39:16.372: TAC+: Using default tacacs server-group "tacacs+" list.
Feb 4 11:39:16.372: TAC+: Opening TCP/IP to 192.168.5.75/49 timeout=5
Feb 4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
Feb 4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5
No authoritative response from any server.
SW2#
Feb 4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
Feb 4 11:39:26.372: AAA/MEMORY: free_user (0x1AEFC4A4) user='tester' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
SW2#ping vrf mgmt 192.168.5.85
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.85, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SW2#sh ip route vrf mgmt
Routing Table: mgmt
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
192.168.5.0/24 is variably subnetted, 3 subnets, 2 masks
S 192.168.5.75/32 [1/0] via 192.168.5.2
S 192.168.5.76/32 [1/0] via 192.168.5.2
S 192.168.5.85/32 [1/0] via 192.168.5.2
C 192.168.5.0/24 is directly connected, FastEthernet1
SW2#sh ip vrf
Name Default RD Interfaces
mgmt 100:1 Fa1
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080bd091c.shtml
02-05-2013 03:59 AM
Hello!
You can try something like this (for example):
...
aaa group server tacacs+ tacs
server 192.168.5.75
server 192.168.5.76
ip vrf forwarding mgmtVrf
ip tacacs source-interface FastEthernet1
...
interface FastEthernet1
vrf forwarding mgmtVrf
ip address xxx.xxx.xxx.xxx
...
ip route vrf mgmtVrf xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 192.168.5.2
...
ip tacacs source-interface FastEthernet1
...
tacacs-server host 192.168.5.75 key 7
tacacs-server host 192.168.5.76 key 7
...
P.S. Replace some of the variables as needed...
02-05-2013 06:37 AM
Hi Andrey,
Thanks for your reply. I thought this was an option of the global command: tacacs-server host x.x.x.x key 7 xxxxx
I just tested the command, and it's not taking it because I'm repeating the same "tacacs+" as a group name. In this case, do I have to change the aaa authentication group name?
e.g
aaa authentication login default group tacs local
aaa authentication login no_tacacs local
aaa authentication enable default group tacs enable
aaa authorization exec default group tacs local if-authenticated
aaa authorization network default group tacs local if-authenticated
aaa accounting commands 15 default start-stop group tacs
!
This does not work because I have to define the authentication group tacacs+ or Radius
02-05-2013 07:44 AM
Yes, it's only the name of the group, and it will be used for authentication/authorization/accounting.
The group name must conform to:
...
switch#conf t
switch(config)#aaa group server ?
ldap Ldap server-group definition
radius Radius server-group definition
tacacs+ Tacacs+ server-group definition
switch(config)#aaa group server tacacs+ ?
WORD Server-group name
switch(config)#aaa group server tacacs+ tacs
switch(config-sg-tacacs+)#server 192.168.5.75
switch(config-sg-tacacs+)#server 192.168.5.76
switch(config-sg-tacacs+)#ip vrf forwarding mgmtVrf
...
I want to draw your attention to the fact that "ip vrf forwarding mgmtVrf" should be applied not in the global config (switch(config)#), but in the aaa group server configuration (switch(config-sg-tacacs+)#).
02-05-2013 10:24 AM
Thanks for pointing my attention to "ip vrf forwarding" under the sub-command. Entering it actually removes the global command.
Here is my config, and it's still not working. I'm still getting the error "User rejected". When I checked the ACS, there is no hit in the failed-attempts log.
aaa new-model
!
!
aaa group server tacacs+ vrfgroup
server-private 192.168.5.75 single-connection key secret
server-private 192.168.5.76 single-connection key secret
ip vrf forwarding mgmt
!
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization network default group tacacs+ local if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
!
!
!
aaa session-id common
ip vrf mgmt
rd 100:1
interface FastEthernet1
ip vrf forwarding mgmt
ip address 192.168.5.1 255.255.255.0
speed auto
duplex auto
ip route vrf mgmt 192.168.5.85 255.255.255.255 192.168.5.2
ip route vrf mgmt 192.168.5.75 255.255.255.255 192.168.5.2
ip route vrf mgmt 192.168.5.76 255.255.255.255 192.168.5.2
02-05-2013 10:41 AM
Also tried with this config:
aaa group server tacacs+ vrfgroup
server 192.168.5.75
server 192.168.5.76
ip vrf forwarding mgmt
tacacs-server host 192.168.5.75 key 7
tacacs-server host 192.168.5.76 key 7
02-05-2013 10:56 AM
Hey!!!
Can you try the following command:
feature tacacs+
tacacs-server hostkey
tacacs-server key
tacacs-server directed-request
aaa group server tacacs+ ACS
server
use-vrf management
source-interface mgmt0
aaa authentication login default group ACS local
aaa authentication login console group ACS local
aaa accounting default group ACS
aaa authentication login error-enable
aaa authorization commands default local
aaa authorization config-commands default local
Let me know if it helps:
Regards
Minakshi (Rate the posts if it helps)
02-05-2013 01:19 PM
Minakshi,
Thanks...
Among other things, where should I enter these commands?
feature tacacs+
tacacs-server hostkey
tacacs-server key
tacacs-server directed-request
aaa group server tacacs+ ACS
server
use-vrf management
source-interface mgmt0
feature tacacs+ does not appear to be valid from global config.
Please note I am using a C4948 with IOS 15.0(2)SG and not a Nexus VDC.
Also note... the authentication commands are working except through the VRF interface.
06-11-2013 10:16 PM
I just powered up a 4948E myself and, shockingly, tacacs is not working via the VRF/FastEthernet1 interface. I have not seen a working solution in this forum, and surprisingly no one from Cisco has posted a response. I have tried both solutions. Solution A with the default tacacs:
tacacs-server host x.x..x
tacacs-server key blahblahblah
ip tacacs source-interface Fastethernet1
aaa new-model
aaa authentication login default group tacacs+ line
I have also tried creating the server group:
aaa group server tacacs+ whahwhahah
server-private x.x.x. key blahblahblah
ip vrf forwarding mgmtVrf
ip tacacs source-interface FastEthernet1
!
aaa authentication login whatwhahwhah line
I saw one post that stated that server-private only works for RADIUS. If TACACS does not work via the VRF, maybe the documentation should be updated to say so.
06-11-2013 11:17 PM
Hi Mate,
Do you have any ACL on the VTY interface which restricts access to your device?
Also, do you see any logs on the ACS?
Regards
Najaf
Please rate when applicable or helpful !!!
06-12-2013 07:46 AM
There are no ACLs in place that would block tacacs traffic nor do I see any hits on my ACS server.
06-12-2013 08:02 AM
Hi,
Your debug output shows timeouts to the ACS servers, as below.
Feb 4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
Feb 4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5
No authoritative response from any server.
Feb 4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
Considering the fact that you are not able to see any logs on the ACS, that means the traffic may not be reaching the ACS.
Have you tried pinging the ACS server from the switch mgmt VRF? Your previous example showed a ping response from the management workstation (192.168.5.85) and not from the ACS.
Hope that helps
Najaf
Please rate when applicable or helpful !!!
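The distinction Najaf draws above (connection timeouts, which never reach the ACS and so leave its failed-attempts log empty, versus a real rejection from the server) can be checked mechanically against "debug tacacs" / "debug aaa authentication" output. The script below is an added example for this thread, not Cisco code; it only recognises the message formats that appear in the debug output posted earlier, and the sample strings are constructed from that output.

```python
"""Triage IOS TACACS+ debug output: transport failure or credential rejection?

Added example (not Cisco code). Only the message formats seen in this thread's
debug output are parsed; the sample strings below are constructed from it.
"""
import re
from typing import Dict, List, Set

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# A server being tried, in either the legacy (TAC+) or new-code (TPLUS) format.
ATTEMPT_RE = re.compile(r"TAC\+: Opening TCP/IP to " + IP + r"/\d+"
                        r"|TPLUS: (?:Using|Choosing next) server " + IP)
# Legacy format names the server that timed out directly.
TIMEOUT_RE = re.compile(r"TAC\+: TCP/IP open to " + IP + r"/\d+ failed -- Connection timed out")
# New-code format only carries the server's index in the try order (/0/, /1/, ...).
TPLUS_TIMEOUT_RE = re.compile(r"TPLUS\(\w+\)/(\d+)/NB_WAIT/\w+: timed out$")


def triage(debug_output: str) -> Dict[str, object]:
    servers: List[str] = []        # in the order the switch tried them
    timed_out: Set[str] = set()
    rejected = no_response = False
    for line in debug_output.splitlines():
        line = line.strip()
        m = ATTEMPT_RE.search(line)
        if m:
            ip = m.group(1) or m.group(2)
            if ip not in servers:
                servers.append(ip)
        m = TIMEOUT_RE.search(line)
        if m:
            timed_out.add(m.group(1))
        m = TPLUS_TIMEOUT_RE.search(line)
        if m and int(m.group(1)) < len(servers):
            timed_out.add(servers[int(m.group(1))])
        rejected |= "User rejected" in line
        no_response |= "No authoritative response from any server" in line
    # Every server timed out (or the CLI said so): nothing reached the ACS, so the
    # "User rejected" text is the local fallback speaking, not the server.
    if no_response or (servers and set(servers) <= timed_out):
        verdict = "transport"
    elif rejected:
        verdict = "credentials"
    else:
        verdict = "inconclusive"
    return {"servers": servers, "timed_out": sorted(timed_out), "verdict": verdict}


# Constructed from the "new-code" test output posted at the top of the thread.
NEW_CODE_DEBUG = """\
Feb 4 11:36:09.808: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
Feb 4 11:36:09.808: TPLUS: Using server 192.168.5.75
Feb 4 11:36:09.808: TPLUS(00000000)/0/NB_WAIT/1AEFC558: Started 5 sec timeout
Feb 4 11:36:14.808: TPLUS(00000000)/0/NB_WAIT/1AEFC558: timed out
Feb 4 11:36:14.808: TPLUS: Choosing next server 192.168.5.76
Feb 4 11:36:14.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: Started 5 sec timeout
User rejected
Feb 4 11:36:19.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: timed out
Feb 4 11:36:19.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: timed out, clean up
"""

# Constructed from the "legacy" test output in the same post.
LEGACY_DEBUG = """\
Feb 4 11:39:16.372: TAC+: Opening TCP/IP to 192.168.5.75/49 timeout=5
Feb 4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
Feb 4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5
No authoritative response from any server.
Feb 4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
"""

# Constructed counter-example: the server was reached and no timeout occurred.
REJECT_DEBUG = """\
Feb 4 12:00:00.000: TPLUS: Using server 192.168.5.75
User rejected
"""
```

A "transport" verdict points at the path between the switch's VRF and the ACS (routing, source interface, ACLs), and it also explains why the ACS shows no failed attempt: the request never arrived.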
06-12-2013 10:02 AM
The solution is in the aaa login statement....
aaa authentication login whahwhahah line <-- incorrect
aaa authentication login default group whahwhahah line <-- correct
06-12-2013 01:37 PM
If you copy and paste this and tailor it to your specifics, such as IP addresses, it should work perfectly.
aaa group server tacacs+ management
server 192.168.5.7
server 192.168.5.7
ip vrf forwarding mgmtVrf
ip tacacs source-interface FastEthernet1
!
!
aaa authentication login default group management local
aaa authentication login no_tacacs local
aaa authentication enable default group management enable
aaa authorization exec default group management if-authenticated
aaa authorization network default group management local if-authenticated
aaa accounting commands 15 default start-stop group management
tacacs-server host 192.168.5.7
tacacs-server host 192.168.5.7
tacacs-server directed-request
tacacs-server key
Regards
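The fix the thread converges on is a naming one: the VRF binding lives under a named "aaa group server tacacs+" block, and every method list must reference that group by name. The earlier "vrfgroup" config defined the group but left the method lists pointing at the built-in "tacacs+" group, which is the global host list with no VRF binding. The linter below is an added example for this thread, not Cisco code and not any poster's configuration; it assumes IOS-style text with sub-commands indented by one space and blocks closed by "!", and the two sample configs are constructed from the posts above with that indentation restored.

```python
"""Lint an IOS AAA configuration for the VRF mistakes discussed in this thread.

Added example for this thread; it is not Cisco code and not any poster's config.
Assumes IOS-style text: sub-commands indented by one space, blocks ended by '!'.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Implicit groups built from the global tacacs-server/radius-server hosts; they carry no VRF binding.
BUILTIN_GROUPS = {"tacacs+", "radius"}
GROUP_HDR_RE = re.compile(r"^aaa group server (tacacs\+|radius) (\S+)$")
METHOD_RE = re.compile(r"^aaa (?:authentication|authorization|accounting) ")
GROUP_REF_RE = re.compile(r"\bgroup (\S+)")


@dataclass
class ServerGroup:
    name: str
    protocol: str
    servers: List[str] = field(default_factory=list)
    vrf: Optional[str] = None


def parse(config: str) -> Tuple[Dict[str, ServerGroup], List[Tuple[str, str]], List[str]]:
    """Return (named server groups, (method line, group name) references, global vrf lines)."""
    groups: Dict[str, ServerGroup] = {}
    refs: List[Tuple[str, str]] = []
    global_vrf: List[str] = []
    current: Optional[ServerGroup] = None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            current = None
            continue
        if raw.startswith(" "):              # sub-command of whatever block is open
            if current is not None:          # only server-group blocks matter here
                words = text.split()
                if words[0] in ("server", "server-private"):
                    current.servers.append(words[1])
                elif text.startswith("ip vrf forwarding "):
                    current.vrf = words[-1]
            continue
        current = None                       # an unindented line closes any block
        hdr = GROUP_HDR_RE.match(text)
        if hdr:
            current = ServerGroup(name=hdr.group(2), protocol=hdr.group(1))
            groups[current.name] = current
        elif METHOD_RE.match(text):
            refs.extend((text, g) for g in GROUP_REF_RE.findall(text))
        elif text.startswith("ip vrf forwarding "):
            global_vrf.append(text)
    return groups, refs, global_vrf


def lint(config: str) -> List[str]:
    groups, refs, global_vrf = parse(config)
    findings: List[str] = []
    vrf_bound = sorted(n for n, g in groups.items() if g.vrf)
    for line, name in refs:
        if name not in groups and name not in BUILTIN_GROUPS:
            findings.append(f"undefined server group '{name}': {line}")
        elif name in BUILTIN_GROUPS and vrf_bound:
            # The thread's bug: the VRF-bound group exists but is never consulted.
            findings.append(f"built-in group '{name}' used while VRF-bound group(s) "
                            f"{vrf_bound} exist and are never consulted: {line}")
    for g in groups.values():
        if not g.servers:
            findings.append(f"server group '{g.name}' defines no servers")
    for line in global_vrf:
        findings.append("'ip vrf forwarding' at global level binds nothing for AAA; "
                        f"put it under 'aaa group server': {line}")
    return findings


# Constructed from the vrfgroup config posted earlier in the thread (indentation restored).
BROKEN_CONFIG = """\
aaa group server tacacs+ vrfgroup
 server-private 192.168.5.75 single-connection key secret
 server-private 192.168.5.76 single-connection key secret
 ip vrf forwarding mgmt
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
interface FastEthernet1
 ip vrf forwarding mgmt
"""

# Constructed from the working config in the post above (addresses as posted there).
FIXED_CONFIG = """\
aaa group server tacacs+ management
 server 192.168.5.7
 ip vrf forwarding mgmtVrf
 ip tacacs source-interface FastEthernet1
!
aaa authentication login default group management local
aaa authentication login no_tacacs local
aaa accounting commands 15 default start-stop group management
tacacs-server host 192.168.5.7
"""
```

Running lint(BROKEN_CONFIG) reports one finding per method list that still says "group tacacs+", while lint(FIXED_CONFIG) returns nothing; the same check catches the OP's first attempt, where "ip vrf forwarding mgmt" was typed at the global level.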