TACACS not working properly - defaults to local login

navic
Level 4

Here's the config:

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
tacacs-server host 162.x.x.x
tacacs-server directed-request
tacacs-server key 7 xxxxxx

Here's the debug when it doesn't work:

2w4d: TAC+: Opening TCP/IP to 162.x.x.x/49 timeout=5
2w4d: TAC+: Opened TCP/IP handle 0x4418CD50 to 162.x.x.x/49
2w4d: TAC+: periodic timer started
2w4d: TAC+: 162.x.x.x req=50F62E70 Qd id=310495683 ver=192 handle=0x4418CD50 expire=5 AUTHEN/START/LOGIN/ASCII queued
2w4d: TAC+: 162.x.x.x id=310495683 wrote 37 of 37 bytes
2w4d: TAC+: 162.x.x.x req=50F62E70 Qd id=310495683 ver=192 handle=0x4418CD50 expire=4 AUTHEN/START/LOGIN/ASCII sent
2w4d: TAC+: 162.x.x.x read END-OF-FILE
2w4d: TAC+: req=50F62E70 Tx id=310495683 ver=192 handle=0x4418CD50 expire=4 AUTHEN/START/LOGIN/ASCII processed
2w4d: TAC+: periodic timer stopped (queue empty)
2w4d: TAC+: Closing TCP/IP 0x4418CD50 connection to 162.x.x.x/49

Thanks

3 Replies

gfullage
Cisco Employee

Can you send the "debug aaa authen" output as well as the TACACS debug? This will give us a better indication of what's failing. The TACACS debug just shows the NAS opening and then closing the TCP connection, which shows that connectivity seems to be OK.

.Jan 5 19:20:06.085: AAA: parse name=tty2 idb type=-1 tty=-1
.Jan 5 19:20:06.085: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
.Jan 5 19:20:06.085: AAA/MEMORY: create_user (0x1FF2C68) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='172.x.x.x' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
.Jan 5 19:20:06.085: AAA/AUTHEN/START (1319584342): port='tty2' list='' action=LOGIN service=LOGIN
.Jan 5 19:20:06.085: AAA/AUTHEN/START (1319584342): using "default" list
.Jan 5 19:20:06.085: AAA/AUTHEN/START (1319584342): Method=tacacs+ (tacacs+)
.Jan 5 19:20:06.085: TAC+: send AUTHEN/START packet ver=192 id=1319584342
.Jan 5 19:20:06.085: TAC+: Using default tacacs server-group "tacacs+" list.
.Jan 5 19:20:06.085: TAC+: Opening TCP/IP to 162.x.x.x/49 timeout=5
.Jan 5 19:20:06.085: TACACS: Cannot set property of connection
.Jan 5 19:20:06.089: TAC+: Opened TCP/IP handle 0x71C3840 to 162.x.x.x/49
.Jan 5 19:20:06.089: TAC+: periodic timer started
.Jan 5 19:20:06.089: TAC+: 162.x.x.x req=71B92E0 Qd id=1319584342 ver=192 handle=0x71C3840 expire=5 AUTHEN/START/LOGIN/ASCII queued
.Jan 5 19:20:06.089: TAC+: 162.x.x.x (1319584342) AUTHEN/START/LOGIN/ASCII queued
.Jan 5 19:20:06.189: TAC+: 162.x.x.x id=1319584342 wrote 45 of 45 bytes
.Jan 5 19:20:06.189: TAC+: 162.x.x.x req=71B92E0 Qd id=1319584342 ver=192 handle=0x71C3840 expire=4 AUTHEN/START/LOGIN/ASCII sent
.Jan 5 19:20:06.289: TAC+: 162.x.x.x read=12 wanted=12 alloc=12 got=12
.Jan 5 19:20:06.289: TAC+: 162.x.x.x read=28 wanted=28 alloc=28 got=16
.Jan 5 19:20:06.289: TAC+: 162.x.x.x received 28 byte reply for 71B92E0
.Jan 5 19:20:06.289: TAC+: req=71B92E0 Tx id=1319584342 ver=192 handle=0x71C3840 expire=4 AUTHEN/START/LOGIN/ASCII processed
.Jan 5 19:20:06.289: TAC+: (1319584342) AUTHEN/START/LOGIN/ASCII processed
.Jan 5 19:20:06.289: TAC+: periodic timer stopped (queue empty)
.Jan 5 19:20:06.289: TAC+: ver=192 id=1319584342 received AUTHEN status = GETPASS
.Jan 5 19:20:06.289: AAA/AUTHEN (1319584342): status = GETPASS
.Jan 5 19:20:06.289: AAA/AUTHEN/CONT (1319584342): continue_login (user='chhabran')
.Jan 5 19:20:06.289: AAA/AUTHEN (1319584342): status = GETPASS
.Jan 5 19:20:06.289: AAA/AUTHEN (1319584342): Method=tacacs+ (tacacs+)
.Jan 5 19:20:06.289: TAC+: send AUTHEN/CONT packet id=1319584342
.Jan 5 19:20:06.289: TAC+: periodic timer started
.Jan 5 19:20:06.289: TAC+: 162.x.x.x req=71B92E0 Qd id=1319584342 ver=192 handle=0x71C3840 expire=5 AUTHEN/CONT queued
.Jan 5 19:20:06.289: TAC+: 162.x.x.x (1319584342) AUTHEN/CONT queued
.Jan 5 19:20:06.389: TAC+: 162.x.x.x id=1319584342 wrote 25 of 25 bytes
.Jan 5 19:20:06.389: TAC+: 162.x.x.x req=71B92E0 Qd id=1319584342 ver=192 handle=0x71C3840 expire=4 AUTHEN/CONT sent
.Jan 5 19:20:06.489: TAC+: 162.x.x.x read=12 wanted=12 alloc=12 got=12
.Jan 5 19:20:06.489: TAC+: 162.x.x.x read=18 wanted=18 alloc=18 got=6
.Jan 5 19:20:06.489: TAC+: 162.x.x.x received 18 byte reply for 71B92E0
.Jan 5 19:20:06.489: TAC+: req=71B92E0 Tx id=1319584342 ver=192 handle=0x71C3840 expire=4 AUTHEN/CONT processed
.Jan 5 19:20:06.489: TAC+: (1319584342) AUTHEN/CONT processed
.Jan 5 19:20:06.489: TAC+: periodic timer stopped (queue empty)
.Jan 5 19:20:06.489: TAC+: ver=192 id=1319584342 received AUTHEN status = PASS
.Jan 5 19:20:06.489: AAA/AUTHEN (1319584342): status = PASS
.Jan 5 19:20:06.489: TAC+: Closing TCP/IP 0x71C3840 connection to 162.x.x.x/49
.Jan 5 19:20:06.565: TAC+: using previously set server 162.x.x.x from group tacacs+
.Jan 5 19:20:06.565: TAC+: Opening TCP/IP to 162.x.x.x/49 timeout=5
.Jan 5 19:20:06.565: TACACS: Cannot set property of connection
.Jan 5 19:20:06.577: TAC+: Opened TCP/IP handle 0x71C0FC0 to 162.x.x.x/49

Perhaps we need a better understanding of what the problem is and what is not working. From the debug that you posted it looks to me like tacacs authentication is working. In particular I am looking at these entries from the debug:

Jan 5 19:20:06.085: TAC+: send AUTHEN/START packet ver=192 id=1319584342 (which indicates that it is initiating a request to tacacs.)

Jan 5 19:20:06.289: TAC+: ver=192 id=1319584342 received AUTHEN status = GETPASS (and this entry says that tacacs has received the request and is asking the router to prompt for the password.)

Jan 5 19:20:06.289: TAC+: send AUTHEN/CONT packet id=1319584342 (and the router sent another packet which contains the entered password.)

Jan 5 19:20:06.489: TAC+: ver=192 id=1319584342 received AUTHEN status = PASS (and tacacs sent back a response which was positive - it authenticated.)

There is an entry in the debug which does indicate that something is not correct:

Jan 5 19:20:06.565: TACACS: Cannot set property of connection

So I would like a better understanding of what is working and what is not working.

HTH

Rick
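The reading Rick walks through above can be made mechanical: the following Python helper is an added example, not code from the thread or from Cisco, that groups TAC+/AAA debug lines by session id, records the AUTHEN phases and server statuses, and classifies each exchange. It treats a session that ends in END-OF-FILE with no AUTHEN status as the server hanging up before answering, which IOS counts as a method error rather than a FAIL and so moves on to the next method in the list (here `enable`), in contrast to the GETPASS/PASS session that authenticated; the sample lines are constructed from the debug output quoted in this thread with the server address masked as in the post.

```python
import re

# Constructed sample assembled from lines quoted in this thread (server masked as in
# the post): session 310495683 gets END-OF-FILE and no answer; 1319584342 ends in PASS.
SAMPLE_DEBUG = """\
2w4d: TAC+: 162.x.x.x req=50F62E70 Qd id=310495683 ver=192 expire=5 AUTHEN/START/LOGIN/ASCII queued
2w4d: TAC+: 162.x.x.x read END-OF-FILE
.Jan 5 19:20:06.085: AAA/AUTHEN/START (1319584342): Method=tacacs+ (tacacs+)
.Jan 5 19:20:06.085: TACACS: Cannot set property of connection
.Jan 5 19:20:06.289: TAC+: ver=192 id=1319584342 received AUTHEN status = GETPASS
.Jan 5 19:20:06.289: AAA/AUTHEN/CONT (1319584342): continue_login (user='chhabran')
.Jan 5 19:20:06.489: TAC+: ver=192 id=1319584342 received AUTHEN status = PASS
"""

ID_RE = re.compile(r"\bid=(\d+)|\((\d{6,})\)")      # session id as "id=NNN" or "(NNN)"
PHASE_RE = re.compile(r"AUTHEN/(START|CONT)")
STATUS_RE = re.compile(r"received AUTHEN status = (\w+)")
USER_RE = re.compile(r"continue_login \(user='([^']*)'\)")

def classify(s):
    """PASS/FAIL are the server's verdict; EOF with no status = server hung up, AAA tries next method."""
    if "PASS" in s["statuses"]:
        return "PASS"
    if "FAIL" in s["statuses"]:
        return "FAIL"
    return "NO_REPLY" if s["eof"] else "INCOMPLETE"

def parse_tacacs_debug(text):
    """Group TAC+/AAA debug lines by session id; return (sessions, connection_property_errors)."""
    sessions, conn_errors, current = {}, 0, None
    for line in text.splitlines():
        if "Cannot set property of connection" in line:
            conn_errors += 1                 # this line carries no session id; count it separately
            continue
        m = ID_RE.search(line)
        current = (m.group(1) or m.group(2)) if m else current
        if current is None:
            continue                         # noise before the first session starts
        s = sessions.setdefault(current, {"phases": [], "statuses": [], "user": None, "eof": False})
        for key, rx in (("phases", PHASE_RE), ("statuses", STATUS_RE)):
            hit = rx.search(line)
            if hit and (key == "statuses" or hit.group(1) not in s[key]):
                s[key].append(hit.group(1))  # phases kept unique, statuses kept in order
        u = USER_RE.search(line)
        s["user"] = u.group(1) if u else s["user"]
        s["eof"] |= "read END-OF-FILE" in line   # id-less line belongs to the open session
    for s in sessions.values():
        s["outcome"] = classify(s)
    return sessions, conn_errors
```

Run it over a full "debug tacacs" / "debug aaa authen" capture and any session whose outcome is NO_REPLY or INCOMPLETE is one where the router never got a verdict from the server and would have fallen through to the next method.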