06-11-2013 05:44 PM - last edited on 03-25-2019 05:30 PM by ciscomoderator
We have an ASR 9010 with IOS XR, and we are configuring it to connect to a TACACS+ server; this TACACS+ server works and is giving service to many other MPLS devices. We have been following the guide:
Configuring AAA Services on Cisco ASR 9000 Series Routers
but we have had a lot of trouble; in fact, we have lost administrative access to the box. At this moment the only lines in the ASR 9010 are:
The TACACS+ config:
tacacs source-interface Loopback10 vrf OAM
tacacs-server host 150.119.1.110 port 49
key 7 0505110E317F0E
The AAA config:
aaa authorization commands console none
aaa authentication login console local
aaa authentication login default group tacacs+ local line
Communication is up between the TACACS+ server and the ASR:
ASR TO TACACS+
RP/0/RSP0/CPU0:ED_MEX_1#ping vrf OAM 150.119.1.110
Tue Jun 11 13:33:27.477 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.119.1.110, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
RP/0/RSP0/CPU0:ED_MEX_1#
TACACS+ TO ASR:
tacacs@tacti:~$ ping 172.16.162.1
PING 172.16.162.1 (172.16.162.1) 56(84) bytes of data.
64 bytes from 172.16.162.1: icmp_req=1 ttl=252 time=1.35 ms
64 bytes from 172.16.162.1: icmp_req=2 ttl=252 time=0.605 ms
64 bytes from 172.16.162.1: icmp_req=3 ttl=252 time=0.587 ms
64 bytes from 172.16.162.1: icmp_req=4 ttl=252 time=0.787 ms
64 bytes from 172.16.162.1: icmp_req=5 ttl=252 time=0.649 ms
RP/0/RSP0/CPU0:ED_MEX_1(config)#do sh tacac
Tue Jun 11 19:41:23.918 UTC
Server: 150.119.1.110/49 opens=0 closes=0 aborts=0 errors=0
packets in=0 packets out=0
status=up single-connect=false
RP/0/RSP0/CPU0:ED_MEX_1(config)#
RP/0/RSP0/CPU0:ED_MEX_1#sh ver
Tue Jun 11 13:37:26.105 UTC
Cisco IOS XR Software, Version 4.2.3[Default]
Copyright (c) 2012 by Cisco Systems, Inc.
ROM: System Bootstrap, Version 0.62(c) 1994-2012 by Cisco Systems, Inc.
ED_MEX_1 uptime is 3 days, 23 hours, 42 minutes
System image file is "disk0:asr9k-os-mbi-4.2.3.CSCuc79084-1.0.0/0x100305/mbiasr9k-rsp3.vm "
cisco ASR9K Series (Intel 686 F6M14S4) processor with 6291456K bytes of memory.
Intel 686 F6M14S4 processor at 2128MHz, Revision 2.174
ASR 9010 AC Chassis with PEM Version 2
4 Management Ethernet
20 DWDM controller(s)
20 TenGigE
20 WANPHY controller(s)
40 GigabitEthernet
503k bytes of non-volatile configuration memory.
6271M bytes of hard disk.
11817968k bytes of disk0: (Sector size 512 bytes).
11817968k bytes of disk1: (Sector size 512 bytes).
We need a little help, please.
Thanks
Maru
06-11-2013 06:46 PM
Hi Maru,
Do you see any logs on the TACACS+ server? Which version of AAA server are you using? Also, do you have any ACL set on the VTY?
Regards
Najaf
Please rate when applicable or helpful !!!
06-11-2013 07:16 PM
Hi Najaf, thanks for the reply.
The version is:
tacacs@tacti:/etc/tacacs+/bin$ tac_plus -v
tac_plus version F4.0.4.19
ACLS
FIONBIO
LIBWRAP
LINUX
LITTLE_ENDIAN
LOG_DAEMON
MAXSESS
MAXSESS_FINGER
PAM
NO_PWAGE
REAPCHILD
RETSIGTYPE RETSIGTYPE
SHADOW_PASSWORDS
SIGTSTP
SIGTTIN
SIGTTOU
SO_REUSEADDR
STRERROR
TAC_PLUS_PORT
UENABLE
__STDC__
tacacs@tacti:/etc/tacacs+/bin$
The TACACS+ server does not know about the ASR trying to connect; the TACACS+ server does not show any message in its debug.
There is no access list on the vty line.
Maru.
06-11-2013 09:00 PM
Hi Maru,
Personally I have not worked on UNIX-based TACACS :-(. Still, it would be worth checking the points below.
> You're sourcing the TACACS traffic from Loopback10. So have you checked pinging the TACACS server with Loopback10 as the source?
> I assume you already added the Loopback10 IP address as an AAA client on your TACACS box.
> The sh tacacs output shows there are no packets sent or received. Have you checked with "debug aaa authentication" to see if there is any useful information you are able to get?
Regards
Najaf
Please rate when applicable or helpful !!!
06-12-2013 01:44 AM
If you're not seeing any messages or logs on the TACACS server, then it's highly possible that your TACACS server is unreachable via Loopback10 or that TCP port 49 is blocked somewhere in between. What devices do we have in the route? Is there any firewall? Was this working before?
Please turn on the following debugs:
debug tacacs
debug aaa authen
Run this command from the ASR CLI (if available):
test aaa group tacacs+ username password leg
Paste the output here.
Jatin Katyal
*Do rate helpful posts*
06-12-2013 07:52 AM
Hi Jatin Katyal,
Communication exists between both of them, TACACS+ and the ASR; I've put the pings up in the previous answers.
There is no firewall; this was not working before, it is a new implementation integrating the ASR 9010.
When we put in the config "aaa authentication login default group tacacs+", we receive this message, in which no prompt to enter the username and password appears:
GW_MEX_2#telnet 172.16.14.6
Trying 172.16.14.6 ... Open
% Authentication failed
[Connection to 172.16.14.6 closed by foreign host]
The AAA config that we have at this moment is:
tacacs source-interface Loopback10 vrf OAM
tacacs-server host 150.119.1.110 port 49
key 7 11070E0407214B
timeout 30
single-connection
aaa group server tacacs+ maru
server 150.119.1.110
and we put in and erased these lines of aaa:
aaa authentication login default group tacacs+
aaa authentication login default group root-system
aaa authentication login default local
aaa authentication login default line
The authentication debug is:
RP/0/RSP0/CPU0:Jun 11 21:55:19.293 : exec[65847]: Reading SysDB path 'authentication/login/default' ...
RP/0/RSP0/CPU0:Jun 11 21:55:19.293 : exec[65847]: Using authentication methodlist 'default'
RP/0/RSP0/CPU0:Jun 11 21:55:19.293 : exec[65847]: Add remote addr attribute - 172.16.14.5 (length 11)
RP/0/RSP0/CPU0:Jun 11 21:55:19.294 : exec[65847]: Sending the authentication request message to server
RP/0/RSP0/CPU0:Jun 11 21:55:19.297 : exec[65847]: Interpreting the authentication reply from the server
RP/0/RSP0/CPU0:Jun 11 21:55:19.297 : exec[65847]: Reply buffer length: 504 - 24 = 480 bytes
RP/0/RSP0/CPU0:Jun 11 21:55:19.297 : exec[65847]: Unpacking the AV list from the reply data
RP/0/RSP0/CPU0:Jun 11 21:55:19.298 : exec[65847]: Extracting results from the server's reply
RP/0/RSP0/CPU0:Jun 11 21:55:19.298 : exec[65847]: Authenticating user: ASRadmin
RP/0/RSP0/CPU0:Jun 11 21:55:19.298 : exec[65847]: Authentication status: PASS
RP/0/RSP0/CPU0:Jun 11 21:55:19.298 : exec[65847]: Read task map size: 72 ...
RP/0/RSP0/CPU0:Jun 11 21:55:19.298 : exec[65847]: Read user group string, length: 12
RP/0/RSP0/CPU0:Jun 11 21:55:19.298 : exec[65847]: %SECURITY-login-6-AUTHEN_SUCCESS : Successfully authenticated user 'ASRadmin' from '172.16.14.5' on 'vty1'
RP/0/RSP0/CPU0:Jun 11 21:55:19.298 : exec[65847]: Getting details on ttyname '/dev/vty1'
RP/0/RSP0/CPU0:Jun 11 21:55:19.301 : exec[65847]: Reading SysDB path 'authorization/exec/default' ...
RP/0/RSP0/CPU0:Jun 11 21:55:19.304 : exec[65847]: Add remote addr attribute - 172.16.14.5 (length 11)
RP/0/RSP0/CPU0:Jun 11 21:55:19.307 : exec[65847]: Reading SysDB path 'accounting/exec/default' ...
RP/0/RSP0/CPU0:Jun 11 21:55:19.310 : exec[65847]: Add remote addr attribute - 172.16.14.5 (length 11)
RP/0/RSP0/CPU0:Jun 11 21:55:19.324 : exec[65847]: Getting details on ttyname '/dev/vty1'
RP/0/RSP0/CPU0:Jun 11 21:55:19.327 : exec[65847]: Username: ASRadmin, len 9
RP/0/RSP0/CPU0:Jun 11 21:55:24.542 : config[65844]: Reading SysDB path 'authorization/commands/default' ...
RP/0/RSP0/CPU0:Jun 11 21:55:24.546 : config[65844]: Reading SysDB path 'accounting/commands/default' ...
RP/0/RSP0/CPU0:Jun 11 21:55:24.622 : nvgen[65850]: Getting details on ttyname '/dev/vty0'
RP/0/RSP0/CPU0:Jun 11 21:55:24.625 : nvgen[65850]: Username: ASRadmin, len 9
RP/0/RSP0/CPU0:Jun 11 21:55:41.447 : config[65844]: Reading SysDB path 'authorization/commands/default' ...
RP/0/RSP0/CPU0:Jun 11 21:55:41.451 : config[65844]: Reading SysDB path 'accounting/commands/default' ...
RP/0/RSP0/CPU0:Jun 11 21:55:47.399 : config[65844]: Reading SysDB path 'authorization/commands/default' ...
RP/0/RSP0/CPU0:Jun 11 21:55:47.403 : config[65844]: Reading SysDB path 'accounting/commands/default' ...
RP/0/RSP0/CPU0:Jun 11 21:55:54.120 : config[65844]: Reading SysDB path 'authorization/commands/default' ...
RP/0/RSP0/CPU0:Jun 11 21:55:54.124 : config[65844]: Reading SysDB path 'accounting/commands/default' ...
RP/0/RSP0/CPU0:Jun 11 21:56:09.636 : config[65844]: Reading SysDB path 'authorization/commands/default' ...
RP/0/RSP0/CPU0:Jun 11 21:56:09.640 : config[65844]: Reading SysDB path 'accounting/commands/default' ...
RP/0/RSP0/CPU0:Jun 11 21:57:12.724 : config[65844]: Reading SysDB path 'authorization/commands/default' ...
RP/0/RSP0/CPU0:Jun 11 21:57:12.728 : config[65844]: Reading SysDB path 'accounting/commands/default' ...
RP/0/RSP0/CPU0:ED_MEX_1#sh tacacs
Wed Jun 12 09:43:22.557 UTC
Server: 150.119.1.110/49 opens=0 closes=0 aborts=0 errors=0
packets in=0 packets out=0
status=up single-connect=false
RP/0/RSP0/CPU0:ED_MEX_1#
Putting the lines:
aaa authentication login default group tacacs+
aaa authentication login default group maru
aaa authentication login default local
aaa authentication login default line
In fact, I also created a taskgroup and usergroup called maru that have permissions for many things.
taskgroup maru
task read bgp
task write bgp
task execute aaa
description taca
!
usergroup maru
taskgroup maru
description taca
The last was following the guide mentioned initially.
We have this result:
GW_MEX_2#telnet 172.16.14.6
Trying 172.16.14.6 ... Open
Password:
Password:
and the debug on the ASR applying debug tacacs and debug aaa authen is:
RP/0/RSP0/CPU0:ED_MEX_1(config)#RP/0/RSP0/CPU0:Jun 12 09:45:51.674 : exec[65848]: Getting details on ttyname '/dev/vty1'
RP/0/RSP0/CPU0:Jun 12 09:45:51.678 : exec[65848]: Failed to read vty1/username from SysDB
RP/0/RSP0/CPU0:Jun 12 09:45:51.749 : exec[65848]: Composing an authentication message
RP/0/RSP0/CPU0:Jun 12 09:45:51.754 : exec[65848]: Authentication not configured, for this line, using 'default' methodlist
RP/0/RSP0/CPU0:Jun 12 09:45:51.754 : exec[65848]: Reading SysDB path 'authentication/login/default' ...
RP/0/RSP0/CPU0:Jun 12 09:45:51.755 : exec[65848]: Using authentication methodlist 'default'
RP/0/RSP0/CPU0:Jun 12 09:45:51.755 : exec[65848]: Looking host address in ________/________/vty/1/state/connection/host
RP/0/RSP0/CPU0:Jun 12 09:45:51.759 : exec[65848]: Looking host family in ________/________/vty/1/state/connection/family
RP/0/RSP0/CPU0:Jun 12 09:45:51.762 : exec[65848]: Got remote address 172.16.14.5 (length 11)
RP/0/RSP0/CPU0:Jun 12 09:45:51.762 : exec[65848]: Add remote addr attribute - 172.16.14.5 (length 11)
RP/0/RSP0/CPU0:Jun 12 09:45:51.762 : exec[65848]: Sending the authentication request message to server
RP/0/RSP0/CPU0:Jun 12 09:45:51.765 : exec[65848]: Interpreting the authentication reply from the server
RP/0/RSP0/CPU0:Jun 12 09:45:51.765 : exec[65848]: Reply buffer length: 388 - 24 = 364 bytes
RP/0/RSP0/CPU0:Jun 12 09:45:51.765 : exec[65848]: Unpacking the AV list from the reply data
RP/0/RSP0/CPU0:Jun 12 09:45:51.768 : exec[65848]: Extracting results from the server's reply
RP/0/RSP0/CPU0:Jun 12 09:45:51.768 : exec[65848]: Authenticating user: dev-vty1
RP/0/RSP0/CPU0:Jun 12 09:45:51.768 : exec[65848]: Authentication status: GETPASS
RP/0/RSP0/CPU0:Jun 12 09:45:51.768 : exec[65848]: Malloc prompt length=10
RP/0/RSP0/CPU0:Jun 12 09:45:59.055 : exec[65848]: Composing an authentication message
RP/0/RSP0/CPU0:Jun 12 09:45:59.058 : exec[65848]: Authentication not configured, for this line, using 'default' methodlist
RP/0/RSP0/CPU0:Jun 12 09:45:59.058 : exec[65848]: Reading SysDB path 'authentication/login/default' ...
RP/0/RSP0/CPU0:Jun 12 09:45:59.061 : exec[65848]: Using authentication methodlist 'default'
RP/0/RSP0/CPU0:Jun 12 09:45:59.061 : exec[65848]: Add remote addr attribute - 172.16.14.5 (length 11)
RP/0/RSP0/CPU0:Jun 12 09:45:59.061 : exec[65848]: Sending the authentication request message to server
RP/0/RSP0/CPU0:Jun 12 09:45:59.062 : exec[65848]: Interpreting the authentication reply from the server
RP/0/RSP0/CPU0:Jun 12 09:45:59.062 : exec[65848]: Reply buffer length: 424 - 24 = 400 bytes
RP/0/RSP0/CPU0:Jun 12 09:45:59.062 : exec[65848]: Unpacking the AV list from the reply data
RP/0/RSP0/CPU0:Jun 12 09:45:59.062 : exec[65848]: Extracting results from the server's reply
RP/0/RSP0/CPU0:Jun 12 09:45:59.062 : exec[65848]: Authenticating user: dev-vty1
RP/0/RSP0/CPU0:Jun 12 09:45:59.062 : exec[65848]: Authentication status: FAIL
RP/0/RSP0/CPU0:Jun 12 09:45:59.609 : exec[65848]: Composing an authentication message
RP/0/RSP0/CPU0:Jun 12 09:45:59.612 : exec[65848]: Authentication not configured, for this line, using 'default' methodlist
RP/0/RSP0/CPU0:Jun 12 09:45:59.612 : exec[65848]: Reading SysDB path 'authentication/login/default' ...
RP/0/RSP0/CPU0:Jun 12 09:45:59.612 : exec[65848]: Using authentication methodlist 'default'
RP/0/RSP0/CPU0:Jun 12 09:45:59.613 : exec[65848]: Looking host address in ________/________/vty/1/state/connection/host
RP/0/RSP0/CPU0:Jun 12 09:45:59.616 : exec[65848]: Looking host family in ________/________/vty/1/state/connection/family
RP/0/RSP0/CPU0:Jun 12 09:45:59.619 : exec[65848]: Got remote address 172.16.14.5 (length 11)
RP/0/RSP0/CPU0:Jun 12 09:45:59.619 : exec[65848]: Add remote addr attribute - 172.16.14.5 (length 11)
RP/0/RSP0/CPU0:Jun 12 09:45:59.619 : exec[65848]: Sending the authentication request message to server
RP/0/RSP0/CPU0:Jun 12 09:45:59.622 : exec[65848]: Interpreting the authentication reply from the server
RP/0/RSP0/CPU0:Jun 12 09:45:59.622 : exec[65848]: Reply buffer length: 388 - 24 = 364 bytes
RP/0/RSP0/CPU0:Jun 12 09:45:59.622 : exec[65848]: Unpacking the AV list from the reply data
RP/0/RSP0/CPU0:Jun 12 09:45:59.622 : exec[65848]: Extracting results from the server's reply
RP/0/RSP0/CPU0:Jun 12 09:45:59.622 : exec[65848]: Authenticating user: dev-vty1
RP/0/RSP0/CPU0:Jun 12 09:45:59.622 : exec[65848]: Authentication status: GETPASS
RP/0/RSP0/CPU0:Jun 12 09:45:59.622 : exec[65848]: Malloc prompt length=10
RP/0/RSP0/CPU0:Jun 12 09:46:03.667 : exec[65848]: Composing an authentication message
RP/0/RSP0/CPU0:Jun 12 09:46:03.670 : exec[65848]: Authentication not configured, for this line, using 'default' methodlist
RP/0/RSP0/CPU0:Jun 12 09:46:03.670 : exec[65848]: Reading SysDB path 'authentication/login/default' ...
RP/0/RSP0/CPU0:Jun 12 09:46:03.670 : exec[65848]: Using authentication methodlist 'default'
RP/0/RSP0/CPU0:Jun 12 09:46:03.670 : exec[65848]: Add remote addr attribute - 172.16.14.5 (length 11)
RP/0/RSP0/CPU0:Jun 12 09:46:03.671 : exec[65848]: Sending the authentication request message to server
RP/0/RSP0/CPU0:Jun 12 09:46:03.674 : exec[65848]: Interpreting the authentication reply from the server
RP/0/RSP0/CPU0:Jun 12 09:46:03.674 : exec[65848]: Reply buffer length: 420 - 24 = 396 bytes
RP/0/RSP0/CPU0:Jun 12 09:46:03.674 : exec[65848]: Unpacking the AV list from the reply data
RP/0/RSP0/CPU0:Jun 12 09:46:03.674 : exec[65848]: Extracting results from the server's reply
RP/0/RSP0/CPU0:Jun 12 09:46:03.674 : exec[65848]: Authenticating user: dev-vty1
RP/0/RSP0/CPU0:Jun 12 09:46:03.674 : exec[65848]: Authentication status: FAIL
RP/0/RSP0/CPU0:Jun 12 09:46:04.218 : exec[65848]: Composing an authentication message
RP/0/RSP0/CPU0:Jun 12 09:46:04.221 : exec[65848]: Authentication not configured, for this line, using 'default' methodlist
RP/0/RSP0/CPU0:Jun 12 09:46:04.221 : exec[65848]: Reading SysDB path 'authentication/login/default' ...
RP/0/RSP0/CPU0:Jun 12 09:46:04.221 : exec[65848]: Using authentication methodlist 'default'
RP/0/RSP0/CPU0:Jun 12 09:46:04.222 : exec[65848]: Looking host address in ________/________/vty/1/state/connection/host
RP/0/RSP0/CPU0:Jun 12 09:46:04.222 : exec[65848]: Looking host family in ________/________/vty/1/state/connection/family
RP/0/RSP0/CPU0:Jun 12 09:46:04.225 : exec[65848]: Got remote address 172.16.14.5 (length 11)
RP/0/RSP0/CPU0:Jun 12 09:46:04.225 : exec[65848]: Add remote addr attribute - 172.16.14.5 (length 11)
RP/0/RSP0/CPU0:Jun 12 09:46:04.225 : exec[65848]: Sending the authentication request message to server
RP/0/RSP0/CPU0:Jun 12 09:46:04.228 : exec[65848]: Interpreting the authentication reply from the server
RP/0/RSP0/CPU0:Jun 12 09:46:04.228 : exec[65848]: Reply buffer length: 388 - 24 = 364 bytes
RP/0/RSP0/CPU0:Jun 12 09:46:04.228 : exec[65848]: Unpacking the AV list from the reply data
RP/0/RSP0/CPU0:Jun 12 09:46:04.228 : exec[65848]: Extracting results from the server's reply
RP/0/RSP0/CPU0:Jun 12 09:46:04.228 : exec[65848]: Authenticating user: dev-vty1
RP/0/RSP0/CPU0:Jun 12 09:46:04.228 : exec[65848]: Authentication status: GETPASS
RP/0/RSP0/CPU0:Jun 12 09:46:04.228 : exec[65848]: Malloc prompt length=10
Maybe I need to change the lines? Are my aaa statements correct?
Maru
06-12-2013 07:56 AM
Try this:
telnet 172.16.14.6 49
Also remove single-connection from the config for now.
Jatin Katyal
- Do rate helpful posts -
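A worked version of the port-49 check, added here as an example and not code from the thread, the router, or tac_plus. It builds the TACACS+ authentication START a router sends (RFC 8907: a 12-byte header, then a body obfuscated by XOR with an MD5 keystream derived from the session id, shared key, version and sequence number), decodes the REPLY, and exposes the failure mode that leaves a server silent: with a wrong shared key the body decodes to garbage, so the reply fails its own length check instead of yielding a status. The status names are the ones the router debug prints (GETPASS, FAIL, PASS). Host, key, username, port and remote address are parameters the caller supplies; note that the `key 7 ...` string in the posted config is Cisco's reversible type-7 encoding of the plaintext key, and it is the plaintext that must be passed here. The offline encode/decode below uses a constructed session id and key; `probe()` is the only function that touches the network.

```python
"""TACACS+ (RFC 8907) authentication START/REPLY codec plus a port-49 probe.

Added example, not code from the thread, the router, or tac_plus.
"""
import hashlib
import os
import socket
import struct

VERSION = 0xc0           # major 0xc, minor 0 (the ASCII login flavour)
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01  # header flag; our packets leave it clear (obfuscated)

# Authentication START fields (RFC 8907 section 5.1)
AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01

# REPLY status codes (RFC 8907 section 5.2); same names the router debug prints.
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5(sid|key|ver|seq), then MD5(sid|key|ver|seq|prev_hash), ..."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, key, body):
    """12-byte header (version, type, seq, flags, session_id, length) + obfuscated body."""
    header = struct.pack("!BBBBII", VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_header(pkt):
    ver, ptype, seq, flags, sid, length = struct.unpack("!BBBBII", pkt[:12])
    return {"version": ver, "type": ptype, "seq_no": seq, "flags": flags,
            "session_id": sid, "length": length}


def authen_start_body(user, port, rem_addr, data=b""):
    """START body: action, priv_lvl, authen_type, service, four lengths, then the strings."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!8B", AUTHEN_LOGIN, 1, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(u), len(p), len(r), len(data)) + u + p + r + data


def authen_reply_body(status, server_msg=b"", data=b"", flags=0):
    """REPLY body as a server builds it: status, flags, two 16-bit lengths, strings."""
    return struct.pack("!BBHH", status, flags, len(server_msg), len(data)) + server_msg + data


def decode_reply(pkt, key):
    """Decode a REPLY. Returns None when the de-obfuscated body is inconsistent
    with its own length fields, which is what a shared-key mismatch looks like."""
    h = parse_header(pkt)
    body = pkt[12:12 + h["length"]]
    if not h["flags"] & FLAG_UNENCRYPTED:
        body = obfuscate(body, h["session_id"], key, h["version"], h["seq_no"])
    if len(body) < 6:
        return None
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in REPLY_STATUS or 6 + msg_len + data_len != len(body):
        return None
    return {"status": REPLY_STATUS[status],
            "server_msg": body[6:6 + msg_len].decode(errors="replace"),
            "data": body[6 + msg_len:6 + msg_len + data_len]}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-packet")
        buf += chunk
    return buf


def probe(host, key, user, port="vty1", rem_addr="0.0.0.0", tcp_port=49, timeout=5):
    """Open TCP/49, send one ASCII-login START, return the decoded first REPLY.
    A GETPASS reply proves reachability and that both sides share the key."""
    sid = struct.unpack("!I", os.urandom(4))[0]
    pkt = build_packet(TYPE_AUTHEN, 1, sid, key, authen_start_body(user, port, rem_addr))
    with socket.create_connection((host, tcp_port), timeout=timeout) as s:
        s.sendall(pkt)
        header = _recv_exact(s, 12)
        body = _recv_exact(s, parse_header(header)["length"])
    return decode_reply(header + body, key)
```

Run it from a host that can reach the server with `probe("150.119.1.110", b"<plaintext key>", "ASRadmin")`; a result of `{"status": "GETPASS", "server_msg": "Password: ", ...}` means TCP/49 is open and the key matches, while `None` with an open connection points at the shared key. Any TCP error means port 49 is not reachable from that source, which is a different problem from anything in the AAA method lists.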
06-12-2013 08:37 AM
Hi Jatin,
OK, I erased the single-connection and it is like this:
RP/0/RSP0/CPU0:ED_MEX_1#sh tacacs
Wed Jun 12 10:31:18.634 UTC
Server: 150.119.1.110/49 opens=0 closes=0 aborts=0 errors=0
packets in=0 packets out=0
status=up single-connect=false
RP/0/RSP0/CPU0:ED_MEX_1
And what happened was this:
GW_MEX_2#telnet 172.16.14.6
Trying 172.16.14.6 ... Open
Password:
Password:
It needs a password that is not the defined vty password :-(
The tacacs and aaa debug is this:
RP/0/RSP0/CPU0:Jun 12 10:34:57.025 : config[65844]: Reading SysDB path 'accounting/commands/default' ...
RP/0/RSP0/CPU0:ED_MEX_1(config)#RP/0/RSP0/CPU0:Jun 12 10:34:59.653 : exec[65848]: Getting details on ttyname '/dev/vty1'
RP/0/RSP0/CPU0:Jun 12 10:34:59.657 : exec[65848]: Failed to read vty1/username from SysDB
RP/0/RSP0/CPU0:Jun 12 10:34:59.726 : exec[65848]: Composing an authentication message
RP/0/RSP0/CPU0:Jun 12 10:34:59.734 : exec[65848]: Authentication not configured, for this line, using 'default' methodlist
RP/0/RSP0/CPU0:Jun 12 10:34:59.734 : exec[65848]: Reading SysDB path 'authentication/login/default' ...
RP/0/RSP0/CPU0:Jun 12 10:34:59.734 : exec[65848]: Using authentication methodlist 'default'
RP/0/RSP0/CPU0:Jun 12 10:34:59.735 : exec[65848]: Looking host address in ________/________/vty/1/state/connection/host
RP/0/RSP0/CPU0:Jun 12 10:34:59.735 : exec[65848]: Looking host family in ________/________/vty/1/state/connection/family
RP/0/RSP0/CPU0:Jun 12 10:34:59.736 : exec[65848]: Got remote address 172.16.14.5 (length 11)
RP/0/RSP0/CPU0:Jun 12 10:34:59.736 : exec[65848]: Add remote addr attribute - 172.16.14.5 (length 11)
RP/0/RSP0/CPU0:Jun 12 10:34:59.736 : exec[65848]: Sending the authentication request message to server
RP/0/RSP0/CPU0:Jun 12 10:34:59.740 : exec[65848]: Interpreting the authentication reply from the server
RP/0/RSP0/CPU0:Jun 12 10:34:59.740 : exec[65848]: Reply buffer length: 388 - 24 = 364 bytes
RP/0/RSP0/CPU0:Jun 12 10:34:59.740 : exec[65848]: Unpacking the AV list from the reply data
RP/0/RSP0/CPU0:Jun 12 10:34:59.742 : exec[65848]: Extracting results from the server's reply
RP/0/RSP0/CPU0:Jun 12 10:34:59.742 : exec[65848]: Authenticating user: dev-vty1
RP/0/RSP0/CPU0:Jun 12 10:34:59.742 : exec[65848]: Authentication status: GETPASS
RP/0/RSP0/CPU0:Jun 12 10:34:59.742 : exec[65848]: Malloc prompt length=10
RP/0/RSP0/CPU0:Jun 12 10:35:01.717 : exec[65848]: Composing an authentication message
RP/0/RSP0/CPU0:Jun 12 10:35:01.720 : exec[65848]: Authentication not configured, for this line, using 'default' methodlist
RP/0/RSP0/CPU0:Jun 12 10:35:01.720 : exec[65848]: Reading SysDB path 'authentication/login/default' ...
RP/0/RSP0/CPU0:Jun 12 10:35:01.720 : exec[65848]: Using authentication methodlist 'default'
RP/0/RSP0/CPU0:Jun 12 10:35:01.720 : exec[65848]: Add remote addr attribute - 172.16.14.5 (length 11)
RP/0/RSP0/CPU0:Jun 12 10:35:01.721 : exec[65848]: Sending the authentication request message to server
RP/0/RSP0/CPU0:Jun 12 10:35:01.724 : exec[65848]: Interpreting the authentication reply from the server
RP/0/RSP0/CPU0:Jun 12 10:35:01.724 : exec[65848]: Reply buffer length: 424 - 24 = 400 bytes
RP/0/RSP0/CPU0:Jun 12 10:35:01.724 : exec[65848]: Unpacking the AV list from the reply data
RP/0/RSP0/CPU0:Jun 12 10:35:01.724 : exec[65848]: Extracting results from the server's reply
RP/0/RSP0/CPU0:Jun 12 10:35:01.724 : exec[65848]: Authenticating user: dev-vty1
RP/0/RSP0/CPU0:Jun 12 10:35:01.724 : exec[65848]: Authentication status: FAIL
RP/0/RSP0/CPU0:Jun 12 10:35:02.269 : exec[65848]: Composing an authentication message
RP/0/RSP0/CPU0:Jun 12 10:35:02.272 : exec[65848]: Authentication not configured, for this line, using 'default' methodlist
RP/0/RSP0/CPU0:Jun 12 10:35:02.272 : exec[65848]: Reading SysDB path 'authentication/login/default' ...
RP/0/RSP0/CPU0:Jun 12 10:35:02.272 : exec[65848]: Using authentication methodlist 'default'
RP/0/RSP0/CPU0:Jun 12 10:35:02.273 : exec[65848]: Looking host address in ________/________/vty/1/state/connection/host
RP/0/RSP0/CPU0:Jun 12 10:35:02.276 : exec[65848]: Looking host family in ________/________/vty/1/state/connection/family
RP/0/RSP0/CPU0:Jun 12 10:35:02.279 : exec[65848]: Got remote address 172.16.14.5 (length 11)
RP/0/RSP0/CPU0:Jun 12 10:35:02.279 : exec[65848]: Add remote addr attribute - 172.16.14.5 (length 11)
RP/0/RSP0/CPU0:Jun 12 10:35:02.279 : exec[65848]: Sending the authentication request message to server
RP/0/RSP0/CPU0:Jun 12 10:35:02.283 : exec[65848]: Interpreting the authentication reply from the server
RP/0/RSP0/CPU0:Jun 12 10:35:02.283 : exec[65848]: Reply buffer length: 388 - 24 = 364 bytes
RP/0/RSP0/CPU0:Jun 12 10:35:02.283 : exec[65848]: Unpacking the AV list from the reply data
RP/0/RSP0/CPU0:Jun 12 10:35:02.283 : exec[65848]: Extracting results from the server's reply
RP/0/RSP0/CPU0:Jun 12 10:35:02.283 : exec[65848]: Authenticating user: dev-vty1
RP/0/RSP0/CPU0:Jun 12 10:35:02.283 : exec[65848]: Authentication status: GETPASS
RP/0/RSP0/CPU0:Jun 12 10:35:02.283 : exec[65848]: Malloc prompt length=10
Normally, which aaa sentences do you put??
Maru
06-12-2013 07:21 AM
Hi Najaf,
Sure, we tried the ping from the loop10, and it works:
RP/0/RSP0/CPU0:ED_MEX_1#sh run int loop 10
Wed Jun 12 09:11:57.314 UTC
interface Loopback10
vrf OAM
ipv4 address 172.16.162.1 255.255.255.255
!
RP/0/RSP0/CPU0:ED_MEX_1#ping vrf OAM
Wed Jun 12 09:12:03.304 UTC
Protocol [ipv4]:
Target IP address: 150.119.1.110
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands? [no]: y
Source address or interface: 172.16.162.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes? [no]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.119.1.110, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
RP/0/RSP0/CPU0:ED_MEX_1#
In the case of the tacacs box, there is communication between them, so we don't have to do anything else; only if the tacacs box does not see the ASR do we insert the net into the box.
The tacacs+ server does not reflect any debug, but the ASR sends all these messages:
RP/0/RSP0/CPU0:Jun 11 23:12:12.284 : exec[65847]: Getting details on ttyname '/dev/vty1'
RP/0/RSP0/CPU0:Jun 11 23:12:12.286 : exec[65847]: Failed to read vty1/username from SysDB
RP/0/RSP0/CPU0:Jun 11 23:12:12.361 : exec[65847]: Composing an authentication message
RP/0/RSP0/CPU0:Jun 11 23:12:12.366 : exec[65847]: Authentication not configured, for this line, using 'default' methodlist
RP/0/RSP0/CPU0:Jun 11 23:12:12.366 : exec[65847]: Reading SysDB path 'authentication/login/default' ...
RP/0/RSP0/CPU0:Jun 11 23:12:12.366 : exec[65847]: Using authentication methodlist 'default'
RP/0/RSP0/CPU0:Jun 11 23:12:12.366 : exec[65847]: Looking host address in ________/________/vty/1/state/connection/host
RP/0/RSP0/CPU0:Jun 11 23:12:12.367 : exec[65847]: Looking host family in ________/________/vty/1/state/connection/family
RP/0/RSP0/CPU0:Jun 11 23:12:12.368 : exec[65847]: Got remote address 172.16.14.5 (length 11)
RP/0/RSP0/CPU0:Jun 11 23:12:12.368 : exec[65847]: Add remote addr attribute - 172.16.14.5 (length 11)
RP/0/RSP0/CPU0:Jun 11 23:12:12.368 : exec[65847]: Sending the authentication request message to server
RP/0/RSP0/CPU0:Jun 11 23:12:12.369 : exec[65847]: Interpreting the authentication reply from the server
RP/0/RSP0/CPU0:Jun 11 23:12:12.369 : exec[65847]: Reply buffer length: 348 - 24 = 324 bytes
RP/0/RSP0/CPU0:Jun 11 23:12:12.369 : exec[65847]: Unpacking the AV list from the reply data
RP/0/RSP0/CPU0:Jun 11 23:12:12.372 : exec[65847]: Extracting results from the server's reply
RP/0/RSP0/CPU0:Jun 11 23:12:12.372 : exec[65847]: Authenticating user:
RP/0/RSP0/CPU0:Jun 11 23:12:12.372 : exec[65847]: Authentication status: GETUSER
RP/0/RSP0/CPU0:Jun 11 23:12:12.372 : exec[65847]: Malloc prompt length=37
RP/0/RSP0/CPU0:Jun 11 23:12:21.722 : exec[65847]: Composing an authentication message
RP/0/RSP0/CPU0:Jun 11 23:12:21.725 : exec[65847]: Authentication not configured, for this line, using 'default' methodlist
RP/0/RSP0/CPU0:Jun 11 23:12:21.725 : exec[65847]: Reading SysDB path 'authentication/login/default' ...
RP/0/RSP0/CPU0:Jun 11 23:12:21.725 : exec[65847]: Using authentication methodlist 'default'
RP/0/RSP0/CPU0:Jun 11 23:12:21.725 : exec[65847]: Add remote addr attribute - 172.16.14.5 (length 11)
RP/0/RSP0/CPU0:Jun 11 23:12:21.726 : exec[65847]: Sending the authentication request message to server
RP/0/RSP0/CPU0:Jun 11 23:12:21.729 : exec[65847]: Interpreting the authentication reply from the server
RP/0/RSP0/CPU0:Jun 11 23:12:21.729 : exec[65847]: Reply buffer length: 388 - 24 = 364 bytes
RP/0/RSP0/CPU0:Jun 11 23:12:21.729 : exec[65847]: Unpacking the AV list from the reply data
RP/0/RSP0/CPU0:Jun 11 23:12:21.729 : exec[65847]: Extracting results from the server's reply
RP/0/RSP0/CPU0:Jun 11 23:12:21.729 : exec[65847]: Authenticating user: ASRadmin
RP/0/RSP0/CPU0:Jun 11 23:12:21.729 : exec[65847]: Authentication status: GETPASS
RP/0/RSP0/CPU0:Jun 11 23:12:21.729 : exec[65847]: Malloc prompt length=10
We tried adding more aaa sentences, but it does not work yet.
Maru
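As an added example (not from the thread or from Cisco), a small Python parser for the exec debug lines Maru posted above: it groups them by process id into request/reply round-trips so you can see whether the server answered at all (reply bytes > 0) and which status it returned at each step (GETUSER, GETPASS, FAIL). The sample log is constructed in the same shape as the posted output and is not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the IOS XR exec debug lines in the thread (only the lines the parser keys on).
SAMPLE_LOG = """\
RP/0/RSP0/CPU0:Jun 11 23:12:12.368 : exec[65847]: Sending the authentication request message to server
RP/0/RSP0/CPU0:Jun 11 23:12:12.369 : exec[65847]: Reply buffer length: 348 - 24 = 324 bytes
RP/0/RSP0/CPU0:Jun 11 23:12:12.372 : exec[65847]: Authenticating user:
RP/0/RSP0/CPU0:Jun 11 23:12:12.372 : exec[65847]: Authentication status: GETUSER
RP/0/RSP0/CPU0:Jun 11 23:12:21.726 : exec[65847]: Sending the authentication request message to server
RP/0/RSP0/CPU0:Jun 11 23:12:21.729 : exec[65847]: Reply buffer length: 388 - 24 = 364 bytes
RP/0/RSP0/CPU0:Jun 11 23:12:21.729 : exec[65847]: Authenticating user: ASRadmin
RP/0/RSP0/CPU0:Jun 11 23:12:21.729 : exec[65847]: Authentication status: GETPASS
RP/0/RSP0/CPU0:Jun 11 23:12:25.100 : exec[65847]: Sending the authentication request message to server
RP/0/RSP0/CPU0:Jun 11 23:12:25.103 : exec[65847]: Reply buffer length: 424 - 24 = 400 bytes
RP/0/RSP0/CPU0:Jun 11 23:12:25.103 : exec[65847]: Authenticating user: ASRadmin
RP/0/RSP0/CPU0:Jun 11 23:12:25.103 : exec[65847]: Authentication status: FAIL
"""

# "RP/<node>:<timestamp> : exec[<pid>]: <message>"
LINE_RE = re.compile(r"^RP/[^:]+:(?P<ts>\w{3} +\d+ [\d:.]+) : exec\[(?P<pid>\d+)\]: (?P<msg>.*)$")

def parse_exec_debug(text):
    """Group exec debug lines by process id into one dict per request/reply round-trip."""
    sessions = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompt, timestamp banner or other non-debug line
        trips, msg = sessions[m["pid"]], m["msg"]
        if msg.startswith("Sending the authentication request"):
            trips.append({"sent_at": m["ts"], "user": None, "status": None, "reply_bytes": 0})
        elif trips and msg.startswith("Reply buffer length:"):
            trips[-1]["reply_bytes"] = int(msg.rsplit("=", 1)[1].split()[0])  # payload after the header
        elif trips and msg.startswith("Authenticating user:"):
            trips[-1]["user"] = msg.split(":", 1)[1].strip() or None  # empty before GETUSER
        elif trips and msg.startswith("Authentication status:"):
            trips[-1]["status"] = msg.split(":", 1)[1].strip()
    return dict(sessions)

def summarize(sessions):
    """Per session: the server's status sequence, the user it prompted for, replies seen, FAIL flag."""
    return {
        pid: {
            "statuses": [t["status"] for t in trips],
            "user": next((t["user"] for t in reversed(trips) if t["user"]), None),
            "replies_received": sum(1 for t in trips if t["reply_bytes"]),
            "failed": any(t["status"] == "FAIL" for t in trips),
        }
        for pid, trips in sessions.items()
    }
```

A session whose round-trips all show reply bytes but end in FAIL was reachable and answered by the server, so the rejection is server-side (credentials or server policy); a session with no reply lines at all points at reachability, such as the VRF or source-interface configuration.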
10-21-2013 10:03 PM
I am not sure your problem got resolved, but it looks like the server is not in the same VRF.
Please mention the server group also in the same VRF; you will see the packets traverse happily.