03-20-2005 07:57 PM
We configured the agent host in RSA/ACE Server. We are having a problem authenticating through the enable password.
Router Config:
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
tacacs-server host 10.10.10.10
tacacs-server timeout 20
tacacs-server key secret
Authentication process:
Telnet 10.10.10.1 << Router
User: user << RSA/ACE server account
Passcode: passcode << RSA/ACE token passcode
Successful!
Router> enable
Passcode: passcode << RSA/ACE token passcode
Fail!
What causes the enable passcode to fail? We don't see any logs in RSA/ACE server.
Please help. Thanks in advance.
03-21-2005 07:12 AM
By default you can only use each token once. After you authenticate with the userid/token combo, wait for the next token to generate, then try entering enable mode.
HTH
Steve
03-21-2005 06:28 PM
We already did that.
03-22-2005 11:12 AM
Hi Danilo,
Was hoping it was an easy fix. Anyway, are you by chance using CSACS for your TACACS+, or are you using the built-in TACACS+ server in RSA/ACE?
If you're using CSACS, here's a link that will help:
In RSA/ACE you should be able to go to Reports>Incident (and/or Exception) and see if the request is being denied.
The last thing to try would be consoling into the device and turning on AAA authentication debugging to see what's happening on the device.
Steve
03-23-2005 06:39 PM
Thanks for your help.
I was able to make a workaround that my customer agreed to, by creating a group with level 15 priv and assigning the user to that group. So it will not need the enable password. As for user groups with a lower priv level, I use the local enable secret (not through RSA/ACE).
I think the enable password to RSA/ACE will not work, because I am thinking: to which user will the passcode be associated when entering enable mode?
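The router-side configuration that the workaround in the last post relies on, as an added example that is not from the original posts. It assumes the TACACS+ server returns priv-lvl=15 in the shell (exec) service for the privileged group; the host and key are the values from the question, and the enable secret is a placeholder.

```cisco
! Added example, not from the thread.
aaa new-model
!
! Login is still checked against TACACS+ (RSA/ACE passcode), local as fallback
aaa authentication login default group tacacs+ local
!
! Exec authorization: the router asks the TACACS+ server for the session's
! attributes at login. A group configured with priv-lvl=15 (assumed
! server-side setting) starts in privileged mode and never types "enable",
! so only one passcode is consumed per session.
aaa authorization exec default group tacacs+ local
!
! Users in lower-privilege groups who type "enable" are checked against the
! local enable secret only; the request is not sent to RSA/ACE.
aaa authentication enable default enable
enable secret <local-enable-secret>
!
tacacs-server host 10.10.10.10
tacacs-server timeout 20
tacacs-server key secret
```

Without the `aaa authorization exec` line the router ignores the privilege level the server assigns, and every user lands at the default user-mode prompt regardless of group.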