WS-6509 refusing SSH connections via TACACS+ 5.5

Eric R. Jones
Level 4

Hello everyone, we have our Core 6509s using AAA with TACACS+ version 5.5 appliances.

We have 4 appliances, 2 each in 2 locations.

We have an issue where the 6509s refuse to authorize/authenticate valid users for SSH connections.

When you SSH to the device you can enter your password, but SSH Tectia just closes, or you see the login banner and "Authorization denied" and SSH closes.

The switches have their tacacs-server settings pointing to all four TACACS+ devices.

Occasionally one or both will attempt to use one of the 2 non-local TACACS+ servers to authenticate/authorize connections.

You can log in from the console if you interrupt its connection to TACACS by disconnecting the fiber connections momentarily.

Has anyone seen something like this before?

This happens once or twice a year.

ej

5 Replies

johnd2310
Level 8

Hi,

What error messages do you get in the TACACS server logs? The logs should tell you why authentication is failing.

Thanks

John

**Please rate posts you find helpful**

That's the funny part, TACACS shows green stating that I'm passing all the checks.

When I select the magnifying glass I see "passed" in green at the top.

When I check "Evaluating Identity Policy" it says:

Matched Default Rule
Selected Identity Store - Internal Users
Authenticating user against Active Directory
Could not establish connection with ACS Active Directory agent
Looking up User in Internal Users IDStore - "My username"
Found User in Internal Users IDStore
Wrong password or invalid shared secret
The advanced option that is configured for a failed authentication request is used.
The 'Continue' advanced option is configured in case of a failed authentication request.

But I'm able to access all other switches, so my AD username/password are correct.
At first I was unable to access its pair. After we did a hard reset on one of the ACSs that was resolved.
But I still can't get into the other pair.

ej

Hi,

It seems your TACACS is not authenticating anything:

  • the TACACS server is failing to contact Active Directory and is failing over to the Internal Store
  • TACACS gets an error trying to authenticate via the internal store
  • TACACS is configured to continue in the event of failure

Can you please check if you have configured your TACACS correctly.

The 6509 switches probably have a different AAA configuration to the other switches.

Thanks

John

**Please rate posts you find helpful**
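As an added example (not code from the thread, from Cisco or from ACS), a small Python check that reads "Evaluating Identity Policy" step lines like the ones quoted above and flags a result of "passed" that actually rests on a failed identity store plus the 'Continue' advanced option, which is the fail-open chain John describes. The sample step lines are constructed from the ones quoted in the thread, the username is a placeholder, and the matching is on the step text only, since the page shows no other log format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the ACS identity-policy step lines quoted in the thread,
# with a placeholder username instead of the poster's real one.
SAMPLE_STEPS = """\
Matched Default Rule
Selected Identity Store - Internal Users
Authenticating user against Active Directory
Could not establish connection with ACS Active Directory agent
Looking up User in Internal Users IDStore - "someuser"
Found User in Internal Users IDStore
Wrong password or invalid shared secret
The advanced option that is configured for a failed authentication request is used.
The 'Continue' advanced option is configured in case of a failed authentication request.
"""

# Step messages (taken from the thread) that mean a store was unreachable or
# rejected the credentials.
FAILURE_PATTERNS = (
    re.compile(r"Could not establish connection with .*Active Directory", re.I),
    re.compile(r"Wrong password or invalid shared secret", re.I),
)
# Step message showing that the policy is set to carry on after such a failure.
CONTINUE_PATTERN = re.compile(r"'Continue' advanced option is configured", re.I)


@dataclass
class Verdict:
    failures: list = field(default_factory=list)   # failed step lines, in order
    continue_on_failure: bool = False               # 'Continue' option was applied

    @property
    def fail_open(self) -> bool:
        # A green "passed" built on a failed store plus 'Continue' is not a real authentication.
        return self.continue_on_failure and bool(self.failures)


def analyze_steps(text: str) -> Verdict:
    """Scan the step lines of one ACS authentication record."""
    v = Verdict()
    for line in (ln.strip() for ln in text.splitlines()):
        if any(p.search(line) for p in FAILURE_PATTERNS):
            v.failures.append(line)
        if CONTINUE_PATTERN.search(line):
            v.continue_on_failure = True
    return v


def explain(text: str, overall_result: str) -> str:
    """Combine the server's top-line result with the step analysis."""
    v = analyze_steps(text)
    if overall_result.lower() == "passed" and v.fail_open:
        return "FAIL-OPEN: 'passed' despite %d failed step(s); 'Continue' masks the failure" % len(v.failures)
    if v.failures:
        return "FAILED: " + v.failures[-1]
    return "OK: genuine pass"
```

Run over a batch of ACS records, anything reported as FAIL-OPEN deserves the same attention as a failed login, because the green "passed" in the GUI is only the policy continuing past the error.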

I have 135 devices that work fine with the current TACACS+ configuration. Eight of these devices are 6509s. This particular device will not allow me access via any of the local username/password combinations on the local device unless I connect via the console. Other people are able to connect via SSH and the console. When I view the TACACS+ logs for the time frame associated with my login attempts I see nothing. That, to me, means exactly what you said, that the TACACS+ configuration for this device is incorrect; however, the fact that other people can log in to this device via SSH changes that. The fact that this device has the exact same AAA authorization and authentication configuration as the other 6509s which I can access makes this even stranger. I was thinking my SSH Tectia is broken, but it works for everything else. If I go to another system the same thing happens, so the problem being my local desktop is no longer viable.

Most strange and frustrating.

ej

I created 3 local accounts on the 6500; 2 have specified priv level 15 and the other wasn't specified specifically. I got control of the server no problem from the console. I checked the ACS and it shows green across the board for each username, but the log says it fails with the password. The accounts are set up to AD to Local and the identity is set to "continue" "continue" "reject". When using SSH Tectia or Attachmate the login fails. When I use PuTTY I gain access with no problem and can work in the server.

The Tectia popup tells me: "Failed: Connection destination: username@IP. Disconnect reason code: Disconnected by application (local disconnect) Disconnect description: Error processing packet. Server authentication: publickey User authentications completed: none Failed user authentications: password, Server version: SSH-2.0-Cisco-1.25, server hostkey algorithm: ssh-rsa, server identity: 1024 bit rsa key", then the SHA-1 information and finally "Disconnected by application (local): Error processing packet."

This is the same SSH tool I use for the other switches and UNIX servers, so I'm not sure what the incompatibility could be.

ej