ISR4431 | not able to be added to TACACS

Hi

I am unable to add the ISR to our TACACS server. The same config works for other devices.

I have never troubleshot TACACS before, so any help with understanding the debugs and config would be great. Thank you.

Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
CCCCCC AUTHENTICATION FAILED : ATTEMPT LOGGED
Access denied
Using keyboard-interactive authentication.
Password:
!

May 12 17:32:49.552: %AAAA-4-NOSERVER: Warning: Server 192.168.100.100 is not defined.
*May 12 17:34:59.691: %AAAA-4-SERVUNDEF: The server-group "LDN_GROUP" is not defined. Please define it.
*May 12 17:35:18.164: %TAC+: no address for get_server
*May 12 17:35:18.164: %TAC+: no address for get_server
*May 12 17:35:20.806: %TAC+: no address for get_server
*May 12 17:35:20.806: %TAC+: no address for get_server
*May 12 17:35:23.797: %TAC+: no address for get_server
*May 12 17:35:23.797: %TAC+: no address for get_server
*May 12 17:35:26.048: %TAC+: no address for get_server
*May 12 17:35:26.048: %TAC+: no address for get_server
*May 12 17:35:26.929: %TAC+: no address for get_server
*May 12 17:35:26.929: %TAC+: no address for get_server

Debug authentication

*May 13 10:02:04.043: %TAC+: no address for get_server
*May 13 10:02:04.043: %TAC+: no address for get_server
*May 13 10:04:48.862: AAA/BIND(0000005A): Bind i/f
*May 13 10:04:48.862: AAA/AUTHEN/LOGIN (0000005A): Pick method list 'default'
*May 13 10:04:59.854: AAA/AUTHEN/LOGIN (0000005A): Pick method list 'default'
*May 13 10:05:14.136: AAA: parse name=tty866 idb type=-1 tty=-1
*May 13 10:05:14.136: AAA: name=tty866 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=866 channel=0
*May 13 10:05:14.136: AAA/MEMORY: create_user (0x7F431AA29C68) user='test-user' ruser='ISR4431' ds0=0 port='tty866' rem_addr='192.168.200.100' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
*May 13 10:05:15.579: TAC+: (-88903173): received author response status = FAIL
*May 13 10:05:15.579: AAA/MEMORY: free_user (0x7F431AA29C68) user='test-user' ruser='ISR4431' port='tty866' rem_addr='192.168.200.100' authen_type=ASCII service=NONE priv=15 vrf= (id=0)
*May 13 10:05:38.649: AAA/AUTHEN/LOGIN (0000005A): Pick method list 'default'
*May 13 10:06:30.019: AAA: parse name=tty866 idb type=-1 tty=-1
*May 13 10:06:30.019: AAA: name=tty866 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=866 channel=0
*May 13 10:06:30.019: AAA/MEMORY: create_user (0x7F430CEE0620) user='test-user' ruser='ISR4431' ds0=0 port='tty866' rem_addr='192.168.200.100' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
ISR4431#


debug authorization

*May 13 10:21:38.253: AAA/AUTHOR (4089241502): Post authorization status = ERROR
*May 13 10:21:38.253: tty866 AAA/AUTHOR/CMD (4089241502): Method=IF_AUTHEN
*May 13 10:21:38.253: AAA/AUTHOR (4089241502): Post authorization status = PASS_ADD
*May 13 10:21:38.253: AAA/MEMORY: free_user (0x7F430CEDE318) user='test-user' ruser='ISR4431' port='tty866' rem_addr='192.168.200.100' authen_type=ASCII service=NONE priv=15 vrf= (id=0)
ISR4431#


debug Tacacs 

ISR4431#debug tacacs

*May 13 10:22:58.338: AAA/AUTHOR: auth_need : user= 'test-user' ruser= 'ISR4431'rem_addr= '192.168.200.100' priv= 15 list= '' AUTHOR-TYPE= 'commands'
*May 13 10:22:58.338: AAA: parse name=tty866 idb type=-1 tty=-1
*May 13 10:22:58.338: AAA: name=tty866 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=866 channel=0
*May 13 10:22:58.338: AAA/MEMORY: create_user (0x7F430CEE0620) user='test-user' ruser='ISR4431' ds0=0 port='tty866' rem_addr='192.168.200.100' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
*May 13 10:22:58.338: tty866 AAA/AUTHOR/CMD (2119122419): Port='tty866' list='' service=CMD
*May 13 10:22:58.338: AAA/AUTHOR/CMD: tty866 (2119122419) user='test-user'
*May 13 10:22:58.339: tty866 AAA/AUTHOR/CMD (2119122419): send AV service=shell
*May 13 10:22:58.339: tty866 AAA/AUTHOR/CMD (2119122419): send AV cmd=debug
*May 13 10:22:58.339: tty866 AAA/AUTHOR/CMD (2119122419): send AV cmd-arg=tacacs
*May 13 10:22:58.339: tty866 AAA/AUTHOR/CMD (2119122419): send AV cmd-arg=<cr>
*May 13 10:22:58.339: tty866 AAA/AUTHOR/CMD(2119122419): found list "default"
*May 13 10:22:58.339: tty866 AAA/AUTHOR/CMD (2119122419): Method=LDN_TACACS (tacacs+)
*May 13 10:22:58.339: AAA/AUTHOR/TAC+: (2119122419): user=test-user
TACACS access control debugging is on
ISR4431#
*May 13 10:22:58.339: AAA/AUTHOR/TAC+: (2119122419): send AV service=shell
*May 13 10:22:58.339: AAA/AUTHOR/TAC+: (2119122419): send AV cmd=debug
*May 13 10:22:58.339: AAA/AUTHOR/TAC+: (2119122419): send AV cmd-arg=tacacs
*May 13 10:22:58.339: AAA/AUTHOR/TAC+: (2119122419): send AV cmd-arg=<cr>
*May 13 10:22:59.683: AAA/AUTHOR (2119122419): Post authorization status = ERROR
*May 13 10:22:59.683: tty866 AAA/AUTHOR/CMD (2119122419): Method=IF_AUTHEN
*May 13 10:22:59.683: AAA/AUTHOR (2119122419): Post authorization status = PASS_ADD
*May 13 10:22:59.683: AAA/MEMORY: free_user (0x7F430CEE0620) user='test-user' ruser='ISR4431' port='tty866' rem_addr='192.168.200.100' authen_type=ASCII service=NONE priv=15 vrf= (id=0)
*May 13 10:22:59.683: TPLUS: Queuing AAA Accounting request 91 for processing
*May 13 10:22:59.683: TPLUS: processing accounting request id 91
*May 13 10:22:59.684: TPLUS: Sending AV task_id=692
*May 13 10:22:59.684: TPLUS: Sending AV timezone=UTC
ISR4431#
*May 13 10:22:59.684: TPLUS: Sending AV service=shell
*May 13 10:22:59.684: TPLUS: Sending AV priv-lvl=15
*May 13 10:22:59.684: TPLUS: Sending AV cmd=debug tacacs <cr>
*May 13 10:22:59.684: TPLUS: Accounting request created for 91(test-user)
*May 13 10:22:59.684: TPLUS: using previously set server 192.168.100.100 from group tacacs+
*May 13 10:22:59.684: TPLUS(0000005B)/0/NB_WAIT/7F431AAC1E20: Started 5 sec timeout
*May 13 10:23:00.331: TPLUS(0000005B)/0/NB_WAIT: socket event 2
*May 13 10:23:00.331: TPLUS(0000005B)/0/NB_WAIT: wrote entire 120 bytes request
*May 13 10:23:00.331: TPLUS(0000005B)/0/READ: socket event 1
ISR4431#
*May 13 10:23:00.331: TPLUS(0000005B)/0/READ: Would block while reading
*May 13 10:23:00.974: TPLUS(0000005B)/0/READ: socket event 1
*May 13 10:23:00.974: TPLUS(0000005B)/0/READ: errno 254
*May 13 10:23:00.974: TPLUS(0000005B)/0/7F431AAC1E20: Processing the reply packet
ISR4431#
*May 13 10:24:20.787: TAC+: 192.168.100.100 (18446744073285523215) AUTHOR/START queued
*May 13 10:24:21.587: TAC+: (18446744073285523215) AUTHOR/START processed
*May 13 10:24:21.587: TAC+: (-424028401): received author response status = FAIL
*May 13 10:24:21.587: TAC+: Closing TCP/IP 0x7F431AA4A0F8 connection to 192.168.100.100/49
*May 13 10:24:21.587: AAA/AUTHOR (3870938895): Post authorization status = FAIL
*May 13 10:24:21.587: AAA/MEMORY: free_user (0x7F430D8166E0) user='test-user' ruser='ISR4431' port='tty866' rem_addr='192.168.200.100' authen_type=ASCII service=NONE priv=15 vrf= (id=0)
ISR4431#

Config

aaa new-model
!
!
aaa group server tacacs+ LDN_TACACS
 server name LDN
 server 192.168.100.100
 ip tacacs source-interface GigabitEthernet0/0/1
!
aaa authentication fail-message ^CCCCCCC AUTHENTICATION FAILED : ATTEMPT LOGGED                                                                                         ^C
aaa authentication login default group LDN_TACACS local
aaa authentication login LDN_GROUP group LDN_TACACS local
aaa authentication login LDN_TACACS group tacacs+ local
aaa authentication login console group LDN_GROUP local
aaa authentication enable default group LDN_TACACS enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization exec LDN_GROUP local
aaa authorization commands 1 default group LDN_TACACS if-authenticated
aaa authorization commands 15 default group LDN_TACACS if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.168.100.100 key 7 <key>
Re: ISR4431 | not able to be added to TACACS

Hi Dan,

Your configuration needs some changes.

Please use the following template and adjust it to your environment.

Credit for the template goes to Brad Johnson.

! Define the TACACS+ servers
tacacs server [ISE PSN 1 Name]
 address ipv4 [ISE PSN 1 IP]
 key [TACACS Secret]
tacacs server [ISE PSN 2 Name]
 address ipv4 [ISE PSN 2 IP]
 key [TACACS Secret]
!
! Define the TACACS+ server group (members must match the "tacacs server" names above)
aaa group server tacacs+ ISE_TACACS
 server name [ISE PSN 1 Name]
 server name [ISE PSN 2 Name]
!
! Configure AAA for TACACS+ authentication with local fallback
aaa authentication login default group ISE_TACACS local
aaa authentication enable default group ISE_TACACS enable
aaa authorization exec default group ISE_TACACS local
aaa authorization commands 0 default group ISE_TACACS local
aaa authorization commands 1 default group ISE_TACACS local
aaa authorization commands 15 default group ISE_TACACS local
aaa authorization config-commands
aaa authorization console
aaa accounting exec default start-stop group ISE_TACACS
aaa accounting commands 1 default start-stop group ISE_TACACS
aaa accounting commands 15 default start-stop group ISE_TACACS
!
! Apply the method lists on VTY lines 0 through 4. The lists above are all
! named "default", so the line commands must reference "default"; a list
! named "tacacs" is not defined anywhere in this template.
line vty 0 4
 authorization exec default
 authorization commands 0 default
 authorization commands 1 default
 authorization commands 15 default
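As an added example, not part of either post above, here is a small Python linter that reads the AAA section of an IOS configuration and reports the two kinds of dangling reference that the posted config contains: a `server name` inside an `aaa group server tacacs+` block with no matching `tacacs server` definition (the group lists `server name LDN`, but there is no `tacacs server LDN` block), and a method list that uses `group <name>` where `<name>` is not a defined server group (the `console` login list uses `group LDN_GROUP`, but `LDN_GROUP` is only ever defined as a method-list name, which is what the `%AAAA-4-SERVUNDEF` message in the log reports). The two embedded configurations are constructed from the question's config and from the reply's template; the names `psn1`/`psn2` and the `192.0.2.x` addresses are placeholders chosen for this example, not values from the page.

```python
import re
from typing import Dict, List, Set, Tuple

BUILTIN_GROUPS = {"tacacs+", "radius"}  # usable without an "aaa group server" block
# Method lists: "aaa <authentication|authorization|accounting> <type> [level] <list> <methods...>"
LIST_TYPES = {"login", "enable", "exec", "commands", "network", "connection", "system"}


def lint_aaa(config: str) -> List[str]:
    """Return one finding per server-group member or method-list group that is never defined."""
    named_servers: Set[str] = set()              # tacacs server <name>
    groups: Dict[str, List[str]] = {}            # aaa group server tacacs+ <name> -> members
    list_names: Set[str] = set()                 # every method-list name seen
    group_refs: List[Tuple[str, str, str]] = []  # (list type, list name, group it references)
    current_group = None

    for raw in config.splitlines():
        text = raw.strip()
        if not text:
            continue
        if raw[0].isspace():
            # Indented line: only "server ..." members inside a server-group block matter.
            if current_group is not None:
                m = re.match(r"server name (\S+)$", text) or re.match(r"server (\S+)$", text)
                if m:
                    groups[current_group].append(m.group(1))
            continue
        current_group = None
        m = re.match(r"tacacs server (\S+)$", text)
        if m:
            named_servers.add(m.group(1))
            continue
        m = re.match(r"aaa group server tacacs\+ (\S+)$", text)
        if m:
            current_group = m.group(1)
            groups[current_group] = []
            continue
        toks = text.split()
        if (len(toks) >= 4 and toks[0] == "aaa"
                and toks[1] in ("authentication", "authorization", "accounting")
                and toks[2] in LIST_TYPES):
            i = 4 if toks[3].isdigit() else 3  # "commands 15" carries a privilege level
            if i >= len(toks):
                continue
            list_names.add(toks[i])
            methods = toks[i + 1:]
            for j in range(len(methods) - 1):
                if methods[j] == "group":
                    group_refs.append((f"{toks[1]} {toks[2]}", toks[i], methods[j + 1]))

    findings: List[str] = []
    for gname, members in groups.items():
        for member in members:
            if member[0].isdigit():  # legacy "server <ip>" entry, backed by tacacs-server host
                continue
            if member not in named_servers:
                findings.append(f"group {gname}: 'server name {member}' has no 'tacacs server {member}' block")
    for ltype, lname, ref in group_refs:
        if ref in BUILTIN_GROUPS or ref in groups:
            continue
        msg = f"{ltype} list '{lname}' uses 'group {ref}' but no 'aaa group server tacacs+ {ref}' exists"
        if ref in list_names:
            msg += f" ({ref} is a method-list name, not a server group)"
        findings.append(msg)
    return findings


# Constructed from the configuration posted in the question above.
OP_CONFIG = """\
aaa group server tacacs+ LDN_TACACS
 server name LDN
 server 192.168.100.100
aaa authentication login default group LDN_TACACS local
aaa authentication login LDN_GROUP group LDN_TACACS local
aaa authentication login LDN_TACACS group tacacs+ local
aaa authentication login console group LDN_GROUP local
aaa authorization exec default group tacacs+ local
aaa authorization exec LDN_GROUP local
aaa authorization commands 15 default group LDN_TACACS if-authenticated
"""

# Constructed from the reply's template; psn1/psn2 and the 192.0.2.x addresses are placeholders.
TEMPLATE_CONFIG = """\
tacacs server psn1
 address ipv4 192.0.2.10
tacacs server psn2
 address ipv4 192.0.2.11
aaa group server tacacs+ ISE_TACACS
 server name psn1
 server name psn2
aaa authentication login default group ISE_TACACS local
aaa authorization exec default group ISE_TACACS local
aaa authorization commands 15 default group ISE_TACACS local
aaa accounting exec default start-stop group ISE_TACACS
"""

if __name__ == "__main__":
    for label, cfg in (("posted config", OP_CONFIG), ("reply template", TEMPLATE_CONFIG)):
        print(label, lint_aaa(cfg) or ["no dangling references"])
```

Run against the posted config it reports exactly the two dangling references; run against the reply's template it reports nothing, which is the check worth doing before pasting any AAA block onto a router, since IOS accepts both `server name` and `group` references to names that do not yet exist and only complains (as in the `%AAAA-4-NOSERVER` and `%AAAA-4-SERVUNDEF` lines above) when a login actually hits them.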