05-20-2020 02:05 AM
Hi
I am unable to add the ISR to our TACACS server. The same config works for other devices.
I have never troubleshot TACACS before, so any help with understanding the debugs and config would be great. Thank you.
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
CCCCCC AUTHENTICATION FAILED : ATTEMPT LOGGED
Access denied
Using keyboard-interactive authentication.
Password:
!
May 12 17:32:49.552: %AAAA-4-NOSERVER: Warning: Server 192.168.100.100 is not defined.
*May 12 17:34:59.691: %AAAA-4-SERVUNDEF: The server-group "LDN_GROUP" is not defined. Please define it.
*May 12 17:35:18.164: %TAC+: no address for get_server
*May 12 17:35:18.164: %TAC+: no address for get_server
*May 12 17:35:20.806: %TAC+: no address for get_server
*May 12 17:35:20.806: %TAC+: no address for get_server
*May 12 17:35:23.797: %TAC+: no address for get_server
*May 12 17:35:23.797: %TAC+: no address for get_server
*May 12 17:35:26.048: %TAC+: no address for get_server
*May 12 17:35:26.048: %TAC+: no address for get_server
*May 12 17:35:26.929: %TAC+: no address for get_server
*May 12 17:35:26.929: %TAC+: no address for get_server

Debug authentication
*May 13 10:02:04.043: %TAC+: no address for get_server
*May 13 10:02:04.043: %TAC+: no address for get_server
*May 13 10:04:48.862: AAA/BIND(0000005A): Bind i/f
*May 13 10:04:48.862: AAA/AUTHEN/LOGIN (0000005A): Pick method list 'default'
*May 13 10:04:59.854: AAA/AUTHEN/LOGIN (0000005A): Pick method list 'default'
*May 13 10:05:14.136: AAA: parse name=tty866 idb type=-1 tty=-1
*May 13 10:05:14.136: AAA: name=tty866 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=866 channel=0
*May 13 10:05:14.136: AAA/MEMORY: create_user (0x7F431AA29C68) user='test-user' ruser='ISR4431' ds0=0 port='tty866' rem_addr='192.168.200.100' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
*May 13 10:05:15.579: TAC+: (-88903173): received author response status = FAIL
*May 13 10:05:15.579: AAA/MEMORY: free_user (0x7F431AA29C68) user='test-user' ruser='ISR4431' port='tty866' rem_addr='192.168.200.100' authen_type=ASCII service=NONE priv=15 vrf= (id=0)
*May 13 10:05:38.649: AAA/AUTHEN/LOGIN (0000005A): Pick method list 'default'
*May 13 10:06:30.019: AAA: parse name=tty866 idb type=-1 tty=-1
*May 13 10:06:30.019: AAA: name=tty866 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=866 channel=0
*May 13 10:06:30.019: AAA/MEMORY: create_user (0x7F430CEE0620) user='test-user' ruser='ISR4431' ds0=0 port='tty866' rem_addr='192.168.200.100' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)

ISR4431# debug authorization
*May 13 10:21:38.253: AAA/AUTHOR (4089241502): Post authorization status = ERROR
*May 13 10:21:38.253: tty866 AAA/AUTHOR/CMD (4089241502): Method=IF_AUTHEN
*May 13 10:21:38.253: AAA/AUTHOR (4089241502): Post authorization status = PASS_ADD
*May 13 10:21:38.253: AAA/MEMORY: free_user (0x7F430CEDE318) user='test-user' ruser='ISR4431' port='tty866' rem_addr='192.168.200.100' authen_type=ASCII service=NONE priv=15 vrf= (id=0)

ISR4431# debug Tacacs
ISR4431#debug tacacs
*May 13 10:22:58.338: AAA/AUTHOR: auth_need : user= 'test-user' ruser= 'ISR4431'rem_addr= '192.168.200.100' priv= 15 list= '' AUTHOR-TYPE= 'commands'
*May 13 10:22:58.338: AAA: parse name=tty866 idb type=-1 tty=-1
*May 13 10:22:58.338: AAA: name=tty866 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=866 channel=0
*May 13 10:22:58.338: AAA/MEMORY: create_user (0x7F430CEE0620) user='test-user' ruser='ISR4431' ds0=0 port='tty866' rem_addr='192.168.200.100' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
*May 13 10:22:58.338: tty866 AAA/AUTHOR/CMD (2119122419): Port='tty866' list='' service=CMD
*May 13 10:22:58.338: AAA/AUTHOR/CMD: tty866 (2119122419) user='test-user'
*May 13 10:22:58.339: tty866 AAA/AUTHOR/CMD (2119122419): send AV service=shell
*May 13 10:22:58.339: tty866 AAA/AUTHOR/CMD (2119122419): send AV cmd=debug
*May 13 10:22:58.339: tty866 AAA/AUTHOR/CMD (2119122419): send AV cmd-arg=tacacs
*May 13 10:22:58.339: tty866 AAA/AUTHOR/CMD (2119122419): send AV cmd-arg=<cr>
*May 13 10:22:58.339: tty866 AAA/AUTHOR/CMD(2119122419): found list "default"
*May 13 10:22:58.339: tty866 AAA/AUTHOR/CMD (2119122419): Method=LDN_TACACS (tacacs+)
*May 13 10:22:58.339: AAA/AUTHOR/TAC+: (2119122419): user=test-user
TACACS access control debugging is on
ISR4431#
*May 13 10:22:58.339: AAA/AUTHOR/TAC+: (2119122419): send AV service=shell
*May 13 10:22:58.339: AAA/AUTHOR/TAC+: (2119122419): send AV cmd=debug
*May 13 10:22:58.339: AAA/AUTHOR/TAC+: (2119122419): send AV cmd-arg=tacacs
*May 13 10:22:58.339: AAA/AUTHOR/TAC+: (2119122419): send AV cmd-arg=<cr>
*May 13 10:22:59.683: AAA/AUTHOR (2119122419): Post authorization status = ERROR
*May 13 10:22:59.683: tty866 AAA/AUTHOR/CMD (2119122419): Method=IF_AUTHEN
*May 13 10:22:59.683: AAA/AUTHOR (2119122419): Post authorization status = PASS_ADD
*May 13 10:22:59.683: AAA/MEMORY: free_user (0x7F430CEE0620) user='test-user' ruser='ISR4431' port='tty866' rem_addr='192.168.200.100' authen_type=ASCII service=NONE priv=15 vrf= (id=0)
*May 13 10:22:59.683: TPLUS: Queuing AAA Accounting request 91 for processing
*May 13 10:22:59.683: TPLUS: processing accounting request id 91
*May 13 10:22:59.684: TPLUS: Sending AV task_id=692
*May 13 10:22:59.684: TPLUS: Sending AV timezone=UTC
ISR4431#
*May 13 10:22:59.684: TPLUS: Sending AV service=shell
*May 13 10:22:59.684: TPLUS: Sending AV priv-lvl=15
*May 13 10:22:59.684: TPLUS: Sending AV cmd=debug tacacs <cr>
*May 13 10:22:59.684: TPLUS: Accounting request created for 91(test-user)
*May 13 10:22:59.684: TPLUS: using previously set server 192.168.100.100 from group tacacs+
*May 13 10:22:59.684: TPLUS(0000005B)/0/NB_WAIT/7F431AAC1E20: Started 5 sec timeout
*May 13 10:23:00.331: TPLUS(0000005B)/0/NB_WAIT: socket event 2
*May 13 10:23:00.331: TPLUS(0000005B)/0/NB_WAIT: wrote entire 120 bytes request
*May 13 10:23:00.331: TPLUS(0000005B)/0/READ: socket event 1
ISR4431#
*May 13 10:23:00.331: TPLUS(0000005B)/0/READ: Would block while reading
*May 13 10:23:00.974: TPLUS(0000005B)/0/READ: socket event 1
*May 13 10:23:00.974: TPLUS(0000005B)/0/READ: errno 254
*May 13 10:23:00.974: TPLUS(0000005B)/0/7F431AAC1E20: Processing the reply packet
ISR4431#
*May 13 10:24:20.787: TAC+: 192.168.100.100 (18446744073285523215) AUTHOR/START queued
*May 13 10:24:21.587: TAC+: (18446744073285523215) AUTHOR/START processed
*May 13 10:24:21.587: TAC+: (-424028401): received author response status = FAIL
*May 13 10:24:21.587: TAC+: Closing TCP/IP 0x7F431AA4A0F8 connection to 192.168.100.100/49
*May 13 10:24:21.587: AAA/AUTHOR (3870938895): Post authorization status = FAIL
*May 13 10:24:21.587: AAA/MEMORY: free_user (0x7F430D8166E0) user='test-user' ruser='ISR4431' port='tty866' rem_addr='192.168.200.100' authen_type=ASCII service=NONE priv=15 vrf= (id=0)
ISR4431#
Config
aaa new-model
!
!
aaa group server tacacs+ LDN_TACACS
 server name LDN
 server 192.168.100.100
 ip tacacs source-interface GigabitEthernet0/0/1
!
aaa authentication fail-message ^CCCCCCC AUTHENTICATION FAILED : ATTEMPT LOGGED ^C
aaa authentication login default group LDN_TACACS local
aaa authentication login LDN_GROUP group LDN_TACACS local
aaa authentication login LDN_TACACS group tacacs+ local
aaa authentication login console group LDN_GROUP local
aaa authentication enable default group LDN_TACACS enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization exec LDN_GROUP local
aaa authorization commands 1 default group LDN_TACACS if-authenticated
aaa authorization commands 15 default group LDN_TACACS if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.168.100.100 key 7 <key>
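As an added example (not part of this thread, and not a Cisco tool), the following Python script reads the AAA section of the configuration posted above and reports the same three mismatches the debugs complain about: a server group whose `server name LDN` member has no `tacacs server LDN` definition (the `no address for get_server` messages), a login method list that references `LDN_GROUP` as a server group when that name only exists as a method list (the `%AAAA-4-SERVUNDEF` warning), and an authorization list that contains only `local`, so TACACS+ is never consulted for it. The parser understands only the IOS constructs that appear in that config; the sample input is a constructed, reflowed copy of it with the redacted key kept as `<key>`.

```python
import re

# Constructed sample: the AAA section of the configuration posted in the
# question, reflowed one command per line (the redacted key kept as <key>).
SAMPLE_CONFIG = """\
aaa new-model
!
aaa group server tacacs+ LDN_TACACS
 server name LDN
 server 192.168.100.100
 ip tacacs source-interface GigabitEthernet0/0/1
!
aaa authentication login default group LDN_TACACS local
aaa authentication login LDN_GROUP group LDN_TACACS local
aaa authentication login LDN_TACACS group tacacs+ local
aaa authentication login console group LDN_GROUP local
aaa authentication enable default group LDN_TACACS enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization exec LDN_GROUP local
aaa authorization commands 1 default group LDN_TACACS if-authenticated
aaa authorization commands 15 default group LDN_TACACS if-authenticated
tacacs-server host 192.168.100.100 key 7 <key>
"""

GROUP_RE = re.compile(r"^aaa group server (tacacs\+|radius) (\S+)$")
NAMED_SERVER_RE = re.compile(r"^tacacs server (\S+)$")
LEGACY_HOST_RE = re.compile(r"^tacacs-server host (\S+)")
METHOD_LIST_RE = re.compile(
    r"^aaa (authentication|authorization) (login|enable|exec|commands \d+) (\S+) (.+)$"
)
BUILTIN_GROUPS = {"tacacs+", "radius"}  # implicit groups made of all legacy hosts


def parse_aaa(config):
    """Extract named servers, legacy hosts, server groups and method lists.

    Only the constructs used in the posted config are understood; this is a
    deliberately small parser, not a full IOS configuration grammar.
    """
    named_servers, legacy_hosts = set(), set()
    groups = {}        # group name -> list of ("name", X) / ("ip", X) members
    method_lists = []  # (kind, scope, list name, method tokens)
    current_group = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):          # sub-command of the currently open block
            parts = line.split()
            if current_group is not None and parts[0] == "server":
                if parts[1] == "name":
                    groups[current_group].append(("name", parts[2]))
                else:
                    groups[current_group].append(("ip", parts[1]))
            continue
        current_group = None              # any top-level command closes the block
        if m := GROUP_RE.match(line):
            current_group = m.group(2)
            groups.setdefault(current_group, [])
        elif m := NAMED_SERVER_RE.match(line):
            named_servers.add(m.group(1))
        elif m := LEGACY_HOST_RE.match(line):
            legacy_hosts.add(m.group(1))
        elif m := METHOD_LIST_RE.match(line):
            method_lists.append((m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return named_servers, legacy_hosts, groups, method_lists


def lint_aaa(config):
    """Return human-readable findings that explain the warnings seen in the debugs."""
    named_servers, legacy_hosts, groups, method_lists = parse_aaa(config)
    list_names = {name for _, _, name, _ in method_lists}
    findings = []
    # 1. Group members that were never defined -> "%TAC+: no address for get_server"
    for gname, members in groups.items():
        for kind, ref in members:
            if kind == "name" and ref not in named_servers:
                findings.append(f"server-group {gname}: 'server name {ref}' has no "
                                f"'tacacs server {ref}' definition (no address for get_server)")
            elif kind == "ip" and ref not in legacy_hosts:
                findings.append(f"server-group {gname}: 'server {ref}' has no "
                                f"'tacacs-server host {ref}' definition")
    # 2. Lists that point at a group which does not exist -> "%AAAA-4-SERVUNDEF"
    # 3. Lists that never reach any server group, i.e. they are local-only
    for kind, scope, name, methods in method_lists:
        refs = [methods[i + 1] for i, tok in enumerate(methods)
                if tok == "group" and i + 1 < len(methods)]
        for ref in refs:
            if ref in BUILTIN_GROUPS:
                if ref == "tacacs+" and not legacy_hosts:
                    findings.append(f"{kind} {scope} list {name}: 'group tacacs+' "
                                    "but no 'tacacs-server host' is configured")
            elif ref not in groups:
                hint = " (that name is a method list, not a server group)" if ref in list_names else ""
                findings.append(f"{kind} {scope} list {name}: server-group {ref} "
                                f"is not defined{hint} (SERVUNDEF)")
        if not refs:
            findings.append(f"{kind} {scope} list {name}: no server group, so TACACS+ is "
                            f"never consulted (methods: {' '.join(methods)})")
    return findings


if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE_CONFIG):
        print("-", finding)
```

Running it against the posted config prints the three findings in the order above; once a `tacacs server LDN` block exists and the `console` login list points at a real server group, the script reports nothing. The local-only check is the one worth keeping in a fleet audit: a method list that falls straight to `local` grants access without the central policy or accounting trail, and IOS logs no warning for it.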
05-20-2020 02:18 AM
Hi Dan,
Your configuration needs some changes.
Please use the following template and adjust it to your environment.
*Credit for the template goes to Brad Johnson
! Define the TACACS+ servers
tacacs server [ISE PSN 1 Name]
address ipv4 [ISE PSN 1 IP]
key [TACACS Secret]
tacacs server [ISE PSN 2 Name]
address ipv4 [ISE PSN 2 IP]
key [TACACS Secret]
! Define the TACACS+ server groups
aaa group server tacacs+ ISE_TACACS
server name [ISE PSN 1 Name]
server name [ISE PSN 2 Name]
! Configure AAA for TACACS+ authentication with local fallback
aaa authentication login default group ISE_TACACS local
aaa authentication enable default group ISE_TACACS enable
aaa authorization exec default group ISE_TACACS local
aaa authorization commands 0 default group ISE_TACACS local
aaa authorization commands 1 default group ISE_TACACS local
aaa authorization commands 15 default group ISE_TACACS local
aaa authorization config-commands
aaa authorization console
aaa accounting exec default start-stop group ISE_TACACS
aaa accounting commands 1 default start-stop group ISE_TACACS
aaa accounting commands 15 default start-stop group ISE_TACACS
! Apply authorization on VTY lines 0 through 4 (the list name must match a defined method list; here the default lists)
line vty 0 4
 authorization exec default
 authorization commands 0 default
 authorization commands 1 default
 authorization commands 15 default