TACACS implementation failed

Adam David
Level 1

Hi,

I've been working to enable TACACS on the firewall Cisco-ASA-FW. For an unknown reason, I can't authenticate with the ACS server using a TACACS id. Therefore, I would appreciate it if you could share with me how to troubleshoot and fix this problem. Thanks

This is the config of aaa-server.

Cisco-ASA-FW# sh run aaa-server
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.1.1
 timeout 5
 key ******
aaa-server TACACS+ (inside) host 192.168.1.2
 timeout 5
 key ******
Cisco-ASA-FW#

I did a test of aaa-server authentication; however, the authentication server is not responding.

Cisco-ASA-FW# test aaa-server authentication TACACS+
Server IP Address or name: 192.168.1.1
Username: networker
Password: **********
INFO: Attempting Authentication test to IP address <192.168.1.1>(timeout: 10 seconds)
ERROR: Authentication Server not responding: No error
Cisco-ASA-FW#

Cisco-ASA-FW# test aaa-server authentication TACACS+
Server IP Address or name: 192.168.1.2
Username: networker
Password: **********
INFO: Attempting Authentication test to IP address <192.168.1.2>(timeout: 10 seconds)
ERROR: Authentication Server not responding: No error
Cisco-ASA-FW#

I did further checking on the firewall and found this.

Cisco-ASA-FW# sh log | i 192.168.1.1

Mar 31 2011 09:39:07 10.10.10.10 : %ASA-2-113023: AAA Marking TACACS+ server 192.168.1.1 in aaa-server group TACACS+ as ACTIVE
Mar 31 2011 10:02:46 10.10.10.10 : %ASA-2-113022: AAA Marking TACACS+ server 192.168.1.1 in aaa-server group TACACS+ as FAILED
Mar 31 2011 10:13:07 10.10.10.10 : %ASA-2-113023: AAA Marking TACACS+ server 192.168.1.1 in aaa-server group TACACS+ as ACTIVE
Mar 31 2011 10:36:17 10.10.10.10 : %ASA-2-113022: AAA Marking TACACS+ server 192.168.1.1 in aaa-server group TACACS+ as FAILED

This is the log that I found on the syslog server.

UNIX-Server{networker}: tail -f logfile | grep Cisco-ASA-FW | grep 192.168.1.1

Mar 31 10:10:23 Cisco-ASA-FW Apr 01 2011 10:10:23 10.10.10.10 : %ASA-6-302013: Built outbound TCP connection 4036746 for inside:192.168.1.1/49 (192.168.1.1/49) to identity:172.16.10.10/39567 (172.16.10.10/39567)
Mar 31 10:10:23 Cisco-ASA-FW Apr 01 2011 10:10:23 10.10.10.10 : %ASA-6-110003: Routing failed to locate next hop for TCP from identity:172.16.10.10/39567 to inside:192.168.1.1/49
Mar 31 10:12:08 Cisco-ASA-FW Apr 01 2011 10:12:08 10.10.10.10 : %ASA-6-302013: Built outbound TCP connection 4036779 for inside:192.168.1.1/49 (192.168.1.1/49) to identity:172.16.10.10/31388 (172.16.10.10/31388)
Mar 31 10:12:08 Cisco-ASA-FW Apr 01 2011 10:12:08 10.10.10.10 : %ASA-6-110003: Routing failed to locate next hop for TCP from identity:172.16.10.10/31388 to inside:192.168.1.1/49

Based on the error message above, I've found this info on the Cisco website.

2 Replies

Shrikant Sundaresh
Cisco Employee

Hi Adam,

Could you please show/check the outputs of the interface ip addresses and the routing table on the ASA?

It appears that the TACACS servers are not in a directly connected subnet.

Has a static route been defined to that subnet on the inside interface?

"show route" will show the routing table. Check if there is a route to the TACACS subnet.

To configure a static route:

route inside 192.168.1.0 255.255.255.0 <next-hop-gateway>

Please let me know if this helps.

-Shrikant

P.S.: Please mark the question resolved if it has been answered. Do rate helpful posts. Thanks.
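The ASA syslog lines quoted in the question (the %ASA-6-110003 "Routing failed to locate next hop" entries toward port 49 and the %ASA-2-113022 FAILED markings) are enough to reach the missing-route diagnosis given in the reply above automatically. The following is an added example, not code from the thread or from Cisco: it parses constructed sample lines in the same format, reports each configured TACACS+ host the ASA could not route to, and emits the static-route shape from the reply with a placeholder gateway (the next hop is not on the page and must be supplied by the operator).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the %ASA syslog format shown in the thread
# (same hostname and addresses as the post; not live data).
SAMPLE_LOG = """\
Mar 31 10:10:23 Cisco-ASA-FW Apr 01 2011 10:10:23 10.10.10.10 : %ASA-6-302013: Built outbound TCP connection 4036746 for inside:192.168.1.1/49 (192.168.1.1/49) to identity:172.16.10.10/39567 (172.16.10.10/39567)
Mar 31 10:10:23 Cisco-ASA-FW Apr 01 2011 10:10:23 10.10.10.10 : %ASA-6-110003: Routing failed to locate next hop for TCP from identity:172.16.10.10/39567 to inside:192.168.1.1/49
Mar 31 10:10:24 Cisco-ASA-FW Apr 01 2011 10:10:24 10.10.10.10 : %ASA-2-113022: AAA Marking TACACS+ server 192.168.1.1 in aaa-server group TACACS+ as FAILED
Mar 31 10:12:08 Cisco-ASA-FW Apr 01 2011 10:12:08 10.10.10.10 : %ASA-6-110003: Routing failed to locate next hop for TCP from identity:172.16.10.10/31388 to inside:192.168.1.2/49
"""

# Message IDs seen in the thread: 110003 = no route to next hop,
# 113022/113023 = AAA server marked FAILED/ACTIVE. The \s* tolerates the
# run-together forms ("39567to", "asFAILED") that appear in the pasted logs.
ROUTE_FAIL = re.compile(
    r"%ASA-\d-110003: Routing failed to locate next hop for \w+ "
    r"from (?P<src_if>\w+):(?P<src>[\d.]+)/\d+\s*to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
AAA_STATE = re.compile(
    r"%ASA-\d-11302[23]: AAA Marking \S+ server (?P<server>[\d.]+) "
    r"in aaa-server group \S+ as\s*(?P<state>ACTIVE|FAILED)"
)

def diagnose(log_text, tacacs_hosts, tacacs_port=49):
    """Per configured TACACS+ host: count of routing failures toward port 49,
    count of FAILED markings, and the egress interface the ASA tried to use."""
    report = defaultdict(lambda: {"no_route": 0, "failed": 0, "interface": None})
    for line in log_text.splitlines():
        m = ROUTE_FAIL.search(line)
        if m and m["dst"] in tacacs_hosts and int(m["dport"]) == tacacs_port:
            report[m["dst"]]["no_route"] += 1
            report[m["dst"]]["interface"] = m["dst_if"]
            continue
        m = AAA_STATE.search(line)
        if m and m["server"] in tacacs_hosts and m["state"] == "FAILED":
            report[m["server"]]["failed"] += 1
    return dict(report)

def suggest_routes(report, prefixlen=24):
    """Static-route commands in the form used in the reply, one per affected
    subnet (hypothetical prefix length; gateway left as a placeholder)."""
    routes = set()
    for srv, v in report.items():
        if v["no_route"]:
            net = ipaddress.ip_network(f"{srv}/{prefixlen}", strict=False)
            routes.add(f"route {v['interface']} {net.network_address} {net.netmask} <next-hop-gateway>")
    return sorted(routes)

if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG, {"192.168.1.1", "192.168.1.2"})
    print(result)
    print("\n".join(suggest_routes(result)))
```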

andamani
Cisco Employee

Hi Adam,

Please enable the following debugs on the ASA:

deb aaa authentication

deb tacacs 255

Run a test aaa and please paste the output of the debugs along with the logs on the ACS server.

What do the ACS failed attempt logs say?

If there are no records there, then you could check for the corresponding entry in the Windows Event Viewer, in the case of ACS for Windows.

Hope this helps.

Regards,

Anisha.

P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
