AAA authentication TACACs failed

Hi,

I've configured my device 6506-9 with TACACS+ server authentication:

enable password 7 1414131F5C542638
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs enable
aaa authentication ppp default group tacacs+
aaa authorization exec default group tacacs+ if-authenticated none
aaa authorization network default group tacacs+
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa session-id common
!
ip tacacs source-interface Vlan4
!
tacacs-server host 10.4.X.X key 7 1 044A1E030D345F4D080A554745
tacacs-server directed-request
tacacs-server key 7 12081012101E1F072B3874786475
!
interface Vlan4
 description Servers
 ip address 10.4.X.X 255.255.0.0
 no ip redirects
 standby 1 ip 10.4.X.X
!

but when I try to access the device it only uses local authentication, not TACACS (with the username/password defined). Could it be an error in the configuration? On the other devices in the network this works properly; it's only wrong on the Cat6506-E.

device#  telnet 10.1.1.3
Trying 10.1.1.3 ... Open


User Access Verification

Password:

Thanks!


Re: AAA authentication TACACs failed

You have configured the default authentication method to use TACACS+ with a fallback of line password.


Since you are being prompted for the line password, it appears that the router can't contact the TACACS+ server.

Please enable these debugs, recreate the problem and show us the output:

debug aaa authentication

debug tacacs

You will also want to make sure that you can reach the TACACS+ server when sourcing packets from VLAN 4.


Re: AAA authentication TACACs failed

Hi,
From the 2 Cat6509s that form the core of the network, I can ping the TACACS server (from other network equipment, TACACS works without problems):

Core1# ping 10.4.2.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.2.33, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Core1# ping
Protocol [ip]:
Target IP address: 10.4.2.33
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.4.1.253
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose [none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.2.33, timeout is 2 seconds:
Packet sent with a source address of 10.4.1.253
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

I completed the debugging that you've recommended (attached file).

Thank you very much for your reply.

Re: AAA authentication TACACs failed

Make sure ACS has the IP address of VLAN 4 listed under AAA clients.



Regards,

~JG


Re: AAA authentication TACACs failed

Hi,

The management IPs of all network equipment are in VLAN 1, with IP range 10.1.XX/16.
The TACACS server IP is on VLAN 4, with addressing 10.4.XX/16.
On the TACACS server the full range of VLAN 1 is allowed to authenticate, and all network equipment does so properly, except the CORE devices (Cat6509).

Thanks!


Re: AAA authentication TACACs failed

In the debug output we see:

Mar 22 17:14:58: TPLUS(00000061)/0/NB_WAIT/524FDA08: Started 5 sec timeout
Mar 22 17:14:58: TPLUS(00000061)/0/NB_WAIT: socket event 2
Mar 22 17:14:58: TPLUS(00000061)/0/NB_WAIT: wrote entire 51 bytes request
Mar 22 17:14:58: TPLUS(00000061)/0/READ: socket event 1
Mar 22 17:14:58: TPLUS(00000061)/0/READ: Would block while reading
Mar 22 17:14:58: TPLUS(00000061)/0/READ: socket event 1
Mar 22 17:14:58: TPLUS(00000061)/0/READ: errno 254
Mar 22 17:14:58: TPLUS(00000061)/0/524FDA08: Processing the reply packet

That suggests a mismatched TACACS+ shared secret; please check into this.
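The two replies above make a point worth automating: the "Password:" prompt appears because the default login list falls through to the line password when the TACACS+ server cannot be reached, while a reply that is received but fails to read points at a different problem. The script below is an added example, not code from this thread or from Cisco. It groups `debug tacacs` lines by TPLUS session id and gives each session a verdict, then reads the `aaa authentication login` lists from the posted config to show which method IOS uses when TACACS+ is unreachable. Session 00000061 is the one quoted above; the other two sessions and their debug strings are constructed to show a timeout and a clean reply, and the reading of errno 254 as a shared-secret mismatch is carried over from the responder's interpretation, not verified independently.

```python
"""Triage 'debug tacacs' output against the AAA login method list.

Added example, not code from the thread or from Cisco: it groups TPLUS debug
lines by session id and gives each session a verdict, then reads the
'aaa authentication login' lists from the posted config to show which method
IOS falls through to when the TACACS+ server is unreachable.
"""
import re
from collections import defaultdict

# Constructed sample. Session 00000061 is the one quoted in the thread; the
# other two sessions are made up to show a server timeout and a clean reply.
SAMPLE_DEBUG = """\
Mar 22 17:14:58: TPLUS(00000061)/0/NB_WAIT/524FDA08: Started 5 sec timeout
Mar 22 17:14:58: TPLUS(00000061)/0/NB_WAIT: socket event 2
Mar 22 17:14:58: TPLUS(00000061)/0/NB_WAIT: wrote entire 51 bytes request
Mar 22 17:14:58: TPLUS(00000061)/0/READ: socket event 1
Mar 22 17:14:58: TPLUS(00000061)/0/READ: Would block while reading
Mar 22 17:14:58: TPLUS(00000061)/0/READ: socket event 1
Mar 22 17:14:58: TPLUS(00000061)/0/READ: errno 254
Mar 22 17:14:58: TPLUS(00000061)/0/524FDA08: Processing the reply packet
Mar 22 17:20:01: TPLUS(00000062)/0/NB_WAIT/524FDB10: Started 5 sec timeout
Mar 22 17:20:06: TPLUS(00000062)/0/NB_WAIT/524FDB10: timed out
Mar 22 17:25:10: TPLUS(00000063)/0/NB_WAIT/524FDC20: Started 5 sec timeout
Mar 22 17:25:10: TPLUS(00000063)/0/NB_WAIT: wrote entire 51 bytes request
Mar 22 17:25:10: TPLUS(00000063)/0/READ: socket event 1
Mar 22 17:25:10: TPLUS(00000063)/0/READ: read entire 18 bytes response
Mar 22 17:25:10: TPLUS(00000063)/0/524FDC20: Processing the reply packet
"""

# The AAA lines from the original post (only the lines this script reads).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs enable
aaa authentication ppp default group tacacs+
"""

SESSION_RE = re.compile(r"TPLUS\((?P<sid>[0-9A-Fa-f]+)\)/\d+/(?P<rest>.*)$")
LOGIN_RE = re.compile(r"^aaa authentication login (?P<name>\S+) (?P<methods>.+)$")


def triage(debug_text):
    """Return {session_id: verdict} for every TPLUS session in the capture.

    TIMEOUT      no reply before the timer fired: the server was not reached,
                 so IOS moves to the next method in the list (ERROR, not FAIL).
    REPLY_ERROR  a reply arrived but the read failed with an errno; the thread's
                 responder reads errno 254 as a shared-secret mismatch
                 (assumption carried over from the thread, not verified here).
    REPLY_OK     a reply was read and processed without error.
    INCOMPLETE   the capture ends before any of the above.
    """
    events = defaultdict(list)
    for line in debug_text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            events[m.group("sid")].append(m.group("rest"))

    verdicts = {}
    for sid, evs in events.items():
        joined = "\n".join(evs)
        err = re.search(r"\berrno (\d+)", joined)
        if "timed out" in joined:
            verdicts[sid] = "TIMEOUT"
        elif err:
            verdicts[sid] = f"REPLY_ERROR(errno {err.group(1)})"
        elif "Processing the reply packet" in joined:
            verdicts[sid] = "REPLY_OK"
        else:
            verdicts[sid] = "INCOMPLETE"
    return verdicts


def login_methods(config_text):
    """Map each 'aaa authentication login' list name to its ordered methods.

    'group <name>' is kept as one token so that order and grouping survive.
    """
    lists = {}
    for line in config_text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group("methods").split()
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append(f"group {tokens[i + 1]}")
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[m.group("name")] = methods
    return lists


def fallback_after_tacacs(methods):
    """Method IOS uses when every TACACS+ server in the list is unreachable.

    Returns None when 'group tacacs+' is absent or is the last method; in the
    latter case an unreachable server leaves no way to log in on that list.
    """
    if "group tacacs+" not in methods:
        return None
    nxt = methods.index("group tacacs+") + 1
    return methods[nxt] if nxt < len(methods) else None


if __name__ == "__main__":
    for sid, verdict in triage(SAMPLE_DEBUG).items():
        print(f"session {sid}: {verdict}")
    lists = login_methods(SAMPLE_CONFIG)
    fb = fallback_after_tacacs(lists["default"])
    print(f"default login list: {lists['default']} -> fallback: {fb}")
```

Run against the posted config, the default list resolves to `['group tacacs+', 'line']` with fallback `line`, which is exactly the line-password prompt the original poster saw; the quoted session gets `REPLY_ERROR(errno 254)`, so the server did answer and a plain reachability check alone would not explain the symptom.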


AAA authentication TACACs failed

I, too, am having this issue.

Solutions attempted, but still failed:

1. entered tacacs key again

2. restarted Cisco ACS 5.2 server

3. added "ip tacacs source-interface" command

Here's the original post I created. I didn't know what to search for originally, so I created a separate topic/thread.

https://supportforums.cisco.com/thread/2203407

Thank you,

Adam