Cannot login into Router using TACACS+

nfordhk
Level 1

Hello,

I cannot log into my OSPF router using TACACS+. Below are the debug messages:

.Mar 16 16:20:29: TPLUS(0000004F)/0/NB_WAIT/661E1170: timed out, clean up
.Mar 16 16:20:29: TPLUS(0000004F)/0/661E1170: Processing the reply packet
.Mar 16 16:24:46: TAC+: Using default tacacs server-group "TACACS-SERVERS" list.
.Mar 16 16:24:46: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5
.Mar 16 16:24:51: TAC+: TCP/IP open to x.x.x.x/49 failed -- Connection timed out; remote host not responding
.Mar 16 16:24:51: TPLUS: Queuing AAA Accounting request 75 for processing
.Mar 16 16:24:51: TPLUS: processing accounting request id 75
.Mar 16 16:24:51: TPLUS: Sending AV task_id=627
.Mar 16 16:24:51: TPLUS: Sending AV timezone=EDT
.Mar 16 16:24:51: TPLUS: Sending AV service=shell
.Mar 16 16:24:51: TPLUS: Sending AV start_time=1331929491
.Mar 16 16:24:51: TPLUS: Sending AV priv-lvl=1
.Mar 16 16:24:51: TPLUS: Sending AV cmd=show logging <cr>
.Mar 16 16:24:51: TPLUS: Accounting request created for 75(backup)
.Mar 16 16:24:51: TPLUS: Using server x.x.x.x

I have confirmed the IP on the server. The router can ping the TACACS+ server and telnet over port 49. I have confirmed the IP has a route. I have deleted / re-added the entry on the ACS server. I have verified the TACACS+ key several times.

2 Replies

Tarik Admani
VIP Alumni

What version of code is running on your router and what version of ACS are you running? Is this a new installation or did this start all of a sudden?

Also, what is the source interface for the TACACS request? You may need to specify the source interface to send the TACACS request from.

Thanks,

Tarik Admani

mavespig
Level 3

Hi Nicholas,

As Tarik wrote, be sure that the remote server is aware of the source-interface configured on the router.

Can you try to telnet to the server?

telnet 1.1.1.1 49 /source-interface

You should be able to see "CONNECT".

You can also try to use the test aaa command, and see if your user gets successfully authenticated.

'test aaa group tacacs legacy'

Regards

Marco
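
Added example, not part of the thread and not Cisco tooling: a small Python triage of the debug output posted in the question. It pairs each `TAC+: Opening TCP/IP` line with its matching `failed` line and reports how long the router waited against the configured timeout; the function name `triage` and the result field names are assumptions made for this example.

```python
import re
from datetime import datetime

# Debug lines copied from the question above (server address already masked as x.x.x.x).
SAMPLE = """\
.Mar 16 16:24:46: TAC+: Using default tacacs server-group "TACACS-SERVERS" list.
.Mar 16 16:24:46: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5
.Mar 16 16:24:51: TAC+: TCP/IP open to x.x.x.x/49 failed -- Connection timed out; remote host not responding
.Mar 16 16:24:51: TPLUS: Queuing AAA Accounting request 75 for processing
"""

# IOS may prefix the timestamp with '.' or '*' when the clock is not authoritative.
STAMP = r"^[.*]?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)(?:\.\d+)?: TAC\+: "
OPENING = re.compile(STAMP + r"Opening TCP/IP to (?P<srv>\S+)/(?P<port>\d+) timeout=(?P<to>\d+)")
FAILED = re.compile(STAMP + r"TCP/IP open to (?P<srv>\S+)/(?P<port>\d+) failed -- (?P<why>.+)$")


def _ts(text):
    # The log carries no year; a fixed leap year keeps Feb 29 parseable.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S")


def triage(log_text):
    """Pair each TCP open attempt with its failure and report connect-stage errors."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = OPENING.match(line)
        if m:
            pending[(m["srv"], m["port"])] = (_ts(m["ts"]), int(m["to"]))
            continue
        m = FAILED.match(line)
        if m:
            started, timeout = pending.pop((m["srv"], m["port"]), (None, None))
            waited = int((_ts(m["ts"]) - started).total_seconds()) if started else None
            findings.append({
                "server": m["srv"], "port": int(m["port"]), "reason": m["why"].strip(),
                "waited_s": waited, "timeout_s": timeout,
                # Heuristic: waiting out the whole timer means nothing came back,
                # not even a reset, for the address the router sourced from.
                "silent_drop": waited is not None and waited >= timeout,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A failure reported at this stage occurs before any TACACS+ packet is exchanged, so it says nothing yet about the shared key.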