03-05-2013 02:46 PM - edited 03-10-2019 08:09 PM
ACS ver: 5.2
L3 Switch: C6509
IOS version: s72033-ipservices_wan-mz.122-33.SXI7.bin
All C6509s have the following AAA config:
username cisco-admin privilege 15 secret 5 #$%^&*gfnEhts$5678#
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host xx.xx.xxx.12
tacacs-server timeout 15
tacacs-server directed-request
tacacs-server key blahblahblah
DSW4 remote session, note the prompt:
Username (asking for local username)
DSW3 remote session, note the prompt:
username (right off the bat, I know this is asking for the tacacs account)
DSW2 remote session, note the prompt:
username (right off the bat, I know this is asking for the tacacs account)
I can ping my ACS server from either DSW.
debug aaa authorization results:
DSW4
Mar 5 16:47:32.660: AAA/AUTHOR (915254943): Post authorization status = ERROR
Mar 5 16:47:32.660: tty1 AAA/AUTHOR/CMD (915254943): Method=LOCAL
Mar 5 16:47:32.660: AAA/AUTHOR (915254943): Post authorization status = PASS_ADD
DSW3 and DSW2
Mar 5 08:44:26.475 pacific: AAA/BIND(000003E3): Bind i/f
Mar 5 08:44:26.475 pacific: AAA/AUTHEN/LOGIN (000003E3): Pick method list 'default'
Mar 5 08:44:32.411 pacific: AAA/AUTHOR (0x3E3): Pick method list 'default'
Mar 5 08:44:32.415 pacific: AAA/AUTHOR/EXEC(000003E3): processing AV cmd=
Mar 5 08:44:32.415 pacific: AAA/AUTHOR/EXEC(000003E3): processing AV priv-lvl=15
Mar 5 08:44:32.415 pacific: AAA/AUTHOR/EXEC(000003E3): Authorization successful
Hundreds of other ASWs that I manage have the same config and have no problems authenticating through TACACS.
I've been digging through the support community forum to see if anything matches my issue, with no luck. Any input is highly appreciated.
Thank you.
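The debug output above is what distinguishes the broken switch from the working ones: on DSW4 the first authorization method returns ERROR and the command is then answered by the LOCAL database, while on DSW3 the default method list completes without a fallback. The following parser is an added example (not code from the original post or from Cisco) that groups "debug aaa authorization" lines by device and session id and flags exactly those two conditions. The sample lines are the ones quoted in the post, with a hostname prepended as a constructed convention so one pass can triage several devices; the regex assumes the timestamp, optional timezone word, optional tty token and "SUBSYSTEM (session-id):" layout seen in those lines.

```python
import re
from collections import defaultdict

# Constructed sample: the post's own debug lines, hostname prepended so a
# single parser can handle output copied from several switches.
SAMPLE_DEBUG = """\
DSW4 Mar 5 16:47:32.660: AAA/AUTHOR (915254943): Post authorization status = ERROR
DSW4 Mar 5 16:47:32.660: tty1 AAA/AUTHOR/CMD (915254943): Method=LOCAL
DSW4 Mar 5 16:47:32.660: AAA/AUTHOR (915254943): Post authorization status = PASS_ADD
DSW3 Mar 5 08:44:26.475 pacific: AAA/BIND(000003E3): Bind i/f
DSW3 Mar 5 08:44:26.475 pacific: AAA/AUTHEN/LOGIN (000003E3): Pick method list 'default'
DSW3 Mar 5 08:44:32.411 pacific: AAA/AUTHOR (0x3E3): Pick method list 'default'
DSW3 Mar 5 08:44:32.415 pacific: AAA/AUTHOR/EXEC(000003E3): processing AV priv-lvl=15
DSW3 Mar 5 08:44:32.415 pacific: AAA/AUTHOR/EXEC(000003E3): Authorization successful
"""

# Assumed line layout (matches the lines quoted in the post):
#   <host> <Mon> <day> <hh:mm:ss.mmm>[ <tz>]: [<tty> ]<AAA/SUBSYS>[ ](<session>): <message>
LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+"                 # hostname we prepended
    r"(?P<ts>\w{3}\s+\d+\s+[\d:.]+)"     # e.g. Mar 5 16:47:32.660
    r"(?:\s+\w+)?:\s+"                   # optional timezone word, then ':'
    r"(?:\S+\s+)?"                       # optional 'tty1'
    r"(?P<subsys>AAA/[A-Z/]+)\s*"        # AAA/AUTHOR, AAA/AUTHOR/CMD, ...
    r"\((?P<sid>[0-9A-Fa-fx]+)\):\s+"    # session id, decimal or hex, 0x or zero-padded
    r"(?P<msg>.*)$"
)


def normalise_sid(raw):
    """IOS prints the same session as 000003E3 and 0x3E3; reduce both to '3e3'."""
    sid = raw.lower()
    if sid.startswith("0x"):
        return sid[2:]
    return sid.lstrip("0") or "0"


def parse_debug(text):
    """Turn debug lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "host": m["host"],
            "sid": normalise_sid(m["sid"]),
            "subsys": m["subsys"],
            "msg": m["msg"],
        })
    return events


def triage(events):
    """Group events by (host, session) and describe what happened to each session."""
    sessions = defaultdict(list)
    for e in events:
        sessions[(e["host"], e["sid"])].append(e["msg"])

    findings = {}
    for key, msgs in sessions.items():
        notes = []
        if any("status = ERROR" in m for m in msgs):
            notes.append("first method returned ERROR (server not answering or rejecting packets)")
        if any("Method=LOCAL" in m for m in msgs):
            notes.append("authorization answered by the LOCAL database, not TACACS+")
        if not notes and any("Authorization successful" in m for m in msgs):
            notes.append("completed without fallback")
        findings[key] = notes
    return findings


if __name__ == "__main__":
    for (host, sid), notes in triage(parse_debug(SAMPLE_DEBUG)).items():
        print(f"{host} session {sid}:")
        for n in notes:
            print(f"  - {n}")
```

A session that shows both ERROR and Method=LOCAL is the signature of "tacacs+ was tried and failed, local fallback was used", which is why DSW4 prompts for the local username while DSW3 and DSW2 prompt for the TACACS account. Feed the script the real debug capture, prefixing each device's lines with its hostname, and the sessions that need attention come out grouped per switch.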
04-18-2013 05:00 PM
You wrote that you already checked the keys in your post under the other thread; however, the debugs are still complaining about bad keys. Could you verify it again? While configuring the key, avoid copy/paste.
Apr 18 15:19:17.629: TAC+: Invalid AUTHOR/START packet (check keys)
Also, I don't see an error from the ACS. Please add that as well if your issue persists.
Regards,
Jatin Katyal
- Do rate helpful posts -
04-17-2013 06:42 PM
Could you please provide the following information:
1.] Output of debugs
debug aaa authentication
debug tacacs
2.] test aaa group tacacs
3.] Error message from the ACS 5.x - tacacs authentication.
Jatin Katyal
- Do rate helpful posts -
04-18-2013 08:38 AM
J,
Attached is the debug output.
Also, I ran traceroute from other DSW and random ASW, see results below:
DSW4#traceroute 10.10.128.121
Type escape sequence to abort.
Tracing the route to 10.10.128.121
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
DSW2#traceroute 10.10.128.119
1 131.34.128.119 0 msec 0 msec 0 msec
I ran traceroute from all the other switches; they all found the route to 10.10.128.121 via DSW1:
Tracing the route to 10.10.128.121
1 10.10.10.24 0 msec 4 msec 0 msec
I might just create a static route to 10.10.128.121 from the two DSWs that are having this issue. FYI, we are using EIGRP.
04-19-2013 08:01 AM
J,
Thank you very much for asking about the ACS error!
So, I went to the ACS dashboard [Authentication TACACS - Today and Yesterday] and found multiple errors referencing our HSRP standby/virtual IPs. It was denying packets from 128.1, 128.2, and 128.3.
DESCRIPTION
A TACACS+ packet was received with a source IP Address that did not match any configured Network Device or AAA Client
RESOLUTION
Verify that the Network Device or AAA client is configured in Network Resources > Network Devices and AAA Clients >
I examined the IPs under Network Devices and AAA Clients and added the three IPs referenced above. Originally, I only had the management VLAN IP range for network devices and AAA clients, plus the ACS/LMS IPs. The license we have is only good for 500 devices; the management VLAN IP range was /23 [we're not using all the IPs, so I reverted back to /24].
J: Thank you for asking the RIGHT QUESTION!
All is well!!!
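The root cause in the reply above is a coverage gap: the ACS only accepts TACACS+ from source addresses that fall inside a registered Network Device / AAA Client entry, and a switch can send from addresses that were never registered (here the HSRP-related ones). The script below is an added example, not code from the post or from Cisco ACS, that checks a device inventory against the registered client ranges before the ACS starts logging "source IP Address that did not match any configured Network Device or AAA Client", proposes the smallest extra networks that close the gap, and counts how many addresses the resulting ranges consume against the 500-device license mentioned in the post (assuming, as that post implies, that a range counts every address in it). All addresses are constructed documentation-range values, since the post masks its real ranges; the DEVICES inventory, the second /32 client entry and the function names are this example's own.

```python
import ipaddress

# Constructed addressing (the post masks its real ranges): the management
# VLAN registered on the ACS as one range, plus one single-host client.
AAA_CLIENTS = ["192.0.2.0/24", "203.0.113.10/32"]
LICENSE_LIMIT = 500  # device budget quoted in the post

# Per switch, every address the ACS might see as the packet source: the
# management address plus, for the DSWs, a constructed second address on a
# subnet that was never registered (the post's HSRP-related addresses).
DEVICES = {
    "DSW1": ["192.0.2.11", "198.51.100.1"],
    "DSW2": ["192.0.2.12", "198.51.100.2"],
    "DSW3": ["192.0.2.13", "198.51.100.3"],
    "ASW1": ["192.0.2.50"],
}


def _nets(clients):
    """Registered client entries as network objects (a bare host becomes a /32)."""
    return [ipaddress.ip_network(c, strict=False) for c in clients]


def is_registered(addr, clients):
    """True if addr falls inside any registered AAA-client network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in _nets(clients))


def unregistered_sources(devices, clients):
    """Map device -> source addresses the ACS would reject as unknown clients."""
    gaps = {}
    for dev, addrs in devices.items():
        missing = [a for a in addrs if not is_registered(a, clients)]
        if missing:
            gaps[dev] = missing
    return gaps


def proposed_clients(devices, clients):
    """Registered list plus the fewest extra networks covering every gap."""
    missing = {a for addrs in unregistered_sources(devices, clients).values() for a in addrs}
    singles = [ipaddress.ip_network(a) for a in sorted(missing, key=ipaddress.ip_address)]
    extra = ipaddress.collapse_addresses(singles)  # merges adjacent /32s into supernets
    return [str(n) for n in _nets(clients)] + [str(n) for n in extra]


def licensed_address_count(clients):
    """Addresses consumed by the registered ranges (a /23 alone is 512)."""
    return sum(n.num_addresses for n in _nets(clients))


def fits_license(clients, limit=LICENSE_LIMIT):
    """True if the ranges stay inside the device budget."""
    return licensed_address_count(clients) <= limit


if __name__ == "__main__":
    for dev, addrs in unregistered_sources(DEVICES, AAA_CLIENTS).items():
        print(f"{dev}: ACS would reject TACACS+ from {', '.join(addrs)}")
    proposal = proposed_clients(DEVICES, AAA_CLIENTS)
    print("proposed client list:", proposal)
    print("addresses against license:", licensed_address_count(proposal),
          "fits" if fits_license(proposal) else "exceeds limit")
    print("a /23 management range alone:", licensed_address_count(["192.0.2.0/23"]))
```

Running it with the constructed inventory reports the three DSW addresses as rejected, adds 198.51.100.1/32 and 198.51.100.2/31 to the client list, and shows why a /23 management range (512 addresses) would not fit the 500-device license while a /24 does. The same check is worth re-running whenever a device gains an address or an HSRP group is added, since that is exactly the kind of change that silently moves a switch back to local fallback.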