PPP Authentication: OK with RADIUS KO with TACACS+ (ACS 5.2)

Hi everybody

For CCNA Security I was testing a lab made of two routers connected by a serial PPP interface, both able to reach a Cisco ACS 5.2 AAA server through FastEthernet 0/0.

Now my problem is that using RADIUS I am able to authenticate the PPP connection between the routers, but I cannot do the same with TACACS+.

Thinking it was an ACS 5.2 configuration issue, I also tried to manipulate the Service Selection Rules in order to direct TACACS+ authorization to Default Network Access instead of Default Device Admin, but with no success.

[Attached screenshot: Cattura.JPG]

Any help is appreciated; here are the routers' debug output and configs.

Thank you all

debug ppp authentication (from router-A WITH TACACS+)

*Mar  1 02:31:53.295: Se0/0 PPP: Authorization required
*Mar  1 02:31:55.299: Se0/0 CHAP: O CHALLENGE id 231 len 29 from "ciscoACS"
*Mar  1 02:31:55.327: Se0/0 CHAP: I CHALLENGE id 234 len 30 from "ciscoACS2"
*Mar  1 02:31:55.375: Se0/0 CHAP: Using hostname from interface CHAP
*Mar  1 02:31:55.375: Se0/0 CHAP: Using password from interface CHAP
*Mar  1 02:31:55.379: Se0/0 CHAP: O RESPONSE id 234 len 29 from "ciscoACS"
*Mar  1 02:31:55.383: Se0/0 CHAP: I RESPONSE id 231 len 30 from "ciscoACS2"
*Mar  1 02:31:55.403: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar  1 02:31:55.455: Se0/0 PPP: Received LOGIN Response FAIL
*Mar  1 02:31:55.459: Se0/0 CHAP: O FAILURE id 231 len 25 msg is "Authentication failed"

-----------------------------------------------------------------------------------------------

debug ppp authentication (from router-B WITH TACACS+)

*Mar  1 02:28:53.347: Se0/0 PPP: Authorization required
*Mar  1 02:28:53.383: Se0/0 CHAP: O CHALLENGE id 184 len 30 from "ciscoACS2"
*Mar  1 02:28:53.391: Se0/0 CHAP: I CHALLENGE id 181 len 29 from "ciscoACS"
*Mar  1 02:28:53.455: Se0/0 CHAP: Using hostname from interface CHAP
*Mar  1 02:28:53.455: Se0/0 CHAP: Using password from interface CHAP
*Mar  1 02:28:53.459: Se0/0 CHAP: O RESPONSE id 181 len 30 from "ciscoACS2"
*Mar  1 02:28:53.463: Se0/0 CHAP: I RESPONSE id 184 len 29 from "ciscoACS"
*Mar  1 02:28:53.483: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar  1 02:28:53.535: Se0/0 PPP: Received LOGIN Response FAIL
*Mar  1 02:28:53.543: Se0/0 CHAP: O FAILURE id 184 len 25 msg is "Authentication failed"

-----------------------------------------------------------------------------------------------

Router-A configuration (with TACACS+ for PPP -> NOT WORKING)

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router-A
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication ppp ACS_PPP_AUTHENTICATION group tacacs+
aaa authorization network ACS_NET_AUTHORIZATION group tacacs+
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.1.3 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
ip address 10.0.0.1 255.255.255.254
encapsulation ppp
clock rate 2000000
ppp authentication chap ACS_PPP_AUTHENTICATION
ppp authorization ACS_NET_AUTHORIZATION
ppp chap hostname ciscoACS
ppp chap password 0 ciscoACS
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
!
ip http server
no ip http secure-server
!
!
!
!
tacacs-server host 172.16.1.254 key ciscoACS
tacacs-server directed-request
radius-server host 172.16.1.254 auth-port 1645 acct-port 1646 key ciscoACS
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
end

-----------------------------------------------------------------------------------------------

Router-B configuration (with TACACS+ for PPP -> NOT WORKING)

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router-B
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication ppp ACS_PPP_AUTHENTICATION group tacacs+
aaa authorization network ACS_NET_AUTHORIZATION group tacacs+
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.1.4 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
ip address 10.0.0.2 255.255.255.254
encapsulation ppp
clock rate 2000000
ppp authentication chap ACS_PPP_AUTHENTICATION
ppp authorization ACS_NET_AUTHORIZATION
ppp chap hostname ciscoACS2
ppp chap password 0 ciscoACS
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip http server
no ip http secure-server
!
!
!
!
tacacs-server host 172.16.1.254 key ciscoACS
tacacs-server directed-request
radius-server host 172.16.1.254 auth-port 1645 acct-port 1646 key ciscoACS
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

-----------------------------------------------------------------------------------------------

Router-A configuration (with RADIUS for PPP -> WORKING)

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router-A
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication ppp ACS_PPP_AUTHENTICATION group radius
aaa authorization network ACS_NET_AUTHORIZATION group radius
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.1.3 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
ip address 10.0.0.1 255.255.255.254
encapsulation ppp
clock rate 2000000
ppp authentication chap ACS_PPP_AUTHENTICATION
ppp authorization ACS_NET_AUTHORIZATION
ppp chap hostname ciscoACS
ppp chap password 0 ciscoACS
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
!
ip http server
no ip http secure-server
!
!
!
!
tacacs-server host 172.16.1.254 key ciscoACS
tacacs-server directed-request
radius-server host 172.16.1.254 auth-port 1645 acct-port 1646 key ciscoACS
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
end

-----------------------------------------------------------------------------------------------

Router-B configuration (with RADIUS for PPP -> WORKING)

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router-B
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication ppp ACS_PPP_AUTHENTICATION group radius
aaa authorization network ACS_NET_AUTHORIZATION group radius
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.1.4 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
ip address 10.0.0.2 255.255.255.254
encapsulation ppp
clock rate 2000000
ppp authentication chap ACS_PPP_AUTHENTICATION
ppp authorization ACS_NET_AUTHORIZATION
ppp chap hostname ciscoACS2
ppp chap password 0 ciscoACS
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip http server
no ip http secure-server
!
!
!
!
tacacs-server host 172.16.1.254 key ciscoACS
tacacs-server directed-request
radius-server host 172.16.1.254 auth-port 1645 acct-port 1646 key ciscoACS
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

-----------------------------------------------------------------------------------------------

2 Replies

OK, OK, I admit it was my fault not to use that common and sometimes strangely new feature, probably older than me, called "SEARCH".

I checked another discussion regarding the same subject, and it turned out, according to their knowledge, that ACS 5.x manages

  • TACACS+ only for Device Administration
  • RADIUS for Network Access

Any other way doesn't work... any other opinion? (I just can't get past the fact that Cisco doesn't let you use TACACS+ for PPP authentication... does anybody know why?)

UPDATE: I was able to authenticate with PPP and CHAP against another shareware server... is it certain that Cisco ACS doesn't allow this at all???
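To make concrete what the "Sent CHAP LOGIN Request" / "Received LOGIN Response FAIL" lines in the debug mean, here is an added example (not code from the original post, and not Cisco ACS code) of the check any AAA server has to perform behind `aaa authentication ppp ... group tacacs+` or `group radius`: recompute the RFC 1994 CHAP response, MD5(Identifier || secret || Challenge), for the peer name it was given and compare it with the response the router forwarded. The peer names (ciscoACS, ciscoACS2), CHAP ids (231, 234) and password (ciscoACS) are taken from the posted configs and debug; the challenge bytes and the in-memory credential store are constructed for the example. Note that the name the server must look up is the peer's `ppp chap hostname`, not the router's `hostname`.

```python
"""Added example, not code from the original post or from Cisco ACS: an RFC 1994
CHAP verifier plus the two-way exchange seen in the posted debug output.

Peer names, CHAP ids and password come from the posted configs; challenge bytes
and the credential store are constructed for the example.
"""
import hashlib
import hmac
import os

# Constructed stand-in for the AAA server's credential store, keyed by the
# peer's `ppp chap hostname`. The verifier needs the cleartext CHAP secret
# (or a reversibly stored copy): MD5(id || secret || challenge) cannot be
# checked against a one-way password hash.
PEER_SECRETS = {
    "ciscoACS": "ciscoACS",   # Router-A: ppp chap hostname ciscoACS / password ciscoACS
    "ciscoACS2": "ciscoACS",  # Router-B: ppp chap hostname ciscoACS2 / password ciscoACS
}


def chap_response(chap_id: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 2.2: Response Value = MD5(Identifier || secret || Challenge Value)."""
    if not 0 <= chap_id <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([chap_id]) + secret.encode() + challenge).digest()


def verify_chap(name: str, chap_id: int, challenge: bytes, response: bytes,
                secrets: dict = PEER_SECRETS) -> bool:
    """Server side of the 'Sent CHAP LOGIN Request' step: recompute and compare."""
    secret = secrets.get(name)
    if secret is None:
        return False  # unknown peer name -> LOGIN Response FAIL
    expected = chap_response(chap_id, secret, challenge)
    return hmac.compare_digest(expected, response)  # constant-time comparison


def run_exchange(server_secrets: dict,
                 a_password: str = "ciscoACS",
                 b_password: str = "ciscoACS") -> dict:
    """Two-way CHAP as in the posted debug: Router-A (ciscoACS) challenges with
    id 231, Router-B (ciscoACS2) with id 234, and each router forwards the
    peer's response to the AAA server. Returns the verdict each router gets
    back, i.e. its 'Received LOGIN Response PASS/FAIL' line."""
    a_challenge = os.urandom(16)  # constructed; the debug does not show challenge bytes
    b_challenge = os.urandom(16)
    # Router-B answers Router-A's challenge (id 231) with its own name and password.
    b_response = chap_response(231, b_password, a_challenge)
    # Router-A answers Router-B's challenge (id 234).
    a_response = chap_response(234, a_password, b_challenge)

    def verdict(ok: bool) -> str:
        return "PASS" if ok else "FAIL"

    return {
        "Router-A": verdict(verify_chap("ciscoACS2", 231, a_challenge, b_response, server_secrets)),
        "Router-B": verdict(verify_chap("ciscoACS", 234, b_challenge, a_response, server_secrets)),
    }


if __name__ == "__main__":
    print("server knows both peers :", run_exchange(PEER_SECRETS))
    print("server knows no peers   :", run_exchange({}))
    print("Router-B wrong password :", run_exchange(PEER_SECRETS, b_password="wrong"))
```

Running the block prints three verdict maps: PASS/PASS when the server holds both peers' secrets, FAIL/FAIL when it has no matching entry, and FAIL on Router-A only when Router-B answers with the wrong password. The FAIL cases reproduce only the shape of the posted debug (a FAIL from the server followed by the router's "O FAILURE ... Authentication failed"); which of these the ACS service-selection setup actually hit is not something the example can tell. Two practical caveats follow from the check itself: the server must keep the CHAP secret recoverable, and anyone who captures a challenge/response pair on the link can brute-force that secret offline, so CHAP passwords like the lab's `ciscoACS` should not be reused outside a lab.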
