Tacacs authentication problem.

rcapao
Level 1

Hi,

I have a network with several layer 2 switches (c2960) attached to a layer 3 switch (c3750).

All these switches are behind a firewall (ASA 5510), and the firewall is connected to a c3810 router.

I have an ACS v4.x to use as a TACACS server.

On all the equipment I have AAA authentication with TACACS, and VLANs.

To test the TACACS authentication on the switch, I created a bypass around the firewall and connected the network (using a management VLAN) to the router.

With this scenario the TACACS authentication works.

If I disconnect the bypass, all the traffic crosses the firewall, but then TACACS no longer works on the switch.

I do not understand why!

I have another problem, this time with the firewall.

I configured TACACS and AAA on the firewall, as advised by Cisco.

But it seems that it doesn't work!

In these two cases only local authentication works.

Can you help me, please?

Thanks in advance,

Rui Oliveira

5 Replies

maldehne
Cisco Employee

What can you see in the failed attempts when you are trying to log in to the switch?

Also, what can you see in the failed attempts when you are not able to log in to the FW?

Hi,

I am doing tests in a lab.

So, the addresses presented here are not Internet routable.

I'm doing the tests with a switch that has the IP address 10.183.0.60.

My ACS has IP 172.16.20.10 and the standard port for TACACS is tcp/49.

I am sending the log file that I took from my firewall.

Thanks,

Rui

Hi,

I am doing tests in a lab.

So, the addresses presented here are not Internet routable.

The TACACS configuration on the ASA is:

aaa-server TACACS protocol tacacs+
aaa-server TACACS (OUT_MANGMT) host 172.16.20.10
key mykey
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authorization command LOCAL
aaa accounting enable console TACACS
aaa accounting telnet console TACACS
aaa accounting ssh console TACACS
aaa local authentication attempts max-fail 5
aaa authorization exec LOCAL

I'm doing the tests with an ASA with the IP address 10.183.0.61.

This address is seen from the outside, but I do a NAT between 10.183.0.61 and the IP address 192.168.100.2 on TCP/23.

Besides that, I have an interface called OUT_MANGMT with IP address 192.168.100.2.

I have another interface called GESTAO, with IP address 10.183.0.61.

This interface GESTAO is connected to a management VLAN.

My ACS has IP 172.16.20.10 and the standard port for TACACS is tcp/49.

I am sending the log file that I took from my firewall.

Thanks,

Rui

Can you please capture a sniffer trace on the ACS side while the issue is happening?

Also provide the TACACS+ key to decrypt the TACACS+ payload.

Hi,

I cannot do that, because the ACS is in a network that I do not control.

So it will be very, very difficult to sniff the traffic on that network, particularly to and from the ACS.

But I think this problem is not in the ACS, because if I have the switch authenticate without crossing the firewall (using the bypass), I have no problem authenticating with the TACACS server.

On the other hand, if I go through the firewall to reach the TACACS server, I do not succeed in authenticating with that server.

From these observations, I take it that I could have some kind of problem in the ASA that does not let me authenticate properly with the TACACS server.

If I am doing something wrong, what is it? Is it configuration? Is it network design?

Can someone help me with this?

Thanks in advance,

Rui
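The thread never gets to the log file Rui mentions, so here is the check a practitioner would run on it. This is an added example, not code from the thread or from Cisco: it reads ASA syslog lines and tells, per TACACS+ (tcp/49) flow, what the firewall did with it. The four message formats used are the standard ASA ones (106023 = denied by an interface ACL, 305005 = dropped because no NAT rule matched, 302013 = connection built, 302014 = connection torn down with a reason such as "SYN Timeout"). The sample log lines are constructed for the example using the thread's lab addresses; the ACL name GESTAO_in, the connection IDs and the mapped source address 192.168.100.2 are assumptions, since the posted config only shows a NAT for tcp/23 and says nothing about how outbound tcp/49 is translated. The point the example makes, which the switch-versus-bypass symptom alone cannot: if the session actually completes through the ASA, the ACS saw the translated source address rather than 10.183.0.60, and ACS 4.x matches the AAA client (and its key) on that address; the same applies to the ASA's own `aaa-server TACACS (OUT_MANGMT)` traffic, which leaves from the OUT_MANGMT interface address.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

TACACS_PORT = 49

# ASA syslog formats: 106023 ACL drop, 305005 no NAT rule, 302013 built, 302014 teardown.
RE_DENY = re.compile(
    r'%ASA-4-106023: Deny tcp src (?P<sif>[^\s:]+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^\s:]+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
RE_NONAT = re.compile(
    r'%ASA-3-305005: No translation group found for tcp src (?P<sif>[^\s:]+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^\s:]+):(?P<dip>[\d.]+)/(?P<dport>\d+)')
RE_BUILT = re.compile(
    r'%ASA-6-302013: Built (?:inbound|outbound) TCP connection (?P<id>\d+) '
    r'for (?P<fif>[^\s:]+):(?P<fip>[\d.]+)/(?P<fport>\d+) \((?P<fmip>[\d.]+)/(?P<fmport>\d+)\) '
    r'to (?P<tif>[^\s:]+):(?P<tip>[\d.]+)/(?P<tport>\d+) \((?P<tmip>[\d.]+)/(?P<tmport>\d+)\)')
RE_TEARDOWN = re.compile(
    r'%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for \S+ to \S+ '
    r'duration (?P<dur>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$')

# Constructed sample (not the poster's real log): switch 10.183.0.60 on GESTAO,
# ACS 172.16.20.10 behind OUT_MANGMT, outbound source translated to 192.168.100.2.
SAMPLE_LOG = """
%ASA-4-106023: Deny tcp src GESTAO:10.183.0.60/40211 dst OUT_MANGMT:172.16.20.10/49 by access-group "GESTAO_in" [0x0, 0x0]
%ASA-3-305005: No translation group found for tcp src GESTAO:10.183.0.60/40212 dst OUT_MANGMT:172.16.20.10/49
%ASA-6-302013: Built outbound TCP connection 1187 for OUT_MANGMT:172.16.20.10/49 (172.16.20.10/49) to GESTAO:10.183.0.60/40213 (192.168.100.2/1025)
%ASA-6-302014: Teardown TCP connection 1187 for OUT_MANGMT:172.16.20.10/49 to GESTAO:10.183.0.60/40213 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 1188 for OUT_MANGMT:172.16.20.10/49 (172.16.20.10/49) to GESTAO:10.183.0.60/40214 (192.168.100.2/1026)
%ASA-6-302014: Teardown TCP connection 1188 for OUT_MANGMT:172.16.20.10/49 to GESTAO:10.183.0.60/40214 duration 0:00:01 bytes 412 TCP FINs
%ASA-6-302013: Built outbound TCP connection 1189 for OUT_MANGMT:10.0.0.5/443 (10.0.0.5/443) to GESTAO:10.183.0.60/40215 (192.168.100.2/1027)
"""


@dataclass
class Finding:
    verdict: str            # acl_deny | no_nat | syn_timeout | passed
    client: str             # real client address/port (switch, or the ASA itself)
    server: str             # TACACS+ server address/port
    seen_as: Optional[str]  # source address the ACS saw after NAT, if the flow was built
    detail: str


def triage_tacacs(log_text: str, tacacs_port: int = TACACS_PORT) -> List[Finding]:
    """Classify every TACACS+ flow the ASA logged, in log order."""
    findings: List[Finding] = []
    open_conns = {}  # connection id -> 302013 match, kept until its 302014 arrives
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RE_DENY.match(line)
        if m:
            if int(m["dport"]) == tacacs_port:
                findings.append(Finding("acl_deny", f"{m['sip']}/{m['sport']}", f"{m['dip']}/{m['dport']}",
                                        None, f"dropped by access-group {m['acl']} on interface {m['sif']}"))
            continue
        m = RE_NONAT.match(line)
        if m:
            if int(m["dport"]) == tacacs_port:
                findings.append(Finding("no_nat", f"{m['sip']}/{m['sport']}", f"{m['dip']}/{m['dport']}",
                                        None, f"dropped: no NAT rule for {m['sif']} -> {m['dif']}"))
            continue
        m = RE_BUILT.match(line)
        if m:
            if tacacs_port in (int(m["fport"]), int(m["tport"])):
                open_conns[m["id"]] = m
            continue
        m = RE_TEARDOWN.match(line)
        if m and m["id"] in open_conns:
            b = open_conns.pop(m["id"])
            # The side carrying the server port is the ACS; the other side's mapped
            # address (in parentheses in 302013) is what the ACS saw as the client.
            if int(b["fport"]) == tacacs_port:
                server, client, seen_as = f"{b['fip']}/{b['fport']}", f"{b['tip']}/{b['tport']}", b["tmip"]
            else:
                server, client, seen_as = f"{b['tip']}/{b['tport']}", f"{b['fip']}/{b['fport']}", b["fmip"]
            reason = m["reason"].strip()
            if reason == "SYN Timeout" and int(m["bytes"]) == 0:
                findings.append(Finding("syn_timeout", client, server, seen_as,
                                        f"ASA forwarded the SYN but no SYN/ACK came back: check the route back to "
                                        f"{seen_as} on the ACS side and that the ACS listens on tcp/{tacacs_port}"))
            else:
                findings.append(Finding("passed", client, server, seen_as,
                                        f"TCP session completed through the ASA ({m['bytes']} bytes, {reason}); "
                                        f"the ACS saw the client as {seen_as}, which must match its AAA-client entry and key"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count verdicts so a long log reduces to one line per failure mode."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_tacacs(SAMPLE_LOG)
    for f in results:
        print(f"{f.verdict:12} {f.client} -> {f.server}  {f.detail}")
    print(summarize(results))
```

Feed it the ASA's buffered or syslog-collected log (logging at level 6 is needed for the 302013/302014 pair). A verdict of acl_deny or no_nat is fixed on the ASA; syn_timeout points at the path back from the ACS to the mapped address; passed means the firewall is not the culprit and the ACS-side AAA client definition for the address in seen_as is the next thing to check.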
