01-16-2012 11:03 PM - edited 03-10-2019 06:43 PM
Good day,
I'm trying to configure TACACS+ per VRF but with no luck. I have been using the docs from Cisco; can somebody help me check whether my config is correct?
Here is my current config:
!
aaa group server tacacs+ tacacs1
 server-private 183.x.x.x key 7 XXXXXX
 ip vrf forwarding NMS
 ip tacacs source-interface Vlan89
!
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
!
ip vrf NMS
 description OOB NMS VRF
 rd 110:100
!
interface Vlan89
 description to DIA monitoring
 ip vrf forwarding NMS
 ip address 183.109.191.11 255.255.255.0
end
ip vrf NMS
thanks
01-17-2012 07:24 AM
Hello Lester,
Please refer to the following configuration:
aaa group server tacacs+ vrftacacs
 server-private x.x.x.y key XXXX
 ip vrf forwarding mgmtVrf
 ip tacacs source-interface FastEthernet1
!
aaa authentication login default group vrftacacs local
aaa authentication enable default group vrftacacs enable
!
ip vrf mgmtVrf
!
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 ip address x.x.x.x y.y.y.y
 speed auto
 duplex auto
!
ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 z.z.z.z
It seems that you are missing the appropriate "TACACS+ Group" on the AAA statements. You are using "group tacacs+" instead of the appropriate one that should be "group tacacs1".
Please let us know the results.
Regards.
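The point above (the method lists must name the VRF-bound server group, not the built-in "tacacs+" group) is easy to miss in a long running-config, so here is a small checker, added as an example and not part of this thread or of any Cisco tool. It parses an indented IOS-style config, confirms that each VRF-bound server group references a defined VRF and a source interface that sits in that VRF, and reports every method list whose "group" entry has no servers behind it, together with the method IOS would fall through to. The sample config and its addresses are constructed to mirror the shape of the first post; the group names, VRF name and interface are the thread's own.

```python
import re

# Constructed sample in the shape of the thread's first config (documentation
# addresses, placeholder key; not the poster's values). The AAA method lists
# reference the built-in "tacacs+" group instead of the VRF-bound "tacacs1".
SAMPLE_CONFIG = """\
aaa group server tacacs+ tacacs1
 server-private 192.0.2.10 key 7 PLACEHOLDER
 ip vrf forwarding NMS
 ip tacacs source-interface Vlan89
!
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ none
!
ip vrf NMS
 rd 110:100
!
interface Vlan89
 ip vrf forwarding NMS
 ip address 192.0.2.11 255.255.255.0
"""
# Same config with the authentication lists pointed at the VRF-bound group.
FIXED_CONFIG = SAMPLE_CONFIG.replace("default group tacacs+ enable", "default group tacacs1 enable")

METHOD_KEYWORDS = {"group", "local", "local-case", "enable", "none", "line", "if-authenticated"}


def parse_config(text):
    """Pull the AAA-relevant pieces out of an indented IOS running-config."""
    cfg = {"groups": {}, "vrfs": set(), "global_servers": [], "interfaces": {}, "lists": []}
    block = None  # ("group", dict) or ("intf", dict) while inside an indented block
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            block = None
            continue
        if raw.startswith(" ") and block is not None:   # sub-command of the current block
            kind, d = block
            sub = raw.strip()
            if (m := re.match(r"server(?:-private)? (\S+)", sub)) and kind == "group":
                d["servers"].append(m.group(1))
            elif m := re.match(r"ip vrf forwarding (\S+)", sub):
                d["vrf"] = m.group(1)
            elif (m := re.match(r"ip tacacs source-interface (\S+)", sub)) and kind == "group":
                d["source"] = m.group(1)
            continue
        block, toks = None, raw.split()
        if toks[:4] == ["aaa", "group", "server", "tacacs+"]:
            block = ("group", cfg["groups"].setdefault(toks[4], {"servers": [], "vrf": None, "source": None}))
        elif toks[0] == "interface":
            block = ("intf", cfg["interfaces"].setdefault(toks[1], {"vrf": None}))
        elif toks[:2] == ["ip", "vrf"] and len(toks) == 3:
            cfg["vrfs"].add(toks[2])
        elif toks[:2] == ["tacacs-server", "host"]:
            cfg["global_servers"].append(toks[2])   # members of the built-in "tacacs+" group
        elif toks[0] == "aaa" and toks[1] in ("authentication", "authorization", "accounting"):
            # methods begin at the first method keyword after the service words and list name
            idx = next((i for i, t in enumerate(toks) if i >= 3 and t in METHOD_KEYWORDS), None)
            if idx is None:
                continue
            methods, i = [], idx
            while i < len(toks):
                methods.append(("group", toks[i + 1]) if toks[i] == "group" else (toks[i], None))
                i += 2 if toks[i] == "group" else 1
            cfg["lists"].append({"type": toks[1], "service": " ".join(toks[2:idx - 1]),
                                 "name": toks[idx - 1], "methods": methods})
    return cfg


def lint(cfg):
    """Findings on VRF binding of server groups and on where each method list falls through."""
    out = []
    for name, g in cfg["groups"].items():
        if g["vrf"] and g["vrf"] not in cfg["vrfs"]:
            out.append(f"group {name}: VRF {g['vrf']} is not defined with 'ip vrf'")
        if g["vrf"] and g["source"] and cfg["interfaces"].get(g["source"], {}).get("vrf") != g["vrf"]:
            out.append(f"group {name}: source-interface {g['source']} is not in VRF {g['vrf']}")
        if not g["servers"]:
            out.append(f"group {name}: no servers defined")
    for ml in cfg["lists"]:
        for i, (kind, grp) in enumerate(ml["methods"]):
            if kind != "group":
                continue
            servers = cfg["global_servers"] if grp == "tacacs+" else cfg["groups"].get(grp, {}).get("servers", [])
            if servers:
                continue
            rest = ml["methods"][i + 1:]
            nxt = rest[0][0] if rest else "(nothing: the request fails)"
            msg = f"{ml['type']} {ml['service']} list {ml['name']}: 'group {grp}' has no servers, next method is '{nxt}'"
            if ml["type"] == "authorization" and nxt == "none":
                msg += " => commands would be permitted without any server check"
            out.append(msg)
    return out


if __name__ == "__main__":
    print("\n".join(lint(parse_config(SAMPLE_CONFIG))))
```

Run against the sample as posted, all three method lists are flagged; after the authentication lists are repointed at "tacacs1" only the "aaa authorization commands ... group tacacs+ none" line remains, which is worth noticing because a "group" with no servers behind it leaves "none" as the effective authorization method.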
01-17-2012 08:19 AM
Dear Carlos,
Appreciate your reply. Unfortunately it is still not working, but it is halfway to being resolved now. Here is the screen capture.
If I telnet into the router, it first asks for the local account password, and after I enter enable for privileged mode it asks for the ACS account. Below is the current config.
UNAUTHORISED ACCESS TO THIS SYSTEM IS STRICTLY PROHIBITED
All data and information held on or in, or generated by this system is
proprietary and confidential. Any unauthorised use or unauthorised
disclosure of such information is strictly prohibited. Violators will be
prosecuted to the fullest extent of local, state and federal laws.
User Access Verification
Password:
Session activated. Enter commands at the prompt.
You have entered crt-tw1-602. on line 450 ()
crt-tw1-602>ena
Username ACS:lesterm.admin
Password:
crt-tw1-602#
Current config:
aaa group server tacacs+ tacacs1
 server-private 183.x.x.x key 7 xxxxxxxx
 ip vrf forwarding NMS
 ip tacacs source-interface Vlan89
!
aaa authentication login default group tacacs1 enable
aaa authentication enable default group tacacs1 enable
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
01-17-2012 08:23 AM
Lester,
The first "password" prompt you get is for the local enable password? We might need to enable "Debug aaa authentication" and "debug tacacs" and recreate the issue.
Please, share the outputs with us.
Regards.
01-17-2012 08:31 AM
Thanks Carlos,
I followed your suggestion; I think the only change needed is in the aaa authentication statement.
I'm very careful about changing the aaa statements and don't want to change them without your expert advice: the router is located in a different country and nobody will reboot it if I lose the connection.
The first "password" prompt you get is for the local enable password? We might need to enable "Debug aaa authentication" and "debug tacacs" and recreate the issue.
Answer: yes, it first asks for the local password.
Below is the debug:
AAA Authentication debugging is on
crt-tw1-602#
*Jan 18 00:39:40: AAA/BIND(00000084): Bind i/f
*Jan 18 00:39:40: AAA/AUTHEN/LOGIN (00000084): Pick method list 'default'
*Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN
*Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Done status GET_PASSWORD
*Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN
*Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Done status PASS
*Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1
*Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0
*Jan 18 00:39:54: AAA/MEMORY: create_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
*Jan 18 00:39:54: AAA/MEMORY: free_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
*Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1
*Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0
*Jan 18 00:39:54: AAA/MEMORY: create_user (0x7067DF54) user='NULL' ruser='NULL' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): port='tty450' list='' action=LOGIN service=ENABLE
*Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): using "default" list
*Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): Method=tacacs1 (tacacs+)
*Jan 18 00:39:54: TAC+: send AUTHEN/START packet ver=192 id=-165001963
*Jan 18 00:39:54: TAC+: ver=192 id=-165001963 received AUTHEN status = GETUSER
*Jan 18 00:39:54: AAA/AUTHEN(4129965333): Status=GETUSER
*Jan 18 00:40:06: AAA/AUTHEN/CONT (4129965333): continue_login (user='(undef)')
*Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETUSER
*Jan 18 00:40:06: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)
*Jan 18 00:40:06: TAC+: send AUTHEN/CONT packet id=-165001963
*Jan 18 00:40:06: TAC+: ver=192 id=-165001963 received AUTHEN status = GETPASS
*Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETPASS
*Jan 18 00:40:09: AAA/AUTHEN/CONT (4129965333): continue_login (user='lesterm.admin')
*Jan 18 00:40:09: AAA/AUTHEN(4129965333): Status=GETPASS
*Jan 18 00:40:09: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)
*Jan 18 00:40:09: TAC+: send AUTHEN/CONT packet id=-165001963
*Jan 18 00:40:10: TAC+: ver=192 id=-165001963 received AUTHEN status = PASS
*Jan 18 00:40:10: AAA/AUTHEN(4129965333): Status=PASS
*Jan 18 00:40:10: AAA/MEMORY: free_user (0x7067DF54) user='lesterm.admin' ruser='NULL' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
crt-tw1-602#
crt-tw1-602#debug tacacs
TACACS access control debugging is on
crt-tw1-602#
*Jan 18 00:41:44: TPLUS: Queuing AAA Authentication request 133 for processing
*Jan 18 00:41:44: TPLUS: processing authentication start request id 133
*Jan 18 00:41:44: TPLUS: Authentication start packet created for 133()
*Jan 18 00:41:44: TPLUS: Using server 183.111.21.100
*Jan 18 00:41:44: TPLUS(00000085)/0/NB_WAIT/7050EE30: Started 5 sec timeout
*Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out
*Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out, clean up
*Jan 18 00:41:49: TPLUS(00000085)/0/7050EE30: Processing the reply packet
*Jan 18 00:41:58: TAC+: no tacacs servers defined in group "tacacs+"
*Jan 18 00:41:58: TAC+: send AUTHEN/START packet ver=192 id=1096121892
*Jan 18 00:41:58: TAC+: Using default tacacs server-group "tacacs1" list.
*Jan 18 00:41:58: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5
*Jan 18 00:41:58: TAC+: Opened TCP/IP handle 0x7065A0B8 to 183.111.21.100/49 using source 183.109.191.11
*Jan 18 00:41:58: TAC+: 183.111.21.100 (1096121892) AUTHEN/START/LOGIN/ASCII queued
*Jan 18 00:41:58: TAC+: (1096121892) AUTHEN/START/LOGIN/ASCII processed
*Jan 18 00:41:58: TAC+: ver=192 id=1096121892 received AUTHEN status = GETUSER
*Jan 18 00:42:02: TAC+: send AUTHEN/CONT packet id=1096121892
*Jan 18 00:42:02: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued
*Jan 18 00:42:02: TAC+: (1096121892) AUTHEN/CONT processed
*Jan 18 00:42:02: TAC+: ver=192 id=1096121892 received AUTHEN status = GETPASS
*Jan 18 00:42:09: TAC+: send AUTHEN/CONT packet id=1096121892
*Jan 18 00:42:09: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued
*Jan 18 00:42:10: TAC+: (1096121892) AUTHEN/CONT processed
*Jan 18 00:42:10: TAC+: ver=192 id=1096121892 received AUTHEN status = FAIL
*Jan 18 00:42:10: TAC+: Closing TCP/IP 0x7065A0B8 connection to 183.111.21.100/49
*Jan 18 00:42:12: TAC+: no tacacs servers defined in group "tacacs+"
*Jan 18 00:42:12: TAC+: send AUTHEN/START packet ver=192 id=-1420048987
*Jan 18 00:42:12: TAC+: Using default tacacs server-group "tacacs1" list.
*Jan 18 00:42:12: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5
*Jan 18 00:42:12: TAC+: Opened TCP/IP handle 0x62741B98 to 183.111.21.100/49 using source 183.109.191.11
*Jan 18 00:42:12: TAC+: 183.111.21.100 (2874918309) AUTHEN/START/LOGIN/ASCII queued
*Jan 18 00:42:12: TAC+: (2874918309) AUTHEN/START/LOGIN/ASCII processed
*Jan 18 00:42:12: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETUSER
*Jan 18 00:42:16: TAC+: send AUTHEN/CONT packet id=-1420048987
*Jan 18 00:42:16: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued
*Jan 18 00:42:16: TAC+: (2874918309) AUTHEN/CONT processed
*Jan 18 00:42:16: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETPASS
*Jan 18 00:42:19: TAC+: send AUTHEN/CONT packet id=-1420048987
*Jan 18 00:42:19: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued
*Jan 18 00:42:20: TAC+: (2874918309) AUTHEN/CONT processed
*Jan 18 00:42:20: TAC+: ver=192 id=-1420048987 received AUTHEN status = PASS
*Jan 18 00:42:20: TAC+: Closing TCP/IP 0x62741B98 connection to 183.111.21.100/49
crt-tw1-602#
crt-tw1-602#
01-17-2012 08:54 AM
Hello Lester,
Do you have "tacacs-server" commands on your running configuration? For example:
tacacs-server host 1.1.1.1 key cisco123
tacacs-server host 2.2.2.2 key cisco123
tacacs-server timeout 10
If not, can you define your TACACS+ server IP address and key as described above?
Regards.
01-18-2012 11:30 AM
Hello Lester,
Were you able to test my last suggestion and test again?
Regards.
01-18-2012 03:42 PM
Dear Carlos,
I tried your first suggestion on a different (2nd) router and it is working; the only difference is the IOS. Then I configured it again on my 3rd router, with the same IOS as my 1st router, and it failed again with the same error.
c3845-ipbase-mz.124-17b.bin - working
c3845-ipbase-mz.124-17a.bin - not working
My working config is below:
!
aaa group server tacacs+ tacacs1
 server-private 183.111.21.100 key 7 08701E430E1F100D08025C5D
 ip vrf forwarding NMS
 ip tacacs source-interface Vlan89
!
aaa authentication login default group tacacs1 enable
aaa authentication enable default group tacacs1 enable
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
!
I'm just thinking this is due to the IOS? Any advice?
Thanks
01-18-2012 03:55 PM
Lester,
Now that you shared the working and non-working IOS versions I was able to find the root cause of the issue: a bug.
Bug: VRF aware tacacs config does not work
Symptom: TACACS+ authentication fails for all users.
Conditions: Occurs only in VRF TACACS+ setup, when the ip vrf forwarding <vrf name> command is configured for the AAA TACACS+ server group under aaa group server tacacs+.
Workaround: There is no workaround.
IOS version 12.4(17a) is listed as a known affected version while 12.4(17b) is listed as a fixed version. Great approach testing the configuration on another IOS Version.
Best Regards.
01-18-2012 04:25 PM
Dear Carlos,
I really appreciate your kind help and expertise.
Have a nice day.
Regards,
Lester