10-14-2013 05:51 AM - edited 03-04-2019 09:18 PM
Hi,
I have implemented OSPF and configured tacacs server for central logging and it worked fine. Now, I have changed the dynamic routing protocol to EIGRP but I couldn't get the username and password screen while trying to log in to the router. When I try to log in, the router asks for the password, not the username. The EIGRP is working fine but tacacs is not working. What may be the problem? Please help.
Regards,
Mero
10-14-2013 06:25 AM
Hi,
Can you post the aaa config along with tacacs config as well as sh ip route output.
Regards
Alain
Don't forget to rate helpful posts.
10-15-2013 03:51 AM
Hi Alain,
Please look at the following config files:
Router1# show run
Building configuration...
aaa new-model
!
!
aaa authentication login vtymethod group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default stop-only group tacacs+
!
aaa session-id common
!
tacacs-server host y.y.y.y
tacacs-server directed-request
tacacs-server key adklfna;dnf
ip tacacs source-interface Loopback0
line vty 0 4
password sfafasf
logging synchronous
login authentication vtymethod
transport input telnet ssh
Router1# show ip route
D*EX 0.0.0.0/0 [170/258816] via x.x.x.x, 00:01:26, FastEthernet0/1
Regards,
Mero
10-15-2013 03:58 AM
Hi,
Can you ping the tacacs server sourcing from loopback0 ?
Regards
Alain
Don't forget to rate helpful posts.
10-15-2013 04:11 AM
Hi Mero,
It seems like your tacacs server is unreachable. Try to ping your tacacs server with source loopback 0. As your tacacs server is unreachable, devices are asking for the password configured under the line vty statement.
Regards,
Ashish Shirkar
10-15-2013 05:04 AM
Mero tells us that this problem started when he changed from using OSPF to using EIGRP. I wonder if perhaps he does not have a network statement that includes his loopback address? Perhaps he can provide clarification on this?
HTH
Rick
10-16-2013 12:35 AM
Hi Everyone,
I can ping from the loopback interface, what may be the problem?
Regards,
Mero
10-16-2013 05:02 AM
Mero
Is it possible that while changing the routing protocol that you also changed the IP address of the loopback interface?
It might shed some light on the issue if you post the output of show tacacs.
If that does not identify the problem then I would ask that you run debug aaa authentication and debug tacacs and to post the output of debug generated when you attempt to login and to authenticate.
HTH
Rick
10-18-2013 10:56 PM
Hi Burts,
Thanks for your kind reply. Please read the following output:
Router1#show tacacs
Tacacs+ Server : x.x.x.x/49
Socket opens: 145
Socket closes: 145
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 58
Total Packets Sent: 51
Total Packets Recv: 49
Debugging Output:
*Oct 19 05:38:08.499: AAA/BIND(00000016): Bind i/f
*Oct 19 05:38:08.499: AAA/AUTHEN/LOGIN (00000016): Pick method list 'vtymethod'
*Oct 19 05:38:08.499: TPLUS: Queuing AAA Authentication request 22 for processing
*Oct 19 05:38:08.503: TPLUS: processing authentication start request id 22
*Oct 19 05:38:08.503: TPLUS: Authentication start packet created for 22()
*Oct 19 05:38:08.503: AAA/AUTHEN/ENABLE(00000016): Processing request action LOGIN
*Oct 19 05:38:08.503: AAA/AUTHEN/ENABLE(00000016): Done status GET_PASSWORD
*Oct 19 05:38:11.151: AAA/AUTHEN/ENABLE(00000016): Processing request action LOGIN
*Oct 19 05:38:11.167: AAA/AUTHEN/ENABLE(00000016): Done status PASS
*Oct 19 05:38:11.171: TPLUS: Queuing AAA Authorization request 22 for processing
*Oct 19 05:38:11.171: TPLUS: processing authorization request id 22
*Oct 19 05:38:11.171: TPLUS: Protocol set to None .....Skipping
*Oct 19 05:38:11.171: TPLUS: Sending AV service=shell
*Oct 19 05:38:11.171: TPLUS: Sending AV cmd*
*Oct 19 05:38:11.171: TPLUS: Authorization request created for 22()
*Oct 19 05:38:12.391: AAA: parse name=tty195 idb type=-1 tty=-1
*Oct 19 05:38:12.391: AAA: name=tty195 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=195 channel=0
*Oct 19 05:38:12.391: AAA/MEMORY: create_user (0x63D52928) user='NULL' ruser='NULL' ds0=0 port='tty195' rem_addr='x.x.x.x' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Oct 19 05:38:12.391: AAA/AUTHEN/START (3964033291): port='tty195' list='' action=LOGIN service=ENABLE
*Oct 19 05:38:12.391: AAA/AUTHEN/START (3964033291): non-console enable - default to enable password
*Oct 19 05:38:12.391: AAA/AUTHEN/START (3964033291): Method=ENABLE
*Oct 19 05:38:12.391: AAA/AUTHEN(3964033291): Status=GETPASS
*Oct 19 05:38:15.535: AAA/AUTHEN/CONT (3964033291): continue_login (user='(undef)')
*Oct 19 05:38:15.535: AAA/AUTHEN(3964033291): Status=GETPASS
*Oct 19 05:38:15.535: AAA/AUTHEN/CONT (3964033291): Method=ENABLE
*Oct 19 05:38:15.551: AAA/AUTHEN(3964033291): Status=PASS
*Oct 19 05:38:15.555: AAA/MEMORY: free_user (0x63D52928) user='NULL' ruser='NULL' port='tty195' rem_addr='x.x.x.x' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
Please help,
Mero
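Added example, not part of the original posts: a small Python parser for `debug aaa authentication` output like the lines above, reporting per AAA session which method list was picked, which method produced the status, and the statuses seen. The sample is a subset of the posted lines; the function names are hypothetical, and the code assumes the tag after `AAA/AUTHEN/` on a "Done status" line names the method module that produced it.

```python
import re

# Constructed sample: a subset of the debug lines posted in this thread.
SAMPLE = """\
*Oct 19 05:38:08.499: AAA/AUTHEN/LOGIN (00000016): Pick method list 'vtymethod'
*Oct 19 05:38:08.503: AAA/AUTHEN/ENABLE(00000016): Processing request action LOGIN
*Oct 19 05:38:08.503: AAA/AUTHEN/ENABLE(00000016): Done status GET_PASSWORD
*Oct 19 05:38:11.167: AAA/AUTHEN/ENABLE(00000016): Done status PASS
*Oct 19 05:38:12.391: AAA/AUTHEN/START (3964033291): Method=ENABLE
*Oct 19 05:38:12.391: AAA/AUTHEN(3964033291): Status=GETPASS
*Oct 19 05:38:15.551: AAA/AUTHEN(3964033291): Status=PASS
"""

# "AAA/AUTHEN[/TAG] (session-id): message" with an optional tag and space.
LINE = re.compile(r"AAA/AUTHEN(?:/(?P<tag>\w+))?\s*\((?P<sid>\w+)\):\s*(?P<msg>.*)")
# Both status spellings used in the output: "Done status X" and "Status=X".
STATUS = re.compile(r"(?:(?P<done>Done status )|Status=)(?P<value>\w+)")

def summarize(debug_text):
    """Return {session_id: {"list": ..., "method": ..., "statuses": [...]}}."""
    sessions = {}
    for raw in debug_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        s = sessions.setdefault(
            m["sid"], {"list": None, "method": None, "statuses": []})
        msg = m["msg"].strip()
        if msg.startswith("Pick method list"):
            s["list"] = msg.split("'")[1]
        elif msg.startswith("Method="):
            s["method"] = msg.split("=", 1)[1].strip()
        elif (st := STATUS.match(msg)):
            if st["done"]:
                # Assumption: the tag on a "Done status" line is the method.
                s["method"] = m["tag"]
            s["statuses"].append(st["value"])
    return sessions

def password_prompt_sessions(sessions):
    """Session ids where the ENABLE method asked for a password."""
    prompts = {"GET_PASSWORD", "GETPASS"}
    return sorted(sid for sid, s in sessions.items()
                  if s["method"] == "ENABLE" and prompts & set(s["statuses"]))

if __name__ == "__main__":
    for sid, info in summarize(SAMPLE).items():
        print(sid, info)
```
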
10-20-2013 09:59 AM
Hi mero ,
Can you please check this command output on your router
test aaa group tacacs+
Regards,
Ashish Shirkar
10-20-2013 10:49 AM
The debug output that Mero posted seems to show that TACACS is working; see especially this line
*Oct 19 05:38:11.167: AAA/AUTHEN/ENABLE(00000016): Done status PASS
and this one
*Oct 19 05:38:15.551: AAA/AUTHEN(3964033291): Status=PASS*Oct 19 05:38:15.555:
So it makes me want to ask Mero for some clarification of what is happening. When I read the original post again I think that it does not say that TACACS is not working but the issue seems to be that he is prompted only for a password and not for a user name. So I would ask Mero: when you put in a password, is it the password associated with your user ID or is it the enable password?
I know that if I have logged in to a router or switch which has authenticated me and then I initiate SSH to another router or switch then I am not prompted for username but am prompted only for a password. I wonder if this is what is happening to Mero.
HTH
Rick