Dear all,
I have trouble with the integration of a Cisco ACS 4.1 on a LAN.
I cannot use the ACS for AAA.
See below the debug tacacs events and debug aaa authentication output when I try a login on the switch:
Switch#login
000193: Apr 9 15:28:22.004: AAA: parse name=tty1 idb type=-1 tty=-1
000194: Apr 9 15:28:22.004: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
000195: Apr 9 15:28:22.004: AAA/MEMORY: create_user (0x80EBEF3C) user='' ruser='' port='tty1' rem_addr='10.57.200.39' authen_type=ASCII service=LOGIN priv=15
000196: Apr 9 15:28:22.004: AAA/AUTHEN/START (1634977832): port='tty1' list='default' action=LOGIN service=LOGIN
000197: Apr 9 15:28:22.004: AAA/AUTHEN/START (1634977832): found list default
000198: Apr 9 15:28:22.004: AAA/AUTHEN/START (1634977832): Method=tacacs+ (tacacs+)
000199: Apr 9 15:28:22.004: TAC+: send AUTHEN/START packet ver=192 id=1634977832
000200: Apr 9 15:28:22.008: TAC+: Opening TCP/IP to 10.52.176.224/49 timeout=5
000201: Apr 9 15:28:22.020: TAC+: Opened TCP/IP handle 0x80ECD79C to 10.52.176.224/49
000202: Apr 9 15:28:22.020: TAC+: periodic timer started
000203: Apr 9 15:28:22.020: TAC+: 10.52.176.224 req=80D681D4 Qd id=1634977832 ver=192 handle=0x80ECD79C (ESTAB) expire=5 AUTHEN/START/LOGIN/ASCII queued
000204: Apr 9 15:28:22.132: TAC+: 10.52.176.224 ESTAB id=1634977832 wrote 36 of 36 bytes
Username:
000205: Apr 9 15:28:22.132: TAC+: 10.52.176.224 req=80D681D4 Qd id=1634977832 ver=192 handle=0x80ECD79C (ESTAB) expire=4 AUTHEN/START/LOGIN/ASCII sent
000206: Apr 9 15:28:22.220: TAC+: 10.52.176.224 ESTAB read=12 wanted=12 alloc=12 got=12
000207: Apr 9 15:28:22.220: TAC+: 10.52.176.224 ESTAB read=28 wanted=28 alloc=28 got=16
000208: Apr 9 15:28:22.220: TAC+: 10.52.176.224 received 28 byte reply for 80D681D4
000209: Apr 9 15:28:22.220: TAC+: req=80D681D4 Tx id=1634977832 ver=192 handle=0x80ECD79C (ESTAB) expire=4 AUTHEN/START/LOGIN/ASCII processed
000210: Apr 9 15:28:22.220: TAC+: periodic timer stopped (queue empty)
000211: Apr 9 15:28:22.220: TAC+: ver=192 id=1634977832 received AUTHEN status = GETUSER
000212: Apr 9 15:28:22.224: AAA/AUTHEN (1634977832): status = GETUSERL0233669
% Authentication failed.
000213: Apr 9 15:28:39.876: AAA/AUTHEN/CONT (1634977832): continue_login (user='(undef)')
000214: Apr 9 15:28:39.876: AAA/AUTHEN (1634977832): status = GETUSER
000215: Apr 9 15:28:39.876: AAA/AUTHEN (1634977832): Method=tacacs+ (tacacs+)
000216: Apr 9 15:28:39.876: TAC+: send AUTHEN/CONT packet id=1634977832
000217: Apr 9 15:28:39.876: TAC+: periodic timer started
000218: Apr 9 15:28:39.876: TAC+: 10.52.176.224 req=80EB2630 Qd id=1634977832 ver=192 handle=0x80ECD79C (ESTAB) expire=5 AUTHEN/CONT queued
000219: Apr 9 15:28:39.976: TAC+: 10.52.176.224 ESTAB id=1634977832 wrote 25 of 25 bytes
000220: Apr 9 15:28:39.976: TAC+: 10.52.176.224 req=80EB2630 Qd id=1634977832 ver=192 handle=0x80ECD79C (ESTAB) expire=4 AUTHEN/CONT sent
000221: Apr 9 15:28:39.976: TAC+: 10.52.176.224 ESTAB read=12 wanted=12 alloc=12 got=12
000222: Apr 9 15:28:39.976: TAC+: 10.52.176.224 ESTAB read=70 wanted=70 alloc=70 got=58
000223: Apr 9 15:28:39.976: TAC+: 10.52.176.224 received 70 byte reply for 80EB2630
000224: Apr 9 15:28:39.980: TAC+: req=80EB2630 Tx id=1634977832 ver=192 handle=0x80ECD79C (ESTAB) expire=4 AUTHEN/CONT processed
000225: Apr 9 15:28:39.980: TAC+: periodic timer stopped (queue empty)
000226: Apr 9 15:28:39.980: TAC+: Closing TCP/IP 0x80ECD79C connection to 10.52.176.224/49
000227: Apr 9 15:28:39.984: AAA/AUTHEN (1634977832): status = ERROR
000228: Apr 9 15:28:39.984: AAA/AUTHEN/START (573714465): port='tty1' list='' action=LOGIN service=LOGIN
000229: Apr 9 15:28:39.984: AAA/AUTHEN/START (573714465): Restart
000230: Apr 9 15:28:39.984: AAA/AUTHEN/START (573714465): Method=LOCAL
000231: Apr 9 15:28:39.984: AAA/AUTHEN (573714465): User not found, end of method list
000232: Apr 9 15:28:39.984: AAA/AUTHEN (573714465): status = FAIL
C2950G-TTA-A-14LT1#
000233: Apr 9 15:28:41.984: AAA/MEMORY: free_user (0x80EBEF3C) user='L0233669' ruser='' port='tty1' rem_addr='10.57.200.39' authen_type=ASCII service=LOGIN
The IP address and the key on the switch are compliant with the ACS configuration.
Find below the aaa configuration on the switch:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console-in group tacacs+ none
!
aaa authentication banner *
/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\/!\
line con 0
login authentication console-in
authorization exec console-in
authorization commands 14 console-in
authorization commands 15 console-in
!
aaa authentication enable default group tacacs+ enable
!
aaa accounting exec default start-stop group tacacs+
aaa accounting command 13 default start-stop group tacacs+
aaa accounting command 14 default start-stop group tacacs+
aaa accounting command 15 default start-stop group tacacs+
!
aaa authorization exec console-in group tacacs+ none
aaa authorization commands 15 console-in group tacacs+ none
aaa authorization commands 14 console-in group tacacs+ none
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 13 default group tacacs+ local
aaa authorization commands 14 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
tacacs-server host 10.52.176.224
tacacs-server key ************
Does someone have an idea?
Any help will be appreciated.
If you need more information, ask me.
Sincerely,
Hervé
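As an added example (this is not the poster's code and not part of the thread), here is a small Python parser for the `debug aaa authentication` / `debug tacacs` output quoted above. It reconstructs each AAA session's method and status transitions, and it models the IOS method-list rule that an ERROR from a method (as opposed to a FAIL) moves on to the next method in the list. That rule is what the debug shows: tacacs+ returned ERROR, the switch fell through to `local`, and the local database had no such user, hence FAIL. The same model shows why the console list `group tacacs+ none` in the posted config would fall open if the server errored on the console line. The sample lines are excerpted from the post; `evaluate_method_list` is a simplified model of IOS behaviour, not Cisco code.

```python
"""Reconstruct the AAA login flow from Cisco IOS debug output.

Added example, not code from the original post. It parses the
'debug aaa authentication' / 'debug tacacs' lines the poster captured and
models IOS method-list fall-through (ERROR -> next method, PASS/FAIL -> stop).
"""
import re
from dataclasses import dataclass, field

# Excerpt of the post's debug output, trimmed to the events parsed below.
SAMPLE_DEBUG = """\
000196: Apr 9 15:28:22.004: AAA/AUTHEN/START (1634977832): port='tty1' list='default' action=LOGIN service=LOGIN
000198: Apr 9 15:28:22.004: AAA/AUTHEN/START (1634977832): Method=tacacs+ (tacacs+)
000200: Apr 9 15:28:22.008: TAC+: Opening TCP/IP to 10.52.176.224/49 timeout=5
000211: Apr 9 15:28:22.220: TAC+: ver=192 id=1634977832 received AUTHEN status = GETUSER
000212: Apr 9 15:28:22.224: AAA/AUTHEN (1634977832): status = GETUSER
000215: Apr 9 15:28:39.876: AAA/AUTHEN (1634977832): Method=tacacs+ (tacacs+)
000226: Apr 9 15:28:39.980: TAC+: Closing TCP/IP 0x80ECD79C connection to 10.52.176.224/49
000227: Apr 9 15:28:39.984: AAA/AUTHEN (1634977832): status = ERROR
000228: Apr 9 15:28:39.984: AAA/AUTHEN/START (573714465): port='tty1' list='' action=LOGIN service=LOGIN
000230: Apr 9 15:28:39.984: AAA/AUTHEN/START (573714465): Method=LOCAL
000231: Apr 9 15:28:39.984: AAA/AUTHEN (573714465): User not found, end of method list
000232: Apr 9 15:28:39.984: AAA/AUTHEN (573714465): status = FAIL
"""

AAA_RE = re.compile(r"AAA/AUTHEN(?:/START|/CONT)? \((\d+)\): (.*)$")
TAC_OPEN_RE = re.compile(r"TAC\+: Opening TCP/IP to (\S+)/(\d+)")
TAC_STATUS_RE = re.compile(r"TAC\+: .*received AUTHEN status = (\w+)")


@dataclass
class Session:
    sid: str                                       # AAA session id in parentheses
    methods: list = field(default_factory=list)    # methods tried, in order
    statuses: list = field(default_factory=list)   # AAA status transitions
    notes: list = field(default_factory=list)      # free-text hints (e.g. user not found)


def parse_debug(text):
    """Return ({session_id: Session}, [TACACS+ transport events]) from debug lines."""
    sessions, transport = {}, []
    for line in text.splitlines():
        m = AAA_RE.search(line)
        if m:
            sid, body = m.groups()
            s = sessions.setdefault(sid, Session(sid))
            mm = re.match(r"Method=(\S+)", body)
            if mm and (not s.methods or s.methods[-1] != mm.group(1)):
                s.methods.append(mm.group(1))       # same method repeated on CONT is not a new try
            ms = re.match(r"status = (\w+)", body)
            if ms:
                s.statuses.append(ms.group(1))
            if "User not found" in body:
                s.notes.append("local database: user not found")
            continue
        m = TAC_OPEN_RE.search(line)
        if m:
            transport.append(("open", m.group(1), int(m.group(2))))
        m = TAC_STATUS_RE.search(line)
        if m:
            transport.append(("server_status", m.group(1)))
        if "Closing TCP/IP" in line:
            transport.append(("close",))
    return sessions, transport


def evaluate_method_list(methods, method_results):
    """Model IOS method-list walking: PASS or FAIL ends the walk, ERROR moves on.

    'none' always passes; other methods take their result from method_results,
    defaulting to ERROR (server unreachable or unusable reply). The local database
    answers FAIL when the user does not exist, as the post's debug shows.
    """
    tried = []
    for method in methods:
        result = "PASS" if method == "none" else method_results.get(method, "ERROR")
        tried.append((method, result))
        if result in ("PASS", "FAIL"):
            return result, tried
    return "ERROR", tried                           # every method errored: login denied


def diagnose(text):
    """Summarise what the captured debug says about the login attempt."""
    sessions, transport = parse_debug(text)
    ordered = list(sessions.values())               # dict keeps first-seen order
    report = {
        "server_reached": any(e[0] == "open" for e in transport),
        "server_statuses": [e[1] for e in transport if e[0] == "server_status"],
        "fell_through": None,
        "final": None,
    }
    if len(ordered) > 1 and "ERROR" in ordered[0].statuses:
        report["fell_through"] = (ordered[0].methods[0], ordered[1].methods[0])
    if ordered:
        last = ordered[-1]
        report["final"] = (last.statuses[-1] if last.statuses else None, list(last.notes))
    return report


if __name__ == "__main__":
    print(diagnose(SAMPLE_DEBUG))
    # Method lists from the posted config, under a TACACS+ ERROR:
    print(evaluate_method_list(["tacacs+", "local"], {"tacacs+": "ERROR", "local": "FAIL"}))
    print(evaluate_method_list(["tacacs+", "none"], {"tacacs+": "ERROR"}))
```

Two things worth noting when feeding real captures to this. First, the debug shows the TCP session to 10.52.176.224/49 opening and the first reply (GETUSER) being understood, so plain reachability is not what the parser flags; the ERROR appears only on the AUTHEN/CONT reply, and the parser reports that as a fall-through rather than guessing the cause. Second, line 000212 in the post reads `status = GETUSERL0233669` because the typed username was echoed into the same terminal as the debug; with `terminal monitor` on, interactive input can interleave with debug text, so capturing to the log buffer (`logging buffered`, then `show logging`) gives cleaner input for a parser like this.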