cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1223
Views
0
Helpful
10
Replies

Remote router TACACS+ authentication over router to router VPN

ricardo1831
Level 1
Level 1

I currently have a router to router VPN via firewalls configured with VPN passthrough.The VPN is up and working correctly. The primary router is on the same infrastructure as the TACACS server and works just fine. The router at the remote end has the same TACACS and AAA configuration as the primary router but is not authenticating. Is it even possible for TACACS authentication to work over VPN in this way??

Please see my crude diagram of the setup I have.

<Router>--------<ASA>----------<PIX>--------<Router>

           <------------------Tunnel------------------->

Please let me know if anymore information is required to help solve this one. Any replies appreciated.

Thanks,

Ric

10 Replies 10

Collin Clark
VIP Alumni
VIP Alumni

Try sourcing TACACS from either a loopback or an ethernet interface-

ip tacacs source-interface Loopback0

Hope it helps.

Thanks for the quick reply. Unfortunately I used the ip tacacs source-interface command already with Loopback and even tunnel as the source but still does not work. If I telnet to the the ACS server IP address from the remote router on port 49 I get all the way through no problem. As mentioned the primary router was no problem to get TACACS working but then there is no VPN between that and the ACS...

Good, connectivity is established. What are you running for a AAA server? Can you see anything in the logs? Is the router in the device list?

What are you running for a AAA server? Cisco ACS

Can you see anything in the logs? No

Is the router in the device list? The router has been added to the ACS network configuration.

The routers are configured with Fallback local username and password which is currently used when logging on to the spoke routers. The hub router which is on the same infrastructure as the ACS server TACACS works fine. When I try to extend the TACACS to the spoke device using exactly the same configuration for the it does not work.

The VPN is part of a secure private network which is an alternative to the leased lines which form the bulk of client connections. The outside fastethernet interface on the spoke router is configured to allow only udp; isakmp, 4500, ip; esp and ssh between the peer addresses. The fastethernet is only for establsihing the VPN tunnel and SSH for backup remote connectivity for management purposes. So to manage spoke router we use the tunnel interface ip address which is the same interface that TACACS will be coming in on. Is this even possible??

Appreciate your assistance.

Ric

So have you tried sourcing TACACS from the 'inside' interface? It will not work from the tunnel interface.

So I have gone away and done the following....

The Tunnel interfaces use 172.32.101.0/30 for the point-to-point. I have created a loopback interface with the address 172.32.101.5/30 and added routes from the TACACS+ / management server and can get to the remote router using the loopback. From the remote router I can telnet to the TACACS server on port 49.... still TACACS is not authenticating. I am using the "ip tacacs source-interface Loopback0" but still no joy.

Any other suggestions?

Are you sourcing your telnet from the loopback? If so then it sounds like the problem is on ACS.

Hi Colin, thanks for the quick reply.

The ACS server is in production environment and there are currently many examples of devices sourcing from the loopback interface. The router at the same end of the VPN picked the TACACS+ no problem but the remote end is not. I have just setup another VPN in a similar fashion and again TACACS is not being picked up by the remote device. It's like the TACACS does not want to pass over the VPN and I've not found many examples of people doing the same thing as this.

Hi,

Could you please run the debug on both the routers when trying to authenticate across the vpn tunnel.

deb aaa authen

deb tacacs 255.

Regards,

Anisha

Thanks everyone for your assistance. I found the issue to be with the ACS server and the shared keys. When I added the device to the ACS server I specified at shared key at the device level. It wasn't until I tried using the ACS group sharedd key, where the device is assigned, that I got it working.

Just for info I am using the tunnel interface as the tacacs source-interface which appears to be working fine.

Many Thanks,