TACACS+ Authentication error: Getting error "% Destination unreachable; gateway or host down" when trying to telnet to the tacacs+ server on port 49

prabhatei7
Level 1

Hi There,

Thank you for your time. Hope you all are safe & secure in this pandemic.

I need your help with my tacacs+ authentication.

I have got two TACACS+ servers (RHEL) and both are running successfully. Both are in different domains. For one domain my switches are getting authenticated successfully, but for the other domain it's failing.

Below is the output from my switch:

net001#sh run | sec tac
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
description tacacs-test-switch
ip tacacs source-interface GigabitEthernet1/0/7
tacacs-server host 10.252.37.10
tacacs-server directed-request
tacacs-server key 7 0728004545514A1356

pninet001#telnet 10.252.37.10 49
Trying 10.252.37.10, 49 ...
% Destination unreachable; gateway or host down

net001#ping 10.252.37.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.252.37.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/120/126 ms
net001#

I have configured the same configuration on all of my switches and the same RPM packages on both of my tacacs+ servers.

I have checked my TACACS+ server and it's listening on port 49, and the tacacs service is also running fine. But still I'm not able to identify why it's failing when the same configuration is running on both the servers.

Any help would be appreciated.

4 Replies

Hi,

Try telnet using the source interface: 'telnet xxxx xx /source g1/0/7'

Also, make sure that the RHEL iptables firewall is allowing incoming tacacs connections.

**** please remember to rate useful posts

Hello Mohammed,

Thank you for your response. I have checked and tried with the source interface also, but still it's not working.

I have even checked my tacacs+ server configuration against another working tacacs+ server; both configurations are the same and both are listening on port 49.

For one domain I have configured my switch with the same tacacs+ configuration as the one which is working in the other domain, but it still isn't responding.

I have attached one file for further clarification.

On your RHEL, run tcpdump: 'tcpdump -nvv host x.x.x.x', where x.x.x.x should be your switch IP. This is useful to see if tacacs packets are coming to your system.

**** please remember to rate useful posts
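The two server-side checks Mohammed asks for in his replies (is the RHEL iptables firewall accepting incoming TACACS+, and are the switch's packets actually arriving on tcp/49) can be scripted so the answer is repeatable. The block below is an added example written for this thread; it is not code from the posts or from any Cisco or Red Hat project. It parses the output of `ss -lnt` and `iptables -S INPUT` on the RHEL host, reports whether a listener is bound on tcp/49 and whether the INPUT chain accepts tcp/49 before its catch-all rule (rules are walked top-down, as the kernel does), and builds the tcpdump filter from the reply above narrowed to TACACS+. Its parsing is deliberately narrow (a plain `--dport 49` ACCEPT rule and a bare `-j REJECT`/`-j DROP` catch-all; no multiport, firewalld rich rules or nftables), and the switch IP 10.252.37.20 in the usage line is a constructed placeholder. The symptom in the first post fits this check: ping succeeds but the telnet to port 49 ends with "% Destination unreachable; gateway or host down", which is what IOS prints when it receives an ICMP unreachable rather than a TCP reset, and a stock RHEL iptables INPUT chain ends in `-j REJECT --reject-with icmp-host-prohibited`, which produces exactly that; a host with no listener on tcp/49 would instead answer with a reset and IOS would report "% Connection refused by remote host".

```shell
#!/bin/sh
# Added example for this thread (not from the original posts or any vendor):
# offline-testable versions of the two server-side checks suggested above.
#   tacacs_listening      - parses `ss -lnt` output: is a TCP listener bound on port 49?
#   tacacs_allowed        - parses `iptables -S INPUT` output: is tcp/49 ACCEPTed before
#                           the chain's catch-all REJECT/DROP (or by the chain policy)?
#   tacacs_capture_filter - tcpdump filter from the reply, narrowed to TACACS+ only.
# Assumed limits: plain `--dport 49` rules only; no multiport, firewalld or nftables.

TACACS_PORT=49

# tacacs_listening "<ss -lnt output>"  -> exit 0 if some socket is in LISTEN on tcp/49
# Column 4 of `ss -lnt` is "Local Address:Port"; the port is the text after the last ':'
# (this also handles IPv6 forms such as [::]:49).
tacacs_listening() {
    printf '%s\n' "$1" | awk -v p="$TACACS_PORT" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# tacacs_allowed "<iptables -S INPUT output>" -> exit 0 if tcp/49 would be accepted.
# The first rule that decides wins: an ACCEPT with --dport 49 allows, a bare
# "-A INPUT -j REJECT/DROP" catch-all blocks, and otherwise the chain policy decides.
tacacs_allowed() {
    printf '%s\n' "$1" | awk -v p="$TACACS_PORT" '
        /^-P INPUT /  { policy = $3 }
        verdict == "" && /^-A INPUT / {
            if ($0 ~ ("--dport " p "( |$)") && $0 ~ / -j ACCEPT/) verdict = "allow"
            else if ($0 ~ /^-A INPUT -j (REJECT|DROP)/)           verdict = "block"
        }
        END {
            if (verdict == "") verdict = (policy == "ACCEPT") ? "allow" : "block"
            exit ((verdict == "allow") ? 0 : 1)
        }'
}

# tacacs_capture_filter <switch-ip> -> BPF filter for `tcpdump -nvv` on the RHEL host
tacacs_capture_filter() {
    printf 'host %s and tcp port %s' "$1" "$TACACS_PORT"
}

# Live run on the RHEL server; each step is skipped when its tool is unavailable.
# Switch IP 10.252.37.20 is a constructed placeholder: substitute the real one.
if command -v ss >/dev/null 2>&1; then
    if tacacs_listening "$(ss -lnt 2>/dev/null)"; then
        echo "tcp/$TACACS_PORT: listener present"
    else
        echo "tcp/$TACACS_PORT: NO listener (tacacs service not bound)"
    fi
fi
if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
    if tacacs_allowed "$(iptables -S INPUT 2>/dev/null)"; then
        echo "iptables: tcp/$TACACS_PORT accepted"
    else
        echo "iptables: tcp/$TACACS_PORT rejected/dropped (switch sees ICMP unreachable)"
    fi
fi
echo "to watch the switch's TACACS+ packets: tcpdump -nvv -i any '$(tacacs_capture_filter 10.252.37.20)'"
```

Run it as root on the TACACS+ server itself; the live section prints one line per check, and the functions can be fed captured `ss`/`iptables` output from a host you cannot log in to interactively.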

Hi Mohammed,

I have an issue when I use the Mgmt interface. FYI, I do not see firewall logs for Tacacs. The switch configuration is as shown below:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

ip tacacs source-interface GigabitEthernet0/0
ip tacacs source-interface GigabitEthernet0/0 vrf Mgmt-vrf
tacacs server Clearpass
address ipv4 x.x.x.x
key

The same configuration I used with an SVI interface, without selecting vrf Mgmt-vrf, is working fine.

Please advise!

FYI, the configuration above I have applied to a Cisco C9300 series switch (OS: 17.03.03).

Thanks,

Diyar