01-19-2015 08:10 PM
Hi Everyone,
I have a Cisco router connected behind my firewall and the TACACS server on the other side of firewall.
My LAN system is in a different zone behind firewall only.
Now, the issue here is that both my Cisco routers are accepting TACACS authentication and work fine.
However, if I disable the policy in my firewall for TACACS port 49 (communication between router and TACACS server), my local authentication no longer works.
Any suggestions if my configuration is wrong? I am giving a brief of my config.
Also, I need to know in which scenario TACACS fails:
a) TACACS Server is reachable but not able to authenticate?
b) TACACS server should neither be reachable nor able to authenticate? If the answer is yes, I will have to shut down my server, which is not possible.
Config as follows:
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local line
aaa authentication enable default enable
aaa authorization exec default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
tacacs-server host "IP Address"
tacacs-server key 7 ********
line con 0
password 7 ********
line aux 0
line vty 0 4
access-class ** in
privilege level 15
transport input ssh
line vty 5 15
access-class ** in
privilege level 15
transport input ssh
01-20-2015 10:59 PM
Hi,
Do you have a local user defined on the router?
01-21-2015 12:04 AM
Yes, I have defined a local user.
01-22-2015 11:22 AM
When the tacacs server has a connection with the device, the tacacs server is considered up and the router will try to authenticate against the tac server.
Here is the tricky part: in some IOS releases the response state returned from the TACACS socket may or may not constitute a failover to the next method list.
You will see:
1) only if the tacacs connection fails is failover to the next method list induced (most common)
2) when the tacacs server is reachable and the username provided is not found in the tacacs server database, a reject will be sent, but this reject will allow for a failover to the next method list.
2) is not very common and it also heavily depends on:
a) the IOS release in use, whether it takes that response reason from tacacs to induce method list failover
b) the reply message the tacacs server gives back on a password failure vs. user not found.
You can follow with debug aaa authen/author and debug tacacs <cr>/ev/authen what happens in the sequence.
You may have an open socket still on tacacs on the router, it thinking the connection is there, causing it not to fail over.
Possible to close the tcb manually:
NPE-G1#show tcp br
TCB Local Address Foreign Address (state)
67D6CD44 3.0.0.102.49553 3.0.0.38.49 ESTAB
NPE-G1#clear tcp tcb 67D6CD44
[confirm]
[OK]
NPE-G1#
The failover issue you mentioned is particularly seen when you use single connection and the tcb drops.
regards!
xander
--
Xander Thuijs CCIE#6775
Cisco Systems, Principal Engineer IOS/XR ASR9000
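To make the failover rule in the answer above concrete, here is an added Python model (not code from the thread or from Cisco) of how a method list such as `group tacacs+ local` is walked: only an ERROR (server unreachable, socket down) moves on to the next method, while a REJECT from a reachable server is final. It models the common case 1) above, not the release-dependent case 2); the user database and credentials in the test are constructed.

```python
"""Simplified model of Cisco IOS AAA method-list fallback (teaching model)."""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method answered and rejected the user (final)
    ERROR = "error"  # the method could not answer; try the next method


def tacacs_method(reachable, known_user, password_ok):
    """Outcome of the 'group tacacs+' method for one login attempt."""
    if not reachable:            # e.g. tcp/49 blocked at the firewall
        return Result.ERROR
    if known_user and password_ok:
        return Result.PASS
    return Result.FAIL           # server reachable and sent a REJECT


def local_method(local_users, username, password):
    """Outcome of the 'local' method against the router's user database."""
    if local_users.get(username) == password:
        return Result.PASS
    return Result.FAIL


def evaluate(methods, tacacs_state, local_users, username, password):
    """Walk the method list left to right.

    Returns (final_result, method_that_decided). A PASS or FAIL ends the
    walk; only ERROR hands control to the next method. If every method
    returns ERROR the login is denied.
    tacacs_state: dict with keys reachable, known_user, password_ok.
    """
    for method in methods:
        if method == "group tacacs+":
            outcome = tacacs_method(**tacacs_state)
        elif method == "local":
            outcome = local_method(local_users, username, password)
        elif method == "none":
            outcome = Result.PASS    # 'none' performs no authentication
        else:
            raise ValueError(f"unknown method {method!r}")
        if outcome is not Result.ERROR:
            return outcome, method
    return Result.FAIL, None
```

With the poster's `aaa authentication login default group tacacs+ local`, removing the user from the TACACS database yields a REJECT and therefore no fallback, whereas blocking tcp/49 yields ERROR and the router consults the local database.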
01-27-2015 03:56 AM
Hi Xander-
I have tried the first option by removing my ID from the TACACS server and then trying to log in to the router, but in this case it kept telling me authentication failed.
If I enter an ACL on my router blocking any traffic towards the TACACS server, will this simulate an ideal scenario for testing TACACS failover?
01-27-2015 04:00 AM
Yeah, so you have a version that, as long as the tacacs server responds (even with a user reject), won't fail over.
An ACL blocking tcp/49 may work. "May" because some platforms inject locally originated traffic directly onto the forwarding path (e.g. a9k), but if you have a software forwarding platform, the ACL should block the tacacs server.
You could also, for instance, reconfigure your tacacs server to use a different port or a rogue address; that will definitely fail too and you can test that failover.
cheers
xander