TACACS+ Login not failing to local authentication

Hi Everyone,

I have a Cisco router connected behind my firewall and the TACACS server on the other side of the firewall.
My LAN system is in a different zone behind the firewall only.

Now, the issue here is that both my Cisco routers are accepting TACACS authentication and work fine.

However, if I disable the policy in my firewall for TACACS port 49 communication between the router and the TACACS server, my local authentication does not work any more.

Any suggestions if my configuration is wrong? I am giving a brief of my config.

Also, I need to know in what scenario TACACS fails:
a) TACACS server is reachable but not able to authenticate?
b) TACACS server should neither be reachable nor be able to authenticate? If this answer is yes, I will have to shut down my server, which is not possible.

Config as follows:

aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local line
aaa authentication enable default enable
aaa authorization exec default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+

tacacs-server host "IP Address"
tacacs-server key 7 ********

line con 0
 password 7 ********
line aux 0
line vty 0 4
 access-class ** in
 privilege level 15
 transport input ssh
line vty 5 15
 access-class ** in
 privilege level 15
 transport input ssh

5 Replies

johnd2310
Level 8

Hi,

Do you have a local user defined on the router?

**Please rate posts you find helpful**

Yes, I have defined a local user.

When the TACACS server has a connection with the device, the TACACS server is considered up and the router will try to authenticate against the TACACS server.

Here is the tricky part: in some IOS releases the response state returned from the TACACS socket may or may not constitute a failover to the next method list.

You will see:

1) Only if the TACACS connection fails is failover to the next method list induced (most common).

2) When the TACACS server is reachable and the username provided is not found in the TACACS server database, a reject will be sent, but this reject will allow for a failover to the next method list.

2) is not very common and it also heavily depends on:

a) the IOS release in use, and whether it takes that response reason from TACACS to induce method-list failover;

b) the reply message the TACACS server gives back on a password failure vs. user not found.

You can follow what happens in the sequence with debug aaa authen/author and debug tacacs <cr>/ev/authen.

You may still have an open TACACS socket on the router, with the router thinking the connection is there, causing it not to fail over.

It is possible to close the TCB manually:

NPE-G1#show tcp br
TCB       Local Address               Foreign Address             (state)
67D6CD44  3.0.0.102.49553             3.0.0.38.49                 ESTAB

NPE-G1#clear tcp tcb 67D6CD44
[confirm]
 [OK]
NPE-G1#

The failover issue you mentioned is particularly seen when you use single-connection and the TCB drops.

regards!

xander

--

Xander Thuijs CCIE#6775

Cisco Systems, Principal Engineer IOS/XR ASR9000

Hi Xander,

I have tried the first option by removing my ID from the TACACS server and then trying to log in to the router, but in this case it kept stating authentication failed.

Suppose I enter an ACL on my router blocking any traffic towards the TACACS server; will this simulate an ideal scenario for testing TACACS failover?

Yeah, so you have a version that, as long as the TACACS server responds (even with a user reject), won't fail over.

An ACL blocking tcp/49 may work. "May" because some platforms inject locally originated traffic directly onto the forwarding path (e.g. A9K), but if you have a software-forwarding platform, the ACL should block the TACACS server.

You could also, for instance, reconfigure your TACACS server to use a different port or a rogue address; that will definitely fail too and you can test that failover.

cheers

xander
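To make the fall-through rule discussed in this thread concrete, here is a small Python model (an added example, not code from the thread, from Cisco, or from the posters) that parses the AAA lines from the original post and walks each method list. The PASS/FAIL/ERROR names, the assumption that only an ERROR (no usable server reply) advances the list while a FAIL (reject) ends it, and the `fall_through_on_reject` flag for the release-dependent behaviour Xander describes are all my own constructions.

```python
# Added example: toy model of IOS AAA method-list fall-through. Assumption: the
# list advances only when a method returns ERROR (no usable server reply); an
# explicit FAIL (reject) ends the list unless fall_through_on_reject is set.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
METHOD_KEYWORDS = {"group", "local", "local-case", "none", "enable", "line"}

# AAA lines copied from the original post's configuration.
CONFIG = """
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local line
aaa authentication enable default enable
aaa authorization exec default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ none
"""

def parse_method_lists(config):
    """Map 'authentication login default' -> ['tacacs+', 'local'], etc."""
    lists = {}
    for line in config.splitlines():
        w = line.split()
        if len(w) < 4 or w[0] != "aaa":
            continue
        first = next(i for i, t in enumerate(w) if i >= 3 and t in METHOD_KEYWORDS)
        methods, tokens = [], w[first:]
        while tokens:
            t = tokens.pop(0)  # 'group <name>' collapses to the group name
            methods.append(tokens.pop(0) if t == "group" else t)
        lists[" ".join(w[1:first])] = methods
    return lists

def run_method_list(methods, results, fall_through_on_reject=False):
    """Walk the list. `results` maps method -> reply; a method with no entry
    counts as unreachable (ERROR). 'none' always passes (no check at all)."""
    trail = []
    for m in methods:
        r = PASS if m == "none" else results.get(m, ERROR)
        trail.append((m, r))
        if r == PASS or (r == FAIL and not fall_through_on_reject):
            return r, trail  # a definite answer ends the list
    return FAIL, trail  # every method errored: deny

if __name__ == "__main__":
    lists = parse_method_lists(CONFIG)
    login = lists["authentication login default"]
    print(run_method_list(login, {"tacacs+": FAIL, "local": PASS}))   # user deleted on server -> 'FAIL'
    print(run_method_list(login, {"tacacs+": ERROR, "local": PASS}))  # tcp/49 blocked -> 'PASS' via local
    # Authorization list ending in 'none': with the server unreachable, every
    # level-15 command is permitted without any check.
    print(run_method_list(lists["authorization commands 15 default"], {"tacacs+": ERROR}))
```

The third scenario is the one worth watching in the posted config: once the TACACS server is unreachable, the trailing `none` in `aaa authorization commands 15 default group tacacs+ none` authorizes every level-15 command with no check at all, so the failover the poster is trying to test also removes command authorization.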