C9800 unable to SSH via TACACS on Service Port

stephendrkw
Participant

Hi all,

I have set up AAA on my new C9800 Anchor WLC, a replacement for an old WLC 5508. Mobility tunnels are up with the other Anchor and Foreign 5508s running the IRCM image. The problem I have now is that, for some reason, TACACS is not working properly for managing the WLC via the out-of-band Service Port. I would like to use TACACS management via the Service Port like on my 5508s.

For some reason I can log in to the console port successfully using my TACACS username/password, but not via SSH (I haven't set up HTTP yet, as there is a command to enable TACACS for HTTPS access).

Entering my TACACS username via SSH:

WLC console log: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user:username]

C9800>en
% Error in authentication.

Below are my commands. You can see I had to add an ip tacacs route to force traffic via the Service Port; inbound and outbound are working through my Firewall Cluster once I added the specific route.

I did not add "aaa authorization commands": a log message says this hidden command is not supported in future XE releases.

aaa new-model
!
aaa group server tacacs+ TAC_EXT
server name TACACS_SVR_AUTH_ACT_ATHR_2
server name TACACS_SVR_AUTH_ACT_ATHR_3
ip vrf forwarding Mgmt-intf
!
aaa authentication login default group TAC_EXT local
aaa authorization network default group TAC_EXT local
!
ip tacacs source-interface GigabitEthernet0 vrf Mgmt-intf

ip route vrf Mgmt-intf 10.x.x.x(TACACS.SERVERS) 255.255.255.255 GigabitEthernet0 10.x.x.x (return packets on the Firewall Cluster logs for UDP 49 from the WLC to the TACACS servers started working via the SP after I added this route; before this route, return packets were denied)
!
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
!
tacacs server TACACS_SVR_AUTH_ACT_ATHR_2
address ipv4 10.x.x.x
key 7 *********
timeout 5
tacacs server TACACS_SVR_AUTH_ACT_ATHR_3
address ipv4 10.x.x.x
key 7 *********
timeout 5


stephendrkw
Participant

line vty 0
exec-timeout 0 0
length 0
transport input ssh
line vty 1 4
length 0
transport input ssh
line vty 5 15
transport input ssh
!

marce1000
VIP Mentor

- Review the C9800 configuration with the CLI command: show tech wireless, and have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/. Please note: do not use the classical show tech-support (short version); use the command denoted in green for Wireless Analyzer. Check out all advisories!

 M.

Great little tool, thanks. I gather this is the main issue:

VRF: VRF have been configured, this is not a supported feature in 9800 controllers, and it will lead to severe functionality impact
Action: Disable the feature, use the command 'no vrf definition NAMEOFVRF'
Isn't Mgmt-intf configured by default? Should I remove the vrf definition?
As you can see, I want management traffic (NTP, etc.) to flow via the SP Gi0 to avoid firewall changes, though this can be changed if need be. Plus, some RADIUS/TACACS servers would need to be amended IP-wise at the far end if I went via the Management Interface. You could say the Management Interface is trunked and therefore redundant, though I have 2 Anchor WLCs.

#show ip vrf br
Name        Default RD   Interfaces
Mgmt-intf   <not set>    Gi0

sh run | i vrf
vrf definition Mgmt-intf
ip vrf forwarding Mgmt-intf
ip name-server vrf Mgmt-intf 39.x.x.x 39.x.x.x
ip domain name vrf Mgmt-intf ***************
vrf forwarding Mgmt-intf
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 ****
ip route vrf Mgmt-intf 10.***** 255.255.255.255 ****
ip route vrf Mgmt-intf 10.******* 255.255.255.255 ****
ip route vrf Mgmt-intf 10.****** 255.255.255.255 ****
ip route vrf Mgmt-intf 10.**** 255.255.255.255 GigabitEthernet0 ****
ip route vrf Mgmt-intf 10.**** 255.255.255.255 ****
ip tacacs source-interface GigabitEthernet0 vrf Mgmt-intf

- If you have defined it somewhere manually (any 'personal' vrf definitions), then that should probably be removed. For the rest, if it is only used as a 'pointer', such as for NTP or routing statements, that should do no harm. For all config changes it is best to run WirelessAnalyzer again until the mentioned warning no longer appears (for instance). Check if you can ping the TACACS authentication server, for instance, through the Mgmt-intf vrf.

 M.

I am thinking this might be the issue also, but I seem to be running 17.6.x.

Note: As of release 17.6, the following protocols are supported through the Service Port (SP): HTTP/HTTPS, SSH, NetFlow, NTP, SNMP, Syslog, RADIUS, and TACACS+.

sh ver
Cisco IOS XE Software, Version 17.06.03
Cisco IOS Software [Bengaluru], C9800 Software (C9800_IOSXE-K9), Version 17.6.3, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2022 by Cisco Systems, Inc.
Compiled Wed 30-Mar-22 23:12 by mcpre

- FYI: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt60584

 M.

Thanks. I added "ip tacacs source-interface GigabitEthernet0" to "aaa group server tacacs+ TAC_EXT", though it made no difference.

Rich R
VIP Advocate

If you see below, tty3: I'm pretty sure from memory this is when the request is sent off to the TACACS server, and "default to enable password" means the TACACS server is down?

Oct 3 09:13:40.766: %SYS-6-LOGOUT: User user1 has exited tty session 3(10.***)
Oct 3 09:13:42.999: AAA/BIND(000026B0): Bind i/f
Oct 3 09:13:43.000: AAA/AUTHEN/LOGIN (000026B0): Pick method list 'default'
Oct 3 09:13:43.763: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user1] [Source: 10.****] [localport: 22] at 09:13:43 GMT Mon Oct 3 2022
Oct 3 09:13:43.784: AAA/AUTHOR (000026B0): Method list id=0 not configured. Skip author
Oct 3 09:13:46.350: AAA/AUTHOR: auth_need : user= 'user1' ruser= 'ukgrelg-192-wcon-sp'rem_addr= '10.***' priv= 0 list= '' AUTHOR-TYPE= 'commands'
Oct 3 09:13:46.351: AAA: parse name=tty3 idb type=-1 tty=-1
Oct 3 09:13:46.351: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
Oct 3 09:13:46.351: AAA/MEMORY: create_user (0x7F1D0DE7D8B8) user='user1' ruser='NULL' ds0=0 port='tty3' rem_addr='10.****' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0) key=1E4AA6A6
Oct 3 09:13:46.351: AAA/AUTHEN/START (3727276776): port='tty3' list='' action=LOGIN service=ENABLE
Oct 3 09:13:46.351: AAA/AUTHEN/START (3727276776): non-console enable - default to enable password
Oct 3 09:13:46.351: AAA/AUTHEN/START (3727276776): Method=ENABLE
Oct 3 09:13:46.351: AAA/AUTHEN(3727276776): can't find any passwords
Oct 3 09:13:46.351: AAA/AUTHEN (3727276776): status = ERROR
Oct 3 09:13:46.351: AAA/AUTHEN/START (3727276776): no methods left to try
Oct 3 09:13:46.351: AAA/AUTHEN (3727276776): status = ERROR
Oct 3 09:13:46.351: AAA/AUTHEN/START (3727276776): failed to authenticate
Oct 3 09:13:46.351: AAA/MEMORY: free_user (0x7F1D0DE7D8B8) user='user1' ruser='NULL' port='tty3' rem_addr='10.***' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
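As an added example (not code from the thread), the Python script below parses AAA/AUTHEN debug lines like those quoted above, groups them by session id, and explains what the ENABLE session actually tried; the sample lines are a constructed copy of the thread's output with the source IP replaced, and the `aaa authentication enable` command named in the comments is the standard IOS XE method-list command, not something the thread itself shows.

```python
import re

# Constructed sample mirroring the debug output quoted in the thread (IP anonymised).
SAMPLE_DEBUG = """\
Oct 3 09:13:43.000: AAA/AUTHEN/LOGIN (000026B0): Pick method list 'default'
Oct 3 09:13:43.763: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user1] [Source: 10.0.0.5] [localport: 22]
Oct 3 09:13:46.351: AAA/AUTHEN/START (3727276776): port='tty3' list='' action=LOGIN service=ENABLE
Oct 3 09:13:46.351: AAA/AUTHEN/START (3727276776): non-console enable - default to enable password
Oct 3 09:13:46.351: AAA/AUTHEN/START (3727276776): Method=ENABLE
Oct 3 09:13:46.351: AAA/AUTHEN(3727276776): can't find any passwords
Oct 3 09:13:46.351: AAA/AUTHEN (3727276776): status = ERROR
Oct 3 09:13:46.351: AAA/AUTHEN/START (3727276776): no methods left to try
"""

# Session id appears as "AAA/AUTHEN/START (id):" or "AAA/AUTHEN(id):"; LOGIN lines are skipped.
SID_RE = re.compile(r"AAA/AUTHEN(?:/START)? ?\((?P<sid>\d+)\): (?P<msg>.*)")
START_RE = re.compile(r"port='(?P<port>[^']*)' list='(?P<list>[^']*)' action=\w+ service=(?P<service>\w+)")


def parse_authen_sessions(text):
    """Group AAA/AUTHEN debug lines by session id into {sid: {port, list, service, methods, flags, status}}."""
    sessions = {}
    for line in text.splitlines():
        m = SID_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["sid"], {"methods": [], "flags": set(), "status": None, "list": None})
        msg = m["msg"]
        start = START_RE.search(msg)
        if start:
            s.update(start.groupdict())          # port, list, service of this session
        elif msg.startswith("Method="):
            s["methods"].append(msg[len("Method="):])
        elif msg.startswith("status = "):
            s["status"] = msg[len("status = "):]  # last status line wins
        elif "default to enable password" in msg:
            s["flags"].add("fallback_to_enable_password")
        elif "can't find any passwords" in msg:
            s["flags"].add("no_enable_password")
    return sessions


def diagnose_enable(session):
    """Explain a failed ENABLE session from the methods it actually tried."""
    if session.get("service") != "ENABLE":
        return "not an enable session"
    if session["list"] == "" and "TACACS+" not in session["methods"]:
        # No 'aaa authentication enable' list, so IOS XE used only the local enable password
        # (never consulted TACACS+); on this box that password is not set either.
        # Operator fix to verify on the device: aaa authentication enable default group TAC_EXT enable
        return "no enable method list: local enable password used, TACACS+ never consulted"
    return "enable list present; status=%s (check server reachability and keys)" % session["status"]


if __name__ == "__main__":
    for sid, s in parse_authen_sessions(SAMPLE_DEBUG).items():
        print(sid, s["service"], s["methods"], diagnose_enable(s))
```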