04-16-2007 10:43 PM - edited 03-10-2019 03:06 PM
I'm busy upgrading our network at the moment and we're replacing the archaic switches with new 3750s. At one of the sites, the new switch didn't boot up, so I configured a 2950 as a temporary solution. My problem is with TACACS authentication. I'm using TACACS as the first method of authentication, with local database as backup. But TACACS authentication isn't happening. It just skips straight past method 1 to local authentication. The TACACS servers are up and running as other devices are authenticating correctly and this 2950 can ping the servers in question. The key is entered correctly as well. Any suggestions?
04-17-2007 12:08 AM
The TACACS+ configuration for the Catalyst 3750 and 2950 should be identical.
What does your AAA configuration on the 2950 look like?
It should look something like this:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
tacacs-server host 10.10.10.24
tacacs-server key 7 0329483905743665657
What does the output of "debug aaa authentication" look like?
For a successful TACACS+ login I get the following:
Apr 17 08:06:07: AAA/AUTHEN/START (1370004964): port='tty2' list='' action=LOGIN service=LOGIN
Apr 17 08:06:07: AAA/AUTHEN/START (1370004964): Restart
Apr 17 08:06:07: AAA/AUTHEN/START (1370004964): Method=tacacs+ (tacacs+)
Apr 17 08:06:07: TAC+: send AUTHEN/START packet ver=192 id=1370004964
Apr 17 08:06:07: TAC+: ver=192 id=1370004964 received AUTHEN status = GETPASS
Apr 17 08:06:07: AAA/AUTHEN (1370004964): status = GETPASS
Apr 17 08:06:20: AAA/AUTHEN/CONT (1370004964): continue_login (user='craig')
Apr 17 08:06:20: AAA/AUTHEN (1370004964): status = GETPASS
Apr 17 08:06:20: AAA/AUTHEN (1370004964): Method=tacacs+ (tacacs+)
Apr 17 08:06:20: TAC+: send AUTHEN/CONT packet id=1370004964
Apr 17 08:06:21: TAC+: ver=192 id=1370004964 received AUTHEN status = PASS
Apr 17 08:06:21: AAA/AUTHEN (1370004964): status = PASS
Apr 17 08:06:21: TAC+: (2581335929): received author response status = PASS_ADD
04-17-2007 01:14 AM
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default local
aaa accounting suppress null-username
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server key correctkey
tacacs-server host 10.0.0.0
The correct IPs have been omitted, but are correct in the configs and the switch can ping all four of the servers. I'm not on site at the moment, but when I Telnet into the device and use the debug command, it gives me no output whatsoever. It's as if it just skips the TACACS+ authentication completely.
04-17-2007 01:47 AM
To get the switch debugging output via telnet you probably need to do the following:
conf t
logging console
end
debug aaa authentication
terminal mon
You should see aaa authentication debugging as long as you are using "aaa new-model" - even if you are using local and not TACACS+.
04-17-2007 01:54 AM
Thanks. That worked! This is what I get when entering enable mode.
Apr 17 11:52:27: AAA/MEMORY: dup_user (0x80CD1528) user='root' ruser='' port='tty1' rem_addr='10.247.81.22' authen_type=ASCII service=ENABLE priv=15 source='AAA dup enable'
Apr 17 11:52:27: AAA/AUTHEN/START (3171050843): port='tty1' list='' action=LOGIN service=ENABLE
Apr 17 11:52:27: AAA/AUTHEN/START (3171050843): using "default" list
Apr 17 11:52:27: AAA/AUTHEN/START (3171050843): Method=tacacs+ (tacacs+)
Apr 17 11:52:27: TAC+: send AUTHEN/START packet ver=192 id=3171050843
Apr 17 11:52:28: AAA/AUTHEN (3171050843): status = ERROR
Apr 17 11:52:28: AAA/AUTHEN/START (3171050843): Method=ENABLE
Apr 17 11:52:28: AAA/AUTHEN (3171050843): status = GETPASS
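The fall-through visible in the debug output above (Method=tacacs+ returns status = ERROR, then IOS moves on to the local ENABLE method) is the security-relevant event in this thread: an ERROR from a method means "could not be evaluated" (server unreachable, timeout, shared-key mismatch), so IOS tries the next method in the list, whereas a FAIL is a real rejection and ends the attempt. A privileged login that succeeds only because the central server errored out is something an operator wants flagged. The following Python script is an added example written for this page, not code from the thread or from Cisco. It parses constructed "debug aaa authentication" lines modelled on the ones posted here, groups them by AAA session id, and reports any session where one method errored and a later method answered. The function names parse_sessions, analyse and silent_fallbacks are my own.

```python
import re

# Constructed sample of "debug aaa authentication" output, modelled on the
# lines posted in this thread. Session 3171050843 is the failure mode from
# the thread (TACACS+ errors, IOS falls through to local ENABLE); the final
# "status = PASS" line for it is constructed to complete the session.
# Session 1370004964 is a healthy login that passes via TACACS+.
SAMPLE_DEBUG = """\
Apr 17 11:52:27: AAA/MEMORY: dup_user (0x80CD1528) user='root' ruser='' port='tty1' service=ENABLE priv=15
Apr 17 11:52:27: AAA/AUTHEN/START (3171050843): port='tty1' list='' action=LOGIN service=ENABLE
Apr 17 11:52:27: AAA/AUTHEN/START (3171050843): using "default" list
Apr 17 11:52:27: AAA/AUTHEN/START (3171050843): Method=tacacs+ (tacacs+)
Apr 17 11:52:27: TAC+: send AUTHEN/START packet ver=192 id=3171050843
Apr 17 11:52:28: AAA/AUTHEN (3171050843): status = ERROR
Apr 17 11:52:28: AAA/AUTHEN/START (3171050843): Method=ENABLE
Apr 17 11:52:28: AAA/AUTHEN (3171050843): status = GETPASS
Apr 17 11:52:31: AAA/AUTHEN (3171050843): status = PASS
Apr 17 08:06:07: AAA/AUTHEN/START (1370004964): port='tty2' list='' action=LOGIN service=LOGIN
Apr 17 08:06:07: AAA/AUTHEN/START (1370004964): Method=tacacs+ (tacacs+)
Apr 17 08:06:07: AAA/AUTHEN (1370004964): status = GETPASS
Apr 17 08:06:20: AAA/AUTHEN/CONT (1370004964): continue_login (user='craig')
Apr 17 08:06:20: AAA/AUTHEN (1370004964): Method=tacacs+ (tacacs+)
Apr 17 08:06:21: AAA/AUTHEN (1370004964): status = PASS
"""

# Only AAA/AUTHEN lines carry the per-session method/status state we need;
# TAC+ and AAA/MEMORY lines are skipped.
LINE_RE = re.compile(r"AAA/AUTHEN(?:/START|/CONT)? \((\d+)\): (.*)$")
METHOD_RE = re.compile(r"Method=(\S+)")
STATUS_RE = re.compile(r"status = (\w+)")
SERVICE_RE = re.compile(r"service=(\w+)")


def parse_sessions(text):
    """Group AAA/AUTHEN debug lines by session id into ordered event lists.

    Each event is ("method", name) or ("status", value), in log order.
    """
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sid, rest = m.groups()
        sess = sessions.setdefault(sid, {"service": None, "events": []})
        svc = SERVICE_RE.search(rest)
        if svc:
            sess["service"] = svc.group(1)
        meth = METHOD_RE.search(rest)
        if meth:
            sess["events"].append(("method", meth.group(1)))
        st = STATUS_RE.search(rest)
        if st:
            sess["events"].append(("status", st.group(1)))
    return sessions


def analyse(sessions):
    """Per session: distinct methods tried, (from, to) fallbacks, final status.

    A fallback is recorded when a method returned ERROR and IOS then selected
    a different method. A repeated Method= line for the same method (as seen
    after AUTHEN/CONT) is not a fallback.
    """
    report = {}
    for sid, sess in sessions.items():
        methods, fallbacks = [], []
        current = last_error = final = None
        for kind, value in sess["events"]:
            if kind == "method":
                if value != current:
                    methods.append(value)
                    if last_error is not None:
                        fallbacks.append((last_error, value))
                        last_error = None
                    current = value
            else:
                final = value
                if value == "ERROR":
                    last_error = current
        report[sid] = {"service": sess["service"], "methods": methods,
                       "fallbacks": fallbacks, "final": final}
    return report


def silent_fallbacks(report):
    """Session ids that PASSed only after an earlier method errored out."""
    return [sid for sid, r in report.items()
            if r["fallbacks"] and r["final"] == "PASS"]


if __name__ == "__main__":
    rep = analyse(parse_sessions(SAMPLE_DEBUG))
    for sid, r in rep.items():
        print(sid, r["service"], "->".join(r["methods"]), r["final"], r["fallbacks"])
    print("logins that bypassed the primary method:", silent_fallbacks(rep))
```

Run against the sample, the script reports session 3171050843 (service ENABLE) as tacacs+->ENABLE with a fallback and a final PASS, and session 1370004964 as a clean TACACS+ PASS. Feeding it real debug output from a syslog collector turns the thread's symptom into an alert rather than something noticed only when someone happens to be watching the console.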
04-17-2007 03:35 AM
And the output of "debug tacacs"?
My output looks like this:
Apr 17 11:30:27: TAC+: send AUTHEN/START packet ver=192 id=3801177964
Apr 17 11:30:27: TAC+: Using default tacacs server-group "tacacs+" list.
Apr 17 11:30:27: TAC+: Opening TCP/IP to 10.10.10.24/49 timeout=5
Apr 17 11:30:27: TAC+: Opened TCP/IP handle 0x80EC2700 to 10.10.10.24/49
Apr 17 11:30:27: TAC+: 10.10.10.24 (3801177964) AUTHEN/START/LOGIN/ASCII queued
Apr 17 11:30:28: TAC+: (3801177964) AUTHEN/START/LOGIN/ASCII processed
Apr 17 11:30:28: TAC+: ver=192 id=3801177964 received AUTHEN status = GETPASS
Apr 17 11:30:31: TAC+: send AUTHEN/CONT packet id=3801177964
Apr 17 11:30:31: TAC+: 10.10.10.24 (3801177964) AUTHEN/CONT queued
Apr 17 11:30:31: TAC+: (3801177964) AUTHEN/CONT processed
Apr 17 11:30:31: TAC+: ver=192 id=3801177964 received AUTHEN status = PASS
Apr 17 11:30:31: TAC+: Closing TCP/IP 0x80EC2700 connection to 10.10.10.24/49
Apr 17 11:30:31: TAC+: using previously set server 10.10.10.24 from group tacacs+
Apr 17 11:30:31: TAC+: Opening TCP/IP to 10.10.10.24/49 timeout=5
Apr 17 11:30:31: TAC+: Opened TCP/IP handle 0x80ED50DC to 10.10.10.24/49
Apr 17 11:30:31: TAC+: Opened 10.10.10.24 index=1
Apr 17 11:30:31: TAC+: 10.10.10.24 (3808800626) AUTHOR/START queued
Apr 17 11:30:32: TAC+: (3808800626) AUTHOR/START processed
Apr 17 11:30:32: TAC+: (3808800626): received author response status = PASS_ADD
Apr 17 11:30:32: TAC+: Closing TCP/IP 0x80ED50DC connection to 10.10.10.24/49
Apr 17 11:30:32: TAC+: Received Attribute "priv-lvl=15"
Apr 17 11:30:32: TAC+: using previously set server 10.10.10.24 from group tacacs+
Apr 17 11:30:32: TAC+: Opening TCP/IP to 10.10.10.24/49 timeout=5
Apr 17 11:30:32: TAC+: Opened TCP/IP handle 0x80EC2B94 to 10.10.10.24/49
Apr 17 11:30:32: TAC+: Opened 10.10.10.24 index=1
Apr 17 11:30:32: TAC+: 10.10.10.24 (422749886) ACCT/REQUEST/START queued
Apr 17 11:30:32: TAC+: (422749886) ACCT/REQUEST/START processed
Apr 17 11:30:32: TAC+: (422749886): received acct response status = SUCCESS
Apr 17 11:30:32: TAC+: Closing TCP/IP 0x80EC2B94 connection to 10.10.10.24/49
What TACACS+ server are you using?
04-17-2007 03:58 AM
The encrypted key I was using isn't the same for both switch models. I can only assume that the encryption algorithm used on the 3750 differs from that of the 2950. When I typed in the unencrypted password, TACACS+ authentication kicked in immediately! Thanks for the advice!