Authentication Failure thru TACACS

Unanswered Question
Jun 17th, 2007

Hi,

We are unable to log in thru TACACS when we are connected thru the serial link, but the TACACS authentication happens when we use ISDN. The issue is observed at 2 locations; other locations are working fine and the configuration seems to be OK. We have ACS installed on Windows as the TACACS server. One more thing which is noticeable is that when we check the logs in ACS, it shows part of the banner in the Username field of the Failed Authentication.csv file.

Please let me know if someone has faced a similar issue and how it was resolved.

Thanking you in anticipation.

Regards,

Navneet


Did you change the RegEx expression for the prompt from > or # to something else?

From your configuration I don't see the authoritative source for your devices' AAA messages defined; it should be something like "ip tacacs source-interface Loopback0", which will match up with your authentication profile on the TACACS+ server. Do the authentication profile and origination match if the request is made from the serial attempt vs. the ISDN attempt?

Manjunatha Jayaram Mon, 06/18/2007 - 06:12

I have already checked by giving "ip tacacs source-interface loopback0", but even then the issue was the same...

When we request from serial, what we get in the profile is part of the banner... but when we try thru ISDN we get the correct username and profile.

Rgds

Jagdeep Gambhir Mon, 06/18/2007 - 06:36

Do you have any modem or terminal server connected to this device for out of band management?

In these types of issues the problem is with the modem or terminal server. It echoes back exec information from the console. The console interprets these messages as login requests. This is extremely common. If that is the case, then we need to reconfigure the modem or terminal server so that it does not echo.

If it's an IOS terminal server, the "no exec" command resolves the issue. If it is a modem, it must be reconfigured so that it no longer echoes.

Hope that helps !

Regards,

Jagdeep
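An added example, not part of the original replies: one way to confirm the echo symptom discussed in this thread is to scan the failed-attempts export for usernames that are fragments of the login banner and count them per device. The banner text, CSV rows and column names (`User-Name`, `NAS-IP-Address`) are constructed assumptions; adjust them to the real export.

```python
import csv
import io
import re

# Constructed sample data: the banner and CSV rows are invented for illustration.
BANNER = """*** Authorized access only ***
This system is monitored. Disconnect now if you are not authorized."""

SAMPLE_CSV = """Date,Time,User-Name,NAS-IP-Address,Failure
06/18/2007,06:01:10,navneet,10.0.0.1,CS password invalid
06/18/2007,06:02:41,Authorized access,10.0.0.2,CS user unknown
06/18/2007,06:02:44,is monitored. Dis,10.0.0.2,CS user unknown
06/18/2007,06:05:03,rick,10.0.0.3,CS user unknown
"""

def _norm(text):
    """Collapse whitespace and lowercase so banner line wraps do not matter."""
    return re.sub(r"\s+", " ", text).strip().lower()

def flag_banner_echo(csv_text, banner, user_col="User-Name", min_len=4):
    """Return rows whose username field is a fragment of the banner text."""
    banner_norm = _norm(banner)
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = _norm(row.get(user_col) or "")
        # Very short strings can match by chance, so require a minimum length.
        if len(user) >= min_len and user in banner_norm:
            hits.append(row)
    return hits

def echoing_devices(csv_text, banner, nas_col="NAS-IP-Address"):
    """Count banner-fragment failures per reporting device (assumed column)."""
    counts = {}
    for row in flag_banner_echo(csv_text, banner):
        counts[row[nas_col]] = counts.get(row[nas_col], 0) + 1
    return counts

if __name__ == "__main__":
    for device, n in echoing_devices(SAMPLE_CSV, BANNER).items():
        print(f"{device}: {n} failed attempts with banner text as username")
```

Devices that show up in this count are the ones where banner output is being fed back as login input, which narrows the check to the line or modem attached to them.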

Manjunatha Jayaram Mon, 06/18/2007 - 06:38

I have already gone thru this... but we don't have anything for out of band management.

We only have a modem for the serial link.

Rgds

Richard Burts Mon, 06/18/2007 - 09:05

Navneet

If authentication works when using ISDN and does not work when using serial, then I would ask that you make another attempt using the serial and then to check the Failed Attempts report and see if it gives some error such as unknown host or invalid key or some other type of error indicator.

If we knew what is causing the failure when using the serial we might be able to suggest a better solution.

HTH

Rick

Manjunatha Jayaram Mon, 06/18/2007 - 23:40

Rick,

We have already tried. And as mentioned above, in the failed attempts report we get the "part of banner" in the username.

Navneet
