
Authentication Failure thru TACACS

Hi,

We are unable to log in thru TACACS when we are connected thru the serial link, but the TACACS authentication happens when we use ISDN. The issue is observed at 2 locations; other locations are working fine and the configuration seems to be ok. We have ACS installed on Windows as the TACACS server. One more thing which is noticeable is that when we check the logs in ACS it shows part of the Banner in the Username field of the Failed Authentication.csv file.

Pls. let me know if someone has faced a similar issue and how it was resolved.

Thanking u in anticipation.

Regards,

Navneet


somishra
Cisco Employee

Can you attach the show run from the router?

Pls. find the "sh ver" and "sh run" attached.

Did you change the RegEx expression for the prompt from > or # to something else?

From your configuration I don't see the authoritative source for your devices' AAA messages defined; it should be something like "ip tacacs source-interface Loopback0", which will match up with your authentication profile on the TACACS+ server. Do the authentication profile and origination match if the request is made from the serial attempt vs the ISDN attempt?

I have already checked by giving "ip tacacs source-interface Loopback0" but even then the issue was the same...

When we request from serial, what we get in the profile is part of the Banner... but when we try thru ISDN we get the correct username and profile.

Rgds

Do you have any modem or terminal server connected to this device for out of band management?

In these types of issues the problem is with the modem or term server. It echoes back exec information from the console. The console interprets these messages as login requests. This is extremely common. If that is the case then we need to reconfigure the modem or term server so that it does not echo.

If it's an IOS terminal server, the "no exec" command resolves the issue. If it is a modem, it must be reconfigured so that it no longer echoes.

Hope that helps !

Regards,

Jagdeep
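
One way to confirm the pattern discussed in this thread (banner text arriving in the username field of the ACS failed-attempts CSV) and to see which line it arrives on. This is an added example, not part of the original posts; the column names, the banner and the log rows are constructed assumptions, so adjust them to the real export.

```python
import csv
import io
import re
from collections import Counter

# Constructed login banner (assumption: replace with the device's real banner).
BANNER = """*** Authorized access only ***
Unauthorized use of this system is prohibited"""

# Constructed sample rows; the column names are assumptions about the export.
SAMPLE_CSV = """Date,Time,User-Name,NAS-Port,NAS-IP-Address,Authen-Failure-Code
01/02/2006,10:01:11,Unauthorized use,tty1,192.0.2.10,CS user unknown
01/02/2006,10:01:14,of this system,tty1,192.0.2.10,CS user unknown
01/02/2006,10:05:40,jdoe,tty66,192.0.2.10,CS password invalid
01/02/2006,10:07:02,*** Authorized,tty1,192.0.2.20,CS user unknown
"""


def normalize(text):
    """Collapse whitespace and lowercase so line breaks in the banner do not matter."""
    return re.sub(r"\s+", " ", text).strip().lower()


def banner_echo_rows(csv_text, banner, user_col="User-Name", min_len=4):
    """Return failed-attempt rows whose username is a fragment of the banner.

    min_len avoids flagging very short real usernames that happen to
    occur inside the banner text.
    """
    banner_norm = normalize(banner)
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = normalize(row.get(user_col) or "")
        if len(user) >= min_len and user in banner_norm:
            hits.append(row)
    return hits


def lines_receiving_echo(rows, nas_col="NAS-IP-Address", port_col="NAS-Port"):
    """Count banner-echo failures per (device, line) to locate the echoing link."""
    return Counter((r.get(nas_col, ""), r.get(port_col, "")) for r in rows)


if __name__ == "__main__":
    flagged = banner_echo_rows(SAMPLE_CSV, BANNER)
    for (nas, port), count in lines_receiving_echo(flagged).most_common():
        print(f"{nas} {port}: {count} failed logins with banner text as username")
```

A line that accumulates these rows is receiving the device's own output back as input, which matches the echo explanation given in the reply above.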

I have already gone thru this... but we don't have anything for out of band management.

We only have a modem for the serial link.

Rgds

Navneet

If authentication works when using ISDN and does not work when using serial, then I would ask that you make another attempt using the serial and then to check the Failed Attempts report and see if it gives some error such as unknown host or invalid key or some other type of error indicator.

If we knew what is causing the failure when using the serial we might be able to suggest a better solution.

HTH

Rick

Rick,

We have already tried. And as mentioned above, in the failed attempts report we get the "part of banner" in the username.

Navneet
