06-17-2007 11:57 PM - edited 03-10-2019 03:13 PM
Hi,
We are unable to log in through TACACS when we are connected through the serial link, but the TACACS authentication happens when we use ISDN. The issue is observed at 2 locations; other locations are working fine and the configuration seems to be OK. We have ACS installed on Windows as the TACACS server. One more thing which is noticeable is that when we check the logs in ACS, it shows part of the banner in the Username field of the Failed Authentication.csv file.
Please let me know if someone has faced a similar issue and how it was resolved.
Thanking you in anticipation.
Regards,
Navneet
06-18-2007 03:59 AM
Can you attach the show run from the router?
06-18-2007 04:05 AM
06-18-2007 05:07 AM
Did you change the RegEx expression for the prompt from > or # to something else?
From your configuration I don't see the authoritative source for your devices' AAA messages defined. It should be something like "ip tacacs source-interface Loopback0", which will match up with your authentication profile on the TACACS+ server. Do the authentication profile and origination match if the request is made from the serial attempt vs. the ISDN attempt?
06-18-2007 06:12 AM
I have already checked by giving "ip tacacs source-interface loopback0", but even then the issue was the same...
When we request from serial, what we get in the profile is part of the banner... but when we try through ISDN we get the correct username and profile.
Rgds
06-18-2007 06:36 AM
Do you have any modem or terminal server connected to this device for out of band management?
In these types of issues the problem is with the modem or terminal server. It echoes back exec information from the console. The console interprets these messages as login requests. This is extremely common. If that is the case, then we need to reconfigure the modem or terminal server so that it does not echo.
If it's an IOS terminal server, the "no exec" command resolves the issue. If it is a modem, it must be reconfigured so that it no longer echoes.
Hope that helps !
Regards,
Jagdeep
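A check for the symptom discussed in this thread, as an added example that is not part of any poster's reply: it flags failed-attempt usernames that are really fragments of the device login banner and groups them by NAS address and port, which points at the line where output is being echoed back as login input. The CSV column names, banner text, usernames and addresses are constructed for illustration and are not taken from an ACS export.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample data. Column names are assumed, not copied from a real ACS report.
SAMPLE_CSV = """Date,Time,User-Name,Authen-Failure-Code,NAS-Port,NAS-IP-Address
06/18/2007,09:10:01,navneet,CS password invalid,tty66,192.0.2.1
06/18/2007,09:12:44,access is prohibited,CS user unknown,tty0,192.0.2.2
06/18/2007,09:12:45,** Unauthorized,CS user unknown,tty0,192.0.2.2
06/18/2007,09:13:02,jsmith,CS user unknown,tty2,192.0.2.3
"""

# Constructed banner; in practice paste the text of the device's configured banner.
BANNER = "** Unauthorized access is prohibited **\nAll activity is logged."


def normalize(text):
    """Collapse whitespace and case so line breaks in the banner do not matter."""
    return re.sub(r"\s+", " ", text).strip().lower()


def is_banner_fragment(username, banner, min_len=4):
    """True when the submitted 'username' is a substring of the banner text."""
    candidate = normalize(username)
    # Very short strings are skipped to avoid matching real short usernames.
    return len(candidate) >= min_len and candidate in normalize(banner)


def find_echoed_banner(csv_text, banner):
    """Group banner-like usernames by (NAS address, NAS port)."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_banner_fragment(row["User-Name"], banner):
            hits[(row["NAS-IP-Address"], row["NAS-Port"])].append(row["User-Name"])
    return dict(hits)


if __name__ == "__main__":
    for (nas, port), names in find_echoed_banner(SAMPLE_CSV, BANNER).items():
        print(f"{nas} {port}: {len(names)} banner fragment(s) submitted as username: {names}")
```

Hits concentrated on one port of one NAS identify the line to inspect for an attached device that echoes.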
06-18-2007 06:38 AM
I have already gone through this... but we don't have anything for out-of-band management.
We only have modem for serial link.
Rgds
06-18-2007 09:05 AM
Navneet
If authentication works when using ISDN and does not work when using serial, then I would ask that you make another attempt using the serial and then to check the Failed Attempts report and see if it gives some error such as unknown host or invalid key or some other type of error indicator.
If we knew what is causing the failure when using the serial we might be able to suggest a better solution.
HTH
Rick
06-18-2007 11:40 PM
Rick,
We have already tried. And as mentioned above, in the Failed Attempts report we get the "part of banner" in the username.
Navneet