07-16-2007 02:54 AM - edited 03-10-2019 03:16 PM
Hi,
I've just tried putting TACACS onto a 7206 VXR (124-4.XD4) and am getting the following error: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
Config is vanilla and has been used on other switches/routers in the network:
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec start-stop tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated local
aaa authorization commands 0 default group tacacs+ if-authenticated local
aaa authorization commands 15 default group tacacs+ if-authenticated local
!
tacacs-server key xxx
tacacs-server host x.x.x.x
I've been unable to find any bugs or info relating to this error on the web. Has anyone else seen this problem?
Cheers.
07-16-2007 11:38 AM
Can you remove
aaa accounting exec start-stop tacacs+
and enter
aaa accounting exec default start-stop group tacacs+
Hope this helps.
Regards
Rohit
07-16-2007 11:59 PM
Hi Rohit,
Thanks for the feedback. I've removed the command and the issue still appears to be that the router doesn't recognise TACACS, although it accepts the commands. When the config is applied it bypasses TACACS for authentication and goes to the enable password. The server's reachable via ICMP but showing failed connect attempts along with the AAA-3-BADSERVERTYPEERROR in the log. I've rolled out the same config across multiple platforms in the network. It's just this box that's sulking.
B2UL-bord1#sh tacac
Tacacs+ Server : 10.2.2.66/49
Socket opens: 33
Socket closes: 33
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 29
Total Packets Sent: 0
Total Packets Recv: 0
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key xxx
Cheers
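Two things in this thread lend themselves to a small tool: Rohit's point that the legacy `aaa accounting exec start-stop tacacs+` form should be written with a method list (`default`) and the `group` keyword, and the `sh tacacs` counters above, where "Failed Connect Attempts: 29" with "Total Packets Sent: 0" means the TCP connection to port 49 never completes, so nothing at the TACACS+ layer (key, users, profiles) is being exercised yet. The following is an added example, not code from the thread or from Cisco: it parses `show tacacs` output, classifies the failure layer, and lints `aaa` lines for bare server-type methods. The sample output and config are constructed to mirror the posts; the counter names assumed are the ones shown in the thread.

```python
import re

# Constructed sample, modelled on the "sh tacacs" counters posted in the thread.
SAMPLE_SHOW_TACACS = """\
Tacacs+ Server : 10.2.2.66/49
Socket opens: 33
Socket closes: 33
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 29
Total Packets Sent: 0
Total Packets Recv: 0
"""

# Constructed sample config: one legacy accounting line, the rest in method-list form.
SAMPLE_AAA_CONFIG = [
    "aaa new-model",
    "aaa authentication login default group tacacs+ enable",
    "aaa accounting exec start-stop tacacs+",
    "aaa accounting commands 15 default start-stop group tacacs+",
    "aaa authorization exec default group tacacs+ if-authenticated local",
]

SERVER_RE = re.compile(r"^\s*Tacacs\+ Server\s*:\s*(\S+)")
COUNTER_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\d+)\s*$")


def parse_show_tacacs(text):
    """Return (server, {counter name: int}) from 'show tacacs' output."""
    server, counters = None, {}
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            server = m.group(1)
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1).strip().lower()] = int(m.group(2))
    return server, counters


def classify_tacacs_health(counters):
    """Map the counters to the layer at which TACACS+ is failing."""
    failed = counters.get("failed connect attempts", 0)
    sent = counters.get("total packets sent", 0)
    recv = counters.get("total packets recv", 0)
    timeouts = counters.get("socket timeouts", 0)
    if failed and sent == 0:
        # TCP/49 never completes: routing, NAT, an ACL, or nothing listening.
        return "transport-failure"
    if sent and recv == 0:
        # Connection works but the daemon never answers: shared key or the
        # server-side client/profile definition are the usual suspects.
        return "no-response"
    if timeouts:
        return "timeouts"
    return "ok"


# Legacy (pre-method-list) accounting syntax: no list name, no 'group' keyword.
LEGACY_ACCT_RE = re.compile(
    r"^(aaa accounting (?:exec|network|connection|system|commands \d+)) "
    r"(start-stop|stop-only|wait-start|none) (tacacs\+|radius)$"
)
# A server type used as a method without the 'group' keyword in front of it.
BARE_METHOD_RE = re.compile(r"(?<!group )\b(tacacs\+|radius)(?=\s|$)")


def modernize_accounting_line(line):
    """Rewrite the legacy accounting form into named-list syntax."""
    m = LEGACY_ACCT_RE.match(line.strip())
    if not m:
        return line
    return f"{m.group(1)} default {m.group(2)} group {m.group(3)}"


def lint_aaa_config(lines):
    """Return (original, suggested) pairs for aaa lines with bare server-type methods."""
    findings = []
    for line in lines:
        s = line.strip()
        if s.startswith("aaa ") and BARE_METHOD_RE.search(s):
            findings.append((s, modernize_accounting_line(s)))
    return findings


if __name__ == "__main__":
    server, counters = parse_show_tacacs(SAMPLE_SHOW_TACACS)
    print(f"{server}: {classify_tacacs_health(counters)}")
    for orig, fixed in lint_aaa_config(SAMPLE_AAA_CONFIG):
        print(f"- {orig}\n+ {fixed}")
```

On the sample above the classifier reports `transport-failure`, which is the cue to look at reachability of TCP/49 (routing, NAT, ACLs, the configured `ip tacacs source-interface`) before touching keys or server-side profiles; the linter rewrites the one legacy line to `aaa accounting exec default start-stop group tacacs+`, the same form Rohit suggested.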
07-17-2007 02:22 AM
Does your authentication profile on the AAA server match the origination of the request from the router? What does your failed attempts log look like on the server? Is there an IP address from that router? I would think so, since the socket open was successful.
Usually you'd specify the originating interface on the router with a global statement (ip tacacs source-interface Loopback0, for example) which has to match up with an authentication profile for TACACS+ on the server. It's down near the bottom of a typical configuration, right above the banner section.
07-17-2007 04:54 AM
Enable the following debugs:
debug aaa authentication
debug aaa authorization
debug aaa accounting
debug tacacs
terminal monitor
Then try to authenticate.
Let us know what you get in the debugs.
Regards
Rohit
07-18-2007 01:24 AM
Guys, thanks for the continued input. Debugs attached, and I also added the tacacs source interface command. From the debugs it appears that the TACACS server is not responding. The server logs didn't come up with anything, although it's still reachable via ICMP. Think the problem is possibly with the fact that the router is on a public range and the server is on a private range - NAT/PAT may be hindering the authentication? Worked a treat for everything on the private network. Any other ideas? There is nothing explicitly set up on the TAC_plus server to allow specific ranges.
Cheers.
07-18-2007 06:06 AM
The debugs clearly say that the server is not reachable.
Do check the proxy distribution table in ACS and see if it is set up to forward requests to any other server. (If you do not see the proxy distribution table in Network Config., enable Distributed System Settings from Interface Config.)
If it is set up to forward to some other server, configure it to forward to its own name.
Taking a sniffer trace might help to check if the request is reaching ACS or dropping somewhere along the path.
Regards
Rohit