aaa config question

Feb 6th, 2008

I have configured AAA on two routers. When I telnet into them, one works fine with the ACS server. The other router returns a password prompt (enable secret). Both configs appear to have the same AAA code. Is this an AAA issue?

syedsohailsarwar Wed, 02/06/2008 - 10:35

Hi

TACACS+ Operation

Three possible activities can be performed during TACACS+ operation. The first operation performed is authentication. This is done to clearly identify the user. The second operation is authorization, and it is possible only once a user has been identified. Therefore, you must authenticate prior to authorizing. The third operation is accounting. The accounting process keeps track of actions performed. The three processes are each independent of the others.

TACACS+ and Authentication

When authentication is performed in TACACS+, three distinct packet exchanges take place. The three types of packets are:

START: This packet is used initially when the user attempts to connect.

REPLY: Sent by the AAA server during the authentication process.

CONTINUE: Used by the AAA client to return the username and password to the AAA server.

START and CONTINUE packets are always sent by the AAA client, and REPLY packets are always sent by the TACACS+ server.
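The START / REPLY / CONTINUE exchange described above, as an added example that is not part of the original thread: a toy Python model of an RFC 8907 ASCII login, including the body obfuscation (chained MD5 over session id, shared key, version and sequence number) that both ends must compute with the same key. The server is an in-process stand-in for the ACS that keeps an AAA-client table keyed by the client's source IP, the same list the later posts end up fixing. The key, users, addresses, and the "unknown source address gets no REPLY at all" behaviour are all assumptions of this example, not documented ACS behaviour.

```python
# Added example (not from the thread, not Cisco code): toy TACACS+ (RFC 8907)
# ASCII login exchange. Key, users and addresses are constructed test data; the
# server runs in-process (no TCP/49), and "unknown client gets no REPLY" is an
# assumption chosen to model the symptom in the thread.
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0      # major version 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01       # header type: authentication
AUTHEN_LOGIN = PRIV_LVL_USER = AUTHEN_TYPE_ASCII = AUTHEN_SVC_LOGIN = 1
PASS, FAIL, GETUSER, GETPASS, ERROR = 1, 2, 4, 5, 7
STATUS = {PASS: "PASS", FAIL: "FAIL", 3: "GETDATA", GETUSER: "GETUSER", GETPASS: "GETPASS", ERROR: "ERROR"}


def pseudo_pad(session_id, key, seq_no, length):
    """Body obfuscation: chained MD5(session_id + key + version + seq_no [+ previous digest])."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([TAC_PLUS_VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def wrap(session_id, key, seq_no, body):
    """12-byte cleartext header + (body XOR pseudo-pad). Client packets use odd seq_no, server even."""
    hdr = struct.pack("!BBBB4sI", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return hdr + bytes(b ^ p for b, p in zip(body, pad))


def unwrap(packet, key):
    """Return (seq_no, session_id, cleartext body); a wrong key simply yields garbage."""
    _v, _t, seq_no, _f, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    pad = pseudo_pad(session_id, key, seq_no, length)
    return seq_no, session_id, bytes(b ^ p for b, p in zip(packet[12:12 + length], pad))


# Body layouts of the three authentication packet types.
def start_body(port=b"tty0", rem_addr=b"192.0.2.10"):
    user = data = b""            # ASCII login: the server asks for the username afterwards
    return struct.pack("!8B", AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), len(data)) + user + port + rem_addr + data

def reply_body(status, server_msg=b""):
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg

def parse_reply(clear):
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", clear[:6])
    return STATUS.get(status, "UNKNOWN"), clear[6:6 + msg_len].decode("ascii", "replace")

def continue_body(user_msg):
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg

def parse_continue(clear):
    msg_len, _data_len, _flags = struct.unpack("!HHB", clear[:5])
    return clear[5:5 + msg_len]


class ToyTacacsServer:
    """Knows its AAA clients by source IP (-> shared key), like the AAA client list on ACS."""
    def __init__(self, clients, users):
        self.clients, self.users, self.sessions = clients, users, {}

    def handle(self, src_ip, packet):
        key = self.clients.get(src_ip)
        if key is None:
            return None                          # unknown AAA client: no REPLY at all (assumption)
        seq_no, sid, clear = unwrap(packet, key)
        if seq_no == 1:                          # START
            lens = struct.unpack("!8B", clear[:8])[4:]
            if 8 + sum(lens) != len(clear):      # body does not parse: shared-key mismatch
                return wrap(sid, key, 2, reply_body(ERROR, b"key mismatch"))
            self.sessions[sid] = None
            return wrap(sid, key, 2, reply_body(GETUSER, b"Username: "))
        if seq_no == 3:                          # CONTINUE carrying the username
            self.sessions[sid] = parse_continue(clear)
            return wrap(sid, key, 4, reply_body(GETPASS, b"Password: "))
        if seq_no == 5:                          # CONTINUE carrying the password
            ok = self.users.get(self.sessions.get(sid)) == parse_continue(clear)
            return wrap(sid, key, 6, reply_body(PASS if ok else FAIL))
        return wrap(sid, key, seq_no + 1, reply_body(ERROR))


def router_login(server, src_ip, key, username, password, session_id=b"\x00\x00\x00\x2a"):
    """AAA client side. Returns (final status, prompts the user would have seen)."""
    prompts = []
    reply = server.handle(src_ip, wrap(session_id, key, 1, start_body()))
    if reply is None:
        return "NO_REPLY", prompts               # IOS would now try the next login method
    for seq_no, answer in ((3, username), (5, password)):
        status, prompt = parse_reply(unwrap(reply, key)[2])
        if status not in ("GETUSER", "GETPASS"):
            return status, prompts
        prompts.append(prompt)
        reply = server.handle(src_ip, wrap(session_id, key, seq_no, continue_body(answer)))
    return parse_reply(unwrap(reply, key)[2])[0], prompts


ACS = ToyTacacsServer(clients={"10.0.0.1": b"s3cret"}, users={b"admin": b"pw"})

if __name__ == "__main__":
    print(router_login(ACS, "10.0.0.1", b"s3cret", b"admin", b"pw"))   # ('PASS', ['Username: ', 'Password: '])
    print(router_login(ACS, "10.0.0.2", b"s3cret", b"admin", b"pw"))   # ('NO_REPLY', [])
```

The second call is the failure mode of this thread: the router's START comes from an address the server has no entry (and so no key) for, no REPLY ever arrives, and the user never sees a Username: prompt. In IOS a login method list such as `aaa authentication login default group tacacs+ enable` falls through to the next method only when the TACACS+ server does not answer (an explicit FAIL is final), which is how a missing AAA-client entry shows up as the enable-password prompt described in the original post.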


witmer.bob Wed, 02/06/2008 - 11:12

Thank you! I am seeing the failed attempt on the ACS server. However, since the username prompt is never seen on the router, it appears the REPLY is not making it from ACS to the router.

Note: The failed attempt is instantaneous on the ACS server, no lengthy timeout. I can traceroute from ACS to the router without issue. Any thoughts?

witmer.bob Fri, 02/08/2008 - 05:38

The issue was fixed by extending the AAA client IP address on the ACS server.

Jagdeep Gambhir Fri, 02/08/2008 - 06:21

Another way is to use the ip tacacs source-interface command on the router, so that the router will always use that specific interface to send TACACS+ packets.

Here the interface is the one whose IP address is the one entered under AAA Clients in ACS.

It is recommended to use this command on layer 3 devices.

Regards,

~JG
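To check the point of the last two posts across many routers, here is an added Python example (not from the thread and not Cisco's code): it parses a constructed IOS running-config, works out which interface address the router will stamp on its TACACS+ packets, and compares that with a constructed list of ACS AAA-client addresses. The hostnames, addresses and the use of CIDR notation for ACS client ranges are assumptions of this example.

```python
# Added example (not from the thread, not Cisco code): audit where a router's
# TACACS+ packets are sourced from and whether that address is an AAA client on
# the ACS. Config text, addresses and the ACS client list are constructed.
import ipaddress
import re

PINNED_CONFIG = """\
hostname rtr1
aaa new-model
aaa authentication login default group tacacs+ enable
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.0.2.10 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 198.51.100.10 255.255.255.0
!
tacacs-server host 10.10.10.5
tacacs-server key s3cret
ip tacacs source-interface Loopback0
"""
# Same router without the source-interface line: each TACACS+ packet is then
# sourced from whichever interface the route to 10.10.10.5 happens to use.
UNPINNED_CONFIG = PINNED_CONFIG.replace("ip tacacs source-interface Loopback0\n", "")


def parse_interfaces(config):
    """Map interface name -> IPv4 address from 'interface X' / ' ip address A M' stanzas."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
        elif current and line.startswith(" "):
            m = re.match(r"^\s+ip address (\d+\.\d+\.\d+\.\d+) \d", line)
            if m:
                ifaces[current] = m.group(1)
        else:
            current = None          # left the stanza ('!' or another top-level command)
    return ifaces


def tacacs_source_interface(config):
    m = re.search(r"^ip tacacs source-interface (\S+)", config, re.M)
    return m.group(1) if m else None


def audit_tacacs_source(config, acs_clients):
    """acs_clients: addresses or CIDR ranges entered as AAA clients on the ACS
    (CIDR is a convenience of this example; ACS expresses ranges differently)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in acs_clients]
    known = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    ifaces = parse_interfaces(config)
    name = tacacs_source_interface(config)
    if name is None:
        unlisted = sorted(ip for ip in ifaces.values() if not known(ip))
        return {"source": None, "ok": not unlisted,
                "note": "no ip tacacs source-interface; source IP follows routing; "
                        "unlisted candidate IPs: " + (", ".join(unlisted) or "none")}
    ip = ifaces.get(name)
    if ip is None:
        return {"source": name, "ok": False, "note": f"{name} has no IPv4 address"}
    return {"source": name, "ok": known(ip),
            "note": f"{ip} is an ACS AAA client" if known(ip) else f"{ip} is not an ACS AAA client"}


if __name__ == "__main__":
    for cfg in (PINNED_CONFIG, UNPINNED_CONFIG):
        print(audit_tacacs_source(cfg, ["10.0.0.1"]))
```

Without `ip tacacs source-interface` the audit can only list candidates, because the real source address is whatever interface the route to the TACACS+ server uses and changes whenever routing does; pinning it to a loopback, as the post above recommends, gives the ACS one stable address to hold as the AAA client entry.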