Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
567
Views
5
Helpful
4
Replies

aaa config question

witmer.bob
Level 1
Level 1

‎02-06-2008 10:26 AM - edited ‎03-10-2019 03:38 PM

I have configured aaa on two routers. When I telnet into them, one works fine with the ACS server. The other router returns a password prompt (enable secret). Both configs appear to have same aaa code. Is this an aaa issue?

Labels:
0 Helpful
4 Replies 4

syedsohailsarwar
Level 1
Level 1

‎02-06-2008 10:35 AM

Hi

TACACS+ Operation

Three possible activities can be performed during TACACS+ operation. The first operation performed is authentication. This is done to clearly identify the user. The second operation is authorization and is possible only once a user has been identified. Therefore, you must authenticate prior to authorizing. The third operation is accounting. The accounting process keeps track of actions performed. The three processes are each independent of the other.

TACACS+ and Authentication

When authentication is performed in TACACS+, three distinct packet exchanges take place. The three types of packets are

START This packet is used initially when the user attempts to connect.

REPLY Sent by the AAA server during the authentication process.

CONTINUE Used by the AAA client to return username and password to the AAA server

START and CONTINUE packets are always sent by the AAA client, and REPLY packets are always sent by the TACACS+ server

witmer.bob
Level 1
Level 1
In response to syedsohailsarwar

‎02-06-2008 11:12 AM

Thank you! I am seeing the failed attempt on the ACS server. However, since the Uname prompt is never seen on the rtr, it appears the REPLY is not making it from ACS to rtr.

Note: The failed attempt is instantaneous on the ACS server, no lengthy timeout. I can trace route from ACS to rtr without issue. Any thoughts?

0 Helpful

witmer.bob
Level 1
Level 1

‎02-08-2008 05:38 AM

Issue was fixed by extending the aaa client IP address on ACS server.

0 Helpful

Jagdeep Gambhir
Level 10
Level 10
In response to witmer.bob

‎02-08-2008 06:21 AM

Other way can be to use ip tacacs source -interface command on the router. So that, router will always use that specific interface to send tacacs packets.

Where interface would be the IP that is mentioned in acs, aaa-clients

It is recommended to use this command on layer 3 devices.

Regards,

~JG

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents