Tacacs+ authentication errors

Answered Question
May 9th, 2008

I am having problems getting TACACS+ AAA working with my 3560 switches. I have set up users, groups, and NDGs on ACS SE as per the CS ACS course material and have triple-checked my keys to make sure they match. I have attached the debug output from the switch for authentication, authorization and TACACS+. Can someone please tell me what I am doing wrong?

Jagdeep Gambhir Fri, 05/09/2008 - 06:36

This seems to be a key mismatch. Please note that if you also have an NDG key configured, that can cause a key mismatch.

Important: the NDG key overwrites the AAA-client key.

Please use the same key for NDG and client or simply remove the NDG key.

Regards,

~JG

Do rate helpful posts

dguse Fri, 05/09/2008 - 07:31

I did match all the keys, but I just tried deleting the NDG key and retested, and got the same results. The switch comes back with "% Backup authentication".

Also note that in the Failed Attempts report, I can change the keys so they don't match and get an "Authentication Failed, key mismatch" entry in the report. When the keys match there is no entry in the Failed Attempts report and no entry in the Passed Authentications report. The TACACS+ Accounting report shows an entry for the username I am using, with the start acct flag and service shell.

Jagdeep Gambhir Fri, 05/09/2008 - 07:48

On layer 3 devices, other than the normal AAA commands, we also need to define the TACACS+ source interface so that the device uses only that interface for sending TACACS+ requests to ACS.

AAA-Switch(config)#ip tacacs source-interface (VLAN, loopback or Gigabit interface)

In the above command we need to define the interface whose address is listed under ACS ---> Network Configuration ---> Router.

Regards,

~JG

dguse Fri, 05/09/2008 - 08:19

Here is the config I have on the switch (sorry, I should have sent this already).

aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication login no_aaa none
aaa authorization exec default group tacacs+ none
aaa authorization exec no_aaa none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization commands 15 no_aaa none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
!
interface VLAN1
 ip address 10.200.1.16 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
ip tacacs source-interface VLAN1
!
tacacs-server host 10.200.35.250
tacacs-server key cisco
!
line con 0
 authorization commands 15 no_aaa
 authorization exec no_aaa
 login authentication no_aaa
 transport input none
 stopbits 1
line vty 5 15
!
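Two things in this thread are worth checking mechanically: the `ip tacacs source-interface` must resolve to the address ACS has for the AAA client, and a method list ending in `none` falls open (unauthenticated or unauthorized access) whenever every TACACS+ server is unreachable. The script below is an added example, not code from the thread or from Cisco; its config text is a trimmed copy of the switch config above, and the ACS client address set is a constructed assumption.

```python
import re
# Constructed sample: a trimmed copy of the switch config posted above.
SWITCH_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication login no_aaa none
aaa authorization exec default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
interface VLAN1
 ip address 10.200.1.16 255.255.255.0
ip tacacs source-interface VLAN1
tacacs-server host 10.200.35.250
"""
# Assumption: the AAA-client addresses entered under ACS -> Network Configuration.
ACS_AAA_CLIENTS = {"10.200.1.16"}

def interface_addresses(config):
    """Map interface name (lower-cased) -> IPv4 address from its stanza."""
    addrs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1).lower()
            continue
        m = re.match(r"\s*ip address (\S+) \S+", line)
        if m and current:
            addrs[current] = m.group(1)
    return addrs

def tacacs_source_ip(config):
    """Address the switch sources TACACS+ from, or None if it is not pinned."""
    m = re.search(r"^ip tacacs source-interface (\S+)", config, re.M)
    if not m:
        return None
    return interface_addresses(config).get(m.group(1).lower())

def check_tacacs_config(config, acs_clients=ACS_AAA_CLIENTS):
    """Findings: source address unknown to ACS, plus open 'none' fallbacks."""
    findings = []
    src = tacacs_source_ip(config)
    if src is None:
        findings.append("no ip tacacs source-interface resolving to an address")
    elif src not in acs_clients:
        findings.append(f"source {src} is not an AAA client in ACS")
    # A trailing 'none' lets the session through unauthenticated/unauthorized when
    # every TACACS+ server is unreachable: fine on a console-only list, not on default.
    for line in config.splitlines():
        if line.startswith("aaa auth") and line.split()[-1] == "none":
            findings.append(f"open fallback: {line}")
    return findings
```

Run it against the real running config (`show running-config`) and the AAA-client list exported from ACS; the `no_aaa` list is the one case where `none` is intended, since it is applied only to the console line.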

dguse Thu, 05/15/2008 - 05:49

Any other ideas?

As a test, I set up a Windows server and installed ACS 4.1(2) Build 23 on it. I put the same config on it as on the SE and it works. I have checked the config on both the Windows box and the SE and they are the same from what I can tell.

Please help!!

dguse Fri, 05/16/2008 - 03:33

Yes, but I am only using one. We have fully tested RADIUS and TACACS+ on the Windows ACS and everything is working perfectly. I can't figure out why the SEs will not.

Correct Answer
Jagdeep Gambhir Sat, 05/17/2008 - 04:54

Ohh, so it's the SE that is not working.

Do this: ACS ---> Network Configuration ---> Proxy Distribution Table ---> click on "default" ---> if you see delivenrance 1 under "AAA Server" ---> drag it to "Forward To" ---> and whatever is there under "Forward To" ---> drag it to "AAA Server" ---> Submit + Apply.

It should work now.

If you don't see the Proxy Distribution option, go to ACS ---> Interface Configuration ---> Advanced Options ---> enable the distributed table.

Regards,

~JG
