Tacacs+ authentication errors

dguse
Level 1

I am having problems getting TACACS+ AAA working with my 3560 switches. I have set up users, groups and NDGs on ACS SE as per the CS ACS course material and have triple-checked my keys to make sure they match. I have attached debug output from the switch for authentication, authorization and TACACS+. Can someone please tell me what I am doing wrong?


9 Replies

Jagdeep Gambhir
Level 10

This seems to be a key mismatch. Please note that if you also have an NDG key configured, that can cause a key mismatch.

Important: the NDG key overrides the AAA client key.

Please use the same key for the NDG and the client, or simply remove the NDG key.

Regards,

~JG

Do rate helpful posts
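For anyone debugging the "key mismatch" symptom above, it helps to see what the shared key actually does on the wire. The following is an added example, not code from this thread or from Cisco: it implements the TACACS+ body obfuscation from RFC 8907 (an MD5 pseudo-pad XORed over the body; the 12-byte header is never encrypted) and shows what the server sees when it un-obfuscates with a different key than the switch used. The username, port, remote address and session ID are constructed for the example.

```python
"""TACACS+ body obfuscation and what a shared-key mismatch looks like on the wire.

Added example, not code from the forum thread or from Cisco. Implements the
RFC 8907 body obfuscation and shows why a server logs "key mismatch" when
the switch and server keys differ: un-obfuscating with the wrong key yields
pseudo-random bytes whose embedded length fields no longer add up.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0     # major version 0xc, minor version 0 (default)
TAC_PLUS_AUTHEN = 0x01      # packet type: authentication
AUTHEN_LOGIN = 0x01         # START action
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id | key | version | seq_no),
    MD5_n = MD5(session_id | key | version | seq_no | MD5_{n-1}),
    concatenated until at least `length` bytes exist, then truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same
    call un-obfuscates a received body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Serialize an authentication START body (ASCII login, privilege level 1)."""
    fixed = struct.pack("!8B", AUTHEN_LOGIN, 1, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Cleartext 12-byte header (version, type, seq_no, flags, session_id, length)
    followed by the obfuscated body. flags=0 means the body is obfuscated."""
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def server_decode(packet: bytes, server_key: bytes):
    """Server side: parse the header, un-obfuscate with the server's own key,
    then apply the consistency checks a daemon must do before trusting any
    field. Returns (fields or None, un-obfuscated body)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, server_key, version, seq_no)
    if len(body) < 8:
        return None, body
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if 8 + ulen + plen + rlen + dlen != len(body):
        return None, body   # lengths do not add up: almost certainly a key mismatch
    if action not in (1, 2, 3) or not 1 <= authen_type <= 6:
        return None, body   # enumerations out of range: same conclusion
    off = 8
    fields = {
        "action": action, "priv_lvl": priv_lvl,
        "user": body[off:off + ulen],
        "port": body[off + ulen:off + ulen + plen],
        "rem_addr": body[off + ulen + plen:off + ulen + plen + rlen],
    }
    return fields, body


def key_mismatch_demo(switch_key: bytes, server_key: bytes):
    """The switch obfuscates a START with switch_key; the server decodes it
    with server_key. Returns (fields_or_None, body_recovered_exactly)."""
    body = build_authen_start(b"testuser", b"tty1", b"10.200.1.16")  # constructed sample
    session_id = 0x1A2B3C4D  # constructed; a real client picks a random 32-bit value
    fields, decoded = server_decode(build_packet(body, session_id, switch_key), server_key)
    return fields, decoded == body


if __name__ == "__main__":
    print("same key :", key_mismatch_demo(b"cisco", b"cisco"))
    print("wrong key:", key_mismatch_demo(b"cisco", b"Cisco"))
```

With matching keys the server recovers the START body byte for byte and can read the username; with a key that differs in even one character (including case) the recovered bytes are pseudo-random, and the length-field check rejects them in practically every case, which is the condition ACS reports as "key mismatch". The header is cleartext, so a capture on port 49 shows the session ID and sequence numbers regardless of the key; only the body is protected, and only by MD5-derived keystream, which is why TACACS+ should run on a management network rather than across untrusted links.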

I did match all the keys, but I just tried deleting the NDG key and retesting, and got the same results. The switch comes back with "% Backup authentication".

Also note that in the Failed Attempts report, if I change the keys so they don't match, I get an "Authentication Failed, key mismatch" entry in the report. When the keys match there is no entry in the Failed Attempts report and no entry in the Passed Authentications report. The TACACS+ Accounting report shows an entry for the username I am using, with a start acct flag and service shell.

On Layer 3 devices, in addition to the normal AAA commands, we also need to define the TACACS+ source interface so that the device uses only that interface for sending TACACS+ requests to ACS.

AAA-Switch(config)#ip tacacs source-interface (VLAN, loopback or GigabitEthernet interface)

In the above command we need to define the interface whose address is listed under ACS ---> Network Configuration ---> Router.

Regards,

~JG

Here is the config I have on the switch (sorry, I should have sent this already).

aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication login no_aaa none
aaa authorization exec default group tacacs+ none
aaa authorization exec no_aaa none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization commands 15 no_aaa none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
interface VLAN1
 ip address 10.200.1.16 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
ip tacacs source-interface VLAN1
!
tacacs-server host 10.200.35.250
tacacs-server key cisco
!
line con 0
 authorization commands 15 no_aaa
 authorization exec no_aaa
 login authentication no_aaa
 transport input none
 stopbits 1
line vty 5 15
!

Any other ideas?

As a test, I set up a Windows server and installed ACS 4.1(2) Build 23 on it. I put the same config on it as on the SE, and it works. I have checked the config on both the Windows server and the SE and they are the same as far as I can tell.

Please help!!
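Two things in the config above are worth checking mechanically before chasing the ACS side: every method list ends in `none`, so if the TACACS+ server is unreachable (or, as in this thread, does not answer) the switch falls through and grants login and exec access with no authentication at all, and the source interface must resolve to the exact address ACS has for this AAA client. The following is an added example, not from this thread or from Cisco: a small Python audit over an IOS running-config. The sample config is constructed to mirror the one posted above (with the indentation IOS prints restored); the function and variable names are the example's own.

```python
"""Audit AAA method lists and the TACACS+ source interface in an IOS config.

Added example, not code from the forum thread or from Cisco. Reports:
  * authentication/authorization method lists whose last method is `none`
    (fail-open when every earlier method returns ERROR, e.g. server unreachable);
  * which `line` stanzas use those lists (a line with no explicit
    `login authentication` inherits `default`);
  * the IPv4 address behind `ip tacacs source-interface`, which must match
    the AAA client address configured on the ACS side.
"""
import re

# Constructed sample mirroring the config posted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication login no_aaa none
aaa authorization exec default group tacacs+ none
aaa authorization exec no_aaa none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization commands 15 no_aaa none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
interface VLAN1
 ip address 10.200.1.16 255.255.255.0
!
ip tacacs source-interface VLAN1
!
tacacs-server host 10.200.35.250
tacacs-server key cisco
!
line con 0
 authorization commands 15 no_aaa
 authorization exec no_aaa
 login authentication no_aaa
line vty 5 15
"""

# aaa <authentication|authorization> <login|exec|commands> [level] <list> <methods...>
AAA_RE = re.compile(r"^aaa (authentication|authorization) (\S+) (?:(\d+) )?(\S+) (.+)$")


def fail_open_method_lists(config: str):
    """(kind, subtype, listname) for every method list that ends in `none`."""
    findings = []
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if not m:
            continue
        kind, subtype, level, name, methods = m.groups()
        if methods.split()[-1] == "none":
            findings.append((kind, subtype + (" " + level if level else ""), name))
    return findings


def line_login_lists(config: str):
    """Map each `line ...` stanza to its login authentication list."""
    lists, current = {}, None
    for line in config.splitlines():
        if line.startswith("line "):
            current = line[5:].strip()
            lists[current] = "default"          # inherited unless overridden below
        elif not line.startswith(" "):
            current = None                      # left the stanza
        elif current and line.strip().startswith("login authentication "):
            lists[current] = line.split()[-1]
    return lists


def tacacs_source_address(config: str):
    """Resolve `ip tacacs source-interface X` to the address under `interface X`."""
    m = re.search(r"^ip tacacs source-interface (\S+)", config, re.M)
    if not m:
        return None
    iface, current = m.group(1).lower(), None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1].lower()
        elif not line.startswith(" "):
            current = None
        elif current == iface:
            a = re.match(r"\s+ip address (\d+\.\d+\.\d+\.\d+) ", line)
            if a:
                return a.group(1)
    return None


def audit(config: str) -> dict:
    """Combine the three checks into one report."""
    fail_open = fail_open_method_lists(config)
    open_names = {name for _, _, name in fail_open}
    exposed = {ln: lst for ln, lst in line_login_lists(config).items() if lst in open_names}
    return {
        "fail_open_lists": fail_open,
        "lines_failing_open": exposed,
        "tacacs_source_address": tacacs_source_address(config),
    }


if __name__ == "__main__":
    for k, v in audit(SAMPLE_CONFIG).items():
        print(f"{k}: {v}")
```

On the sample the audit lists all seven `none`-terminated method lists, shows that `vty 5 15` silently inherits the fail-open `default` list, and resolves the source interface to 10.200.1.16, the address the ACS AAA client entry has to carry. Using `none` on the console as a lockout safety net is a deliberate choice; using it as the last method on the vty default list means a dead or misconfigured TACACS+ server turns into passwordless remote access, so the usual pattern there is `group tacacs+ local` with a local emergency account rather than `none`.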

Do you have dual NICs on the ACS Windows server?

Regards,

~JG

Yes, but I am only using one. We have fully tested RADIUS and TACACS+ on the Windows ACS and everything is working perfectly. Can't figure out why the SEs will not.

Ohh, so it's the SE that is not working.

Do this: ACS ---> Network Configuration ---> Proxy Distribution Table ---> click on Default. If you see "delivenrance 1" under AAA Server, drag it to "Forward To", and whatever is under "Forward To", drag it to AAA Server, then Submit + Apply.

It should work now.

If you don't see the Proxy Distribution option, go to ACS ---> Interface Configuration ---> Advanced Options ---> enable the distributed table.

Regards,

~JG

That did it!!

Thank you!

Darren
