Help on ACS

Jun 10th, 2008

Hi,


I have freshly installed ACS 4.1 and am having trouble integrating it with the following for authentication.



<1> Cisco 4500 Router

<2> Cisco AiroNet-Access-Point


All admins for the 4500 should be authenticated via the ACS server, and in case the ACS server is down they should be authenticated via the local database.


All passed or failed attempts should be logged on ACS; all changes done on the devices (config changes / reboots) should be logged on ACS as well.


Can I get a link that shows the config part on the router and on ACS?

Jagdeep Gambhir Wed, 06/11/2008 - 04:52

Here are some useful links,


Command authorization on acs

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml


On router use these commands,


Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands


Use the authorization commands only if you set up command authorization.


Http authentication on AP

http://cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00804b9dbb.shtml


Eap authentication with radius,

http://cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml



Regards,

~JG


Do rate helpful posts

Amin Shaikh Wed, 06/11/2008 - 06:04

Thanks for your input.


What commands are required on the TTY and console lines?


What config is required on ACS to log the change activity done on the routers?


Before command authorization I would like to check/test only authentication on the routers using ACS, so should I use the following, or are additional commands required?



aaa new-model

aaa authentication login default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

username ABC priv 15 password 0000

tacacs-server host 192.168.1.100

tacacs-server directed-request

tacacs-server key password

!

line con 0

exec-timeout 0 0

password 7 0316425


line vty 0 4

exec-timeout 0 0

password 7 0707305




Jagdeep Gambhir Wed, 06/11/2008 - 06:19

If you want to record changes made by a user, you need to set up command accounting. Nothing is required on ACS.


aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+


You will find the command accounting logs in the TACACS+ Administration logs under Reports and Activity.



Regards,

~JG


Do rate helpful posts

Amin Shaikh Wed, 06/11/2008 - 08:32

I have done the following, but I don't get authenticated via ACS on the Catalyst 4500.


I checked the Failed Attempts log but there are no entries there. I am able to ping the switch from ACS and vice versa.


=============

aaa new-model

aaa authentication login default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

username ABC priv 15 password 0000

tacacs-server host 192.168.1.100

tacacs-server directed-request

tacacs-server key password

!

line con 0

exec-timeout 0 0

password xxx


line vty 0 4

exec-timeout 0 0

password xxx


=============================


Any clue?

Richard Burts Wed, 06/11/2008 - 13:39

Amin


My first guess would be that the source address used by the 4500 does not match the address configured in ACS for that device. In that case I would expect to find in the failed attempts some records indicating unknown NAS.


My second guess would be an issue with configuring the shared key between ACS and the 4500.


Probably the most effective way to find this problem would be to run some debugs on the 4500. Would you post the output from debug aaa authentication and from debug tacacs authentication.


HTH


Rick

Amin Shaikh Thu, 06/12/2008 - 02:47

Thanks, the key is correct.


The debug output for TACACS is:

======
3w1d: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 172.20.58.5(3457) -> 0.0.0.0(23), 1 packet
3w1d: TAC+: Opening TCP/IP to 192.168.2.55/49 timeout=5
3w1d: TAC+: Opened TCP/IP handle 0x42E08FCC to 192.168.2.55/49
3w1d: TAC+: periodic timer started
3w1d: TAC+: 192.168.2.55 req=42E07F24 Qd id=2386328461 ver=192 handle=0x42E08FCC (ESTAB) expire=5 AUTHEN/START/LOGIN/ASCII queued
3w1d: TAC+: 192.168.2.55 CLOSEWAIT id=2386328461 wrote 35 of 35 bytes
3w1d: TAC+: 192.168.2.55 req=42E07F24 Qd id=2386328461 ver=192 handle=0x42E08FCC (CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII sent
3w1d: TAC+: 192.168.2.55 read END-OF-FILE
3w1d: TAC+: req=42E07F24 Tx id=2386328461 ver=192 handle=0x42E08FCC (CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII processed
3w1d: TAC+: periodic timer stopped (queue empty)
3w1d: TAC+: Closing TCP/IP 0x42E08FCC connection to 192.168.2.55/49
3w1d: TAC+: Opening TCP/IP to 192.168.2.55/49 timeout=5
3w1d: TAC+: Opened TCP/IP handle 0x42E0916C to 192.168.2.55/49
3w1d: TAC+: periodic timer started
3w1d: TAC+: 192.168.2.55 req=42E073E4 Qd id=4289040243 ver=192 handle=0x42E0916C (ESTAB) expire=5 AUTHEN/START/LOGIN/ASCII queued
3w1d: TAC+: 192.168.2.55 CLOSEWAIT id=4289040243 wrote 35 of 35 bytes
3w1d: TAC+: 192.168.2.55 req=42E073E4 Qd id=4289040243 ver=192 handle=0x42E0916C (CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII sent
3w1d: TAC+: 192.168.2.55 read END-OF-FILE
3w1d: TAC+: req=42E073E4 Tx id=4289040243 ver=192 handle=0x42E0916C (CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII processed
3w1d: TAC+: periodic timer stopped (queue empty)
3w1d: TAC+: Closing TCP/IP 0x42E0916C connection to 192.168.2.55/49
3w1d: TAC+: Opening TCP/IP to 192.168.2.55/49 timeout=5
3w1d: TAC+: Opened TCP/IP handle 0x42E0916C to 192.168.2.55/49
3w1d: TAC+: periodic timer started
3w1d: TAC+: 192.168.2.55 req=42E0749C Qd id=3454695364 ver=192 handle=0x42E0916C (ESTAB) expire=5 AUTHEN/START/LOGIN/ASCII queued
3w1d: TAC+: 192.168.2.55 CLOSEWAIT id=3454695364 wrote 35 of 35 bytes
3w1d: TAC+: 192.168.2.55 req=42E0749C Qd id=3454695364 ver=192 handle=0x42E0916C (CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII sent
3w1d: TAC+: 192.168.2.55 read END-OF-FILE
3w1d: TAC+: req=42E0749C Tx id=3454695364 ver=192 handle=0x42E0916C (CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII processed
3w1d: TAC+: periodic timer stopped (queue empty)
3w1d: TAC+: Closing TCP/IP 0x42E0916C connection to 192.168.2.55/49
=========



Amin Shaikh Thu, 06/12/2008 - 03:04


3w1d: AAA/AUTHEN/CONT (2136902324): continue_login (user='neo')
3w1d: AAA/AUTHEN (2136902324): status = GETPASS
3w1d: AAA/AUTHEN/CONT (2136902324): Method=LOCAL
3w1d: AAA/AUTHEN (2136902324): User not found
3w1d: AAA/AUTHEN (2136902324): status = FAIL
3w1d: AAA/AUTHEN/ABORT: (2136902324) because Unknown.
3w1d: AAA/MEMORY: free_user_quiet (0x42E06218) user='neo' ruser='NULL' port='tty2' rem_addr='172.20.58.5' authen_type=1 service=1 priv=1
3w1d: AAA: parse name=tty2 idb type=-1 tty=-1
3w1d: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
3w1d: AAA/MEMORY: create_user (0x42E04C24) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='172.20.58.5' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
3w1d: AAA/AUTHEN/START (1863895592): port='tty2' list='' action=LOGIN service=LOGIN
3w1d: AAA/AUTHEN/START (1863895592): using "default" list
3w1d: AAA/AUTHEN/START (1863895592): Method=tacacs+ (tacacs+)
3w1d: TAC+: send AUTHEN/START packet ver=192 id=1863895592
3w1d: TAC+: Opening TCP/IP to 192.168.2.55/49 timeout=5
3w1d: TAC+: Opened TCP/IP handle 0x42E06414 to 192.168.2.55/49
3w1d: TAC+: periodic timer started
3w1d: TAC+: 192.168.2.55 req=42E03D7C Qd id=1863895592 ver=192 handle=0x42E06414 (ESTAB) expire=5 AUTHEN/START/LOGIN/ASCII queued
3w1d: TAC+: 192.168.2.55 CLOSEWAIT id=1863895592 wrote 35 of 35 bytes
3w1d: TAC+: 192.168.2.55 req=42E03D7C Qd id=1863895592 ver=192 handle=0x42E06414 (CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII sent
3w1d: TAC+: 192.168.2.55 read END-OF-FILE
3w1d: TAC+: req=42E03D7C Tx id=1863895592 ver=192 handle=0x42E06414 (CLOSEWAIT) expire=4 AUTHEN/START/LOGIN/ASCII processed
3w1d: TAC+: periodic timer stopped (queue empty)
3w1d: TAC+: Closing TCP/IP 0x42E06414 connection to 192.168.2.55/49
3w1d: AAA/AUTHEN (1863895592): status = ERROR
3w1d: AAA/AUTHEN/START (1863895592): Method=LOCAL
3w1d: AAA/AUTHEN (1863895592): status = GETUSER


Richard Burts Thu, 06/12/2008 - 03:51
    2017 LAN, WAN

Amin


Thank you for the debug output. It does clearly show that your 4500 is sending the TACACS request and is not receiving any response from the ACS server. It would seem logical that either something is preventing the TACACS request from getting to the server or that something in the request is causing the server to reject it.


Is it possible that there is somewhere along the data path from the 4500 to the server some device (perhaps a router with a filter or a firewall) which is denying the packet with the TACACS request from being forwarded to the server?


Perhaps it would be helpful if you would post the output of a traceroute from the 4500 to the ACS server.


When you attempt to authenticate on the 4500 are you getting any entries in the failed attempts on the ACS server at all?


HTH


Rick
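The packet the debugs report as "wrote 35 of 35 bytes" can be rebuilt from what they show: ver=192 is the TACACS+ version byte 0xC0 (major 0xC, minor 0), the id printed is the session id, the login is ASCII with port='tty2' and rem_addr='172.20.58.5', and the username is prompted for later so the user field is empty. The following is an added example written for this page, not code from the thread or from Cisco. It builds the AUTHEN/START packet with the RFC 8907 header layout and MD5 pseudo-pad, then unwraps it the way a server would with the right shared secret and with a wrong one. The key "Cisco" is the one Amin posted; the field-length sanity check is an assumption about what a server does, not a description of ACS internals.

```python
"""Build and unwrap the TACACS+ AUTHEN/START packet seen in the 4500 debugs (added example)."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC                 # ver=192 in the debug is 0xC0: major 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01                   # header type for authentication packets
AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01
HEADER = struct.Struct("!BBBBII")        # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 keystream: MD5(session_id|key|version|seq_no), chained with the previous digest."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR; only the key decides what comes out."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user=b"", port=b"tty2", rem_addr=b"172.20.58.5", priv_lvl=1):
    """NAS side: 12-byte header + 8 fixed body bytes + user + port + rem_addr (no data field)."""
    body = struct.pack("!8B", AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), 0) + user + port + rem_addr
    version = (TAC_PLUS_MAJOR_VER << 4) | 0
    header = HEADER.pack(version, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))   # seq_no 1, flags 0
    return header + xor_body(body, session_id, key, version, 1)


def unwrap(packet, key):
    """Server side: parse the cleartext header, derive the pad from the key it holds for this NAS, XOR."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = xor_body(packet[HEADER.size:HEADER.size + length], session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "session_id": session_id, "body": body}


def body_is_wellformed(body):
    """Assumed server sanity check: the declared field lengths must exactly fill the body."""
    if len(body) < 8:
        return False
    user_len, port_len, rem_len, data_len = body[4:8]
    return 8 + user_len + port_len + rem_len + data_len == len(body)


def fields(body):
    """Split a well-formed AUTHEN/START body into (user, port, rem_addr)."""
    user_len, port_len, rem_len = body[4:7]
    off = 8
    user = body[off:off + user_len]
    off += user_len
    port = body[off:off + port_len]
    off += port_len
    return user, port, body[off:off + rem_len]


if __name__ == "__main__":
    pkt = build_authen_start(1863895592, b"Cisco")          # session id from the AAA debug
    print(len(pkt), "bytes on the wire")                    # 35, matching "wrote 35 of 35 bytes"
    print("right key :", fields(unwrap(pkt, b"Cisco")["body"]))
    print("wrong key :", body_is_wellformed(unwrap(pkt, b"NotTheKey")["body"]))
```

With the wrong key the server derives a different pad, the body decodes to garbage and fails the length check; with no key at all (the source IP is not a configured AAA client) the server cannot even start, which is consistent with the debugs showing the request written and then only END-OF-FILE, with no TACACS+ reply and no Failed Attempts entry. Note that the MD5 pad is obfuscation, not encryption: RFC 8907 says so itself, there is no integrity protection, and a reused session id reuses the keystream, so TACACS+ belongs on a management VLAN or inside an encrypted tunnel rather than on user-reachable segments.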

Amin Shaikh Thu, 06/12/2008 - 07:40

Hello,


The output of the traceroute:


HQ#traceroute 192.168.2.55


Type escape sequence to abort.

Tracing the route to acs.hq.du.lan (192.168.2.55)


1 acs.hq.du.lan (192.168.2.55) 0 msec 0 msec 0 msec


I am able to ping both from ACS to the core and vice versa.


There is no firewall between them or any other security device.


On the ACS server I don't see any failed or even passed attempts.


Richard Burts Thu, 06/12/2008 - 07:48
    2017 LAN, WAN

Amin


The traceroute shows that they are directly connected which certainly reduces the possibility that some other device is getting in the way.


Could you post the output of show ip interface brief. And can you give us the address that is configured in ACS for this device?


HTH


Rick

Amin Shaikh Thu, 06/12/2008 - 08:06

The IP address of the core is 172.20.68.1.


The IP defined on ACS is 172.20.68.1 as well.


AAA Client IP address : 172.20.68.1

Shared Secret Key : Cisco

Authenticate using : TACACS+ (Cisco IOS)







Richard Burts Thu, 06/12/2008 - 08:27
    2017 LAN, WAN

Amin


I was re-reading this thread and found something that I do not understand. In several posts you show this for the TACACS server:

tacacs-server host 192.168.1.100


but the debugs and the traceroute are using 192.168.2.55 as the server address. Did you change the config?


HTH


Rick

Richard Burts Thu, 06/12/2008 - 08:35
    2017 LAN, WAN

Amin


Your response with the addressing is helpful. Thank you for posting this:

AAA Client IP address : 172.20.68.1

Shared Secret Key : Cisco

Authenticate using : TACACS+ (Cisco IOS)


But the traceroute seems to show that the 4500 is directly connected to the server on subnet 192.168.2.0. And so that would be the source address that the 4500 would use in its TACACS request. And the server would reject it because it is expecting 172.20.68.1 and is getting 192.168.2.x


There are at least 2 ways to fix this. You could add a command to the config of the 4500 and specify the source address to use:

ip tacacs source-interface [interface]

or you could change the config of the server so that it uses the 192.168.2 address of the 4500.


HTH


Rick

Amin Shaikh Thu, 06/12/2008 - 09:39

Thanks for your reply.


On the core I have two VLANs:

VLAN 1 = 172.20.68.0/24 (user VLAN) with VLAN IP 172.20.68.1

VLAN 2 = 192.168.2.0/24 (server VLAN) with VLAN IP 192.168.2.1


On the core (4500), what should I configure as the source-interface?


Correct Answer
Richard Burts Thu, 06/12/2008 - 09:57
    2017 LAN, WAN

Amin


Does it matter to you which interface is used for TACACS? If so then configure that interface as the source.


When you configured the ACS server you told it to expect packets to be from the address in VLAN 1. If you do not want to change the ACS configuration then configure VLAN 1 as the source address for TACACS.


HTH


Rick
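The thread's three requirements end up as three config properties: the login method list must end in local so admins are not locked out when ACS is unreachable (JG's first reply), command accounting at privilege 1 and 15 is what gets config changes into the ACS TACACS+ Administration log (JG's second reply), and TACACS+ must be sourced from the address ACS has as the AAA client, which is what the source-interface fix above solved. The following is an added example written for this page, not code from the thread or from Cisco: a small linter that checks an IOS running-config for exactly those points and predicts which source address the switch will use. The sample configs are constructed from what Amin posted, with the server address the debugs show and the two SVIs from his VLAN description; the source-address prediction assumes the server is on a connected subnet, as the traceroute showed.

```python
"""Lint an IOS running-config for the AAA points raised in this thread (added example)."""
import ipaddress
import re

# Constructed sample: Amin's posted config, with the server address from the debugs
# and the two SVIs he described so the source-address check has something to work on.
BROKEN_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
username ABC privilege 15 password 0000
tacacs-server host 192.168.2.55
tacacs-server directed-request
tacacs-server key Cisco
!
interface Vlan1
 ip address 172.20.68.1 255.255.255.0
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
"""

# The same config with the fixes from the thread applied.
FIXED_CONFIG = BROKEN_CONFIG + """\
ip tacacs source-interface Vlan1
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""


def parse_interfaces(config):
    """Map interface name -> IPv4Interface for each ' ip address A M' line under an interface."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        m = re.match(r"\s+ip address (\S+) (\S+)$", line)
        if m and current:
            interfaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces


def predicted_source_ip(config, server_ip):
    """Address IOS will put on TACACS+ requests: the configured source-interface if any,
    otherwise the interface whose connected subnet holds the server (assumption: no static
    or dynamic route is needed to reach the server, which the traceroute in the thread confirmed)."""
    interfaces = parse_interfaces(config)
    m = re.search(r"^ip tacacs source-interface (\S+)$", config, re.M)
    if m:
        iface = interfaces.get(m.group(1))
        return str(iface.ip) if iface else None
    server = ipaddress.ip_address(server_ip)
    connected = [i for i in interfaces.values() if server in i.network]
    if not connected:
        return None
    return str(max(connected, key=lambda i: i.network.prefixlen).ip)


def lint(config, acs_client_ip, acs_server_ip):
    """Return findings as strings; an empty list means the config meets the thread's goals."""
    lines = config.splitlines()
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: the method lists below are ignored")
    login = next((l for l in lines if l.startswith("aaa authentication login default ")), None)
    if login is None:
        findings.append("no default login method list: TACACS+ is never consulted")
    else:
        methods = login.split()[4:]
        if "tacacs+" not in methods:
            findings.append("default login list does not use group tacacs+")
        if methods[-1] != "local":
            findings.append("default login list does not end in local: admins are locked out when ACS is down")
    if not any(l.startswith("tacacs-server key ") for l in lines):
        findings.append("no tacacs-server key: ACS cannot unwrap the request and drops it")
    hosts = [l.split()[2] for l in lines if l.startswith("tacacs-server host ")]
    if acs_server_ip not in hosts:
        findings.append(f"ACS {acs_server_ip} is not a tacacs-server host (configured: {hosts})")
    src = predicted_source_ip(config, acs_server_ip)
    if src != acs_client_ip:
        findings.append(f"requests will be sourced from {src} but ACS expects AAA client "
                        f"{acs_client_ip}: unknown NAS, silently dropped")
    for level in ("1", "15"):
        if not any(l.startswith(f"aaa accounting commands {level} default ") for l in lines):
            findings.append(f"no command accounting at privilege {level}: config changes are not logged on ACS")
    return findings


if __name__ == "__main__":
    for finding in lint(BROKEN_CONFIG, "172.20.68.1", "192.168.2.55"):
        print("BROKEN:", finding)
    print("FIXED:", lint(FIXED_CONFIG, "172.20.68.1", "192.168.2.55") or "clean")
```

Run against the broken sample the linter reports the source-address mismatch (192.168.2.1 on the wire, 172.20.68.1 in ACS) and the missing command accounting at both privilege levels; the fixed sample comes back clean. The fallback check is the one to keep an eye on in production: "group tacacs+ local" only falls back when the server is unreachable, so a reachable ACS that rejects a user will not be tried against the local database, which is the intended behaviour.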

Amin Shaikh Thu, 06/12/2008 - 10:23

Thanks, it worked with the ip tacacs source-interface command.


I have one more query, which I am putting in another post.


Thanks again....

Richard Burts Fri, 06/13/2008 - 09:26
    2017 LAN, WAN

Amin


I am glad that my suggestions were able to help you resolve your problem. Thank you for using the rating system to indicate that your problem was resolved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that they will read a response which did help resolve the problem.


The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.


HTH


Rick
