Local Account Authentication - Concern

Aug 20th, 2008

Hi,


I want Routers to be authenticated via ACS Box and if ACS Box is unavailable then only local accounts created on Router should authenticate...


My setup allows Router local account authentication even if ACS Box is available...


Please help to resolve this...


My config :


aaa new-model

aaa authentication login default group tacacs+ local

aaa accounting exec default start-stop group tacacs+


username alj password 7 0000111188888



tacacs-server host 192.168.1.100

tacacs-server directed-request

tacacs-server key 7 0000111199999999


ip tacacs source-interface GigabitEthernet0/0


chaitu_kranthi Wed, 08/20/2008 - 14:32

Can you cross-check that your tacacs-server also has the same tacacs-server key?


Maybe it is creating the problem.

Amin Shaikh Wed, 08/20/2008 - 23:46

It's using the same key...


I get authenticated via ACS and Local Accounts.. but I want local account should only be authenticated if ACS server is down.



Premdeep Banga Thu, 08/21/2008 - 12:23

debug aaa authentication

debug tacacs authentication

term mon


This would let you know if it is even letting you in using Local account, even if Tacacs server is UP.


I doubt that case, and I recommend running these debugs, as your commands are perfect for what you want to achieve, unless there is some bug in the code or unless we are missing something.


Regards,

Prem

Richard Burts Thu, 08/21/2008 - 13:05

Amin


I would like to understand better this statement of yours:

I get authenticated via ACS and Local Accounts.

How do you tell that you are authenticated via ACS and Local Accounts? Do you have a user ID that is in ACS but not local and another user ID that is local but not in ACS?


Or if you have a user ID that is in ACS and also locally configured, but has a different password in the local definition from ACS, then do both passwords work?


Understanding this may help us find a solution to your problem.


[edit] and I agree that the output of the debug aaa authentication and debug tacacs authentication would be quite helpful.


HTH


Rick

Amin Shaikh Fri, 08/22/2008 - 04:20

Yes,

I have a user ID that is in ACS but not local and another user ID that is local but not in ACS.


And both of them work when ACS BOX is reachable by the router.



===========================================

<< Let me rephrase my question >>


As an Admin Local Account created on Router should only be authenticated when ACS Box is unreachable.

=============================================

Premdeep Banga Fri, 08/22/2008 - 04:26

debugs please :)


For the account that is local on device and ACS box should be reachable at that moment.


Regards,

Prem

Amin Shaikh Fri, 08/22/2008 - 05:00


329399: *Jun 23 09:28:05.375 PAK: %FAN-3-FAN_FAILED: Fan 1 had a rotation error reported.

329400: *Jun 23 09:28:16.767 PAK: AAA/BIND(00000082): Bind i/f

329401: *Jun 23 09:28:16.767 PAK: AAA/AUTHEN/LOGIN (00000082): Pick method list 'default'

329402: *Jun 23 09:28:16.767 PAK: TPLUS: Queuing AAA Authentication request 130 for processing

329403: *Jun 23 09:28:16.767 PAK: TPLUS: processing authentication start request id 130

329404: *Jun 23 09:28:16.767 PAK: TPLUS: Authentication start packet created for 130(paknt)

329405: *Jun 23 09:28:16.767 PAK: TPLUS: Using server 192.168.1.100

329406: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/NB_WAIT/641C1728: Started 5 sec timeout

329407: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/NB_WAIT: socket event 2

329408: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/NB_WAIT: wrote entire 43 bytes request

329409: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/READ: socket event 1

329410: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/READ: Would block while reading

329411: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/READ: socket event 1

329412: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/READ: read entire 12 header bytes (expect 16 bytes data)

329413: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/READ: socket event 1

329414: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/READ: read entire 28 bytes response

329415: *Jun 23 09:28:16.771 PAK: TPLUS(00000082)/1/641C1728: Processing the reply packet

329416: *Jun 23 09:28:16.771 PAK: TPLUS: Received authen response status GET_PASSWORD (8)

329417: *Jun 23 09:28:26.179 PAK: TPLUS: Queuing AAA Authentication request 130 for processing

329418: *Jun 23 09:28:26.179 PAK: TPLUS: processing authentication continue request id 130

329419: *Jun 23 09:28:26.179 PAK: TPLUS: Authentication continue packet generated for 130

329420: *Jun 23 09:28:26.179 PAK: TPLUS(00000082)/1/WRITE/641C166C: Started 5 sec timeout

329421: *Jun 23 09:28:26.179 PAK: TPLUS(00000082)/1/WRITE: wrote entire 27 bytes request

329422: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/READ/641C166C: timed out

329423: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/READ/641C166C: timed out, clean up

329424: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/641C166C: Processing the reply packet

329425: *Jun 23 09:28:32.467 PAK: AAA: parse name=tty163 idb type=-1 tty=-1

329426: *Jun 23 09:28:32.467 PAK: AAA: name=tty163 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=163 channel=0

329427: *Jun 23 09:28:32.467 PAK: AAA/MEMORY: create_user (0x6461EB48) user='paknt' ruser='NULL' ds0=0 port='tty163' rem_addr='192.168.1.199' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)

329428: *Jun 23 09:28:32.467 PAK: AAA/AUTHEN/START (238219777): port='tty163' list='' action=LOGIN service=ENABLE

329429: *Jun 23 09:28:32.467 PAK: AAA/AUTHEN/START (238219777): non-console enable - default to enable password

329430: *Jun 23 09:28:32.467 PAK: AAA/AUTHEN/START (238219777): Method=ENABLE

329431: *Jun 23 09:28:32.467 PAK: AAA/AUTHEN(238219777): Status=GETPASS

329432: *Jun 23 09:28:35.375 PAK: %FAN-3-FAN_FAILED: Fan 1 had a rotation error reported.

329433: *Jun 23 09:28:40.395 PAK: AAA/AUTHEN/CONT (238219777): continue_login (user='(undef)')

329434: *Jun 23 09:28:40.395 PAK: AAA/AUTHEN(238219777): Status=GETPASS

329435: *Jun 23 09:28:40.395 PAK: AAA/AUTHEN/CONT (238219777): Method=ENABLE

329436: *Jun 23 09:28:40.399 PAK: AAA/AUTHEN(238219777): Status=PASS

329437: *Jun 23 09:28:40.399 PAK: AAA/MEMORY: free_user (0x6461EB48) user='NULL' ruser='NULL' port='tty163' rem_addr='192.168.1.199' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

Premdeep Banga Fri, 08/22/2008 - 05:13

Is 'paknt' a local user or a user on Tacacs server ?


Regards,

Prem

Amin Shaikh Fri, 08/22/2008 - 07:35

It's a local user created on Router, no such user exists on ACS Box.



Premdeep Banga Fri, 08/22/2008 - 08:56

Either something is not right in the way your Tacacs is responding or something is not right in the code, check this:


329420: *Jun 23 09:28:26.179 PAK: TPLUS(00000082)/1/WRITE/641C166C: Started 5 sec timeout

329421: *Jun 23 09:28:26.179 PAK: TPLUS(00000082)/1/WRITE: wrote entire 27 bytes request

329422: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/READ/641C166C: timed out

329423: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/READ/641C166C: timed out, clean up

329424: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/641C166C: Processing the reply packet


After the device sent the credentials to the TACACS server @ 09:28:26.179, the device started the 5 sec timeout, and could not get a reply back from the authentication server in 5 sec, i.e. (09:28:26.179 + 5 = 09:28:31.179), so the device timed out on the Tacacs reply @ 09:28:31.179.


This triggered the fallback method, though IOS has not oozed the fallback-related debugs as I expected. But one thing is for sure, the device is timing out on the Tacacs reply.


Here are my suggestions.

- Increase the tacacs server timeout,

tacacs-server timeout (default is 5sec)


- Or try some other code.


To take a look at good debugs with your/similar configuration check the attachment.


Regards,

Prem


Please rate if it helps!



Richard Burts Fri, 08/22/2008 - 09:20

It looks to me like there is some issue on the TACACS server. The server is there and is at least somewhat active in the beginning of the transaction. The router sends the beginning of the transaction to the server and the router gets some response from the server as shown in:

329415: *Jun 23 09:28:16.771 PAK: TPLUS(00000082)/1/641C1728: Processing the reply packet

329416: *Jun 23 09:28:16.771 PAK: TPLUS: Received authen response status GET_PASSWORD (8)

but then the router sends the password, waits for a response, and gets no response. So it times out and falls back to local authentication.


HTH


Rick
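
The reading of the debug output given in the two replies above (server answers the start packet with GET_PASSWORD, then never answers the password packet, so the 5 second timer expires) can be checked mechanically. The following is an added example, not code from any poster in this thread: it pairs each "Started N sec timeout" line with its "timed out" line by session and request handle. The function name `find_timeouts` and the fixed year used for timestamp parsing are assumptions; the sample lines are copied from the debug output posted above.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the debug lines posted in this thread.
SAMPLE = """\
329406: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/NB_WAIT/641C1728: Started 5 sec timeout
329416: *Jun 23 09:28:16.771 PAK: TPLUS: Received authen response status GET_PASSWORD (8)
329420: *Jun 23 09:28:26.179 PAK: TPLUS(00000082)/1/WRITE/641C166C: Started 5 sec timeout
329421: *Jun 23 09:28:26.179 PAK: TPLUS(00000082)/1/WRITE: wrote entire 27 bytes request
329422: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/READ/641C166C: timed out
329423: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/READ/641C166C: timed out, clean up
"""

LINE = re.compile(r"^\d+: \*(\w{3} +\d+ [\d:.]+) \w+: (.*)$")
TIMER = re.compile(r"TPLUS\((\w+)\)/\d+/\w+/(\w+): Started (\d+) sec timeout")
EXPIRED = re.compile(r"TPLUS\((\w+)\)/\d+/READ/(\w+): timed out$")
STATUS = re.compile(r"TPLUS: Received authen response status (\w+)")


def find_timeouts(text):
    """Return one dict per TACACS+ request whose reply timer expired."""
    timers, last_status, hits = {}, None, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # The debug lines carry no year; 2000 is an arbitrary placeholder.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
        msg = m.group(2)
        if (s := STATUS.search(msg)):
            last_status = s.group(1)          # last reply the server did send
        elif (t := TIMER.search(msg)):
            timers[(t.group(1), t.group(2))] = (ts, int(t.group(3)))
        elif (e := EXPIRED.search(msg)):
            key = (e.group(1), e.group(2))
            if key in timers:                 # match expiry to its own timer
                start, limit = timers.pop(key)
                hits.append({"session": key[0], "timer_sec": limit,
                             "waited_sec": (ts - start).total_seconds(),
                             "last_server_status": last_status})
    return hits


if __name__ == "__main__":
    for hit in find_timeouts(SAMPLE):
        print(hit)
```

A hit whose `last_server_status` is `GET_PASSWORD` means the server was reachable for the first packet and went silent only after the password was sent, which is the pattern identified in this thread.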

pranuv.pandit Fri, 09/05/2008 - 07:47

As you have already told, "paknt" is a local user account and no such user exists on Tacacs. So what I feel is, if no such user is available on Tacacs, it will look for the same user credentials in the local database. You try to make one more user with the same user name, i.e. "paknt", and set a different password for it... then try again. Then it should log in with the Tacacs username/password pair, not with the local user/password pair.
