08-20-2008 12:56 PM - edited 03-10-2019 04:02 PM
Hi,
I want the routers to be authenticated via the ACS box, and only if the ACS box is unavailable should the local accounts created on the router authenticate...
My setup allows router local account authentication even if the ACS box is available...
Please help me resolve this...
My config :
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
username alj password 7 0000111188888
tacacs-server host 192.168.1.100
tacacs-server directed-request
tacacs-server key 7 0000111199999999
ip tacacs source-interface GigabitEthernet0/0
08-20-2008 02:32 PM
Can you cross-check that your TACACS server also has the same tacacs-server key?
Maybe that is creating the problem.
08-20-2008 11:46 PM
It's using the same key.
I get authenticated via ACS and local accounts, but I want the local account to be authenticated only if the ACS server is down.
08-21-2008 08:19 AM
Can you share the config under "line vty"
08-21-2008 12:08 PM
line vty 5 15
transport input telnet ssh
08-21-2008 12:23 PM
debug aaa authentication
debug tacacs authentication
term mon
This would let you know whether it is even letting you in using the local account while the TACACS server is up.
I doubt that is the case, and I recommend running these debugs, as your commands are perfect for what you want to achieve, unless there is some bug in the code or we are missing something.
Regards,
Prem
08-21-2008 01:05 PM
Amin
I would like to understand better this statement of yours:
I get authenticated via ACS and Local Accounts.
How do you tell that you are authenticated via ACS and local accounts? Do you have a user ID that is in ACS but not local and another user ID that is local but not in ACS?
Or if you have a user ID that is in ACS and also locally configured, but has a different password in the local definition from ACS, then do both passwords work?
Understanding this may help us find a solution to your problem.
[edit] and I agree that the output of the debug aaa authentication and debug tacacs authentication would be quite helpful.
HTH
Rick
08-22-2008 04:20 AM
Yes,
I have a user ID that is in ACS but not local and another user ID that is local but not in ACS.
And both of them work when ACS BOX is reachable by the router.
===========================================
<< Let me rephrase my question >>
As an admin, the local account created on the router should only be authenticated when the ACS box is unreachable.
=============================================
08-22-2008 04:26 AM
debugs please :)
For the account that is local on the device, and the ACS box should be reachable at that moment.
Regards,
Prem
08-22-2008 05:00 AM
329399: *Jun 23 09:28:05.375 PAK: %FAN-3-FAN_FAILED: Fan 1 had a rotation error reported.
329400: *Jun 23 09:28:16.767 PAK: AAA/BIND(00000082): Bind i/f
329401: *Jun 23 09:28:16.767 PAK: AAA/AUTHEN/LOGIN (00000082): Pick method list 'default'
329402: *Jun 23 09:28:16.767 PAK: TPLUS: Queuing AAA Authentication request 130 for processing
329403: *Jun 23 09:28:16.767 PAK: TPLUS: processing authentication start request id 130
329404: *Jun 23 09:28:16.767 PAK: TPLUS: Authentication start packet created for 130(paknt)
329405: *Jun 23 09:28:16.767 PAK: TPLUS: Using server 192.168.1.100
329406: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/NB_WAIT/641C1728: Started 5 sec timeout
329407: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/NB_WAIT: socket event 2
329408: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/NB_WAIT: wrote entire 43 bytes request
329409: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/READ: socket event 1
329410: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/READ: Would block while reading
329411: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/READ: socket event 1
329412: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/READ: read entire 12 header bytes (expect 16 bytes data)
329413: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/READ: socket event 1
329414: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/READ: read entire 28 bytes response
329415: *Jun 23 09:28:16.771 PAK: TPLUS(00000082)/1/641C1728: Processing the reply packet
329416: *Jun 23 09:28:16.771 PAK: TPLUS: Received authen response status GET_PASSWORD (8)
329417: *Jun 23 09:28:26.179 PAK: TPLUS: Queuing AAA Authentication request 130 for processing
329418: *Jun 23 09:28:26.179 PAK: TPLUS: processing authentication continue request id 130
329419: *Jun 23 09:28:26.179 PAK: TPLUS: Authentication continue packet generated for 130
329420: *Jun 23 09:28:26.179 PAK: TPLUS(00000082)/1/WRITE/641C166C: Started 5 sec timeout
329421: *Jun 23 09:28:26.179 PAK: TPLUS(00000082)/1/WRITE: wrote entire 27 bytes request
329422: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/READ/641C166C: timed out
329423: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/READ/641C166C: timed out, clean up
329424: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/641C166C: Processing the reply packet
329425: *Jun 23 09:28:32.467 PAK: AAA: parse name=tty163 idb type=-1 tty=-1
329426: *Jun 23 09:28:32.467 PAK: AAA: name=tty163 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=163 channel=0
329427: *Jun 23 09:28:32.467 PAK: AAA/MEMORY: create_user (0x6461EB48) user='paknt' ruser='NULL' ds0=0 port='tty163' rem_addr='192.168.1.199' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
329428: *Jun 23 09:28:32.467 PAK: AAA/AUTHEN/START (238219777): port='tty163' list='' action=LOGIN service=ENABLE
329429: *Jun 23 09:28:32.467 PAK: AAA/AUTHEN/START (238219777): non-console enable - default to enable password
329430: *Jun 23 09:28:32.467 PAK: AAA/AUTHEN/START (238219777): Method=ENABLE
329431: *Jun 23 09:28:32.467 PAK: AAA/AUTHEN(238219777): Status=GETPASS
329432: *Jun 23 09:28:35.375 PAK: %FAN-3-FAN_FAILED: Fan 1 had a rotation error reported.
329433: *Jun 23 09:28:40.395 PAK: AAA/AUTHEN/CONT (238219777): continue_login (user='(undef)')
329434: *Jun 23 09:28:40.395 PAK: AAA/AUTHEN(238219777): Status=GETPASS
329435: *Jun 23 09:28:40.395 PAK: AAA/AUTHEN/CONT (238219777): Method=ENABLE
329436: *Jun 23 09:28:40.399 PAK: AAA/AUTHEN(238219777): Status=PASS
329437: *Jun 23 09:28:40.399 PAK: AAA/MEMORY: free_user (0x6461EB48) user='NULL' ruser='NULL' port='tty163' rem_addr='192.168.1.199' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
08-22-2008 05:13 AM
Is 'paknt' a local user or a user on the TACACS server?
Regards,
Prem
08-22-2008 07:35 AM
It's a local user created on the router; no such user exists on the ACS box.
08-22-2008 08:56 AM
Either something is not right in the way your TACACS server is responding, or something is not right in the code. Check this:
329420: *Jun 23 09:28:26.179 PAK: TPLUS(00000082)/1/WRITE/641C166C: Started 5 sec timeout
329421: *Jun 23 09:28:26.179 PAK: TPLUS(00000082)/1/WRITE: wrote entire 27 bytes request
329422: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/READ/641C166C: timed out
329423: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/READ/641C166C: timed out, clean up
329424: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/641C166C: Processing the reply packet
After the device sent the credentials to the TACACS server at 09:28:26.179, it started the 5 sec timeout. It did not get a reply back from the authentication server within 5 sec (09:28:26.179 + 5 = 09:28:31.179), so the device timed out waiting for the TACACS reply at 09:28:31.179.
This triggered the fallback method, though IOS has not oozed the fallback-related debugs I expected. But one thing is for sure: the device is timing out on the TACACS reply.
Here are my suggestions.
- Increase the TACACS server timeout: tacacs-server timeout
- Or try some other code.
To take a look at good debugs with your/similar configuration check the attachment.
Regards,
Prem
Please rate if it helps!
08-22-2008 09:20 AM
It looks to me like there is some issue on the TACACS server. The server is there and is at least somewhat active at the beginning of the transaction. The router sends the beginning of the transaction to the server and gets some response from the server, as shown in:
329415: *Jun 23 09:28:16.771 PAK: TPLUS(00000082)/1/641C1728: Processing the reply packet
329416: *Jun 23 09:28:16.771 PAK: TPLUS: Received authen response status GET_PASSWORD (8)
but then the router sends the password, waits for a response, and gets no response. So it times out and falls back to local authentication.
HTH
Rick
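Prem's and Rick's reading of the debug above comes down to one distinction: the server answered the start packet (GET_PASSWORD) but never answered the password, so the TACACS+ method returned an error rather than a reject. An IOS method list such as "group tacacs+ local" advances to the next method only on an error (server unreachable or timed out), never on a FAIL returned by the server. The script below is an added example, not code from this thread or from Cisco: it runs over the TPLUS debug lines posted above (copied here as constructed sample input, alongside a second constructed sample in which the server answers the password with FAIL) and reports, per transaction, the user, server, configured timeout, the statuses the server actually returned, and whether the request ended in ERROR (next method tried), FAIL or PASS. The regexes, function names and the next_method helper are this example's own assumptions about the debug format shown in the thread.

```python
import re
from datetime import datetime

# Constructed sample: a trimmed copy of the TPLUS debug lines posted in the
# thread (session 00000082, request id 130, server 192.168.1.100).
TIMEOUT_SAMPLE = """\
329403: *Jun 23 09:28:16.767 PAK: TPLUS: processing authentication start request id 130
329404: *Jun 23 09:28:16.767 PAK: TPLUS: Authentication start packet created for 130(paknt)
329405: *Jun 23 09:28:16.767 PAK: TPLUS: Using server 192.168.1.100
329406: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/NB_WAIT/641C1728: Started 5 sec timeout
329414: *Jun 23 09:28:16.767 PAK: TPLUS(00000082)/1/READ: read entire 28 bytes response
329416: *Jun 23 09:28:16.771 PAK: TPLUS: Received authen response status GET_PASSWORD (8)
329418: *Jun 23 09:28:26.179 PAK: TPLUS: processing authentication continue request id 130
329420: *Jun 23 09:28:26.179 PAK: TPLUS(00000082)/1/WRITE/641C166C: Started 5 sec timeout
329421: *Jun 23 09:28:26.179 PAK: TPLUS(00000082)/1/WRITE: wrote entire 27 bytes request
329422: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/READ/641C166C: timed out
329423: *Jun 23 09:28:31.179 PAK: TPLUS(00000082)/1/READ/641C166C: timed out, clean up
"""

# Constructed sample (not from the thread): the same exchange, but the server
# answers the password with a FAIL status (2) instead of going silent.
REJECT_SAMPLE = """\
329503: *Jun 23 09:30:00.000 PAK: TPLUS: processing authentication start request id 131
329504: *Jun 23 09:30:00.000 PAK: TPLUS: Authentication start packet created for 131(paknt)
329505: *Jun 23 09:30:00.000 PAK: TPLUS: Using server 192.168.1.100
329506: *Jun 23 09:30:00.000 PAK: TPLUS(00000083)/1/NB_WAIT/641C1728: Started 5 sec timeout
329516: *Jun 23 09:30:00.004 PAK: TPLUS: Received authen response status GET_PASSWORD (8)
329518: *Jun 23 09:30:03.100 PAK: TPLUS: processing authentication continue request id 131
329520: *Jun 23 09:30:03.100 PAK: TPLUS(00000083)/1/WRITE/641C166C: Started 5 sec timeout
329521: *Jun 23 09:30:03.100 PAK: TPLUS(00000083)/1/WRITE: wrote entire 27 bytes request
329525: *Jun 23 09:30:03.110 PAK: TPLUS: Received authen response status FAIL (2)
"""

# "<seq>: *<Mon> <day> <HH:MM:SS.mmm> <hostname>: <message>"
LINE_RE = re.compile(r"^\d+: \*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) \w+: (?P<msg>.*)$")


def parse_ts(text):
    """Timestamp without a year; only differences between stamps are used."""
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def analyze(debug_text):
    """Summarize one TPLUS authentication transaction from debug output.

    outcome is "ERROR" when the router's own timer fired (no server reply),
    otherwise the last status the server returned ("PASS", "FAIL", ...).
    """
    result = {"user": None, "server": None, "timeout_s": None, "phase": "start",
              "statuses": [], "outcome": None, "elapsed_s": None}
    timer_started = None
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # syslog noise such as the FAN_FAILED lines
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if (u := re.search(r"packet created for \d+\((\w+)\)", msg)):
            result["user"] = u.group(1)
        elif (s := re.search(r"Using server (\S+)", msg)):
            result["server"] = s.group(1)
        elif (t := re.search(r"Started (\d+) sec timeout", msg)):
            result["timeout_s"] = int(t.group(1))   # tacacs-server timeout
            timer_started = ts
        elif "authentication continue request" in msg:
            result["phase"] = "continue"             # password is being sent
        elif (st := re.search(r"authen response status (\w+)", msg)):
            result["statuses"].append(st.group(1))
        elif re.search(r"READ/\w+: timed out$", msg) and timer_started:
            result["elapsed_s"] = (ts - timer_started).total_seconds()
            result["outcome"] = "ERROR"
    if result["outcome"] is None and result["statuses"]:
        result["outcome"] = result["statuses"][-1]
    return result


def next_method(result, method_list=("group tacacs+", "local")):
    """Method IOS tries after the first one, or None.

    Assumption stated in the lead-in: a method list only advances on ERROR
    (server unreachable/timed out), not on a FAIL returned by the server.
    """
    if result["outcome"] == "ERROR" and len(method_list) > 1:
        return method_list[1]
    return None


if __name__ == "__main__":
    for name, sample in (("timeout", TIMEOUT_SAMPLE), ("reject", REJECT_SAMPLE)):
        r = analyze(sample)
        print(name, r["user"], r["server"], r["phase"], r["statuses"],
              r["outcome"], r["elapsed_s"], "next:", next_method(r))
```

On the thread's own debug the script reports phase "continue", a single GET_PASSWORD status, an ERROR after exactly 5.0 s, and "local" as the next method: the local account worked not because TACACS+ rejected the unknown user, but because the server went silent after the password was sent. For the constructed FAIL sample it reports no timeout and no next method. On the router itself, the counters in "show tacacs" are a quick way to see whether such timeouts are recurring.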
09-05-2008 07:47 AM
As you have already said, "paknt" is a local user account and no such user exists on TACACS. So what I feel is that if no such user is available on TACACS, it will look for the same user credentials in the local database. Try creating one more user with the same user name, i.e. "paknt", and set a different password for it, then try again. Then it should log in with the TACACS username/password pair, not with the local user/password pair.