AAA configuration on switches 2960

Unanswered Question
Oct 2nd, 2008

Hi


I have applied the following AAA configuration on 2950 series switches and it works very well,

but when I do the same on 2960 switches, the local password does not work and I am forced to add the switch to the ACS in order to have management access to the switch.


Is some additional AAA configuration needed on 2960 switches?


Thanks.



tacacs-server host y.y.y.y
tacacs-server key xxxxx
aaa new-model
aaa authentication login acceso-consola group tacacs+ line
aaa authentication login acceso-telnet group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line con 0
 exec-timeout 0 0
 login authentication acceso-consola
line vty 0 4
 login authentication acceso-telnet


craig.eyre Thu, 10/02/2008 - 14:23

Hi,


Are you saying the local password doesn't work while the ACS is UP? If so, it's designed to work that way to prevent local authentication while it's active.


If you are saying that the local password doesn't work when the ACS fails, it's because you used


aaa authentication login acceso-telnet group tacacs+ line


and your telnet lines show no password command entered in the config you posted.



HTH


Craig

carolinac Fri, 10/03/2008 - 05:41

Hi


The configuration has the password


line vty 0 4
 password 1234
 login authentication acceso-telnet


but doesn't work with the local passwords.


Jagdeep Gambhir Fri, 10/03/2008 - 06:59

Get the debugs and that will let us know what is happening:



debug aaa authentication

debug tacacs



Regards,

~JG

Richard Burts Mon, 10/06/2008 - 03:17

Maria


Perhaps some clarification of your environment might help us. In particular it would help to understand how you produce the "without ACS" environment.


Clearly the switch is still configured for ACS. And clearly there is connectivity from the switch to the ACS. And the ACS is responding to the authentication request from the switch. I am not sure what the errno 254 represents or what on the ACS server causes it. Perhaps you can help us understand that?


I had a situation at one point that may have been similar to your situation. Our devices were sending requests to ACS. But ACS was not able to communicate with the external DB because one of the services on ACS was not running. ACS responded with an error indicating unable to process. But the IOS devices were not interpreting that as an error that should send them to the backup authentication method.


If you are stopping something on the ACS server then I would suggest that a better test would be to break IP connectivity between the switch and the ACS so that the switch receives no response to its request, or to change the configured IP address for the server in the switch and point to some device not running ACS so that the switch receives a port unreachable response to its request. Those would give you a better test of "without ACS".


HTH


Rick

carolinac Mon, 10/06/2008 - 08:00

Hi


The problem is:

1. I have applied the AAA configuration on WS-C2960-24TT-L switches and the local password does not work. I do not have management access to the switch.

2. If I add the switch to the ACS, it authenticates and works well.


Recently I updated the version to 12.2(44)SE to enable SSH. Can this affect something? Or do I need some additional configuration?


Richard Burts Mon, 10/06/2008 - 08:34

Maria


If it works well when you add the switch to ACS then it seems to me to be obvious that the best solution is to add the switches to ACS.


HTH


Rick

craig.eyre Mon, 10/06/2008 - 09:00

Hi,


I would have to agree with Rick on this one. If you add the switch to the ACS and it works, that's the whole design behind the AAA/ACS process.


Before you add the switch to the ACS what prompt do you get when you login to the switch? Username then password prompts or just a password prompt? Are you trying to telnet or console in or both? Have you configured a local user on the switch with privilege 15?


If you could post the whole switch config minus passwords of course, we could have a look.


Other than that the config for AAA looks good and seems to be working properly when you add the switch to the ACS.



Craig

carolinac Mon, 10/06/2008 - 11:21

hi


My initial question is whether some special configuration is needed for 2960 switches so that they accept local passwords. That is what does not work. I do not get any prompt. I do not have management access to the switch.


Richard Burts Mon, 10/06/2008 - 12:16

Maria


I have asked for some clarification about the environment which you have not yet provided. So it is difficult to have really good answers to your question. But it is obvious that you have an inconsistent environment and that is what is causing your problem. You have told the switches to use TACACS but you have not told the server to respond to the switches.


The solution to your problem is consistency. Either configure both the switches and the ACS server for authentication or remove the TACACS configuration from the switches. That is the special configuration that will solve your problem.


HTH


Rick

carolinac Mon, 10/06/2008 - 12:45

Hi


My problem is not with the ACS and TACACS. It works fine.

But suppose that the ACS fails. I must get into the switches with the local passwords, and if they do not work for me...?

The configuration I am sending in the attachment is the same configuration I use on the 2900, 2950 and 2970 series switches, and in none of them do I have that problem, only with 2960 switches.

I am sending the debug again.


thanks,



Richard Burts Mon, 10/06/2008 - 13:05

Maria


I would ask you to do a test with a 2950 which works as you want. Do the same kind of failure with the 2950 that you were doing with the 2960 and run the debugs and then post the output.


If we see that the 2950 also receives the response with errno 254 and that the 2950 does go ahead and use the line password, then we will know that there is some problem with the 2960.


HTH


Rick

Richard Burts Tue, 10/07/2008 - 03:57

Maria


Thanks for running the test on the 2950 and posting the output. It shows, as I expected it would, that the ACS response to the 2950 is significantly different from its response to the 2960. And the significantly different response to the 2950 allows the 2950 to use the local password. If you get the same response to the 2960 it will also use the local password.


From the test results on the 2950 here is the essential output:

3d00h: TAC+: received bad AUTHEN packet: type = 0, expected 1

3d00h: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).


And from the 2960 here is the equivalent output:

Oct 3 11:16:07: TPLUS(00000003)/0/READ: errno 254


It looks to me like either you have configured something significantly differently in ACS for the 2960 than you did for the 2950 or that the way that you create the error is significantly different on the 2960 than it is on the 2950.


In any case it is the different response from ACS that prevents the 2960 from using the local password. If the ACS returns the same message to the 2960 as it does to the 2950 then I believe that the 2960 will use the local password.


HTH


Rick

craig.eyre Mon, 10/06/2008 - 12:23

Hi,



You mentioned in a previous post that if you add it to the acs you can login fine.


I might have missed your answer in your previous post but can you:


1. Login and see if you've set up a local username and password in the switch (you'll need to add the switch to ACS).

2. You get no prompt from console or telnet?


These 2 lines below mean that if TACACS fails (and only if the switch cannot communicate with ACS) it will default to using ONLY the password configured on CON 0 or the VTY lines.


If you have a local username and password configured and you substituted LOCAL for LINE in your config then you would use that username and password IF the ACS failed.


*********************************************

aaa authentication login acceso-consola group tacacs+ line

aaa authentication login acceso-telnet group tacacs+ line

*********************************************


You might already know the stuff I mentioned but I need to address it just in case you aren't familiar with it.



Craig
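The following is an added example, not a configuration posted by anyone in this thread. It shows the shape of AAA configuration Craig describes above (a local fallback instead of the line password) together with the fast-failover and authorization settings needed so that the fallback account can actually do something, and it is meant to be exercised with the connectivity-breaking test Rick suggests. The hostname, server address, shared key, username and secrets are placeholders.

```cisco
! Added example, not from the original thread. Addresses, key, username
! and secrets are placeholders (assumptions), replace before use.
!
! Local credentials the switch falls back to. Use 'secret' (hashed),
! never 'password' (type 7, trivially reversible).
username admin privilege 15 secret ChangeMeLocally
enable secret ChangeMeEnable
!
tacacs-server host 192.0.2.10
tacacs-server key SharedSecretPlaceholder
! Fail over to the next method sooner than the default (seconds, per server).
tacacs-server timeout 3
!
aaa new-model
! 'local' is consulted ONLY when every server in the group returns an
! error or does not answer. A reachable server that rejects the
! credentials ends the login; no fallback happens in that case.
aaa authentication login acceso-consola group tacacs+ local
aaa authentication login acceso-telnet group tacacs+ local
aaa authentication enable default group tacacs+ enable
! if-authenticated: authorization succeeds for an already authenticated
! user when the server is unreachable, so the fallback admin can run
! commands instead of being authenticated and then stuck.
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line con 0
 exec-timeout 10 0
 login authentication acceso-consola
! Cover all 16 vty lines so none is left on the implicit default list.
line vty 0 15
 exec-timeout 10 0
 transport input ssh
 login authentication acceso-telnet
```

Two practical checks go with this. First, `test aaa group tacacs+ admin ChangeMeLocally legacy` together with `debug aaa authentication` and `debug tacacs` shows which method answered and with what result, which is the distinction Rick draws: a server that answers (even with an error it cannot process) is not the same as a server that never answers. Second, test the fallback the way Rick describes, by making the server unreachable (wrong address or a blocked path) rather than by stopping a service on it, and do it from a second session on one switch before touching the rest of the fleet, since a method list that cannot fall back is exactly the lockout this thread is about. Note also that `exec-timeout 0 0` on the console, as in the original config, disables the idle timeout entirely; a finite value is safer.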

craig.eyre Mon, 10/06/2008 - 13:45

Hi,


I know you mentioned that you used the same config on your 2950's and your 2960's but is it possible to post the config from the same 2950 that you just did the debug on?


Thanks,


Craig
