Configure AAA TACACS+ with ACS

Unanswered Question
Oct 17th, 2008

I want to authenticate telnet connections with TACACS +.

This is my router configuration settings:

aaa new-model
aaa authentication login telnetssh group tacacs+ enable local
!
aaa session-id common

tacacs-server host 10.10.10.5
tacacs-server host 10.10.10.6
tacacs-server directed-request
tacacs-server key superclave

line vty 0 4
 password CISCO
 logging synchronous
 login authentication telnetssh
 transport input ssh
!
no cns aaa enable


The configuration in ACS 4.1 is very simple; I just set the following:

===================

USER SETUP:

User: PRUEBA

User Setup:
Password Authentication -> ACS Internal Database
PAP password/password
Group to which the user is assigned -> Grupo 1
Callback -> Use group setting
Client IP Address Assignment -> Use group setting
Account Disable -> Never

Advanced TACACS+ Settings
TACACS+ Enable Control -> Use Group Level Setting
TACACS+ Enable Password -> Use CiscoSecure PAP password

======================

GROUP SETUP:

Group Setup: Grupo 1

All default, except:

TACACS+ Settings
Choice: Shell (exec)
Shell Command Authorization Set -> None

======================

In Network Configuration, create a new AAA client:

AAA Client IP Address -> "ip_router"
Shared Secret -> superclave
Authenticate Using -> TACACS+ (Cisco IOS)

================

It doesn't work. What may be happening? Are there settings missing in ACS?


Richard Burts Fri, 10/17/2008 - 09:44

Susana


My first guess at the problem is that the address used in ACS for the client does not match the source address used by the device when it sends the authentication request. If that is the case then you can use the command ip tacacs source-interface to specify the address on the device that matches the configuration of ACS.


The best way to check on this is to look in ACS at the failed attempts report. If you check the failed attempts report do you see the attempts from this device? If so the report will indicate what the error is.


HTH


Rick

Jagdeep Gambhir Mon, 10/20/2008 - 05:01

Yes, as suggested by Rick, please issue the ip tacacs source-interface command. This command is required for a layer 3 device.


Even if you don't see any hits in the ACS Failed Attempts report, still issue this command. Sometimes ACS does not log any message in Failed Attempts.


Regards,

~JG


Do rate helpful posts
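A fix-and-verify snippet for the source address mismatch both replies point at, added here as an example and not taken from either poster or from Cisco documentation for this thread; the Loopback0 address 10.10.10.1, and its use as the AAA client address in ACS, are assumptions.

```cisco
! Added example: pin the TACACS+ source address to a stable interface so
! it matches the AAA client entry in ACS ("ip_router" in the question).
! Assumption: Loopback0 holds 10.10.10.1 and ACS lists 10.10.10.1 as the
! AAA client with shared secret superclave (the key from the question).
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
!
tacacs-server host 10.10.10.5
tacacs-server host 10.10.10.6
tacacs-server key superclave
ip tacacs source-interface Loopback0
!
! Verify from the router before testing over a vty session:
!
! test aaa group tacacs+ PRUEBA <password> legacy
!   Sends a real authentication request for the ACS user PRUEBA;
!   "User successfully authenticated" means the client entry and key
!   in ACS match, otherwise check the Failed Attempts report.
!
! show tacacs
!   Per-server counters; rising "Socket errors" or "Failed connect
!   attempts" for 10.10.10.5/10.10.10.6 point at reachability rather
!   than at the ACS user or group setup.
!
! debug tacacs events
!   Shows each TCP/49 open to a server and whether a reply arrives.
```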
