Configure AAA TACACS+ with ACS

Unanswered Question
Oct 17th, 2008

I want to authenticate telnet connections with TACACS+.

These are my router configuration settings:

aaa new-model
aaa authentication login telnetssh group tacacs+ enable local
!
aaa session-id common
tacacs-server host 10.10.10.5
tacacs-server host 10.10.10.6
tacacs-server directed-request
tacacs-server key superclave
line vty 0 4
 password CISCO
 logging synchronous
 login authentication telnetssh
 transport input ssh
!
no cns aaa enable

The configuration in the ACS 4.1 is very simple, I just set the following:

===================
USER SETUP:

User: PRUEBA

User Setup:
Password Authentication -> ACS Internal Database
PAP password/password
Group to which the user is assigned -> Grupo 1
Callback -> Use group setting
Client IP Address Assignment -> Use group setting
Account Disable -> Never

Advanced TACACS+ Settings
TACACS+ Enable Control -> Use Group Level Setting
TACACS+ Enable Password -> Use CiscoSecure PAP password

======================
GROUP SETUP:

Group Setup: Grupo 1

All default, except:
TACACS+ Settings
Choice: Shell (exec)
Shell Command Authorization Set -> None

======================
In Network Configuration create a new AAA client:

AAA Client IP Address -> "ip_router"
Shared Secret -> superclave
Authenticate Using -> TACACS+ (Cisco IOS)

================

It doesn't work. What may be happening? Are there missing settings in the ACS?

Richard Burts Fri, 10/17/2008 - 09:44

Susana

My first guess at the problem is that the address used in ACS for the client does not match the source address used by the device when it sends the authentication request. If that is the case then you can use the command ip tacacs source-interface to specify the address on the device that matches the configuration of ACS.

The best way to check on this is to look in ACS at the failed attempts report. If you check the failed attempts report do you see the attempts from this device? If so the report will indicate what the error is.

HTH

Rick

Jagdeep Gambhir Mon, 10/20/2008 - 05:01

Yes, as suggested by Rick, please issue the ip tacacs source-interface command. This command is required for a layer 3 device.

Even if you don't see any hits in the ACS failed attempts, then also issue this command. Sometimes ACS does not log any message in failed attempts.

Regards,

~JG

Do rate helpful posts
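As an added example that is not part of this thread, a small Python linter that parses the router side of the configuration above and flags the point both replies make (a missing ip tacacs source-interface, so ACS may see a client address it does not know), plus two checks on the vty lines: a line password that is never consulted because the applied method list has no "line" method, and a transport input that does not accept the telnet the question asks about. The sample config string and the Loopback0 interface name are constructed for the demo.

```python
import re
# Constructed sample: the question's router config plus the ip tacacs
# source-interface line both replies recommend (Loopback0 is hypothetical).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login telnetssh group tacacs+ enable local
tacacs-server host 10.10.10.5
tacacs-server host 10.10.10.6
tacacs-server key superclave
ip tacacs source-interface Loopback0
line vty 0 4
 password CISCO
 login authentication telnetssh
 transport input ssh
"""

def parse_aaa(config):
    # Collect the TACACS+ and vty facts a reviewer checks in an IOS config.
    f = {"servers": [], "source_if": None, "lists": {}, "vty": []}
    vty = None
    for s in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"tacacs-server host (\S+)", s):
            f["servers"].append(m.group(1))
        elif m := re.match(r"ip tacacs source-interface (\S+)", s):
            f["source_if"] = m.group(1)
        elif m := re.match(r"aaa authentication login (\S+) (.+)", s):
            f["lists"][m.group(1)] = m.group(2).split()  # methods, in order
        elif s.startswith("line vty"):
            vty = {"line": s, "list": None, "password": False, "transport": []}
            f["vty"].append(vty)
        elif vty and s.startswith("login authentication "):
            vty["list"] = s.split()[2]
        elif vty and s.startswith("password "):
            vty["password"] = True
        elif vty and s.startswith("transport input "):
            vty["transport"] = s.split()[2:]
        elif s and not s.startswith(("!", "logging", "exec-timeout")):
            vty = None  # any other top-level command ends the line section
    return f

def check_aaa(f):
    # Return findings; an empty list means the config passes these checks.
    out = []
    if f["source_if"] is None:
        out.append("no ip tacacs source-interface: ACS may see an unexpected client IP")
    for v in f["vty"]:
        methods = f["lists"].get(v["list"], [])
        if v["list"] and v["password"] and "line" not in methods:
            out.append(f'{v["line"]}: line password is dead config (no "line" method)')
        if not {"telnet", "all"} & set(v["transport"]):
            out.append(f'{v["line"]}: transport input does not permit telnet')
    return out
```

Running check_aaa(parse_aaa(SAMPLE_CONFIG)) on the sample reports the unused line password and the ssh-only transport; dropping the source-interface line adds the finding the replies describe.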
