Tacacs issues on a c880

Unanswered Question
Oct 29th, 2008

I have attached the debug. From the spoke site I can telnet to the tacacs server's management port. I don't see failed attempts on the tacacs server, so I get the impression that it's not making it there or back. Can someone take a look at the debug and let me know what, if anything, may be wrong?

Thanks in advance!!

Richard Burts Thu, 10/30/2008 - 08:51

Brent

I have looked at the information that you posted. The debug shows that it is sending requests, and seems to show that it processes a reply. But there is no indication of what the reply is. I find that quite odd. I might suggest that you add debug tacacs packet and test again. It would show more detail of what is going back and forth.

I notice several things in the commands that you post that might be issues. You show configuration of the server but do not show the configuration of the key (or shared secret) that the router and the server use to protect their transmissions. If the keys do not match you will not authenticate with the server (though that usually does create entries in the failed attempts report indicating invalid key).

I also notice that you define the server group as Netadmin but in the authentication command you call for NMM-Netadmin. And under the vty lines you specify the authentication method as Netadmin but in the authentication command you call it NMM-Netadmin.

Perhaps you can clarify some of these things?

HTH

Rick

Brent Rockburn Thu, 10/30/2008 - 09:23

Here is a new debug file.

Sorry about the nmm-netadmin versus the other one I was just trying to edit stuff on the text file.

I'm getting an error in the debug; I don't know what exactly it means, as it's a little ambiguous.

thanks for the help.

Richard Burts Thu, 10/30/2008 - 09:39

Brent

That does help to clarify a little. Clearly the router is sending a request. Some packet is received in response but there is an error in reading the packet header. It would be nice to know more about the error, but the debug is not helpful about that.

I wonder how it would work if you remove the single-connection parameter from the server configuration on the router.

Also can you verify that the TACACS server is working properly? Is it authenticating for other clients?

Is there anything unique about the configuration in the server for client 10.50.2.176?

Does the server have any entries in its failed attempts file that correspond to the time when you are testing?

HTH

Rick

Brent Rockburn Thu, 10/30/2008 - 10:28

Hey,

I've verified that the tacacs server is running properly, as I use it on all my security devices like fw's and others. I have removed the "single-connection" and now I am getting the following at the tail end:

*Oct 30 16:52:16.847: TPLUS(0000001B)/0/NB_WAIT: wrote entire 45 bytes request
*Oct 30 16:52:16.847: TPLUS(0000001B)/0/READ: socket event 1
*Oct 30 16:52:16.847: TPLUS(0000001B)/0/READ: Would block while reading
*Oct 30 16:52:16.867: TPLUS(0000001B)/0/READ: socket event 1
*Oct 30 16:52:16.867: TPLUS(0000001B)/0/READ: read 0 bytes
*Oct 30 16:52:16.871: TPLUS(0000001B)/0/READ: socket event 1
*Oct 30 16:52:16.871: TPLUS(0000001B)/0/READ: errno 254
*Oct 30 16:52:16.871: TPLUS(0000001B)/0/853AF00C: Processing the reply packet

The strange thing is that when I look at the failed attempts on the server I don't see anything. It's like it never makes it there, but I know it does; I see it in the debug.

Richard Burts Thu, 10/30/2008 - 11:21

Brent

Is there any possibility that there is a firewall or IDS/IPS that could be intercepting the request and generating/proxying a response?

HTH

Rick

Brent Rockburn Thu, 10/30/2008 - 11:27

No, there is no firewall.

Also, I can telnet from the router to the management port of the tacacs server, so I know it can indeed connect.

Richard Burts Thu, 10/30/2008 - 11:55

Brent

I have assumed since your original post that basic IP connectivity was not an issue. So I am looking for possible reasons why the request does not show up at the server - which is especially puzzling since some kind of response seems to get to the router.

HTH

Rick

Brent Rockburn Thu, 10/30/2008 - 11:57

Yes, I agree, very strange.

I think I'll open up a TAC. Maybe there is something I'm missing.

Thanks for your help

Take care.

cisco24x7 Thu, 10/30/2008 - 11:59

The way you go about troubleshooting this issue is wrong. You need to do the following:

- Run tcpdump on the tacacs server and see if it even completes a 3-way handshake, like this:

13:54:26.712822 192.168.15.248.11030 > 10.0.0.10.49: S 533573034:533573034(0) win 4128
13:54:26.712860 10.0.0.10.49 > 192.168.15.248.11030: S 86308781:86308781(0) ack 533573035 win 5840 (DF)
13:54:26.714667 192.168.15.248.11030 > 10.0.0.10.49: . ack 1 win 4128
13:54:26.715946 192.168.15.248.11030 > 10.0.0.10.49: . 1:39(38) ack 1 win 4128

- Run tcpdump on the tacacs server and capture it to a file so that you can view it with ethereal/wireshark:

tcpdump -s 1500 -w /tmp/tacacs.cap -i eth0 -nnn host router_ip_address and port 49

- Now view the file tacacs.cap with ethereal. You can find out why tacacs is not working.

The other thing to keep in mind is that the tacacs key you enter on the router is kinda tricky. "abc123 " is NOT the same as "abc123". The extra space at the end could cause issues. You can not decode it with tcpdump because the packet is encrypted.
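The handshake check suggested above can be done mechanically over the text output of tcpdump. The following Python script is an added example, not something from the thread or from any Cisco tool: it parses lines in the tcpdump 3.x text format shown in the post, isolates the router-to-server TCP/49 session, and reports whether the SYN was answered, whether the handshake completed and whether the router then actually sent a TACACS+ request. The two capture samples are constructed; the first reuses the lines quoted above, the second is an assumed failure case where the server never answers the SYN.

```python
import re

# Constructed samples. HEALTHY_CAPTURE is the handshake quoted in the post
# above (tcpdump 3.x text output). NO_SYNACK_CAPTURE is a constructed failure
# case: the router retransmits its SYN and nothing ever comes back.
HEALTHY_CAPTURE = """\
13:54:26.712822 192.168.15.248.11030 > 10.0.0.10.49: S 533573034:533573034(0) win 4128
13:54:26.712860 10.0.0.10.49 > 192.168.15.248.11030: S 86308781:86308781(0) ack 533573035 win 5840 (DF)
13:54:26.714667 192.168.15.248.11030 > 10.0.0.10.49: . ack 1 win 4128
13:54:26.715946 192.168.15.248.11030 > 10.0.0.10.49: . 1:39(38) ack 1 win 4128
"""

NO_SYNACK_CAPTURE = """\
13:55:01.000000 192.168.15.248.11031 > 10.0.0.10.49: S 700000001:700000001(0) win 4128
13:55:03.000000 192.168.15.248.11031 > 10.0.0.10.49: S 700000001:700000001(0) win 4128
"""

# "<ts> <src>.<sport> > <dst>.<dport>: <flags> <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<flags>[SFRP.]+)\s*(?P<rest>.*)$"
)
# "<first>:<last>(<len>)" gives the payload length carried by the segment.
SEGMENT_RE = re.compile(r"\d+:\d+\((\d+)\)")

HINTS = {
    "no_syn_seen": "No SYN from the router reached the capture point: check routing, ACLs or the source address the router uses.",
    "server_refused": "The server answered with RST: nothing is listening on TCP/49 at that address.",
    "no_synack": "The SYN arrived but was never answered: the daemon is down, a host firewall drops it, or the server ignores this client.",
    "handshake_incomplete": "SYN/ACK sent but the router's final ACK never arrived: asymmetric path or return-traffic filtering.",
    "no_request_sent": "TCP session established but the router sent no TACACS+ data.",
    "request_sent": "Handshake completed and a request was sent; the problem is above TCP (key, AAA client definition).",
}


def parse_packets(text):
    """Turn tcpdump text lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["syn"] = "S" in p["flags"]
        p["rst"] = "R" in p["flags"]
        p["ack"] = re.search(r"\back\b", p["rest"]) is not None
        seg = SEGMENT_RE.search(p["rest"])
        p["payload"] = int(seg.group(1)) if seg else 0
        packets.append(p)
    return packets


def check_tacacs_session(text, server_ip, port="49"):
    """Classify one router-to-server TACACS+ TCP session seen in a capture."""
    pkts = parse_packets(text)
    to_server = [p for p in pkts if p["dst"] == server_ip and p["dport"] == port]
    from_server = [p for p in pkts if p["src"] == server_ip and p["sport"] == port]

    client_syn = any(p["syn"] and not p["ack"] for p in to_server)
    server_synack = any(p["syn"] and p["ack"] for p in from_server)
    server_rst = any(p["rst"] for p in from_server)
    client_ack = any(p["ack"] and not p["syn"] for p in to_server)
    # Payload counted only on non-SYN segments from the router.
    request_bytes = sum(p["payload"] for p in to_server if not p["syn"])

    if not client_syn:
        verdict = "no_syn_seen"
    elif server_rst:
        verdict = "server_refused"
    elif not server_synack:
        verdict = "no_synack"
    elif not client_ack:
        verdict = "handshake_incomplete"
    elif request_bytes == 0:
        verdict = "no_request_sent"
    else:
        verdict = "request_sent"

    return {"verdict": verdict, "request_bytes": request_bytes, "hint": HINTS[verdict]}


if __name__ == "__main__":
    for name, cap in (("healthy", HEALTHY_CAPTURE), ("no SYN/ACK", NO_SYNACK_CAPTURE)):
        r = check_tacacs_session(cap, "10.0.0.10")
        print(f"{name}: {r['verdict']} ({r['request_bytes']} request bytes) - {r['hint']}")
```

Feed it the text output of `tcpdump -nnn host <router> and port 49` rather than the binary `.cap` file; the 38 payload bytes on the last line of the healthy sample are the encrypted TACACS+ request, which is why a completed handshake with data moves the investigation to the shared key and the server's client definition.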

rtanner Thu, 10/30/2008 - 17:06

I managed to generate the output:

Oct 31 11:03:59.204: TPLUS(0000005A)/0/NB_WAIT: wrote entire 38 bytes request
Oct 31 11:03:59.204: TPLUS(0000005A)/0/READ: socket event 1
Oct 31 11:03:59.204: TPLUS(0000005A)/0/READ: Would block while reading
Oct 31 11:03:59.204: TPLUS(0000005A)/0/READ: socket event 1
Oct 31 11:03:59.208: TPLUS(0000005A)/0/READ: errno 254
Oct 31 11:03:59.208: TPLUS(0000005A)/0/847809C0: Processing the reply packet

which includes the same errno (254) as the OP's output. It was generated by not configuring the end point as a client in the ACS.

This leads to the suggestion to confirm that the correct source interface is configured in ACS.

HTH

Ross
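The router-side pattern that Brent and Ross both posted (request written, zero bytes read, errno 254, then "Processing the reply packet") is recognisable enough to script. The following Python is an added example written for this thread, not Cisco code: it groups `TPLUS(...)` debug lines by session id and classifies each session, mapping the "server closed without a reply" case to the thread's eventual fix (define the router's source address as an AAA client and pin it with `ip tacacs source-interface`). The sample input is constructed from the debug lines quoted earlier in the thread; the verdict-to-hint mapping is my reading of the discussion, not a vendor-documented meaning of errno 254.

```python
import re
from collections import defaultdict

# Constructed sample input: the debug lines quoted earlier in this thread
# (the OP's output after removing single-connection).
SAMPLE_DEBUG = """\
*Oct 30 16:52:16.847: TPLUS(0000001B)/0/NB_WAIT: wrote entire 45 bytes request
*Oct 30 16:52:16.847: TPLUS(0000001B)/0/READ: socket event 1
*Oct 30 16:52:16.847: TPLUS(0000001B)/0/READ: Would block while reading
*Oct 30 16:52:16.867: TPLUS(0000001B)/0/READ: socket event 1
*Oct 30 16:52:16.867: TPLUS(0000001B)/0/READ: read 0 bytes
*Oct 30 16:52:16.871: TPLUS(0000001B)/0/READ: socket event 1
*Oct 30 16:52:16.871: TPLUS(0000001B)/0/READ: errno 254
*Oct 30 16:52:16.871: TPLUS(0000001B)/0/853AF00C: Processing the reply packet
"""

# TPLUS(<session id>)/<n>/<stage>: <message>
TPLUS_RE = re.compile(r"TPLUS\((?P<sid>[0-9A-Fa-f]+)\)/\d+/(?P<stage>[^:]+):\s*(?P<msg>.*)$")

# Hints are this example's interpretation of the thread, not vendor text.
HINTS = {
    "request_not_sent": "No request was written: the TCP connection to the server never came up.",
    "server_closed_without_reply": (
        "TCP connected and the request was written, but the server closed the session "
        "without sending a TACACS+ reply. In this thread that meant the router's source "
        "address was not defined as an AAA client: set 'ip tacacs source-interface' and add "
        "that address (or its subnet) as a client on the server."
    ),
    "no_reply": "Request written but nothing came back and no socket error was logged: check for a path or server-side timeout.",
    "reply_unreadable": "A reply arrived but the router hit an error reading it: suspect a shared-key mismatch, including trailing whitespace in the key.",
    "reply_read": "A reply was read cleanly; look at the authentication result itself.",
}


def parse_tplus(text):
    """Group TPLUS debug messages by session id, preserving line order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = TPLUS_RE.search(line)
        if m:
            sessions[m.group("sid")].append((m.group("stage"), m.group("msg")))
    return dict(sessions)


def classify_session(events):
    """Summarise one session's events and attach a verdict code and hint."""
    wrote_bytes = 0
    read_bytes = 0
    errnos = []
    for _stage, msg in events:
        m = re.match(r"wrote entire (\d+) bytes", msg)
        if m:
            wrote_bytes += int(m.group(1))
        m = re.match(r"read (\d+) bytes", msg)
        if m:
            read_bytes += int(m.group(1))
        m = re.match(r"errno (\d+)", msg)
        if m:
            errnos.append(int(m.group(1)))

    if wrote_bytes == 0:
        code = "request_not_sent"
    elif read_bytes == 0 and 254 in errnos:
        code = "server_closed_without_reply"
    elif read_bytes == 0:
        code = "no_reply"
    elif errnos:
        code = "reply_unreadable"
    else:
        code = "reply_read"
    return {"wrote_bytes": wrote_bytes, "read_bytes": read_bytes,
            "errnos": errnos, "code": code, "hint": HINTS[code]}


def classify_all(text):
    """Classify every TPLUS session found in a block of debug output."""
    return {sid: classify_session(ev) for sid, ev in parse_tplus(text).items()}


if __name__ == "__main__":
    for sid, result in classify_all(SAMPLE_DEBUG).items():
        print(f"session {sid}: {result['code']} "
              f"(wrote {result['wrote_bytes']}, read {result['read_bytes']}, errno {result['errnos']})")
        print("  " + result["hint"])
```

Paste the output of `debug tacacs` into the script; a session that shows "wrote entire N bytes" followed by no bytes read and errno 254 is the case both posters hit, and the server's own failed-attempts log stays empty in that case precisely because the server never treated the packet as a request from a known client.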

Brent Rockburn Fri, 10/31/2008 - 08:50

So the issue was that I needed to specify a tacacs interface and I also didn't configure the subnet for that interface on the ACS server. Once I did both it worked like a dream.

Thanks for all the help
