TACACS not working - Need help

dipumj
Level 1

Hi,

I have implemented TACACS in a VPN VRF environment, but it is not working; I am not able to route the ACS servers' IPs through the VRF-VPN.

Configuration pasted below:

aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
ip tacacs source-interface VLAN1
tacacs-server host X.X.X.X
tacacs-server host 10.10.10.4
tacacs-server key 7 ####################333
tacacs-server administration
aaa group server tacacs+ tacacs1
 server-private 10.10.10.4 key ############
 ip vrf forwarding LAN
 ip tacacs source-interface VLAN1

5 Replies

Ivan Martinon
Level 7

I believe there is a known issue with this setup, and you might need to enter server-group mode and then define the VRF forwarding interface there, something like this:

aaa group server tacacs+ TEST
 server X.X.X.X
 ip vrf forwarding LAN
!

Hi,

Thank you so much for your mail.

I have tried this, but I am still not able to make it succeed:

aaa group server tacacs+ tacacs1
 server 10.10.10.14
 server 10.10.10.45
 ip vrf forwarding LAN
 ip tacacs source-interface Vlan1

It is showing "authorisation failed" when I try a new VTY session.

You might need to get some debugs on this box as well as the failed logs from your TACACS server.

Hi, sorry for the late reply.

Please find below the logs from the router:

Feb 12 14:10:28.748: AAA/ACCT/CMD(000000B9): free_rec, count 2
Feb 12 14:10:28.748: AAA/ACCT/CMD(000000B9): Setting session id 283 : db=846968EC
Feb 12 14:10:28.748: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)
Feb 12 14:10:35.450: AAA/BIND(000000BA): Bind i/f
Feb 12 14:10:35.450: AAA/ACCT/EVENT/(000000BA): CALL START
Feb 12 14:10:35.450: Getting session id for NET(000000BA) : db=83E3E3B0
Feb 12 14:10:35.450: AAA/ACCT(00000000): add node, session 284
Feb 12 14:10:35.450: AAA/ACCT/NET(000000BA): add, count 1
Feb 12 14:10:35.450: Getting session id for NONE(000000BA) : db=83E3E3B0
Feb 12 14:10:36.014: AAA/AUTHEN/LOGIN (000000BA): Pick method list 'default'
Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9): STOP protocol reply FAIL
Feb 12 14:10:38.749: AAA/ACCT(000000B9): Accouting method=NOT_SET
Feb 12 14:10:38.749: AAA/ACCT(000000B9): Send STOP accounting notification to EM successfully
Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9): Tried all the methods, osr 0
Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9) Record not present
Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9) reccnt 2, csr FALSE, osr 0
Feb 12 14:10:46.011: AAA/AUTHEN/LINE(000000BA): GET_PASSWORD
Feb 12 14:11:14.326: AAA/AUTHOR: config command authorization not enabled
Feb 12 14:11:14.326: AAA/ACCT/CMD(000000B9): Pick method list 'default'
Feb 12 14:11:14.326: AAA/ACCT/SETMLIST(000000B9): Handle 0, mlist 83E2FF8C, Name default
Feb 12 14:11:14.330: Getting session id for CMD(000000B9) : db=846968EC
Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): add, count 3
Feb 12 14:11:14.330: AAA/ACCT/EVENT/(000000B9): COMMAND
Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): Queueing record is COMMAND osr 1
Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): free_rec, count 2
Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): Setting session id 285 : db=846968EC
Feb 12 14:11:14.330: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): Pick method list 'default'
Feb 12 14:11:16.642: AAA/ACCT/SETMLIST(000000BA): Handle 0, mlist 83E2FEEC, Name default
Feb 12 14:11:16.642: Getting session id for EXEC(000000BA) : db=83E3E3B0
Feb 12 14:11:16.642: AAA/ACCT(000000BA): add common node to avl failed
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): add, count 2
Feb 12 14:11:16.642: AAA/ACCT/EVENT/(000000BA): EXEC DOWN
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): Accounting record not sent
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): free_rec, count 1
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA) reccnt 1, csr FALSE, osr 0
Feb 12 14:11:18.425: AAA/AUTHOR: config command authorization not enabled
Feb 12 14:11:18.425: AAA/ACCT/243(000000B9): Pick method list 'default'
Feb 12 14:11:18.425: AAA/ACCT/SETMLIST(000000B9): Handle 0, mlist 83144FF8, Name default
Feb 12 14:11:18.425: Getting session id for CMD(000000B9) : db=846968EC
Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): add, count 3
Feb 12 14:11:18.425: AAA/ACCT/EVENT/(000000B9): COMMAND
Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): Queueing record is COMMAND osr 2
Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): free_rec, count 2
Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): Setting session id 286 : db=846968EC
Feb 12 14:11:18.429: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)
Feb 12 14:11:18.649: AAA/ACCT/EVENT/(000000BA): CALL STOP
Feb 12 14:11:18.649: AAA/ACCT/CALL STOP(000000BA): Sending stop requests
Feb 12 14:11:18.649: AAA/ACCT(000000BA): Send all stops
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): STOP
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): Method list not found
Feb 12 14:11:18.649: AAA/ACCT(000000BA): del node, session 284
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): free_rec, count 0
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA) reccnt 0, csr TRUE, osr 0
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): Last rec in db, intf not enqueued

smak74
Level 1

aaa authentication login default group tacacs1 line
aaa authentication login no_tacacs line
aaa authorization exec default group tacacs1 if-authenticated
aaa authorization commands 0 default group tacacs1 if-authenticated
aaa authorization commands 1 default group tacacs1 if-authenticated
aaa authorization commands 15 default group tacacs1 if-authenticated
aaa accounting exec default start-stop group tacacs1
aaa accounting commands 0 default start-stop group tacacs1
aaa accounting commands 1 default start-stop group tacacs1
aaa accounting commands 15 default start-stop group tacacs1
aaa accounting network default start-stop group tacacs1
ip tacacs source-interface VLAN1
aaa group server tacacs+ tacacs1
 server-private 10.10.10.4 key ############
 ip vrf forwarding LAN
 ip tacacs source-interface VLAN1

Remove the config below:

tacacs-server host X.X.X.X
tacacs-server host 10.10.10.4
tacacs-server key 7 ####################333
tacacs-server administration
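The two fixes in this thread (Ivan's: put `ip vrf forwarding` inside a named server group; smak74's: make the method lists reference that named group instead of the built-in `tacacs+` group, which only ever uses the global `tacacs-server host` entries and therefore sends packets via the global routing table) can be checked mechanically before a config is pushed. The script below is an added example, not code from this thread or from Cisco: it parses an IOS-style AAA configuration (sub-mode lines indented by one space as in `show running-config`; the forum posts above lost that indentation) and reports method lists that reference the built-in group while a VRF-bound group exists, references to undefined or empty groups, referenced groups with no VRF, and VRF-bound groups that nothing references. The three sample configs are constructed from the thread with keys masked and the command-authorization lines trimmed; `<masked>` and the finding codes are this example's own.

```python
"""Lint Cisco IOS AAA config for VRF-aware TACACS+ mistakes (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Built-in group names resolve to the global 'tacacs-server host' /
# 'radius-server host' entries, which are reached via the global routing table.
BUILTIN_GROUPS = {"tacacs+", "radius"}


@dataclass
class ServerGroup:
    name: str
    servers: list = field(default_factory=list)
    vrf: Optional[str] = None
    source_interface: Optional[str] = None


def parse_aaa(config: str):
    """Return (named groups, (method-list line, group) refs, global hosts)."""
    groups, refs, global_hosts = {}, [], []
    current: Optional[ServerGroup] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:   # inside a server group
            if m := re.match(r"server(?:-private)? (\S+)", line):
                current.servers.append(m.group(1))
            elif m := re.match(r"(?:ip )?vrf forwarding (\S+)", line):
                current.vrf = m.group(1)
            elif m := re.match(r"ip (?:tacacs|radius) source-interface (\S+)", line):
                current.source_interface = m.group(1)
            continue
        current = None                                      # back at global level
        if m := re.match(r"aaa group server (?:tacacs\+|radius) (\S+)", line):
            current = ServerGroup(m.group(1))
            groups[current.name] = current
        elif m := re.match(r"(?:tacacs|radius)-server host (\S+)", line):
            global_hosts.append(m.group(1))
        elif line.startswith("aaa "):                        # a method list
            for g in re.findall(r"\bgroup (\S+)", line):
                refs.append((line, g))
    return groups, refs, global_hosts


def lint_aaa(config: str):
    """Return a list of (code, detail) findings; empty list means clean."""
    groups, refs, global_hosts = parse_aaa(config)
    vrf_groups = [g.name for g in groups.values() if g.vrf]
    findings, referenced = [], set()
    for line, g in refs:
        referenced.add(g)
        if g in BUILTIN_GROUPS:
            if not global_hosts:
                findings.append(("NO_GLOBAL_HOSTS", f"{line!r} uses built-in group {g} but no global hosts exist"))
            elif vrf_groups:
                findings.append(("BUILTIN_GROUP_WITH_VRF",
                                 f"{line!r} uses built-in group {g} (global table, hosts {global_hosts}) "
                                 f"while VRF-bound group(s) {vrf_groups} exist"))
        elif g not in groups:
            findings.append(("UNDEFINED_GROUP", f"{line!r} references undefined group {g}"))
        elif not groups[g].servers:
            findings.append(("EMPTY_GROUP", f"group {g} has no servers"))
        elif groups[g].vrf is None:
            findings.append(("GROUP_WITHOUT_VRF", f"{line!r} uses group {g}, which has no 'ip vrf forwarding'"))
    for name, grp in groups.items():
        if name not in referenced:
            findings.append(("UNREFERENCED_GROUP", f"group {name} (vrf={grp.vrf}) is never used by a method list"))
    return findings


# Constructed from the thread (keys masked, command lists trimmed).
ORIGINAL_CFG = """
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
ip tacacs source-interface Vlan1
tacacs-server host 10.10.10.4
tacacs-server key 7 <masked>
tacacs-server administration
aaa group server tacacs+ tacacs1
 server-private 10.10.10.4 key <masked>
 ip vrf forwarding LAN
 ip tacacs source-interface Vlan1
"""
CORRECTED_CFG = """
aaa authentication login default group tacacs1 line
aaa authentication login no_tacacs line
aaa authorization exec default group tacacs1 if-authenticated
aaa authorization commands 15 default group tacacs1 if-authenticated
aaa accounting exec default start-stop group tacacs1
aaa group server tacacs+ tacacs1
 server-private 10.10.10.4 key <masked>
 ip vrf forwarding LAN
 ip tacacs source-interface Vlan1
"""
MISSING_VRF_CFG = CORRECTED_CFG.replace(" ip vrf forwarding LAN\n", "")

if __name__ == "__main__":
    for label, cfg in (("as posted", ORIGINAL_CFG), ("no vrf in group", MISSING_VRF_CFG), ("corrected", CORRECTED_CFG)):
        print(f"== {label}")
        for code, detail in lint_aaa(cfg) or [("OK", "no findings")]:
            print(f"  {code}: {detail}")
```

Run it as-is and the posted config yields BUILTIN_GROUP_WITH_VRF for every method list plus UNREFERENCED_GROUP for `tacacs1`, the group without `ip vrf forwarding` yields GROUP_WITHOUT_VRF, and smak74's version is clean. Note what the lint does not judge: the `line` fallback after the group in `aaa authentication login default group tacacs1 line` is a deliberate policy choice, and it means that whenever the TACACS+ servers are unreachable (which is exactly what a wrong VRF binding causes) logins silently succeed against the line password instead.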
