Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
583
Views
3
Helpful
2
Replies

tacacs not using vpn tunnel

richardcalvert
Level 1
Level 1

‎05-27-2009 08:47 AM - edited ‎03-10-2019 04:30 PM

this is my AAA config;

aaa authentication login default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated local

aaa accounting connection default start-stop group tacacs+

aaa session-id common

tacacs-server host 201.0.99.97 key ************

The ip address if the acs server (99.97) is an internal IP. When I set the internal IP as the tacacs source, the authentication fails over to the enable password.

Here is the tacacs debug;

01:33:57: TPLUS: Queuing AAA Authentication request 2 for processing

01:33:57: TPLUS: processing authentication start request id 2

01:33:57: TPLUS: Authentication start packet created for 2()

01:33:57: TPLUS: Using server 201.0.99.97

01:33:57: TPLUS(00000002): Select released but nopeername.. Failover

01:34:00: TPLUS: Queuing AAA Authorization request 2 for processing

01:34:00: TPLUS: processing authorization request id 2

01:34:00: TPLUS: Sending AV service=shell

01:34:00: TPLUS: Sending AV cmd*

01:34:00: TPLUS: Authorization request created for 2()

01:34:00: TPLUS: Using server 201.0.99.97

01:34:01: TPLUS(00000002): Select released but nopeername.. Failover

If I change the tacacs source to the outside IP of the acs server then I authenticate with acs just fine. I use the same config on a few 1841/61's as well as a couple 2800, all of which are using the internal ip of my acs server.

Where should I be looking to figure this out?

Thanks, Richard

Labels:
0 Helpful
2 Replies 2

Richard Burts
Hall of Fame
Hall of Fame

‎05-28-2009 09:48 AM

Richard

If I am understanding your situation correctly then the issue is that the source address that you specify on your device must match the address configured in the TACACS server for that client. If you authenticate ok when you specify the outside address then obviously this is the address configured in TACACS. And so if you specify a different address as the source then it no longer matches the address configured on the server.

HTH

Rick

HTH

Rick

richardcalvert
Level 1
Level 1
In response to Richard Burts

‎05-28-2009 09:55 AM

The source address for the device is the same address listed in the tacacs server. The problem I'm having is with the tacacs server IP not the source IP. I'm using a perimiter server (for tacacs) that has both an internal and an external IP. The way I have most of my aaa traffic flowing is through vpn from the device to the tacacs server on the servers internal IP. I'm unable to make this happen with the 1700's thus far, they only communicate with the tacacs server when I tell the device to use the tacacs servers external IP address.

Thanks for helping out :)

0 Helpful
Customers Also Viewed These Support Documents