ACS 5.0 - TACACS Authentication Not Working Out of Box

ericn8484_2
Level 1

I am looking to convert to Cisco ACS 5.0 in the future. Our current use for ACS is TACACS+ authentication, and in the future we would like to do PEAP authentication for wireless; however, we have an issue with wireless clients that prevents us from using PEAP at this time. ACS 5.0 looks to be able to meet our requirements of the software while providing a more standard interface, better manageability of devices, etc.

I am currently running into a snag trying to get TACACS+ to work out of the box. I have the system set up as basic as possible: adding the device in the resource group and checking TACACS with the key, creating an internal user for testing (eventually I will switch to AD), and using the base Permit Access shell profile (I also tried creating a new one with level 15 access). Under Access Policy I have the identity as local under Default Device Admin, as well as setting the default behavior as Permit Access.

However, when I try to perform authentication, it always errors out with code 13012, but I have been unable to figure out why. I have provided my AAA config on the switch, the AAA debug log from ACS, as well as the debug from the switch. Does anyone have any ideas on what is going wrong or, better yet, what I am doing wrong?

Thanks

Switch Configuration:

username admin privilege 15 password test
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
tacacs-server directed-request
tacacs-server key testkey
tacacs-server host (Server IP)

ACS AAA Debug Log:

Logged At: 2:57:10.323 PM
ACS Session ID: FVM-ACS-01/32037700/49
Severity: ERROR
Message: TACACS: Invalid TACACS+ authentication request
Category: CSCOacs_TACACS_Diagnostics
Code: 13012
Details:
ACTION=Login
ACTION_3=Login
AUTHENTYPE=ASCII
AUTHENTYPE_5=ASCII
CISCOIOS=false
CONFIGVERSIONID=65
DEVICEIPADDRESS= (Switch IP)
DEVICEPORT=39473
ENABLESINGLECONNECT=false
HEADERFLAGS=Encrypted
MAJORVERSION=Default
MINORVERSION=Default
PRIVILEGELEVEL=1
PRIVILEGELEVEL_4=1
RESPONSE={AuthenticationResult=NotAllowed; MajorVersion=Default; MinorVersion=Default; Type=Authentication; Header-Flags=Encrypted; SessionId=212139626; Authen-Reply-Status=Error; }
SELECTEDACCESSSERVICE=Default Device Admin
SEQUENCENUMBER=5
SEQUENCENUMBER_1=6
SERVICE=Login
SERVICE_6=Login
SESSIONID=212139626
SESSIONID_2=212139626
TYPE=Authentication
USESINGLECONNECT=false
ACS Instance: FVM-ACS-01

4 Replies

ericn8484_2
Level 1

Switch TACACS debug log:

*Mar 1 00:09:26.021: TPLUS: Queuing AAA Authentication request 10 for processing
*Mar 1 00:09:26.021: TPLUS: processing authentication start request id 10
*Mar 1 00:09:26.021: TPLUS: Authentication start packet created for 10()
*Mar 1 00:09:26.021: TPLUS: Using server (Server IP)
*Mar 1 00:09:26.029: TPLUS(0000000A)/0/NB_WAIT/3BF1A9C: Started 20 sec timeout
*Mar 1 00:09:26.029: TPLUS(0000000A)/0/NB_WAIT: socket event 2
*Mar 1 00:09:26.029: TPLUS(0000000A)/0/NB_WAIT: wrote entire 34 bytes request
*Mar 1 00:09:26.029: TPLUS(0000000A)/0/READ: socket event 1
*Mar 1 00:09:26.029: TPLUS(0000000A)/0/READ: Would block while reading
*Mar 1 00:09:26.029: TPLUS(0000000A)/0/READ: socket event 1
*Mar 1 00:09:26.029: TPLUS(0000000A)/0/READ: read entire 12 header bytes (expect 20 bytes data)
*Mar 1 00:09:26.029: TPLUS(0000000A)/0/READ: socket event 1
*Mar 1 00:09:26.029: TPLUS(0000000A)/0/READ: read entire 32 bytes response
*Mar 1 00:09:26.029: TPLUS(0000000A)/0/3BF1A9C: Processing the reply packet
*Mar 1 00:09:26.029: TPLUS: Received authen response status GET_USER (7)
*Mar 1 00:09:27.472: TPLUS: Queuing AAA Authentication request 10 for processing
*Mar 1 00:09:27.472: TPLUS: processing authentication continue request id 10
*Mar 1 00:09:27.472: TPLUS: Authentication continue packet generated for 10
*Mar 1 00:09:27.472: TPLUS(0000000A)/0/WRITE/3BEE6D4: Started 20 sec timeout
*Mar 1 00:09:27.472: TPLUS(0000000A)/0/WRITE: wrote entire 27 bytes request
*Mar 1 00:09:27.472: TPLUS(0000000A)/0/READ: socket event 1
*Mar 1 00:09:27.472: TPLUS(0000000A)/0/READ: read entire 12 header bytes (expect 20 bytes data)
*Mar 1 00:09:27.472: TPLUS(0000000A)/0/READ: socket event 1
*Mar 1 00:09:27.472: TPLUS(0000000A)/0/READ: read entire 32 bytes response
*Mar 1 00:09:27.472: TPLUS(0000000A)/0/3BEE6D4: Processing the reply packet
*Mar 1 00:09:27.472: TPLUS: Received authen response status GET_PASSWORD (8)
*Mar 1 00:09:28.730: TPLUS: Queuing AAA Authentication request 10 for processing
*Mar 1 00:09:28.730: TPLUS: processing authentication continue request id 10
*Mar 1 00:09:28.730: TPLUS: Authentication continue packet generated for 10
*Mar 1 00:09:28.730: TPLUS(0000000A)/0/WRITE/2F3E484: Started 20 sec timeout
*Mar 1 00:09:28.730: TPLUS(0000000A)/0/WRITE: wrote entire 21 bytes request
*Mar 1 00:09:28.730: TPLUS(0000000A)/0/READ: socket event 1
*Mar 1 00:09:28.730: TPLUS(0000000A)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*Mar 1 00:09:28.730: TPLUS(0000000A)/0/READ: socket event 1
*Mar 1 00:09:28.730: TPLUS(0000000A)/0/READ: read entire 18 bytes response
*Mar 1 00:09:28.730: TPLUS(0000000A)/0/2F3E484: Processing the reply packet
*Mar 1 00:09:28.730: TPLUS: Received Authen status error
*Mar 1 00:09:28.730: TPLUS(0000000A)/0/REQ_WAIT/2F3E484: timed out
*Mar 1 00:09:28.730: TPLUS: Choosing next server (Server IP)
*Mar 1 00:09:28.739: TPLUS(0000000A)/1/NB_WAIT/2F3E484: Started 20 sec timeout
*Mar 1 00:09:28.739: TPLUS(0000000A)/2F3E484: releasing old socket 0
*Mar 1 00:09:28.739: TPLUS(0000000A)/1/2F3E484: Processing the reply packet
*Mar 1 00:09:30.744: TPLUS: Queuing AAA Authentication request 10 for processing
*Mar 1 00:09:30.744: TPLUS: processing authentication start request id 10
*Mar 1 00:09:30.744: TPLUS: Authentication start packet created for 10()

Eric

The debug from the switch shows the switch communicating with the server, and getting requests to get user and to get password. From this we can be sure that the problem is not that the key entered is incorrect, and that the source address used by the switch matches the address configured in TACACS (and these are common mistakes).

So the server gets the user ID and password but then returns an error. I wonder if the problem might be some issue with the way that the user was set up in TACACS (but if it were, I would expect the response to be reject and not error). Is it possible that some part of the TACACS service is not running as it should be?

HTH

Rick


I thought about the user account being the issue, as I started out testing AD authentication first, so that's when I switched to internal. I noticed in the logs that ACS has not performed any successful or failed authentication attempts, so it seems to be something with the TACACS service, and it's not even getting to the point of checking the username/password.

Seems like a conflict between what I am using for TACACS on the switch and on ACS. However, I have performed this test on an older IOS as well as the latest IOS for the 3560 series switches. The ACS version is 5.0 running on an ESX virtual appliance. There are very few settings that I can find for TACACS on the virtual appliance, and I do not see where I can check for services.

I find it hard to believe as well that the base install would not have the proper settings to run the standard TACACS settings on the switches.

Thanks for the ideas.

I was able to work with Nate from Cisco TAC to resolve this error and thought I would post it in case anyone else comes across the same issue.

The problem is that the Default Device Admin policy is not configured for PAP/ASCII, which is what the switches use to authenticate through TACACS+.

To make this change, go to Access Policies -> Access Services and then click on the Default Device Admin policy. There, go to the Allowed Protocols tab and check "Allow PAP/ASCII".
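To show why the "Allow PAP/ASCII" setting decides this case, here is an added worked example (not code from the thread, from Cisco, or from ACS) that builds the TACACS+ authentication START packet a switch sends for an exec login, parses it the way a server would, and applies a hypothetical allowed-protocol check modelled on the access-service setting. The packet layout, the 12-byte header and the MD5 body obfuscation follow RFC 8907; the constants are the protocol's own. The session id and shared key are taken from the thread; the port name `tty1`, the documentation-range remote address and the `server_decision` policy model are assumptions made here. With only PAP permitted, the ASCII request is answered with status ERROR, matching the switch's "Received Authen status error" and the ACS "Authen-Reply-Status=Error"; with ASCII permitted, the same request gets GET_USER, the prompt that shows the shared key was already correct.

```python
import hashlib
import struct

# Protocol constants from RFC 8907 (TACACS+); the numeric values are the protocol's own.
TAC_PLUS_AUTHEN = 0x01            # header 'type' for authentication packets
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag bit; clear means the body is obfuscated with the key
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START 'action'
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01  # START 'authen_service'
AUTHEN_TYPES = {0x01: "ASCII", 0x02: "PAP", 0x03: "CHAP", 0x05: "MSCHAP", 0x06: "MSCHAPV2"}

# Fixed-size layouts: the 12-byte header and the 8-byte fixed part of the START body.
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
START = struct.Struct("!8B")       # action, priv_lvl, authen_type, authen_service,
                                   # user_len, port_len, rem_addr_len, data_len


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pad: MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1})."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice with the same key restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_start(session_id, key, authen_type, user=b"", port=b"tty1", rem_addr=b"", priv_lvl=1):
    """Client side: the authentication START packet a switch sends for an exec login."""
    version, seq_no = 0xC0, 1  # major 0xC, minor 0: the 'Default' minor version used by ASCII login
    body = START.pack(TAC_PLUS_AUTHEN_LOGIN, priv_lvl, authen_type, TAC_PLUS_AUTHEN_SVC_LOGIN,
                      len(user), len(port), len(rem_addr), 0) + user + port + rem_addr
    header = HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_start(packet, key):
    """Server side: read the cleartext header, de-obfuscate the body, decode the START fields."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet, 0)
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, _ = START.unpack_from(body, 0)
    off = START.size
    user, off = body[off:off + ulen], off + ulen
    port, off = body[off:off + plen], off + plen
    rem_addr = body[off:off + rlen]
    return {"session_id": session_id, "seq_no": seq_no, "action": action, "priv_lvl": priv_lvl,
            "authen_type": AUTHEN_TYPES.get(authen_type, "UNKNOWN"),
            "user": user, "port": port, "rem_addr": rem_addr}


def server_decision(packet, key, allowed_types):
    """Hypothetical policy model of the access service's protocol check (not ACS code):
    an authen_type outside the allowed set is answered with status ERROR; an ASCII login
    that carries no username yet gets GET_USER, the prompt seen in the switch debug."""
    req = parse_start(packet, key)
    if req["authen_type"] not in allowed_types:
        return "ERROR"
    if req["authen_type"] == "ASCII" and not req["user"]:
        return "GET_USER"
    return "GET_PASS"


def demo():
    # Constructed sample: the thread's session id and key, an assumed IOS-style port and a
    # documentation-range remote address chosen so the packet is 34 bytes like the debug's.
    pkt = build_start(212139626, b"testkey", 0x01, rem_addr=b"192.0.2.10")
    return {
        "bytes": len(pkt),
        "pap_only": server_decision(pkt, b"testkey", {"PAP"}),
        "pap_ascii": server_decision(pkt, b"testkey", {"PAP", "ASCII"}),
    }


if __name__ == "__main__":
    print(demo())
```

Because the header is never obfuscated, a wrong shared key still yields the right session id but a garbage body, which is why a key mismatch normally fails before the server can even ask for a username; a reply of GET_USER, as in the debug above, therefore rules the key out and points at policy, which is exactly where the fix turned out to be.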
