Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8702
Views
14
Helpful
11
Replies

AAA Authentication

Go to solution
Mavrick25
Level 1
Level 1

‎10-22-2009 02:14 AM - edited ‎03-10-2019 04:45 PM

Hello Everyone.

I'm not an expert in AAA Authentication that's why I'm here..

We 3 routers, 1 of which works with Authentication and the other 2 that don't.

We have configured the following:

aaa new-model

!

!

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated.

The problem is that when I try to connect using the TACACS server username and password it gives me a generic error message the classic.

% Athentication Failed

But if I try the local username and password it works..

How come, it's not a problem of routing because the one that works uses the same exit point to reach the server as the one that doesn't, the only difference that exists is the IOS is different..

Can anyone point me in the right direction? Please and thank you

2 people had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jagdeep Gambhir
Level 10
Level 10
In response to Mavrick25

‎10-22-2009 07:31 AM

Did you check the shared secret key, on ACS NDG key over rites aaa-client key.

Make sure key is not an issue.

Regards,

~JG

View solution in original post

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Mavrick25

‎10-23-2009 04:04 AM

Hi Mav,

Thanks for sharing the solution :)

That is why I asked you to run the debugs. Just wanted to share with you that whenever we have key mis-match issue.

We will see thses kind of debugs:

AUTHEN/START/LOGIN/ASCII queued

TAC+: AUTHEN/START/LOGIN/ASCII processed

TAC+: decrypt: pak is unencrypted but we have a key

TAC+: Unable to decrypt data from SERVER OR NAS.

TAC+: Closing TCP/IP 0x765C2C connection

OR TAC+: CHECK THE KEYS

Also, IOS should take the encrypted key. As fas as I know there is no known issue. make sure that you had the correct encrypted. It should work.

On the IOS, we should service password-encryption available.

Do let me know if you have any query.

HTH

JK

Plz rate helpful posts-

~Jatin

View solution in original post

11 Replies 11

Go to solution
Jagdeep Gambhir
Level 10
Level 10

‎10-22-2009 02:33 AM

It seems that router is not able to reach tacacs. Since it is a layer 3 device you need to set up source interface for tacacs.

Ip tacacs source-interface x/y

Where source interface is the one that is listed in acs --> network configuration-->aaa client-->router ip .

ip tacacs source-interface

To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration or server-group configuration mode. To disable use of the specified interface IP address, use the no form of this command.

ip tacacs source-interface subinterface-name

no ip tacacs source-interface

Regards,

~JG

Do rate helpful posts

0 Helpful

Go to solution
Mavrick25
Level 1
Level 1
In response to Jagdeep Gambhir

‎10-22-2009 02:59 AM

Hello,

Thank you so much for your response.

We came accross that command as well, in fact it has been already applied.

ip tacacs source-interface Loopback0

When you say that we are not able to reach the tacacs server are you indicating a problem with routing?

The reason I ask is because 1 of the 3 routers work.

If I perfrom the show tacacs command I recieve the following:

Tacacs+ Server :

Socket opens: 370

Socket closes: 370

Socket aborts: 0

Socket errors: 0

Socket Timeouts: 0

Failed Connect Attempts: 0

Total Packets Sent: 370

Total Packets Recv: 370

No current connection

Tacacs+ Server :

Socket opens: 146

Socket closes: 146

Socket aborts: 0

Socket errors: 0

Socket Timeouts: 2

Failed Connect Attempts: 0

Total Packets Sent: 146

Total Packets Recv: 144

No current connection

This command leads me to believe that it is reachable no?

Mav

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Mavrick25

‎10-22-2009 04:00 AM

Hi Mav,

Looks like that authentication request is not reaching at tacacs that is why you are able to authenticate using local username & password. Since you've already defined "ip tacacs source-interface loopback0" on the router. You need to check the following:

1.] Are you able to ping the tacacs server?

2.] Are you able to telnet into it

router#telnet 49

3.] Do you have the same ip configured on the ACS > network configuration same as loopback0 interface.

4.] make sure that tacacs service is running > Go to system configuration > services control > and look at the bottom tabs.

If all of the above options are correctly configured/work then please help me with the following debugs:

debug aaa authentication

debug tacacs

term mon

Now, try to authenticate again so that we can generate debugs and post it here.

HTH

JK

Plz rate helpful posts-

~Jatin

Go to solution
Mavrick25
Level 1
Level 1
In response to Jatin Katyal

‎10-22-2009 05:31 AM

Thanks for the reply,

1#:

Yes, able to ping the tacacs

2#

Yes, take a look:

#telnet x.x.x.x 49

Trying x.x.x.x, 49 ... Open

3#

Currently verifiying this! Will let you know!

4#

For step number 4, this needs to be done on the server correct? I don't have access to it our system admin does.

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Mavrick25

‎10-22-2009 05:44 AM

Hi,

Yes, I can see that you can ping and telnet the tacacs server. You're correct, both [3] and [4] steps can only be verified if we have access to ACS under network configuration and system configuration.

Please first run the debugs and then Also run this command on the router

router#test aaa group tacacs+ legacy

HTH

JK

Plz rate helpful posts-

~Jatin
0 Helpful

Go to solution
Mavrick25
Level 1
Level 1
In response to Jatin Katyal

‎10-22-2009 06:06 AM

I feel like we are getting close and all thanks to you!!

The output is as follows:

#test aaa group tacacs+ <__> <__> legacy

Attempting authentication test to server-group tacacs+ using tacacs+

No authoritative response from any server.

PR

0 Helpful

Go to solution
Jagdeep Gambhir
Level 10
Level 10
In response to Mavrick25

‎10-22-2009 07:31 AM

Did you check the shared secret key, on ACS NDG key over rites aaa-client key.

Make sure key is not an issue.

Regards,

~JG

Go to solution
Mavrick25
Level 1
Level 1
In response to Jagdeep Gambhir

‎10-22-2009 11:57 PM

I figured out what the problem was, it seems the IOS version that is running on the router didn't like the encrypted key.

when I inserted the non-encrypted version everything worked fine.

Thanks for all your help, sincerly.

Mav

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Mavrick25

‎10-23-2009 04:04 AM

Hi Mav,

Thanks for sharing the solution :)

That is why I asked you to run the debugs. Just wanted to share with you that whenever we have key mis-match issue.

We will see thses kind of debugs:

AUTHEN/START/LOGIN/ASCII queued

TAC+: AUTHEN/START/LOGIN/ASCII processed

TAC+: decrypt: pak is unencrypted but we have a key

TAC+: Unable to decrypt data from SERVER OR NAS.

TAC+: Closing TCP/IP 0x765C2C connection

OR TAC+: CHECK THE KEYS

Also, IOS should take the encrypted key. As fas as I know there is no known issue. make sure that you had the correct encrypted. It should work.

On the IOS, we should service password-encryption available.

Do let me know if you have any query.

HTH

JK

Plz rate helpful posts-

~Jatin

Go to solution
wei-koon.tay
Level 1
Level 1
In response to Mavrick25

‎05-07-2010 03:01 AM

Hi,

May I check with you what do you mean by inserting a non-encrypted key? I'm also seeing the same problem as yours. Please advise.

thanks.

wk

0 Helpful

Go to solution
Oscar Ortiz
Level 1
Level 1
In response to wei-koon.tay

‎09-28-2015 04:58 PM

I have the same dude: hat do you mean by inserting a non-encrypted key?

 

Regards

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents