AAA authentication TACACs failed

sdurn (Level 1)

Hi,

I've configured my device, a 6506-E, with TACACS+ server authentication:

enable password 7 1414131F5C542638
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs enable
aaa authentication ppp default group tacacs+
aaa authorization exec default group tacacs+ if-authenticated none
aaa authorization network default group tacacs+
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa session-id common
!
ip tacacs source-interface Vlan4
!
tacacs-server host 10.4.X.X key 7 1 044A1E030D345F4D080A554745
tacacs-server directed-request
tacacs-server key 7 12081012101E1F072B3874786475
!
interface Vlan4
 description Servers
 ip address 10.4.X.X 255.255.0.0
 no ip redirects
 standby 1 ip 10.4.X.X
!

But when I try to access the device, it only uses local authentication and not TACACS (with the username/password defined). Could it be an error in the configuration? On the other devices in the network this works properly; it is only wrong on the Cat6506-E.

device# telnet 10.1.1.3
Trying 10.1.1.3 ... Open

User Access Verification

Password:

Thanks!


You have configured the default authentication method to use TACACS+ with a fallback of line password.


Since you are being prompted for the line password, it appears that the router can't contact the TACACS+ server.

Please enable these debugs, recreate the problem and show us the output:

debug aaa authentication

debug tacacs

You will also want to make sure that you can reach the TACACS+ server when sourcing packets from VLAN 4.

Hi,
From the 2 Cat6509s that form the core of the network, I can ping the TACACS server (from other network equipment, TACACS works without problems):

Core1# ping 10.4.2.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.2.33, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Core1# ping
Protocol [ip]:
Target IP address: 10.4.2.33
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.4.1.253
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose [none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.2.33, timeout is 2 seconds:
Packet sent with a source address of 10.4.1.253
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

I ran the debugs you recommended (attached file).

Thank you very much for your reply.

Make sure ACS has the IP address of VLAN 4 listed under AAA clients.



Regards,

~JG

Hi,

The management IPs of all network equipment are in VLAN 1, with IP range 10.1.XX/16.
The TACACS server IP is on VLAN 4, with addressing 10.4.XX/16.
In the TACACS server the full range of VLAN 1 is allowed to authenticate, and all network equipment does so properly, except the CORE devices (Cat6509).

Thanks!

In the debug output we see:

Mar 22 17:14:58: TPLUS(00000061)/0/NB_WAIT/524FDA08: Started 5 sec timeout
Mar 22 17:14:58: TPLUS(00000061)/0/NB_WAIT: socket event 2
Mar 22 17:14:58: TPLUS(00000061)/0/NB_WAIT: wrote entire 51 bytes request
Mar 22 17:14:58: TPLUS(00000061)/0/READ: socket event 1
Mar 22 17:14:58: TPLUS(00000061)/0/READ: Would block while reading
Mar 22 17:14:58: TPLUS(00000061)/0/READ: socket event 1
Mar 22 17:14:58: TPLUS(00000061)/0/READ: errno 254
Mar 22 17:14:58: TPLUS(00000061)/0/524FDA08: Processing the reply packet

That suggests a mismatched TACACS+ shared secret; please check into this.
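As an added example (not from this thread or from Cisco), a small Python check that ties the two diagnoses in this thread together: it works out which address the device sources TACACS+ from (following `ip tacacs source-interface`), tests that address against the ACS AAA-client networks, and lists TPLUS debug sessions where the read of the reply ended in an errno, the pattern the reply above attributes to a mismatched shared secret. The config, the ACS allow-list and the debug lines are constructed to resemble the ones posted; the addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample config, modelled on the one posted in the thread (addresses are assumed).
ROUTER_CONFIG = """\
ip tacacs source-interface Vlan4
interface Vlan1
 ip address 10.1.1.3 255.255.0.0
interface Vlan4
 description Servers
 ip address 10.4.1.253 255.255.0.0
"""

# Assumed ACS "AAA clients" allow-list: the poster says only the VLAN 1 range is permitted.
ACS_AAA_CLIENT_NETWORKS = ["10.1.0.0/16"]

def tacacs_source_address(config):
    """Return the IPv4 address the device will use as its TACACS+ source, or None."""
    src = re.search(r"^ip tacacs source-interface (\S+)", config, re.M)
    if not src:
        return None  # no source-interface: the egress interface is used, not modelled here
    iface = src.group(1)
    block = re.search(rf"^interface {re.escape(iface)}$\n((?: .*\n)*)", config, re.M)
    if not block:
        return None
    addr = re.search(r"^ ip address (\d+\.\d+\.\d+\.\d+)", block.group(1), re.M)
    return ipaddress.ip_address(addr.group(1)) if addr else None

def source_allowed_by_acs(config, networks):
    """True if the TACACS+ source address lies inside one of the ACS AAA-client networks."""
    src = tacacs_source_address(config)
    return src is not None and any(src in ipaddress.ip_network(n) for n in networks)

# Constructed TPLUS debug lines, shaped like the ones quoted in the thread.
DEBUG_LINES = """\
Mar 22 17:14:58: TPLUS(00000061)/0/NB_WAIT: wrote entire 51 bytes request
Mar 22 17:14:58: TPLUS(00000061)/0/READ: socket event 1
Mar 22 17:14:58: TPLUS(00000061)/0/READ: errno 254
Mar 22 17:14:58: TPLUS(00000061)/0/524FDA08: Processing the reply packet
"""

def failed_tacacs_sessions(debug):
    """Session ids whose request was written but whose reply read logged an errno."""
    wrote = set(re.findall(r"TPLUS\((\w+)\)/\d+/NB_WAIT: wrote entire", debug))
    errs = set(re.findall(r"TPLUS\((\w+)\)/\d+/READ: errno \d+", debug))
    return sorted(wrote & errs)
```

With the sample above, the source address 10.4.1.253 falls outside the 10.1.0.0/16 allow-list, which is the mismatch JG's reply points at.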

dynamitec1 (Level 1)

I, too, am having this issue.

Solutions attempted, but still failed:

1. entered tacacs key again

2. restarted Cisco ACS 5.2 server

3. added "ip tacacs source-interface" command

Here's the original post I created. I didn't know what to search for originally, so I created a separate topic/thread.

https://supportforums.cisco.com/thread/2203407

Thank you,

Adam
