ACS 4.2 unable to receive junos-exec service

Answered Question
Sep 13th, 2010

I've performed the steps exactly following the guide by Cisco (http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080af7d1d.shtml) to allow Junos based tacacs+ authorization but I'm strangely getting the 'service denied' problem in my ACS. I definitely have the custom service called 'junos-exec' in my ACS 4.2 for Windows. I'm trying to allow my Juniper EX switch to perform authentication (working fine) and authorization with the ACS.

09/09/2010,15:51:33,Author failed,test1,Default Group,10.8.100.77,(Default),,Service denied,service=junos-exec,ttyp0,10.8.100.31,,,,,,DF3-DC-SF-RC,,1,winlab,,,,test1,,No,

I will monitor this thread till it is resolved, thanks in advance for any help or advice!

Ivan

Correct Answer
Yudong Wu Tue, 09/14/2010 - 10:43

Can you check the TCS log to see if Juniper box sent back "protocol=tacacs+"?

If not, you can try to remove "tacacs+" under the protocol in the step 2 of the link which you mentioned. Or check with Juniper to see if they can send "protocol=tacacs+".

ivantansh Tue, 09/14/2010 - 19:40

Hi Yudong,

It doesn't seem to have sent back the protocol=tacacs+ line. I will try to remove the tacacs+ as you mentioned when I get access to the Juniper switch again. Looking at the log, should the METHOD be equal to TACACS+ as well?

Thank you for your response and suggestion!

Ivan

________________

TCS 09/09/2010 15:58:28 I 0043 3952 0x0 <<< RECEIVED FROM CLIENT:DF3-DC-SF-RC TYPE=AUTHOR, SEQ=1, FLAGS=1
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 SESSIONID 84060054 (0x502a796), DATALEN 48 (0x30)
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 type=AUTHOR, priv_lvl=1, authen=1
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 METHOD=none
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 SVC=0 USER_LEN=5 PORT_LEN=5 REM_ADDR_LEN=11 ARG_CNT=1
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 USER=test1
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 PORT=ttyp0
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 REM_ADDR=10.8.100.77
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 arg[0](size=18)=service=junos-exec
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 END >>>
TCS 09/09/2010 15:58:28 I 0688 4024 0x4 Single Connect thread 0 allocated work
TCS 09/09/2010 15:58:28 I 0143 4024 0x4 Author Data: test1ttyp010.8.100.77service=junos-exec....H...o...p........
TCS 09/09/2010 15:58:28 I 0163 4024 0x4 -- Extracted service info
TCS 09/09/2010 15:58:28 I 0189 4024 0x4 -- Checked NARs
TCS 09/09/2010 15:58:28 I 0199 4024 0x4 -- Set up Reqs:
TCS 09/09/2010 15:58:28 I 0209 4024 0x4 -- Got Profiles
TCS 09/09/2010 15:58:28 I 0261 4024 0x4 -- executed
TCS 09/09/2010 15:58:28 I 0263 4024 0x4 -- command set clean done
TCS 09/09/2010 15:58:28 I 0265 4024 0x4 -- NDG release done
TCS 09/09/2010 15:58:28 I 0043 4024 0x4 <<< PACKET TO CLIENT:DF3-DC-SF-RC TYPE:AUTHOR/FAIL, SEQ 2, FLAGS 1
TCS 09/09/2010 15:58:28 I 0043 4024 0x4 SESSIONID 84060054 (0x502a796), DATALEN 6 (0x6)
TCS 09/09/2010 15:58:28 I 0043 4024 0x4 type=AUTHOR/REPLY status=16 (AUTHOR/FAIL)
TCS 09/09/2010 15:58:28 I 0043 4024 0x4 msg_len=0, data_len=0 arg_cnt=0
TCS 09/09/2010 15:58:28 I 0043 4024 0x4 End >>>

______________

Yudong Wu Tue, 09/14/2010 - 23:30

I am not sure if Cisco ACS will check the "METHOD" parameter. Since ACS is configured with both the service name "junos-exec" and the service protocol "tacacs+", if the Juniper box does not return "protocol=tacacs+", it might cause failed authorization.

ivantansh Sat, 09/18/2010 - 03:51

Hi Yudong,

Your suggestion was spot on. I removed the tacacs+ as you mentioned, ensured the user/group has a new junos-exec only service without the tacacs+, restarted the ACS service and it worked.

Before that, I tested using tactest and entered junos-exec and tacacs+ as the argument and it worked too.

Thank you so much for your accurate assistance!

Ivan
