After TACACS configured, Authenticate successfully but not able to go in config mode.

ranemilind
Level 1

Hi All,

I have a Cisco 4710 ACE, and configured TACACS on the ACE for authentication and accounting. Configuration pasted below.

I am able to authenticate with ACS server 5.1 but not able to go in config mode of ACE 4710.

Debug output attached.

Need help on this.

tacacs-server key 7 "wwxfeootjv"

tacacs-server timeout 60

tacacs-server host 128.9.31.70 key 7 "wwxfeootjv"

aaa group server tacacs+ TACACS_Group_Server

  server 128.9.31.70

ntp server 128.9.24.58

aaa authentication login default group TACACS_Group_Server

aaa accounting default group TACACS_Group_Server

Below logs are coming on the device.

Sep 19 2010 16:35:55 : %ACE-6-302022: Built TCP connection 0x3853a for vlan1000:172.24.24.70/16477 (172.24.24.70/16477) to vlan1000:128.9.31.70/49 (128.9.31.70/49)
Sep 19 2010 16:35:55 : %ACE-6-302023: Teardown TCP connection 0x3853a for vlan1000:172.24.24.70/16477 (172.24.24.70/16477) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0:00:00 bytes 743 TCP FINs
Sep 19 2010 16:35:58 : %ACE-6-302022: Built TCP connection 0x38570 for vlan1000:172.24.24.70/16480 (172.24.24.70/16480) to vlan1000:128.9.31.70/49 (128.9.31.70/49)
Sep 19 2010 16:35:58 : %ACE-6-302023: Teardown TCP connection 0x38570 for vlan1000:172.24.24.70/16480 (172.24.24.70/16480) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0:00:00 bytes 742 TCP FINs
Sep 19 2010 16:37:51 : %ACE-6-302022: Built TCP connection 0x38aff for vlan1000:172.24.24.70/16545 (172.24.24.70/16545) to vlan1000:128.9.31.70/49 (128.9.31.70/49)
Sep 19 2010 16:37:51 : %ACE-6-302023: Teardown TCP connection 0x38aff for vlan1000:172.24.24.70/16545 (172.24.24.70/16545) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0:00:00 bytes 736 TCP FINs
Sep 19 2010 16:38:21 : %ACE-6-302022: Built TCP connection 0x38c9d for vlan1000:172.24.24.70/16559 (172.24.24.70/16559) to vlan1000:128.9.31.70/49 (128.9.31.70/49)
Sep 19 2010 16:38:21 : %ACE-6-302022: Built TCP connection 0x38c9f for vlan1000:172.24.24.70/16560 (172.24.24.70/16560) to vlan1000:128.9.31.70/49 (128.9.31.70/49)
Sep 19 2010 16:38:21 : %ACE-6-302023: Teardown TCP connection 0x38c9d for vlan1000:172.24.24.70/16559 (172.24.24.70/16559) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0:00:00 bytes 722 TCP FINs
Sep 19 2010 16:38:21 : %ACE-6-302023: Teardown TCP connection 0x38c9f for vlan1000:172.24.24.70/16560 (172.24.24.70/16560) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0:00:00 bytes 788 TCP FINs
Sep 19 2010 16:38:29 : %ACE-6-302022: Built TCP connection 0x38ce1 for vlan1000:172.24.24.70/16565 (172.24.24.70/16565) to vlan1000:128.9.31.70/49 (128.9.31.70/49)
Sep 19 2010 16:38:29 : %ACE-6-302022: Built TCP connection 0x38cff for vlan1000:172.24.24.70/16566 (172.24.24.70/16566) to vlan1000:128.9.31.70/49 (128.9.31.70/49)
Sep 19 2010 16:38:29 : %ACE-6-302023: Teardown TCP connection 0x38ce1 for vlan1000:172.24.24.70/16565 (172.24.24.70/16565) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0:00:00 bytes 661 TCP FINs
Sep 19 2010 16:38:29 : %ACE-6-302023: Teardown TCP connection 0x38cff for vlan1000:172.24.24.70/16566 (172.24.24.70/16566) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0:00:00 bytes 712 TCP FINs
Sep 19 2010 16:38:29 : %ACE-6-302022: Built TCP connection 0x38cf5 for vlan1000:172.24.24.70/16567 (172.24.24.70/16567) to vlan1000:128.9.31.70/49 (128.9.31.70/49)
Sep 19 2010 16:38:29 : %ACE-6-302023: Teardown TCP connection 0x38cf5 for vlan1000:172.24.24.70/16567 (172.24.24.70/16567) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0:00:00 bytes 724 TCP FINs
Sep 19 2010 16:39:41 : %ACE-6-302022: Built TCP connection 0x390a1 for vlan1000:172.24.24.70/3883 (172.24.24.70/3883) to vlan1000:128.9.31.70/49 (128.9.31.70/49)
Sep 19 2010 16:39:41 : %ACE-6-302023: Teardown TCP connection 0x390a1 for vlan1000:172.24.24.70/3883 (172.24.24.70/3883) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0:00:00 bytes 737 TCP FINs
Sep 19 2010 16:40:20 : %ACE-6-302022: Built TCP connection 0x3929b for vlan1000:172.24.24.70/3902 (172.24.24.70/3902) to vlan1000:128.9.31.70/49 (128.9.31.70/49)
Sep 19 2010 16:40:20 : %ACE-6-302022: Built TCP connection 0x392ab for vlan1000:172.24.24.70/3903 (172.24.24.70/3903) to vlan1000:128.9.31.70/49 (128.9.31.70/49)
Sep 19 2010 16:40:20 : %ACE-6-302023: Teardown TCP connection 0x3929b for vlan1000:172.24.24.70/3902 (172.24.24.70/3902) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0:00:00 bytes 722 TCP FINs
Sep 19 2010 16:40:20 : %ACE-6-302023: Teardown TCP connection 0x392ab for vlan1000:172.24.24.70/3903 (172.24.24.70/3903) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0:00:00 bytes 791 TCP FINs
Sep 19 2010 16:45:17 : %ACE-6-302022: Built TCP connection 0x3a127 for vlan1000:172.24.24.70/53389 (172.24.24.70/53389) to vlan1000:128.9.31.70/49 (128.9.31.70/49)
Sep 19 2010 16:45:17 : %ACE-6-302023: Teardown TCP connection 0x3a127 for vlan1000:172.24.24.70/53389 (172.24.24.70/53389) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0:00:00 bytes 723 TCP FINs
Sep 19 2010 16:46:11 : %ACE-6-302022: Built TCP connection 0x3a3b3 for vlan1000:172.24.24.70/53414 (172.24.24.70/53414) to vlan1000:128.9.31.70/49 (128.9.31.70/49)
Sep 19 2010 16:46:11 : %ACE-6-302022: Built TCP connection 0x3a3c3 for vlan1000:172.24.24.70/53415 (172.24.24.70/53415) to vlan1000:128.9.31.70/49 (128.9.31.70/49)
Sep 19 2010 16:46:11 : %ACE-6-302023: Teardown TCP connection 0x3a3b3 for vlan1000:172.24.24.70/53414 (172.24.24.70/53414) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0:00:00 bytes 722 TCP FINs
Sep 19 2010 16:46:11 : %ACE-6-302023: Teardown TCP connection 0x3a3c3 for vlan1000:172.24.24.70/53415 (172.24.24.70/53415) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0:00:00 bytes 788 TCP FINs
Sep 19 2010 16:46:23 : %ACE-6-302022: Built TCP connection 0x3a467 for vlan1000:172.24.24.70/53422 (172.24.24.70/53422) to vlan1000:128.9.31.70/49 (128.9.31.70/49)
Sep 19 2010 16:46:23 : %ACE-6-302022: Built TCP connection 0x3a469 for vlan1000:172.24.24.70/53423 (172.24.24.70/53423) to vlan1000:128.9.31.70/49 (128.9.31.70/49)
Sep 19 2010 16:46:23 : %ACE-6-302023: Teardown TCP connection 0x3a467 for vlan1000:172.24.24.70/53422 (172.24.24.70/53422) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0:00:00 bytes 661 TCP FINs
Sep 19 2010 16:46:23 : %ACE-6-302023: Teardown TCP connection 0x3a469 for vlan1000:172.24.24.70/53423 (172.24.24.70/53423) to vlan1000:128.9.31.70/49 (128.9.31.70/49) duration 0:00:00 bytes 712 TCP FINs

Regards

MS.

Gilles Dufour
Cisco Employee

Do a 'show user' after you login and check the "role" that you have.

If you're not admin user you can't get in config mode.

Don't forget you need to set the ACS to return the role of the user.

I'm using tac_plus and here is the config I need to use:

user=gdufour {
        default service = deny
        pap = cleartext "xxxxx"
        service = exec {
                optional shell:Admin="Admin default-domain"
        }
}

Gilles.

Thank you Gilles for the reply. I am using the ACS 5.1 Appliance, can you please help for ACS 5.1?

I also checked the AV in this, which is not editable.

Thank You

Milind Rane

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html#wp1411787

To configure the TACACS+ role and domain settings on Cisco Secure ACS, perform the following steps:

Step 1 Go to the Interface Configuration section of the Cisco Secure ACS HTML interface and access the TACACS+ (Cisco IOS) page. Perform the following actions:

a. Under the TACACS+ Services section of the page, the User column or the Group column depending on your configuration, check the Shell (exec) check box.

b. Under the Advanced Configuration Options section of the page, check the Display a window for each service selected in which you can enter customized TACACS+ attributes check box.

c. Click Submit.

Step 2 Go to the Advanced Options page of the Interface Configuration section of the Cisco Secure ACS HTML interface. Perform the following actions:

a. Check the Per-user TACACS+/RADIUS Attributes check box.

b. Click Submit.

Step 3 Go to the User Setup section of the Cisco Secure ACS HTML interface and double-click the name of an existing user that you want to define a user profile attribute for virtualization. The User Setup page appears.

Step 4 Under the TACACS+ Settings section of the page, configure the following settings:

Check the Shell (exec) check box.

Check the Custom attributes check box.

In the text box under the Custom attributes, enter the user role and associated domain for a specific context in the following format:

shell:=  ...

For example, to assign the selected user to the C1 context with the role ROLE1 and the domain DOMAIN1, enter shell:C1=ROLE1 DOMAIN1.

You can also substitute an asterisk (*) for the equals sign (=) as follows:

shell:*  ...

Use the above shell string if you are also using Cisco IOS command authorization.

Step 5 Under the Checking This option Will PERMIT all UNKNOWN Services section of the page, check the Default (Undefined) Services check box to permit unknown services.

Step 6 Click Submit when you finish configuring the TACACS+ role and domain settings.

For example, if USER1 is assigned the role ADMIN and the domain MYDOMAIN1 (where shell:Admin=ADMIN MYDOMAIN1), then one of the following can occur:

If USER1 logs in through the Admin context, that user is automatically assigned the Admin role and the MyDomain1 domain.

If USER1 logs in through a different context, that user is automatically assigned the default role (Network-Monitor) and the default domain (default-domain). In this case, the user profile attribute is not obtained from the TACACS+ server during authentication.

Gilles.
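To make the attribute format from the tac_plus config and the documentation steps above concrete, here is an added Python example (not from the Cisco documentation or from anyone in this thread) that parses shell:<context>=<role> <domain> custom attributes, accepts the optional '*' separator the documentation allows, and applies the context-matching rule from the USER1 example. It assumes context names are compared exactly; the sample attribute strings are constructed for the example.

```python
import re
from typing import Dict, Iterable, Tuple

# Fallbacks the ACE applies when no attribute matches the login context
# (role and domain names as given in the documentation excerpt above).
DEFAULT_ROLE = "Network-Monitor"
DEFAULT_DOMAIN = "default-domain"

# shell:<context>=<role> <domain>  or  shell:<context>*<role> <domain>
# '=' is a mandatory TACACS+ AV pair, '*' an optional one; the ACE accepts both.
_AV_RE = re.compile(r"^shell:([^=*\s]+)([=*])(\S+)\s+(\S+)$")


def parse_shell_attribute(av_pair: str) -> Tuple[str, str, str, bool]:
    """Split one custom attribute into (context, role, domain, optional)."""
    m = _AV_RE.match(av_pair.strip())
    if not m:
        raise ValueError(f"not an ACE shell role attribute: {av_pair!r}")
    context, sep, role, domain = m.groups()
    return context, role, domain, sep == "*"


def build_role_map(av_pairs: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Collect the per-context (role, domain) mapping a TACACS+ reply carries."""
    mapping: Dict[str, Tuple[str, str]] = {}
    for av in av_pairs:
        context, role, domain, _optional = parse_shell_attribute(av)
        mapping[context] = (role, domain)
    return mapping


def effective_role(av_pairs: Iterable[str], login_context: str) -> Tuple[str, str]:
    """Role and domain the user gets in login_context: an attribute for that
    exact context applies; otherwise the ACE defaults apply (assumption:
    exact, case-sensitive context match)."""
    return build_role_map(av_pairs).get(login_context, (DEFAULT_ROLE, DEFAULT_DOMAIN))


if __name__ == "__main__":
    # Constructed sample reply: one mandatory and one optional attribute.
    sample = ["shell:Admin=Admin default-domain", "shell:C1*ROLE1 DOMAIN1"]
    for ctx in ("Admin", "C1", "C2"):
        print(ctx, "->", effective_role(sample, ctx))
```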

Hi Gilles,

Your instructions below seem to be for ACS version 3.1, not for the ACS 5.1 appliance.

But I did the changes in the required fields.

I created one more rule in Default Device Admin:

In which I customized and added:

protocol: tacacs

identity group: Global Admins

NDG:Location:

Compound Conditions: with shell:Admin*Admin default-domain and without shell:Admin*Admin default-domain

Shell Profile:

Command Set

Hit Counts

When I select the compound condition with shell:Admin*Admin default-domain then I am not able to authenticate, as I am not seeing a hit count in the logs.

But when I select compound condition "any" then I am able to authenticate but not able to go in config mode, as it is showing a Network-Monitor user on the ACE.

Attached files for your ref.

If you know about ACS 5.1 for this issue please help.

There is a bug in ACS 5.1

CSCtd24949 Tacacs authorization failure when authen_type=0

Gilles.
