Configuring Tacacs+ using CiscoSecure ACS 4.2 on Windows

Jan 30th, 2012

I have installed CiscoSecure ACS 4.2 on Windows.

Can anyone help me set up the server for TACACS+?

I am new to TACACS+.

I have to deploy TACACS+ on almost 50 switches.

Ummer_Ishtiaq Tue, 01/31/2012 - 17:12

Hi,

Thanks for helping me out. I've set up the switches; in fact I know the AAA commands for the switches.

I wanted to know about the TACACS+ server on Windows: how do I configure it?

camejia Wed, 02/01/2012 - 12:51

Hello,

Refer to the attached documents. Hope this points you in the right direction.

Feel free to share your current AAA configuration commands and we can add any missing details to the screenshots for you.

If this was helpful please rate.

Regards.

Ummer_Ishtiaq Wed, 02/01/2012 - 17:37

Thanks for your time and help.

I want to ask something: does the TACACS+ server run on Windows 7?

I used this equipment for the basic scenario:

Win 7 - TACACS+ server (CiscoSecure ACS 4.2)

Win XP - a user

Catalyst 3550 switch

I made a simple setup with my laptop (Win 7) as the TACACS+ server, connected to a switch Ethernet port.

Then I connected another laptop (Win XP) in the same IP class to the switch. Both laptops could ping each other via the switch.

Now I entered these commands on the switch:

aaa new-model
tacacs-server host 172.16.11.15 key ummer123
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username admin password admin
aaa authentication login console none
line console 0
 login authentication console

I was told to implement the above commands as I am new to this.

Now when I telnet to my switch from the Win XP laptop, it asks for a username and password, but it only accepts admin/admin as the user and password.

I created users in the TACACS+ server but I don't think it is communicating.

What could be the fault? Are my commands correct?

Please reply!

Thanks.

Ummer_Ishtiaq Thu, 02/02/2012 - 16:07

Here is my switch configuration related to AAA:

aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication login console none
aaa authorization exec default group tacacs+ none
!
aaa session-id common
!
username admin password 0 admin
!
!
no ip http server
no ip http secure-server
!
tacacs-server host 192.168.32.129 key ummer123
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication console

After "debug aaa authentication" and "debug tacacs authentication" I got these messages on the switch:

Mar  1 00:52:45.867: AAA/BIND(0000000F): Bind i/f
*Mar  1 00:52:45.871: AAA/AUTHEN/LOGIN (0000000F): Pick method list 'default'
*Mar  1 00:52:45.879: TPLUS: Queuing AAA Authentication request 15 for processing
*Mar  1 00:52:45.883: TPLUS: processing authentication start request id 15
*Mar  1 00:52:45.883: TPLUS: Authentication start packet created for 15()
*Mar  1 00:52:45.887: TPLUS: Using server 192.168.32.129
*Mar  1 00:52:45.891: TPLUS(0000000F)/0/NB_WAIT/64565BE4: Started 5 sec timeout
R1#end
*Mar  1 00:52:50.891: TPLUS(0000000F)/0/NB_WAIT/64565BE4: timed out
*Mar  1 00:52:50.891: TPLUS(0000000F)/0/NB_WAIT/64565BE4: timed out, clean up
*Mar  1 00:52:50.891: TPLUS(0000000F)/0/64565BE4: Processing the reply packet

I think my requests are not reaching the TACACS+ server, whereas a ping from the switch to that server is successful.

What could be the issue?
startx001 Thu, 10/09/2014 - 03:50

I got the same problem. Any solution?

How do I add a user to ACS (internal database) and use that user on a Cisco switch?

KR

VZ

startx001 Thu, 10/09/2014 - 07:05

Yes, I added a user to ACS, but it doesn't work.

Can someone write down everything that needs to be done on ACS 4.2?

Here is the config on the Cisco:

aaa new-model
!
aaa authentication login default local-case group tacacs+
aaa authentication enable default enable
aaa authorization exec default local group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
!
ip tacacs source-interface Vlan20
tacacs-server host 192.168.253.23 key cisco123
tacacs-server directed-request
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 transport input all
line vty 5 15

startx001 Thu, 10/09/2014 - 07:09

The output I get:


1w5d: AAA/AUTHEN/LOGIN (00000052): Pick method list 'default' 
1w5d: AAA/LOCAL/LOGIN(00000052): get user
1w5d: AAA/LOCAL/LOGIN(00000052): user vlada not found
1w5d: AAA/LOCAL/LOGIN(00000052): get password
1w5d: AAA/LOCAL/LOGIN(00000052): failover
Switch#             
1w5d: AAA/ACCT/EXEC(00000051): STOP protocol reply FAIL
1w5d: AAA/ACCT(00000051): Accounting method=NOT_SET
1w5d: AAA/ACCT(00000051): Accounting response status = FAILURE
1w5d: AAA/ACCT(00000051): Send STOP accounting notification to EM failed
1w5d: AAA/ACCT/EXEC(00000051): Tried all the methods, osr 0
1w5d: AAA/ACCT(00000051): del node, session 68
1w5d: AAA/ACCT/EXEC(00000051): free_rec, count 0
1w5d: /AAA/ACCTEXEC(00000051) reccnt 0, csr TRUE, osr 0
1w5d: AAA/ACCT/EXEC(00000051): Last rec in db
Switch#             , intf not enqueued
Switch#             
1w5d: AAA/AUTHEN/LOGIN (00000052): Pick method list 'default' 
1w5d: AAA/LOCAL/LOGIN(00000052): get user
Switch#             
1w5d: AAA/ACCT/EXEC(00000052): Pick method list 'default'
1w5d: AAA/ACCT/SETMLIST(00000052): Handle 0, mlist 036CC3C4, Name default
1w5d: Getting session id for EXEC(00000052) : db=2BC2098
1w5d: AAA/ACCT/EXEC(00000052): add, count 2
1w5d: AAA/ACCT/EVENT/(00000052): EXEC DOWN
1w5d: AAA/ACCT/EXEC(00000052): Accounting record not sent
1w5d: AAA/ACCT/EXEC(00000052): free_rec, count 1
1w5d: /AAA/ACCTEXEC(00000052) reccnt 1, csr FALSE, osr 0
Switch#             
1w5d: unknown AAA/DISC: 9/"NAS Error"
1w5d: unknown AAA/DISC/EXT: 1002/"Unknown"
1w5d: AAA/ACCT/EVENT/(00000052): CALL STOP
1w5d: AAA/ACCT/CALL STOP(00000052): Sending stop requests
1w5d: AAA/ACCT(00000052): Send all stops
1w5d: AAA/ACCT/NET(00000052): STOP
1w5d: AAA/ACCT/NET(00000052): Method list not found
1w5d: AAA/ACCT(00000052): del node, session 69
1w5d: AAA/ACCT/NET(00000052): free_rec, count 0
1w5d: /AAA/ACCTNET(00000052) reccnt 0, csr TRUE, osr 0
1w5d: AAA/ACCT/NET(00000052): Last rec 
Switch#             in db, intf not enqueued
1w5d: AAA/ACCT/EVENT/(0000004E): OUTB_TELNET_STOP
1w5d: (NOACCTREC, AAA) (0000004E) CONN

Can you tell me what error you see on the ACS, under Reports and Monitoring?

Also use the following commands:

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated

Add the above commands.

Also make sure that you have added the switch under Network Devices and added the same pre-shared key.

Share the error message which you see on the ACS.

Minakshi
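Two failure shapes appear in this thread: a switch-side 5-second TPLUS timeout while ping to the server works, and the advice just above to enter the switch under Network Devices with the same pre-shared key. Both are easier to tell apart from a host that can speak TACACS+ itself. The script below is an added example written for this page; it is not code from the thread, from Cisco IOS or from CiscoSecure ACS. It implements the TACACS+ wire format (12-byte cleartext header, MD5 pseudo-pad body obfuscation keyed by the shared secret, authentication START/REPLY/CONTINUE) and a probe() that performs an interactive login against TCP/49. Hosts, keys, usernames and session ids are made-up values, and the helper names are mine.

```python
"""Minimal TACACS+ codec plus a live ASCII-login probe (RFC 8907 framing).
Added illustration, not code from the thread, from Cisco IOS or from CiscoSecure
ACS; hosts, keys, usernames and session ids are made-up example values."""
import hashlib
import os
import socket
import struct

HDR = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length
TAC_PLUS_VERSION = 0xC0         # major 0xC, minor 0 (used for ASCII login)
TAC_PLUS_AUTHEN = 0x01
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """Body keystream (RFC 8907 s.4.5): MD5_1 = MD5(sid|key|ver|seq),
    MD5_n = MD5(sid|key|ver|seq|MD5_n-1); concatenated, then truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call decodes (XOR is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype, seq_no, session_id, body, key):
    hdr = HDR.pack(TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)

def parse_packet(raw, key):
    version, ptype, seq_no, _flags, sid, length = HDR.unpack(raw[:HDR.size])
    body = obfuscate(raw[HDR.size:HDR.size + length], sid, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": sid, "body": body}

def authen_start_body(user, port="tty1", rem_addr="10.0.0.1", data=b""):
    """Authentication START for an interactive login: action LOGIN(1), priv_lvl 1,
    authen_type ASCII(1), service LOGIN(1), four field lengths, then the fields."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return bytes([1, 1, 1, 1, len(u), len(p), len(r), len(data)]) + u + p + r + data

def decode_start(body):
    """START fields, or None if the body is not a well-formed ASCII-login START.
    A body decoded with the wrong key is pseudo-random, so its length bytes do
    not add up to the packet: that is what a shared-key mismatch looks like."""
    if len(body) < 8 or body[0] != 1 or body[2] != 1:
        return None
    ul, pl, rl, dl = body[4:8]
    if 8 + ul + pl + rl + dl != len(body):
        return None
    f = body[8:]
    return {"user": f[:ul].decode(), "port": f[ul:ul + pl].decode(),
            "rem_addr": f[ul + pl:ul + pl + rl].decode(), "data": f[ul + pl + rl:]}

def authen_reply_body(status, server_msg=""):
    """Server-side REPLY (status, flags, server_msg_len, data_len, server_msg)."""
    m = server_msg.encode()
    return struct.pack("!BBHH", status, 0, len(m), 0) + m

def parse_authen_reply(body):
    status, _flags, mlen, _dlen = struct.unpack("!BBHH", body[:6])
    return {"status": REPLY_STATUS.get(status, "UNDECODABLE"),
            "server_msg": body[6:6 + mlen].decode(errors="replace")}

def recv_packet(sock):
    """Read a header, then exactly the body length the cleartext header announces."""
    buf = b""
    while len(buf) < HDR.size or len(buf) < HDR.size + HDR.unpack(buf[:HDR.size])[5]:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def probe(host, key, user, password, port=49, timeout=5.0):
    """Live login: START(user) -> GETPASS -> CONTINUE(password) -> PASS/FAIL.
    TIMEOUT/REFUSED/CLOSED: nothing usable answers on TCP/49 (ping does not test this).
    UNDECODABLE: a reply arrived but was obfuscated with a different key."""
    sid = struct.unpack("!I", os.urandom(4))[0]
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_packet(TAC_PLUS_AUTHEN, 1, sid, authen_start_body(user), key))
            reply = parse_authen_reply(parse_packet(recv_packet(s), key)["body"])
            if reply["status"] != "GETPASS":
                return reply["status"]
            pw = password.encode()
            cont = struct.pack("!HHB", len(pw), 0, 0) + pw  # CONTINUE: password as user_msg
            s.sendall(build_packet(TAC_PLUS_AUTHEN, 3, sid, cont, key))
            return parse_authen_reply(parse_packet(recv_packet(s), key)["body"])["status"]
    except socket.timeout:
        return "TIMEOUT"
    except ConnectionRefusedError:
        return "REFUSED"
    except ConnectionError:
        return "CLOSED"
```

Calling probe("192.168.32.129", b"ummer123", "admin", "secret") from a host on the same LAN returns TIMEOUT or REFUSED when nothing is listening on TCP/49 (a successful ping only proves ICMP reaches the host, not that the TACACS+ service or a host firewall lets TCP/49 through), UNDECODABLE when the server answers but both sides were given different keys, and PASS or FAIL once the key matches and the server has judged the credentials. Because a wrong key turns the reply into pseudo-random bytes, roughly 7 times in 256 the decoded status byte will land on a valid name by chance; repeat the probe if the verdict looks implausible. The offline functions show the same thing without a server: decode_start() recovers the username from a START obfuscated with the right key and returns None for one decoded with any other key.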

startx001 Thu, 10/09/2014 - 08:05

10/09/2014 07:31:25 Authen failed vlada Default Group 10.104.1.1 (Default) External DB user invalid or bad password .. .. tty1 10.104.1.100 .. .. .. .. .. test123

But how is it an external database user, when under the user options dropdown I selected the ACS internal database?

KR

Also, give me the IP address of the switch and the IP address of the interface through which the TACACS+ request goes, for example the VLAN 20 that you mentioned. Just make sure that you add the IP address of VLAN 20 under Network Devices > Switch; it can have multiple IP addresses, and the pre-shared key needs to be the same.
startx001 Fri, 10/10/2014 - 05:15

I changed the device to a Cisco 3650; I also changed the network, so now ACS and the Cisco device are in the same network, 192.168.253.0/24.

I get on ACS (empty columns omitted):

Date        Time      Message-Type   User-Name  Group-Name     Caller-ID   Network Access Profile Name  Authen-Failure-Code    NAS-Port  NAS-IP-Address  Filter Information         Access Device
10/10/2014  05:06:06  Authen failed  vlada22    Default Group  172.21.1.6  (Default)                    Users Access Filtered  tty1      192.168.253.25  No Access Filters Passed.  test123
10/10/2014  05:06:26  Authen failed  vlada22    Default Group  172.21.1.6  (Default)                    Users Access Filtered  tty1      192.168.253.25  No Access Filters Passed.  test123

From the Cisco:


*Mar  1 00:23:16.711: AAA/ACCT/EXEC(00000004): Pick method list 'default'
*Mar  1 00:23:16.711: AAA/ACCT/SETMLIST(00000004): Handle 0, mlist 05600CB0, Name default
*Mar  1 00:23:16.711: Getting session id for EXEC(00000004) : db=535F824
*Mar  1 00:23:16.711: AAA/ACCT/EXEC(00000004): add, count 2
*Mar  1 00:23:16.711: AAA/ACCT/EVENT/(00000004): EXEC DOWN
*Mar  1 00:23:16.711: AAA/ACCT/EXEC(00000004): Accounting record not sent
*Mar  1 00:23:16.711: AAA/ACCT/EXEC(00000004): free_rec, count 1
*Mar  1
sw1_EX-3560LabRS-B# 00:23:16.711: AAA/ACCT/EXEC(00000004) reccnt 1, csr FALSE, osr 0
*Mar  1 00:23:18.716: unknown AAA/DISC: 9/"NAS Error"
*Mar  1 00:23:18.716: unknown AAA/DISC/EXT: 1002/"Unknown"
*Mar  1 00:23:18.716: AAA/ACCT/EVENT/(00000004): CALL STOP
*Mar  1 00:23:18.716: AAA/ACCT/CALL STOP(00000004): Sending stop requests
*Mar  1 00:23:18.716: AAA/ACCT(00000004): Send all stops
*Mar  1 00:23:18.716: AAA/ACCT/NET(00000004): STOP
*Mar  1 00:23:18.716: AAA/ACCT/NET(00000004): Method list not found
*Mar  1 00:23:1
sw1_EX-3560LabRS-B#8.716: AAA/ACCT(00000004): del node, session 3
*Mar  1 00:23:18.716: AAA/ACCT/NET(00000004): free_rec, count 0
*Mar  1 00:23:18.716: AAA/ACCT/NET(00000004) reccnt 0, csr TRUE, osr 0
*Mar  1 00:23:18.716: AAA/ACCT/NET(00000004): Last rec in db, intf not enqueued
sw1_EX-3560LabRS-B#
*Mar  1 00:23:38.480: AAA/ACCT/EVENT/(00000005): CALL START
*Mar  1 00:23:38.480: Getting session id for NET(00000005) : db=535FF14
*Mar  1 00:23:38.480: AAA/ACCT(00000000): add node, session 4
*Mar  1 00:23:38.480: AAA/ACCT/NET(00000005): add, count 1
*Mar  1 00:23:38.480: Getting session id for NONE(00000005) : db=535FF14
sw1_EX-3560LabRS-B#
startx001 Tue, 10/21/2014 - 04:33

Hi,

I made 4.2 work.

Now regarding 5.5: I will put it on VMware. Can I have two machines, some HA replication with the same license?

One active, one standby, some database replication on a daily basis, or similar?

Can I use the same license?

I bought from Cisco:

CSACS-5.5-VM-UP-K9
CSACS-5-BASE-LIC
L-CSACS-5-LRG-LIC=

KR

rob.lemaster Thu, 04/26/2012 - 16:55

ACS 4.2 is old: end of life and end of support. Maybe an installation CD fell into your lap and you are giving it a shot. If you are doing it for your CCSP, fine, but if you are deploying in a production network, you should buy ACS 5+, which runs on an appliance running CentOS. It's pretty good. The policy engine is much better, the interface is better, the system is more stable, etc. You will not be able to upgrade from 4.2 to 5+, so you're better off biting the bullet and starting with the system that is currently supported.

duleeppillai Fri, 04/27/2012 - 10:11

If you are trying to run TACACS+ on Windows, there is a free version from tacacs.net. It is very easy to configure and I would suggest giving it a try.
