Configuring Tacacs+ using CiscoSecure ACS 4.2 on Windows

Ummer_Ishtiaq
Level 1

I have installed CiscoSecure ACS 4.2 on Windows.

Can anyone help me setting up the server for Tacacs+.

I am new to Tacacs+.

I have to deploy Tacacs+ on almost 50 switches.

18 Replies

integreon
Level 1

Hi Ummer,

Here is the Cisco document for Tacacs+ configuration.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094ea4.shtml#h

Regards,

Anton

Hi,

Thanks for helping me out. I've set up the switches; in fact, I know the AAA commands on the switches.

I wanted to know about the Tacacs+ server on Windows: how do I configure it?

Hello,

Refer to the attached documents. Hope this points you in the right direction.

Feel free to share your current AAA configuration commands and we can add any missing details on screenshots for you.

If this was helpful please rate.

Regards.

Thanks for your time and help.

I want to ask something: does the Tacacs+ server run on Windows 7?

I used this equipment for the basic scenario:

Win 7 - Tacacs+ Server (CiscoSecure ACS 4.2)

Win Xp - a user

Catalyst 3550 Switch

I made a simple setup of making my laptop (Win 7) as Tacacs+ server, connecting it to the switch ethernet port.

Then I connected another (Win XP) laptop of the same IP class to the switch. Both laptops could ping each other via the switch.

Now I entered these commands on the switch:

aaa new-model
tacacs-server host 172.16.11.15 key ummer123
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username admin password admin
aaa authentication login console none
line console 0
 login authentication console

I was told to implement the above commands, as I am new to this.

Now when I telnet to my switch from the (Win XP) laptop, it asks for a username and password, but it only accepts admin/admin as the username and password.

I created users on the Tacacs+ server, but I don't think it is communicating.

What could be the fault? Are my commands correct?

Please reply!

Thanks.

Here is my switch configuration related to AAA:

aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication login console none
aaa authorization exec default group tacacs+ none
!
aaa session-id common
!
username admin password 0 admin
!
no ip http server
no ip http secure-server
!
tacacs-server host 192.168.32.129 key ummer123
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication console

After debug aaa authentication and debug tacacs authentication, I got these messages on the switch:

Mar  1 00:52:45.867: AAA/BIND(0000000F): Bind i/f 
*Mar  1 00:52:45.871: AAA/AUTHEN/LOGIN (0000000F): Pick method list 'default'
*Mar  1 00:52:45.879: TPLUS: Queuing AAA Authentication request 15 for processing
*Mar  1 00:52:45.883: TPLUS: processing authentication start request id 15
*Mar  1 00:52:45.883: TPLUS: Authentication start packet created for 15()
*Mar  1 00:52:45.887: TPLUS: Using server 192.168.32.129
*Mar  1 00:52:45.891: TPLUS(0000000F)/0/NB_WAIT/64565BE4: Started 5 sec timeout
R1#end
*Mar  1 00:52:50.891: TPLUS(0000000F)/0/NB_WAIT/64565BE4: timed out
*Mar  1 00:52:50.891: TPLUS(0000000F)/0/NB_WAIT/64565BE4: timed out, clean up
*Mar  1 00:52:50.891: TPLUS(0000000F)/0/64565BE4: Processing the reply packet

I think my requests are not reaching the Tacacs server, whereas a ping to that server from the switch is successful.

What could be the issue?
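
The debug above ends in "Started 5 sec timeout" followed by "timed out", which means the switch did send the request and nothing came back within the timer. As an added example (not part of any post in this thread), the Python below classifies such a capture into "not tried", "timeout" or "reply", and lists the check each outcome calls for; the sample debug and configuration strings are constructed from the lines posted above.

```python
"""Triage of `debug tacacs` / `debug aaa authentication` output from a Cisco IOS device.

Added example (not from the thread). It classifies a captured debug session so the
next check is obvious, and cross-checks the server the switch used against the
`tacacs-server host` lines of a pasted running configuration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, shaped like the debug lines posted in the thread.
SAMPLE_DEBUG = """\
*Mar  1 00:52:45.871: AAA/AUTHEN/LOGIN (0000000F): Pick method list 'default'
*Mar  1 00:52:45.879: TPLUS: Queuing AAA Authentication request 15 for processing
*Mar  1 00:52:45.883: TPLUS: processing authentication start request id 15
*Mar  1 00:52:45.887: TPLUS: Using server 192.168.32.129
*Mar  1 00:52:45.891: TPLUS(0000000F)/0/NB_WAIT/64565BE4: Started 5 sec timeout
*Mar  1 00:52:50.891: TPLUS(0000000F)/0/NB_WAIT/64565BE4: timed out
*Mar  1 00:52:50.891: TPLUS(0000000F)/0/NB_WAIT/64565BE4: timed out, clean up
*Mar  1 00:52:50.891: TPLUS(0000000F)/0/64565BE4: Processing the reply packet
"""

# Constructed sample of the AAA-related running configuration.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 192.168.32.129 key ummer123
"""

USED_SERVER_RE = re.compile(r"TPLUS: Using server (\S+)")
CONFIG_SERVER_RE = re.compile(r"^tacacs-server host (\S+)", re.MULTILINE)
TIMEOUT_RE = re.compile(r"Started (\d+) sec timeout")


@dataclass
class Triage:
    outcome: str                       # "not_tried", "timeout" or "reply"
    servers_used: List[str] = field(default_factory=list)
    configured_servers: List[str] = field(default_factory=list)
    timeout_seconds: Optional[int] = None
    notes: List[str] = field(default_factory=list)


def triage(debug_text: str, config_text: str = "") -> Triage:
    queued = "TPLUS: Queuing AAA Authentication request" in debug_text
    timed_out = "timed out" in debug_text
    t = Triage(
        outcome="not_tried",
        servers_used=USED_SERVER_RE.findall(debug_text),
        configured_servers=CONFIG_SERVER_RE.findall(config_text),
    )
    m = TIMEOUT_RE.search(debug_text)
    if m:
        t.timeout_seconds = int(m.group(1))

    if not queued:
        t.notes.append("No TACACS+ request was queued: check that the login method "
                       "list in use names 'group tacacs+' before a method that answers.")
        return t

    # After a timeout IOS still logs "Processing the reply packet" during clean-up,
    # so a real server answer is only assumed when no timeout was seen.
    if timed_out:
        t.outcome = "timeout"
        t.notes.append(
            f"Server gave no answer within {t.timeout_seconds or '?'} s although the "
            "request was sent: verify TCP/49 is reachable from the switch's TACACS "
            "source interface (a successful ping does not prove this; a host firewall "
            "on the Windows box can block TCP/49 and still answer ICMP) and that the "
            "ACS TACACS+ service is running.")
    else:
        t.outcome = "reply"
        t.notes.append("Server answered: look at the ACS Failed Attempts report "
                       "for the reason it gave.")

    for srv in t.servers_used:
        if t.configured_servers and srv not in t.configured_servers:
            t.notes.append(f"Server {srv} used by the switch is not in the running "
                           "configuration's tacacs-server host lines.")
    return t


def has_note(t: Triage, fragment: str) -> bool:
    """True when any triage note contains `fragment` (used for quick checks)."""
    return any(fragment in n for n in t.notes)


if __name__ == "__main__":
    result = triage(SAMPLE_DEBUG, SAMPLE_CONFIG)
    print(result.outcome, result.servers_used)
    for note in result.notes:
        print("-", note)
```

Run it against a saved terminal capture and the `show running-config | include aaa|tacacs` output; the point of the cross-check is that a successful ping proves only ICMP, while the debug's "Using server" line plus a timeout narrows the problem to TCP/49 between that source interface and that address.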

I got the same problem, any solution?

How do I add a user to ACS (internal database) and use that user on a Cisco switch?

KR 

VZ

Yes, I added a user to ACS, but it doesn't work.

Can someone write down for me everything that needs to be done on ACS 4.2?

Here is the config on the Cisco:

 

aaa new-model
!
aaa authentication login default local-case group tacacs+
aaa authentication enable default enable
aaa authorization exec default local group tacacs+ none 
aaa authorization commands 15 default group tacacs+ none 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
!
ip tacacs source-interface Vlan20
tacacs-server host 192.168.253.23 key cisco123
tacacs-server directed-request
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 transport input all
line vty 5 15

 

Output I get:

 

1w5d: AAA/AUTHEN/LOGIN (00000052): Pick method list 'default' 
1w5d: AAA/LOCAL/LOGIN(00000052): get user
1w5d: AAA/LOCAL/LOGIN(00000052): user vlada not found
1w5d: AAA/LOCAL/LOGIN(00000052): get password
1w5d: AAA/LOCAL/LOGIN(00000052): failover
Switch#             
1w5d: AAA/ACCT/EXEC(00000051): STOP protocol reply FAIL
1w5d: AAA/ACCT(00000051): Accounting method=NOT_SET
1w5d: AAA/ACCT(00000051): Accounting response status = FAILURE
1w5d: AAA/ACCT(00000051): Send STOP accounting notification to EM failed
1w5d: AAA/ACCT/EXEC(00000051): Tried all the methods, osr 0
1w5d: AAA/ACCT(00000051): del node, session 68
1w5d: AAA/ACCT/EXEC(00000051): free_rec, count 0
1w5d: /AAA/ACCTEXEC(00000051) reccnt 0, csr TRUE, osr 0
1w5d: AAA/ACCT/EXEC(00000051): Last rec in db
Switch#             , intf not enqueued
Switch#             
1w5d: AAA/AUTHEN/LOGIN (00000052): Pick method list 'default' 
1w5d: AAA/LOCAL/LOGIN(00000052): get user
Switch#             
1w5d: AAA/ACCT/EXEC(00000052): Pick method list 'default'
1w5d: AAA/ACCT/SETMLIST(00000052): Handle 0, mlist 036CC3C4, Name default
1w5d: Getting session id for EXEC(00000052) : db=2BC2098
1w5d: AAA/ACCT/EXEC(00000052): add, count 2
1w5d: AAA/ACCT/EVENT/(00000052): EXEC DOWN
1w5d: AAA/ACCT/EXEC(00000052): Accounting record not sent
1w5d: AAA/ACCT/EXEC(00000052): free_rec, count 1
1w5d: /AAA/ACCTEXEC(00000052) reccnt 1, csr FALSE, osr 0
Switch#             
1w5d: unknown AAA/DISC: 9/"NAS Error"
1w5d: unknown AAA/DISC/EXT: 1002/"Unknown"
1w5d: AAA/ACCT/EVENT/(00000052): CALL STOP
1w5d: AAA/ACCT/CALL STOP(00000052): Sending stop requests
1w5d: AAA/ACCT(00000052): Send all stops
1w5d: AAA/ACCT/NET(00000052): STOP
1w5d: AAA/ACCT/NET(00000052): Method list not found
1w5d: AAA/ACCT(00000052): del node, session 69
1w5d: AAA/ACCT/NET(00000052): free_rec, count 0
1w5d: /AAA/ACCTNET(00000052) reccnt 0, csr TRUE, osr 0
1w5d: AAA/ACCT/NET(00000052): Last rec 
Switch#             in db, intf not enqueued
1w5d: AAA/ACCT/EVENT/(0000004E): OUTB_TELNET_STOP
1w5d: (NOACCTREC, AAA) (0000004E) CONN
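
The debug above shows "AAA/LOCAL/LOGIN: user vlada not found" followed by "failover" before anything reaches TACACS+, which is what the method order "local-case group tacacs+" produces: the local database is consulted first. As an added example (not code from any post in this thread), the Python below parses "aaa authentication" and "aaa authorization" lines, shows the order IOS will try, and flags method lists whose fallback grants access without the server; the sample configuration is constructed from the AAA lines posted in this thread.

```python
"""Review of IOS AAA method lists for weak fallbacks.

Added example (not from the thread). It parses `aaa authentication` and
`aaa authorization` lines, records the order in which IOS will try the methods,
and flags lists whose fallback grants access without the TACACS+ server.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample assembled from the configuration lines posted in this thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local-case group tacacs+
aaa authentication enable default enable
aaa authentication login console none
aaa authorization exec default local group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
"""

LINE_RE = re.compile(
    r"^aaa (?P<kind>authentication|authorization) (?P<type>\S+)"
    r"(?: (?P<level>\d+))? (?P<list>\S+) (?P<methods>.+)$"
)


@dataclass
class Finding:
    line: str
    severity: str   # "high" or "medium"
    message: str


def parse_methods(text: str) -> List[str]:
    """Split 'local-case group tacacs+ none' into ['local-case', 'group tacacs+', 'none']."""
    tokens = text.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def review(config_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # accounting and non-AAA lines are not reviewed here
        methods = parse_methods(m["methods"])
        kind, name = m["kind"], m["list"]
        uses_server = any(x.startswith("group ") for x in methods)

        if methods == ["none"]:
            findings.append(Finding(line, "high",
                f"{kind} list '{name}' performs no check at all."))
            continue
        if methods[-1] == "none" and len(methods) > 1:
            findings.append(Finding(line, "high",
                f"{kind} list '{name}' falls back to 'none': when the earlier "
                "methods error out (server unreachable) access is granted unchecked."))
        if methods[-1] == "if-authenticated":
            findings.append(Finding(line, "medium",
                f"{kind} list '{name}' falls back to 'if-authenticated': any "
                "authenticated user gets through when the server is unreachable."))
        if uses_server and methods[0] in ("local", "local-case"):
            findings.append(Finding(line, "medium",
                f"{kind} list '{name}' consults the local database before the "
                "server: only a username missing locally fails over to TACACS+ "
                "(the 'user not found' / 'failover' debug lines), and local accounts "
                "never reach the server."))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    if any(f.severity == "high" for f in findings):
        return "high"
    return "medium" if findings else "none"


if __name__ == "__main__":
    for f in review(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.line}\n    {f.message}")
```

The order "group tacacs+ local" keeps the server authoritative and uses the local account only when the server cannot be reached, which is why that order produces no finding here; a trailing "none" is the setting to look at when a method list is meant to enforce anything.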

Can you tell me what error you see on the ACS, under Reports and Monitoring?

 

Also use the following commands:

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated

Add the above commands.

 

Also make sure that you have added the switch under Network Devices and added the same pre-shared key.

 

Share the error message which you see on the ACS.

 

 

 

Minakshi

10/09/2014 07:31:25 Authen failed vlada Default Group 10.104.1.1 (Default) External DB user invalid or bad password .. .. tty1 10.104.1.100 .. .. .. .. .. test123 

 

But why "external database user", when under the user options dropdown I selected ACS internal database?

 

KR

Is this user a member of the Default group, or any other group?

 

Could you add a screenshot of the user information?

 

Minakshi (Rate the helpful posts)

Also, give me the IP address of the switch and the IP address of the interface through which the Tacacs request is sent, for example the VLAN 20 that you mentioned. Just make sure that you add the IP address of VLAN 20 under Network Devices > Switch; it can have multiple IP addresses, and the pre-shared key needs to be the same.

I changed the device to a Cisco 3650, and I also changed the network, so now ACS and the Cisco device are in the same network, 192.168.253.0/24.

I get on ACS:

Date Time Message-Type User-Name Group-Name Caller-ID Network Access Profile Name Authen-Failure-Code Author-Failure-Code Author-Data NAS-Port NAS-IP-Address Filter Information PEAP/EAP-FAST-Clear-Name EAP Type EAP Type Name Reason Access Device  Network Device Group 
10/10/2014 05:06:06 Authen failed vlada22 Default Group 172.21.1.6 (Default) Users Access Filtered .. .. tty1 192.168.253.25 No Access Filters Passed. .. .. .. .. test123 .. 
10/10/2014 05:06:26 Authen failed vlada22 Default Group 172.21.1.6 (Default) Users Access Filtered .. .. tty1 192.168.253.25 No Access Filters Passed. .. .. .. .. test123 .. 

 

 

From Cisco:

 

*Mar  1 00:23:16.711: AAA/ACCT/EXEC(00000004): Pick method list 'default'
*Mar  1 00:23:16.711: AAA/ACCT/SETMLIST(00000004): Handle 0, mlist 05600CB0, Name default
*Mar  1 00:23:16.711: Getting session id for EXEC(00000004) : db=535F824
*Mar  1 00:23:16.711: AAA/ACCT/EXEC(00000004): add, count 2
*Mar  1 00:23:16.711: AAA/ACCT/EVENT/(00000004): EXEC DOWN
*Mar  1 00:23:16.711: AAA/ACCT/EXEC(00000004): Accounting record not sent
*Mar  1 00:23:16.711: AAA/ACCT/EXEC(00000004): free_rec, count 1
*Mar  1
sw1_EX-3560LabRS-B# 00:23:16.711: AAA/ACCT/EXEC(00000004) reccnt 1, csr FALSE, osr 0
*Mar  1 00:23:18.716: unknown AAA/DISC: 9/"NAS Error"
*Mar  1 00:23:18.716: unknown AAA/DISC/EXT: 1002/"Unknown"
*Mar  1 00:23:18.716: AAA/ACCT/EVENT/(00000004): CALL STOP
*Mar  1 00:23:18.716: AAA/ACCT/CALL STOP(00000004): Sending stop requests
*Mar  1 00:23:18.716: AAA/ACCT(00000004): Send all stops
*Mar  1 00:23:18.716: AAA/ACCT/NET(00000004): STOP
*Mar  1 00:23:18.716: AAA/ACCT/NET(00000004): Method list not found
*Mar  1 00:23:1
sw1_EX-3560LabRS-B#8.716: AAA/ACCT(00000004): del node, session 3
*Mar  1 00:23:18.716: AAA/ACCT/NET(00000004): free_rec, count 0
*Mar  1 00:23:18.716: AAA/ACCT/NET(00000004) reccnt 0, csr TRUE, osr 0
*Mar  1 00:23:18.716: AAA/ACCT/NET(00000004): Last rec in db, intf not enqueued
sw1_EX-3560LabRS-B#
*Mar  1 00:23:38.480: AAA/ACCT/EVENT/(00000005): CALL START
*Mar  1 00:23:38.480: Getting session id for NET(00000005) : db=535FF14
*Mar  1 00:23:38.480: AAA/ACCT(00000000): add node, session 4
*Mar  1 00:23:38.480: AAA/ACCT/NET(00000005): add, count 1
*Mar  1 00:23:38.480: Getting session id for NONE(00000005) : db=535FF14
sw1_EX-3560LabRS-B#
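
The ACS rows above are a Failed Attempts report pasted with its column names, and the answer is in the "Authen-Failure-Code" and "Filter Information" columns ("Users Access Filtered", "No Access Filters Passed."). As an added example (not code from any post in this thread), the Python below reads such a report, counts failures per user and failure code, lists the device addresses ACS saw the requests from, and maps each failure code that appears in this thread to the check it calls for. ACS 4.2 writes its reports as CSV; the forum paste flattened them to spaces, which makes multi-word fields ambiguous, so the sample is the thread's three rows rebuilt as CSV (a constructed sample).

```python
"""Summary of an ACS 4.2 "Failed Attempts" report.

Added example (not from the thread). The sample rows are the three failed attempts
posted in this thread, rebuilt as CSV with the report's own column names.
"""
import csv
import io
from collections import Counter
from typing import Dict, List, Set

# Constructed sample: the three failed-attempt rows from this thread as CSV.
SAMPLE_CSV = """\
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-Port,NAS-IP-Address,Filter Information,PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,Access Device,Network Device Group
10/09/2014,07:31:25,Authen failed,vlada,Default Group,10.104.1.1,(Default),External DB user invalid or bad password,..,..,tty1,10.104.1.100,..,..,..,..,..,test123,..
10/10/2014,05:06:06,Authen failed,vlada22,Default Group,172.21.1.6,(Default),Users Access Filtered,..,..,tty1,192.168.253.25,No Access Filters Passed.,..,..,..,..,test123,..
10/10/2014,05:06:26,Authen failed,vlada22,Default Group,172.21.1.6,(Default),Users Access Filtered,..,..,tty1,192.168.253.25,No Access Filters Passed.,..,..,..,..,test123,..
"""

# Next check per failure code. Only the codes that appear in this thread are
# mapped; the hints restate the diagnosis the thread arrived at.
NEXT_CHECK: Dict[str, str] = {
    "Users Access Filtered":
        "A Network Access Filter (NAF) at user or group level denies this device; "
        "review the NAF settings on both levels.",
    "External DB user invalid or bad password":
        "The password check went to an external database or the password was wrong; "
        "confirm the user's Password Authentication setting and the credentials.",
}


def parse_failed_attempts(csv_text: str) -> List[Dict[str, str]]:
    """Rows as dicts keyed by the report's column names; '..' means an empty field."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({k: ("" if v == ".." else v) for k, v in row.items()})
    return rows


def summarize(rows: List[Dict[str, str]]) -> Counter:
    """Number of failures per (user, failure code)."""
    return Counter((r["User-Name"], r["Authen-Failure-Code"]) for r in rows)


def nas_addresses(rows: List[Dict[str, str]]) -> Set[str]:
    """Addresses ACS saw the requests come from; each of them needs a Network
    Devices entry carrying the same shared key as the switch."""
    return {r["NAS-IP-Address"] for r in rows if r["NAS-IP-Address"]}


def next_check(failure_code: str) -> str:
    return NEXT_CHECK.get(
        failure_code,
        "No mapping for this code; read the Reason and Filter Information columns.")


if __name__ == "__main__":
    rows = parse_failed_attempts(SAMPLE_CSV)
    for (user, code), n in summarize(rows).items():
        print(f"{user}: {code} x{n} -> {next_check(code)}")
    print("device addresses seen:", sorted(nas_addresses(rows)))
```

Feed it the CSV export of the Failed Attempts report rather than a screen paste; the "NAS-IP-Address" column is the value to compare with the Network Devices entries, since a switch that sources its requests from a VLAN interface shows up under that interface's address.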

 

 

 

 

It looks like there is a NAF configured at either the group level or the user level, due to which you are unable to log in.

Kindly check the NAF settings on ACS 4.2 at the group as well as the user level and change them to permit access.

 

 

Minakshi
