LMS 4 and ACS 5 authentication issue

Answered Question
Apr 6th, 2012

Hi,

I have upgraded the configuration of about 650 Cisco devices (catalyst switches, routers, ASA, VGxxx, etc.) so as to integrate a new AAA server (Cisco ACS 5.3). This AAA server is bound with an Active Directory Server (MS Windows Server 2008 R2) for user authentication (only for admin purpose not for network access).

Before this upgrade, the AAA server was Cisco ACS 4.1 (not bound to the Active Directory Server). Cisco devices are managed with a Cisco LMS 4.01 server. I modified the Network Level Login Credentials of the full privileged user of LMS because some characters of the password were not accepted by AD. Therefore, in order to maintain the telnet connection availability between the LMS server and the network devices, I also had to update the appropriate device credentials in DCR. Finally I got the following issue when performing the credential verification: telnet incorrect!

When performing a direct telnet connection with TeraTerm, I can reach the device and the user authentication is performed correctly by the ACS server and the AD server. Log files on the ACS 5.3 server show the accepted connection, the initiator and the target device.

But when LMS sends a telnet connection to the same device (through a credential verification job), the ACS 5.3 does not receive the authentication inquiry (nothing in the tacacs+ log file). When performing AAA authentication debugging on the switch, the bind message repeats many times with no following authorization message (as requested also in debug).

004696: Apr  6 12:46:34: AAA/BIND(0000069F): Bind i/f
004697: Apr  6 12:46:34: AAA/AUTHEN/LOGIN (0000069F): Pick method list 'default'
586546: Apr  6 10:19:10: AAA/BIND(0000046C): Bind i/f
586547: Apr  6 10:19:10: AAA/AUTHEN/LOGIN (0000046C): Pick method list 'default'

I reverted to the initial configuration of the switch (with ACS 4.1 as AAA server, not bound to AD) and performed a test with the same LMS server (with reverted credential data). The credential verification job is successful and the debug mode of AAA shows a correct negotiation between the switch and its ACS server:

586546: Apr  6 10:19:10: AAA/BIND(0000046C): Bind i/f
586547: Apr  6 10:19:10: AAA/AUTHEN/LOGIN (0000046C): Pick method list 'default'
A22SG14.123#
586548: Apr  6 10:19:11: AAA/AUTHOR (0x46C): Pick method list 'default'
586549: Apr  6 10:19:11: AAA/AUTHOR/EXEC(0000046C): processing AV cmd=
586550: Apr  6 10:19:11: AAA/AUTHOR/EXEC(0000046C): processing AV priv-lvl=15
586551: Apr  6 10:19:11: AAA/AUTHOR/EXEC(0000046C): Authorization successful
A22SG14.123#

Indeed the ACS 4.1 authentication log file lists the successful connection of the LMS server to the switch.

In the two cases I exported the device credentials to a csv file to check the availability of each.

So, how to explain why a telnet session initiated by a terminal can connect in both cases (ACS 4.1 and ACS 5.3) to the switch, while a telnet session coming from an LMS job can only connect to the ACS 4.1 server? When the switch "sees" an incoming telnet session request from anywhere, it must send it to the AAA server specified for authentication. I do not understand why the request from LMS is not sent to ACS (no record in the log file, not even an authentication deny ...).

Thanks for any suggestion,

Regards,

BL

Correct Answer
Vinod Arya Fri, 04/06/2012 - 11:58

Usually it is essential to configure the $NMSROOT\objects\cmf\data\TacacsPrompts.ini file. As with TACACS+ auth you can also define custom login username and password prompts, this file needs to be configured, but only in the case of Telnet, not SSH.

So just check the login prompt you get on your device when you try to telnet and put the same in your TacacsPrompts.ini file.

Example:

> Following is the content of TacacsPrompts.ini:

[TELNET]
USERNAME_PROMPT=
PASSWORD_PROMPT=

> Following is the username and password prompt for my device:

> As per this please modify the file as:

[TELNET]
USERNAME_PROMPT=Username:
PASSWORD_PROMPT=Password:

Just save and try to run the job again for the failing device.

-Thanks

Celtec@DSI Tue, 04/10/2012 - 00:00

Hi,

Many thanks to your help.

It works fine now !

Indeed I first tried to modify this file with "uppercase" username, password parameters, but I forgot to add the colon signs.

Because it wasn't successful, I reverted to the default TacacsPrompts.ini file.

With your indication I tried with Username:, Password: parameters, but it was also unsuccessful.

Finally, the right solution (for my case) was username: , password: in lowercase. It is because when you telnet under ACS 5.x authentication, you get a username, password mask (in lowercase). With ACS 4.x you get Username, Password (in uppercase).

So thank you for your helpful advice!

Best Regards,

BL

Correct Answer
Vinod Arya Tue, 04/10/2012 - 00:13

Good to know it worked. I forgot to mention that the prompt should be copied exactly and is case sensitive as well.

Though you can have multiple prompts as well with comma separation. What I usually recommend is to try to telnet to the device via command prompt/PuTTY and copy it from there directly.

You can close this thread if the issue is resolved.

-Thanks

Vinod
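An added check, not from the thread and not LMS's own code: it parses the [TELNET] section of a TacacsPrompts.ini and tests whether the configured USERNAME_PROMPT would match a captured device login prompt exactly (case-sensitive, as Vinod notes), honouring the comma-separated multiple-prompt form. The sample banners and the exact-suffix matching rule are assumptions made for this example.

```python
"""Check an LMS TacacsPrompts.ini [TELNET] section against captured login text."""

# Constructed sample banners: the lowercase prompt seen with ACS 5.x and the
# capitalised prompt seen with ACS 4.x, as reported in the thread above.
ACS5_LOGIN_BANNER = "User Access Verification\r\n\r\nusername: "
ACS4_LOGIN_BANNER = "User Access Verification\r\n\r\nUsername: "


def parse_tacacs_prompts(ini_text: str) -> dict:
    """Parse the [TELNET] section into {key: [prompt, ...]}.

    Keys stay case-sensitive and values are split on commas (multiple prompts,
    per the thread). The remaining parsing rules (comment characters, section
    handling) are assumptions for this example, not LMS documentation.
    """
    prompts, section = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            continue
        if section != "TELNET" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Empty entries (e.g. "USERNAME_PROMPT=") yield no usable prompt.
        prompts[key.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return prompts


def prompt_matches(configured: list, received: str) -> bool:
    """True if the text the device sent ends with one configured prompt.

    Comparison is byte-for-byte (case-sensitive); only trailing whitespace
    after the prompt is ignored. Assumed matching rule for this example.
    """
    tail = received.rstrip()
    return any(tail.endswith(p) for p in configured)


def check_username_prompt(ini_text: str, banner: str) -> bool:
    """Would this TacacsPrompts.ini recognise the username prompt in banner?"""
    configured = parse_tacacs_prompts(ini_text).get("USERNAME_PROMPT", [])
    return prompt_matches(configured, banner)


if __name__ == "__main__":
    ini = "[TELNET]\nUSERNAME_PROMPT=Username:\nPASSWORD_PROMPT=Password:\n"
    print("ACS 4.x prompt matched:", check_username_prompt(ini, ACS4_LOGIN_BANNER))
    print("ACS 5.x prompt matched:", check_username_prompt(ini, ACS5_LOGIN_BANNER))
```

Running it reproduces the thread's outcome: the capitalised entry matches the ACS 4.x banner but not the ACS 5.x one, and listing both prompts comma-separated covers devices behind either server.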

Posted April 6, 2012 at 6:04 AM