02-02-2016 09:40 AM - edited 03-10-2019 11:26 PM
We currently have a switch, ms-duncan, that has been set up for TACACS and works fine. We put the same commands on another switch, sw-SPARE, and it does not work:
!
enable secret 5 $1$lyQB$OUFCNrTeluAVeH9R1Grjm0
!
username netadmin privilege 15 secret 5 $1$urJC$LbxLOoBdoG1064QFcjTRe1
username admin privilege 15 secret 5 $1$LGPp$QbOZQ8Ch2kpEj.tLKsp1m/
!
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
!
!
!
aaa session-id common
!
!
tacacs-server host 10.223.8.29 single-connection key CiscoCisco
tacacs-server directed-request
!
Here is the debug tacacs from ms-duncan:
ms-duncan#
11w5d: TPLUS: Queuing AAA Authentication request 344 for processing
11w5d: TPLUS: processing authentication start request id 344
11w5d: TPLUS: Authentication start packet created for 344(reed.vendor)
11w5d: TPLUS: Using server 10.223.8.29
11w5d: TPLUS(00000158)/0/IDLE/4383A40: got immediate connect on new 0
11w5d: TPLUS(00000158)/0/WRITE/4383A40: Started 5 sec timeout
11w5d: TPLUS(00000158)/0/WRITE: wrote entire 47 bytes request
11w5d: TPLUS(00000158)/0/READ: read entire 12 header bytes (expect 16 bytes)
11w5d: TPLUS(00000158)/0/READ: read entire 28 bytes response
11w5d: TPLUS(00000158)/0/4383A40: Processing the reply packet
11w5d: TPLUS: Received authen response status GET_PASSWORD (8)
11w5d: TPLUS: Queuing AAA Authentication request 344 for processing
11w5d: TPLUS: processing authentication continue request id 344
11w5d: TPLUS: Authentication continue packet generated for 344
11w5d: TPLUS(00000158)/0/WRITE/4383CA8: Started 5 sec timeout
11w5d: TPLUS(00000158)/0/WRITE: wrote entire 25 bytes request
11w5d: TPLUS(00000158)/0/READ: read entire 12 header bytes (expect 6 bytes)
11w5d: TPLUS(00000158)/0/READ: read entire 18 bytes response
11w5d: TPLUS(00000158)/0/4383CA8: Processing the reply packet
11w5d: TPLUS: Received authen response status PASS (2)
11w5d: TPLUS: Queuing AAA Authorization request 344 for processing
11w5d: TPLUS: processing authorization request id 344
11w5d: TPLUS: Protocol set to None .....Skipping
11w5d: TPLUS: Sending AV service=shell
11w5d: TPLUS: Sending AV cmd*
11w5d: TPLUS: Authorization request created for 344(reed.vendor)
11w5d: TPLUS: using previously set server 10.223.8.29 from group tacacs+
11w5d: TPLUS(00000158)/0/IDLE/4384698: got immediate connect on new 0
11w5d: TPLUS(00000158)/0/WRITE/4384698: Started 5 sec timeout
11w5d: TPLUS(00000158)/0/WRITE: wrote entire 66 bytes request
11w5d: TPLUS(00000158)/0/READ: read entire 12 header bytes (expect 18 bytes)
11w5d: TPLUS(00000158)/0/READ: read entire 30 bytes response
11w5d: TPLUS(00000158)/0/4384698: Processing the reply packet
11w5d: TPLUS: Processed AV priv-lvl=15
11w5d: TPLUS: received authorization response for 344: PASS
ms-duncan#
Here is the debug tacacs from sw-SPARE:
sw-SPARE#
Feb 2 17:17:49.477: TPLUS: Queuing AAA Authentication request 42 for processing
Feb 2 17:17:49.477: TPLUS: processing authentication start request id 42
Feb 2 17:17:49.477: TPLUS: Authentication start packet created for 42()
Feb 2 17:17:49.477: TPLUS: Using server 10.223.8.29
Feb 2 17:17:49.482: TPLUS(0000002A)/0/NB_WAIT/452B47C: Started 5 sec timeout
Feb 2 17:17:49.482: TPLUS(0000002A)/0/NB_WAIT: wrote entire 36 bytes request
Feb 2 17:17:49.482: TPLUS: Would block while reading pak header
Feb 2 17:17:49.487: TPLUS(0000002A)/0/452B47C: Processing the reply packet
Feb 2 17:17:58.437: TPLUS: Queuing AAA Authentication request 42 for processing
Feb 2 17:17:58.437: TPLUS: processing authentication start request id 42
Feb 2 17:17:58.437: TPLUS: Authentication start packet created for 42()
Feb 2 17:17:58.437: TPLUS: Using server 10.223.8.29
Feb 2 17:17:58.437: TPLUS(0000002A)/0/NB_WAIT/4165F60: Started 5 sec timeout
Feb 2 17:17:58.437: TPLUS(0000002A)/0/NB_WAIT: wrote entire 36 bytes request
Feb 2 17:17:58.437: TPLUS: Would block while reading pak header
Feb 2 17:17:58.442: TPLUS(0000002A)/0/4165F60: Processing the reply packet
sw-SPARE#
It appears that the problem is that there is no username in the Authentication start packet for sw-SPARE:
Feb 2 17:17:49.477: TPLUS: Authentication start packet created for 42()
What do we need to do to fix this and get TACACS to work on sw-SPARE?
02-02-2016 11:19 AM
Is sw-SPARE added as a network device on your TACACS+ server?
02-02-2016 12:24 PM
yes
02-03-2016 10:31 AM
yes
02-02-2016 11:37 AM
Can you please replace this command on sw-SPARE
tacacs-server host 10.223.8.29 single-connection key CiscoCisco
with tacacs-server host 10.223.8.29 key CiscoCisco
and test again.
~ Jatin
02-03-2016 05:35 AM
I replaced the command with the one suggested above. The results were the same:
sw-SPARE#
Feb 3 13:33:15.679: TPLUS: Queuing AAA Authentication request 48 for processing
Feb 3 13:33:15.679: TPLUS: processing authentication start request id 48
Feb 3 13:33:15.679: TPLUS: Authentication start packet created for 48()
Feb 3 13:33:15.679: TPLUS: Using server 10.223.8.29
Feb 3 13:33:15.679: TPLUS(00000030)/0/NB_WAIT/43F43A0: Started 5 sec timeout
Feb 3 13:33:15.684: TPLUS(00000030)/0/NB_WAIT: socket event 2
Feb 3 13:33:15.684: TPLUS(00000030)/0/NB_WAIT: wrote entire 36 bytes request
Feb 3 13:33:15.684: TPLUS(00000030)/0/READ: socket event 1
Feb 3 13:33:15.684: TPLUS(00000030)/0/READ: Would block while reading
Feb 3 13:33:15.684: TPLUS(00000030)/0/READ: socket event 1
Feb 3 13:33:15.684: TPLUS(00000030)/0/READ: errno 254
Feb 3 13:33:15.684: TPLUS(00000030)/0/43F43A0: Processing the reply packet
sw-SPARE#
Any other thoughts?
02-03-2016 06:27 AM
I guess errno 254 means that the TACACS packet is sourced with a different IP address than what you have added on the TACACS server. Can you share "show ip int bri" output from the device in question, and also what interface / IP address you have configured on TACACS?
~ Jatin
02-03-2016 07:39 AM
sw-SPARE#sh ip int bri
Interface IP-Address OK? Method Status Protocol
Vlan1 172.19.4.9 YES NVRAM up up
Vlan160 10.249.160.11 YES DHCP up up
Vlan240 10.249.240.11 YES DHCP up up
FastEthernet0 unassigned YES NVRAM administratively down down
GigabitEthernet1/0/1 unassigned YES unset down down
GigabitEthernet1/0/2 unassigned YES unset down down
GigabitEthernet1/0/3 unassigned YES unset down down
GigabitEthernet1/0/4 unassigned YES unset down down
GigabitEthernet1/0/5 unassigned YES unset down down
GigabitEthernet1/0/6 unassigned YES unset down down
GigabitEthernet1/0/7 unassigned YES unset down down
GigabitEthernet1/0/8 unassigned YES unset down down
GigabitEthernet1/0/9 unassigned YES unset down down
GigabitEthernet1/0/10 unassigned YES unset down down
GigabitEthernet1/0/11 unassigned YES unset up up
GigabitEthernet1/0/12 unassigned YES unset down down
GigabitEthernet1/0/13 unassigned YES unset down down
GigabitEthernet1/0/14 unassigned YES unset down down
GigabitEthernet1/0/15 unassigned YES unset down down
GigabitEthernet1/0/16 unassigned YES unset down down
GigabitEthernet1/0/17 unassigned YES unset down down
GigabitEthernet1/0/18 unassigned YES unset down down
GigabitEthernet1/0/19 unassigned YES unset down down
GigabitEthernet1/0/20 unassigned YES unset down down
GigabitEthernet1/0/21 unassigned YES unset administratively down down
GigabitEthernet1/0/22 unassigned YES unset down down
GigabitEthernet1/0/23 unassigned YES unset down down
GigabitEthernet1/0/24 unassigned YES unset up up
GigabitEthernet1/0/25 unassigned YES unset down down
GigabitEthernet1/0/26 unassigned YES unset down down
GigabitEthernet1/0/27 unassigned YES unset down down
GigabitEthernet1/0/28 unassigned YES unset down down
sw-SPARE#
TACACS
Network Configuration --> Network Device Group --> Spare Test -->
AAA Client Hostname --> Spare Switch --> AAA Client IP Address --> 172.19.4.9
02-03-2016 01:25 PM
Can you add another statement to the configuration:
ip tacacs source-interface vlan1
The command is to specify an interface / IP address for all outgoing TACACS+ packets.
~ Jatin
02-12-2016 09:59 AM
That worked! So, why do you have to specify an interface for the outgoing TACACS packets here? Never had to do that before.
02-12-2016 10:38 AM
This command is especially useful in cases where the NAD has many interfaces and you want to ensure that all TACACS+ packets from a particular NAD have the same IP address.
~ Jatin
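As an added illustration, not code from this thread or from Cisco: a small Python helper that parses the "show ip int bri" output posted above, flags that the switch has several up/up SVIs it could source TACACS+ from, derives the "ip tacacs source-interface" line from the AAA client IP registered on the server, and spots the two debug signatures seen in the thread (empty username in the start packet, errno 254). The sample output and log lines are constructed copies of what was posted; the registered AAA client IP is assumed to be the 172.19.4.9 entry shown above.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample, modelled on the "show ip int bri" output posted in the thread.
SHOW_IP_INT_BRI = """\
Interface IP-Address OK? Method Status Protocol
Vlan1 172.19.4.9 YES NVRAM up up
Vlan160 10.249.160.11 YES DHCP up up
Vlan240 10.249.240.11 YES DHCP up up
FastEthernet0 unassigned YES NVRAM administratively down down
GigabitEthernet1/0/1 unassigned YES unset down down
"""

# Constructed sample lines modelled on the "debug tacacs" output from sw-SPARE.
DEBUG_TACACS = [
    "Feb 3 13:33:15.679: TPLUS: Authentication start packet created for 48()",
    "Feb 3 13:33:15.684: TPLUS(00000030)/0/READ: errno 254",
]


def parse_l3_interfaces(output: str) -> Dict[str, str]:
    """Return {interface: ip} for interfaces that have an address and are up/up."""
    result: Dict[str, str] = {}
    for line in output.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 6 or parts[1] == "unassigned":
            continue
        # Status may be two words ("administratively down"), so read from the end.
        if parts[-2] == "up" and parts[-1] == "up":
            result[parts[0]] = parts[1]
    return result


def ambiguous_sources(output: str) -> bool:
    """True when more than one up/up interface carries an address: the switch may then
    source TACACS+ from an IP the AAA server has not registered for this device."""
    return len(parse_l3_interfaces(output)) > 1


def recommend_source_interface(output: str, aaa_client_ip: str) -> Optional[str]:
    """Build the IOS command that pins TACACS+ traffic to the interface whose address
    matches the AAA client entry on the server; None if no up/up interface matches."""
    for iface, ip in parse_l3_interfaces(output).items():
        if ip == aaa_client_ip:
            return f"ip tacacs source-interface {iface}"
    return None


def tacacs_debug_signals(lines: List[str]) -> Set[str]:
    """Flag the failure signatures discussed in the thread."""
    signals: Set[str] = set()
    for line in lines:
        if re.search(r"Authentication start packet created for \d+\(\)", line):
            signals.add("empty_username_in_start_packet")
        if "errno 254" in line:
            signals.add("errno_254_server_rejected_packet")
    return signals
```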
04-18-2018 12:24 AM
I had a similar problem too. I received the following messages in the log and in ISE:
Apr 18 06:36:29.639: TPLUS(000001A2)/0/READ: Would block while reading
Apr 18 06:36:29.639: TPLUS(000001A2)/0/READ: socket event 1
Apr 18 06:36:29.639: TPLUS(000001A2)/0/READ: read 0 bytes
Apr 18 06:36:29.639: TPLUS(000001A2)/0/READ: socket event 1
Apr 18 06:36:29.639: TPLUS(000001A2)/0/READ: errno 254
Apr 18 06:36:29.639: TPLUS(000001A2)/0/131A1114: Processing the reply packet
Message Text: Failed-Attempt: TACACS+ Request dropped
Failure Reason: 13017 Received TACACS+ packet from unknown Network Device or AAA Client
I solved this problem by removing the device from ISE and creating it again.
But usually that occurs when the device config does not have the command
ip tacacs source-interface
11-14-2018 04:17 AM
Thank you. This worked for me.
02-14-2023 02:34 PM
This worked for me as well. Ours would work sometimes and sometimes not. Can't believe I didn't think of this, but it makes perfect sense. ISE is configured with just a single IP from this device, so gotta make sure it all comes from the same IP.