TACACS Authentication Not Working

dtom
Level 1

We currently have a switch, ms-duncan, that has been set up for TACACS and works fine.  We put the same commands on another switch, sw-SPARE, and it does not work:

!
enable secret 5 $1$lyQB$OUFCNrTeluAVeH9R1Grjm0
!
username netadmin privilege 15 secret 5 $1$urJC$LbxLOoBdoG1064QFcjTRe1
username admin privilege 15 secret 5 $1$LGPp$QbOZQ8Ch2kpEj.tLKsp1m/
!
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
!
!
!
aaa session-id common
!
!
tacacs-server host 10.223.8.29 single-connection key CiscoCisco
tacacs-server directed-request

!

Here is the debug tacacs from ms-duncan:

ms-duncan#
11w5d: TPLUS: Queuing AAA Authentication request 344 for processing
11w5d: TPLUS: processing authentication start request id 344
11w5d: TPLUS: Authentication start packet created for 344(reed.vendor)
11w5d: TPLUS: Using server 10.223.8.29
11w5d: TPLUS(00000158)/0/IDLE/4383A40: got immediate connect on new 0
11w5d: TPLUS(00000158)/0/WRITE/4383A40: Started 5 sec timeout
11w5d: TPLUS(00000158)/0/WRITE: wrote entire 47 bytes request
11w5d: TPLUS(00000158)/0/READ: read entire 12 header bytes (expect 16 bytes)
11w5d: TPLUS(00000158)/0/READ: read entire 28 bytes response
11w5d: TPLUS(00000158)/0/4383A40: Processing the reply packet
11w5d: TPLUS: Received authen response status GET_PASSWORD (8)
11w5d: TPLUS: Queuing AAA Authentication request 344 for processing
11w5d: TPLUS: processing authentication continue request id 344
11w5d: TPLUS: Authentication continue packet generated for 344
11w5d: TPLUS(00000158)/0/WRITE/4383CA8: Started 5 sec timeout
11w5d: TPLUS(00000158)/0/WRITE: wrote entire 25 bytes request
11w5d: TPLUS(00000158)/0/READ: read entire 12 header bytes (expect 6 bytes)
11w5d: TPLUS(00000158)/0/READ: read entire 18 bytes response
11w5d: TPLUS(00000158)/0/4383CA8: Processing the reply packet
11w5d: TPLUS: Received authen response status PASS (2)
11w5d: TPLUS: Queuing AAA Authorization request 344 for processing
11w5d: TPLUS: processing authorization request id 344
11w5d: TPLUS: Protocol set to None .....Skipping
11w5d: TPLUS: Sending AV service=shell
11w5d: TPLUS: Sending AV cmd*
11w5d: TPLUS: Authorization request created for 344(reed.vendor)
11w5d: TPLUS: using previously set server 10.223.8.29 from group tacacs+
11w5d: TPLUS(00000158)/0/IDLE/4384698: got immediate connect on new 0
11w5d: TPLUS(00000158)/0/WRITE/4384698: Started 5 sec timeout
11w5d: TPLUS(00000158)/0/WRITE: wrote entire 66 bytes request
11w5d: TPLUS(00000158)/0/READ: read entire 12 header bytes (expect 18 bytes)
11w5d: TPLUS(00000158)/0/READ: read entire 30 bytes response
11w5d: TPLUS(00000158)/0/4384698: Processing the reply packet
11w5d: TPLUS: Processed AV priv-lvl=15
11w5d: TPLUS: received authorization response for 344: PASS
ms-duncan#

Here is the debug tacacs from sw-SPARE:

sw-SPARE#
Feb  2 17:17:49.477: TPLUS: Queuing AAA Authentication request 42 for processing
Feb  2 17:17:49.477: TPLUS: processing authentication start request id 42
Feb  2 17:17:49.477: TPLUS: Authentication start packet created for 42()
Feb  2 17:17:49.477: TPLUS: Using server 10.223.8.29
Feb  2 17:17:49.482: TPLUS(0000002A)/0/NB_WAIT/452B47C: Started 5 sec timeout
Feb  2 17:17:49.482: TPLUS(0000002A)/0/NB_WAIT: wrote entire 36 bytes request
Feb  2 17:17:49.482: TPLUS: Would block while reading pak header
Feb  2 17:17:49.487: TPLUS(0000002A)/0/452B47C: Processing the reply packet
Feb  2 17:17:58.437: TPLUS: Queuing AAA Authentication request 42 for processing
Feb  2 17:17:58.437: TPLUS: processing authentication start request id 42
Feb  2 17:17:58.437: TPLUS: Authentication start packet created for 42()
Feb  2 17:17:58.437: TPLUS: Using server 10.223.8.29
Feb  2 17:17:58.437: TPLUS(0000002A)/0/NB_WAIT/4165F60: Started 5 sec timeout
Feb  2 17:17:58.437: TPLUS(0000002A)/0/NB_WAIT: wrote entire 36 bytes request
Feb  2 17:17:58.437: TPLUS: Would block while reading pak header
Feb  2 17:17:58.442: TPLUS(0000002A)/0/4165F60: Processing the reply packet
sw-SPARE#

It appears that the problem is there is no username in the Authentication start packet for the sw-SPARE:

Feb  2 17:17:49.477: TPLUS: Authentication start packet created for 42()

What do we need to do to fix this and get TACACS to work on sw-SPARE?

1 Accepted Solution

Can you add another statement to the configuration:

ip tacacs source-interface vlan1

The command is to specify an interface / IP address for all outgoing TACACS+ packets.

~ Jatin

13 Replies

jj27
Spotlight

Is sw-SPARE added as a network device on your TACACS+ server?

yes

Jatin Katyal
Cisco Employee

Can you please replace this command on sw-SPARE:

tacacs-server host 10.223.8.29 single-connection key CiscoCisco

with tacacs-server host 10.223.8.29 key CiscoCisco

and test again.

~ Jatin

I replaced the command with the one suggested above.  The results were the same:

sw-SPARE#
Feb  3 13:33:15.679: TPLUS: Queuing AAA Authentication request 48 for processing
Feb  3 13:33:15.679: TPLUS: processing authentication start request id 48
Feb  3 13:33:15.679: TPLUS: Authentication start packet created for 48()
Feb  3 13:33:15.679: TPLUS: Using server 10.223.8.29
Feb  3 13:33:15.679: TPLUS(00000030)/0/NB_WAIT/43F43A0: Started 5 sec timeout
Feb  3 13:33:15.684: TPLUS(00000030)/0/NB_WAIT: socket event 2
Feb  3 13:33:15.684: TPLUS(00000030)/0/NB_WAIT: wrote entire 36 bytes request
Feb  3 13:33:15.684: TPLUS(00000030)/0/READ: socket event 1
Feb  3 13:33:15.684: TPLUS(00000030)/0/READ: Would block while reading
Feb  3 13:33:15.684: TPLUS(00000030)/0/READ: socket event 1
Feb  3 13:33:15.684: TPLUS(00000030)/0/READ: errno 254
Feb  3 13:33:15.684: TPLUS(00000030)/0/43F43A0: Processing the reply packet
sw-SPARE#

Any other thoughts?

I guess errno 254 means that the TACACS packet is sourced with a different IP address than the one you have added on the TACACS server. Can you share the "show ip int bri" output from the device in question, and also tell us what interface / IP address you have configured on TACACS?

~ Jatin

sw-SPARE#sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  172.19.4.9      YES NVRAM  up                    up
Vlan160                10.249.160.11   YES DHCP   up                    up
Vlan240                10.249.240.11   YES DHCP   up                    up
FastEthernet0          unassigned      YES NVRAM  administratively down down
GigabitEthernet1/0/1   unassigned      YES unset  down                  down
GigabitEthernet1/0/2   unassigned      YES unset  down                  down
GigabitEthernet1/0/3   unassigned      YES unset  down                  down
GigabitEthernet1/0/4   unassigned      YES unset  down                  down
GigabitEthernet1/0/5   unassigned      YES unset  down                  down
GigabitEthernet1/0/6   unassigned      YES unset  down                  down
GigabitEthernet1/0/7   unassigned      YES unset  down                  down
GigabitEthernet1/0/8   unassigned      YES unset  down                  down
GigabitEthernet1/0/9   unassigned      YES unset  down                  down
GigabitEthernet1/0/10  unassigned      YES unset  down                  down
GigabitEthernet1/0/11  unassigned      YES unset  up                    up
GigabitEthernet1/0/12  unassigned      YES unset  down                  down
GigabitEthernet1/0/13  unassigned      YES unset  down                  down
GigabitEthernet1/0/14  unassigned      YES unset  down                  down
GigabitEthernet1/0/15  unassigned      YES unset  down                  down
GigabitEthernet1/0/16  unassigned      YES unset  down                  down
GigabitEthernet1/0/17  unassigned      YES unset  down                  down
GigabitEthernet1/0/18  unassigned      YES unset  down                  down
GigabitEthernet1/0/19  unassigned      YES unset  down                  down
GigabitEthernet1/0/20  unassigned      YES unset  down                  down
GigabitEthernet1/0/21  unassigned      YES unset  administratively down down
GigabitEthernet1/0/22  unassigned      YES unset  down                  down
GigabitEthernet1/0/23  unassigned      YES unset  down                  down
GigabitEthernet1/0/24  unassigned      YES unset  up                    up
GigabitEthernet1/0/25  unassigned      YES unset  down                  down
GigabitEthernet1/0/26  unassigned      YES unset  down                  down
GigabitEthernet1/0/27  unassigned      YES unset  down                  down
GigabitEthernet1/0/28  unassigned      YES unset  down                  down
sw-SPARE#

TACACS

Network Configuration --> Network Device Group --> Spare Test -->

AAA Client Hostname --> Spare Switch --> AAA Client IP Address --> 172.19.4.9

Can you add another statement to the configuration:

ip tacacs source-interface vlan1

The command is to specify an interface / IP address for all outgoing TACACS+ packets.

~ Jatin

That worked!  So, why do you have to specify an interface for the outgoing TACACS packets here?  Never had to do that before.

This command is especially useful in cases where the NAD has many interfaces and you want to ensure that all TACACS+ packets from a particular NAD have the same IP address.

~ Jatin

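To make the accepted solution and Jatin's explanation above concrete, here is an added Python check (not from the thread and not Cisco's code) that resolves which address a switch will source TACACS+ from, with and without "ip tacacs source-interface", and compares it with the AAA client IP defined on the server. The interface addresses and the 172.19.4.9 NAD entry come from the thread; the routing table is an assumption, since the thread does not show one.

```python
import ipaddress
from typing import Optional

# Constructed sample: the addressed lines of the 'show ip int bri' output in this thread
SHOW_IP_INT_BRI = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  172.19.4.9      YES NVRAM  up                    up
Vlan160                10.249.160.11   YES DHCP   up                    up
Vlan240                10.249.240.11   YES DHCP   up                    up
"""

# Assumed routing table (prefix -> egress interface); the thread does not show one.
ROUTES = {
    "0.0.0.0/0": "Vlan160",      # assumed default route via the DHCP-addressed VLAN
    "172.19.4.0/24": "Vlan1",
    "10.223.8.0/24": "Vlan240",  # assumed route toward the TACACS+ server
}

TACACS_SERVER = "10.223.8.29"
REGISTERED_NAD_IPS = {"172.19.4.9"}  # the only AAA client IP defined on the server (from the thread)

def parse_interface_ips(text: str) -> dict:
    """Map lower-cased interface name -> IPv4 address, skipping the header and 'unassigned'."""
    ips = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2 and parts[1] != "unassigned":
            ips[parts[0].lower()] = parts[1]
    return ips

def egress_interface(dest: str, routes: dict) -> str:
    """Longest-prefix match over the routing table, as the switch would do."""
    d = ipaddress.ip_address(dest)
    matches = [ipaddress.ip_network(p) for p in routes if d in ipaddress.ip_network(p)]
    best = max(matches, key=lambda n: n.prefixlen)
    return routes[str(best)]

def tacacs_source_ip(dest: str, source_interface: Optional[str], ips: dict, routes: dict) -> str:
    """'ip tacacs source-interface' pins the source address; without it the egress interface's IP is used."""
    iface = source_interface or egress_interface(dest, routes)
    return ips[iface.lower()]

def check_nad(source_interface: Optional[str]) -> tuple:
    """Return (source IP the server will see, whether the server knows that IP as a NAD)."""
    ips = parse_interface_ips(SHOW_IP_INT_BRI)
    src = tacacs_source_ip(TACACS_SERVER, source_interface, ips, ROUTES)
    return src, src in REGISTERED_NAD_IPS
```

With the assumed routes, check_nad(None) sources from Vlan240 and is unknown to the server, while check_nad("vlan1") sources from 172.19.4.9 and matches the NAD entry.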
I had some problems too. I received the following messages in the log and in ISE:

Apr 18 06:36:29.639: TPLUS(000001A2)/0/READ: Would block while reading
Apr 18 06:36:29.639: TPLUS(000001A2)/0/READ: socket event 1
Apr 18 06:36:29.639: TPLUS(000001A2)/0/READ: read 0 bytes
Apr 18 06:36:29.639: TPLUS(000001A2)/0/READ: socket event 1
Apr 18 06:36:29.639: TPLUS(000001A2)/0/READ: errno 254
Apr 18 06:36:29.639: TPLUS(000001A2)/0/131A1114: Processing the reply packet

Message Text Failed-Attempt: TACACS+ Request dropped
Failure Reason 13017 Received TACACS+ packet from unknown Network Device or AAA Client

I solved this problem by removing the device from ISE and creating it again.

But usually that occurs when the device config does not have the command

ip tacacs source-interface 

Thank you. This worked for me.

leoingle
Level 1

This worked for me as well.  Ours would work sometimes and sometimes not.  Can't believe I didn't think of this, but it makes perfect sense.  ISE is configured with just a single IP from this device, so gotta make sure it all comes from the same IP.
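
As an added example, not from the thread, the following Python triage distinguishes the two kinds of "debug tacacs" captures pasted in this thread: a server that answers (GET_PASSWORD, PASS) versus one that tears the session down without a reply (errno 254 / read 0 bytes), which is the symptom the thread resolved by pinning the source interface. The sample lines are abridged copies of the captures above.

```python
import re

# Constructed samples, abridged from the debug captures pasted in this thread
HEALTHY = """\
11w5d: TPLUS: Authentication start packet created for 344(reed.vendor)
11w5d: TPLUS: Received authen response status GET_PASSWORD (8)
11w5d: TPLUS: Received authen response status PASS (2)
11w5d: TPLUS: received authorization response for 344: PASS
"""
DROPPED = """\
Feb  3 13:33:15.679: TPLUS: Authentication start packet created for 48()
Feb  3 13:33:15.684: TPLUS(00000030)/0/NB_WAIT: wrote entire 36 bytes request
Feb  3 13:33:15.684: TPLUS(00000030)/0/READ: Would block while reading
Feb  3 13:33:15.684: TPLUS(00000030)/0/READ: errno 254
Feb  3 13:33:15.684: TPLUS(00000030)/0/43F43A0: Processing the reply packet
"""

START_RE = re.compile(r"Authentication start packet created for (\d+)\((.*)\)")
STATUS_RE = re.compile(r"Received authen response status (\w+)")

def triage(debug_text: str) -> dict:
    """Summarise one 'debug tacacs' capture: requests seen (id -> username or None),
    the statuses the server actually returned, and whether the session was torn
    down without a reply (errno 254 / read 0 bytes), the pattern this thread
    traces to a source-IP / NAD mismatch on the server."""
    summary = {"requests": {}, "statuses": [], "no_reply_close": False, "verdict": ""}
    for line in debug_text.splitlines():
        m = START_RE.search(line)
        if m:
            summary["requests"][m.group(1)] = m.group(2) or None
        s = STATUS_RE.search(line)
        if s:
            summary["statuses"].append(s.group(1))
        if "authorization response" in line and line.rstrip().endswith("PASS"):
            summary["statuses"].append("AUTHZ_PASS")
        if "errno 254" in line or "read 0 bytes" in line:
            summary["no_reply_close"] = True
    if summary["statuses"]:
        summary["verdict"] = "server answered: " + ",".join(summary["statuses"])
    elif summary["no_reply_close"]:
        summary["verdict"] = ("server closed the session without a reply: verify the switch's "
                              "source IP is the NAD address on the server (ip tacacs source-interface)")
    else:
        summary["verdict"] = "no status and no close seen: check reachability / timeout"
    return summary
```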