cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
14641
Views
0
Helpful
9
Replies

radius-server source-ports 1645-1646

virenderj
Level 1
Level 1

I am configuring TACACS Authentication on Cisco 3550

switch .It has Version 12.2(25)SEA IOS image.

A strange thing is happening, whenver I am enabling

AAA new-model on this switch, and then after enabling

I see ruuning-config . It shows me this

tacacs-server host x.x.x.x

tacacs-server host x.x.x.x

no tacacs-server directed-request

tacacs-server key 7 xxxxxx

radius-server source-ports 1645-1646

* included here to hide the specific informations

I dint specified any RADIUS server , why it is showing

me radius-server source-ports 1645-1646 after enabling

AAA New-Model

As soon as i give "no aaa new-model", this parameter

also vanishes. I think this is the only reason I am not able to do tacacs

authentication. Please help !!!!

-Thanks

9 Replies 9

Both of the links that Peter posted are interesting and helpful. I would like to take a slightly different approach in answering your question.

In every version of IOS there are certain commands that get inserted into running-config when a particular feature is activated. It looks like in your version the radius-server source-ports is one of those commands. I do not think it is anything that you should be concerned about.

And I do not believe that having the radius-server source-ports command would prevent TACACS from working. I believe that there is likely to be some fault in your configuration. If you would post the aaa parts of the config then maybe we could see what the problem is.

In my experience configuring aaa some of the common problems include not correctly identifying the TACACS server, not having exactly the same key configured on the Cisco device and the TACACS server, not having connectivity to the TACACS server (can the Cisco device ping the server, and can the server ping the device), or errors in the authentication or authorization prameters specified.

Post some information and we will see what we can do.

HTH

Rick

HTH

Rick

Here is the aaa part of my running config---

aaa new-model

aaa authentication login default group tacacs+ line

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

tacacs-server host x.x.x.x

tacacs-server host x.x.x.x

no tacacs-server directed-request

tacacs-server key 7 *******

radius-server source-ports 1645-1646

!

control-plane

line vty 0 4

password 7 ************

transport input telnet

Please let me know if any other info is required

-Thanks

I do not see any obvious issues in the aaa part of the config, so some additional info is required.

Can you ping from the device to the server(s)?

Can the server(s) ping to the device?

When you attempt to login to the device are you on the console or via telnet?

When you attempt to login to the device do you get a prompt? If so what does the prompt say?

When you attempt to login to the device does the server see an authentication request? You should see some entry in the Failed Attempts report. If there is an entry in the Failed Attempts report what does it indicate is the error code?

It might be helpful to turn on debug tacacs authentication, attempt to login to the device, capture any debug output, and post the output.

HTH

Rick

HTH

Rick

This Switch just works fine except for tacacs, it is acting as a DHCP server too. it is well into production also. Everything works fine on this switch. I can telnet into device from remote network. I usually connect it thru telnet. I have configured a line password for telnet, So when TACACS does not works it prompts for line password for authentication as u can c in aaa config "aaa authentication login default group tacacs+ line "

I had a look into TACACS server , it do not have any falied attempt log for this switch.

What to do now ??

There are a couple of things that I suggest.

First verify that the configuration of tacacs server in the switch is correct.

Second verify that there is correct IP connectivity between the switch and the TACACS server (can the switch ping the tacacs server address, and can the tacacs server ping the switch address)?

If the switch configuration of the server is correct and there is ip connectivity, then I would suggest running debug tacacs authentication and post the output.

HTH

Rick

HTH

Rick

david.mitchell
Level 1
Level 1

Did we ever get a resolution for this one as I am having the same issue.

I have many switches, all authenticating to TACACS bu a new switch that I have added in wont authenticate and I have to login via SSH using the fallback local logins.

I have double checked all my config for AAA and VTY on the switch (6509) and it is identical to the working switch. The only difference being they are on different but similar IOS.

Nothing hitting the ACS logs on the immediate ACS or the Master ACS.

I have debugged aaa authentication and then attemted login using a second SSH session and the output shows that the login promp is being displayed then I enter the password and no further dubug output occurs.

I have Firewalls but they are currently allowing the management subnet through and the working switch is inthe same subnet.

ACS setup on the server is also identical and I have forced replication to the loacl ACS server on-site.

No ACLs preventing anything on the switch

Any help would be much appreciated

False alarm, the attempts were hitting th logs, I just wasn't seeing them at the topof the list as I would have expected due to the hundreds of other entries being added every second, therefore pushed the results I was expecting to see at the top off the page.

Once I could see the log entry I could see a key mismatch.  Went back to the Master ACS and realised I had an addition space at the end of my authentication key.

Removed the space, forced replication and DISCO

Hope this helps any others possible over looking the obvious

Thanks

David

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: