09-14-2005 12:50 PM
I have a pair of ACS Servers set up. I can set up my 3750's to authenticate to the servers, however I can't get my 6500's to. This is the output from my debugs.
001589: Sep 14 15:16:54: TAC+: Using default tacacs server-group "tacacs+" list.
001590: Sep 14 15:16:54: TAC+: Opening TCP/IP to 10.36.11.30/49 timeout=5
001591: Sep 14 15:16:54: TAC+: Opened TCP/IP handle 0x4525CEF8 to 10.36.11.30/49
001592: Sep 14 15:16:54: TAC+: 10.36.11.30 (1985811061) AUTHEN/START/LOGIN/ASCII queued
001593: Sep 14 15:16:54: TAC+: (1985811061) AUTHEN/START/LOGIN/ASCII processed
001594: Sep 14 15:16:54: TAC+: received bad AUTHEN packet: type = 0, expected 1
001595: Sep 14 15:16:54: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys)
I have checked the config several times. I believe it is correct. Any idea? HELP!
09-15-2005 05:48 AM
I can send u configs I use that work. Do u need the Router IOS side or Switch SET cmds side. jay.rusek@ps.net
09-15-2005 07:03 AM
Jay,
We need Router IOS.
Thanks very much!
Pete
09-15-2005 09:21 AM
Looking at the last error message I get the feeling that you need to check carefully to verify that you have configured the same key on both devices.
001595: Sep 14 15:16:54: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys)
I have received this error message before and it was in fact an issue with mismatched keys.
HTH
Rick
09-15-2005 12:18 PM
Rick,
I did check the keys and I reset them. I know they match. I do have 3750's running with the same setup, and they work.
Pete
09-15-2005 06:03 PM
Pete
If you are sure that the key on the 6500 is the same as the key defined on the tacacs server for that device then we will look for other explanations.
Do the logs on 10.36.11.30 show the incoming request and how the server responded?
HTH
Rick
12-08-2005 08:38 AM
I have exactly the same problem with two 6509s with IOS 12.2(17d)SXB10. Were you able to resolve this?
12-10-2005 10:15 AM
If you have the same problem, then I would ask you most of the same questions.
- would you verify that the key value used on the 6500 is exactly the same as the key value used in the authentication server?
- are there log messages on the authentication server? Does the server see the authentication request? And if it does see the request, how does the authentication server think that it responded?
HTH
Rick
12-11-2005 06:41 AM
All,
The problem was resolved by adding this command
"ip tacacs source-interface Loopback0"
Since I have many segments on the 6500 I had to specify the Loopback as the interface to use.
Sorry I didn't post this sooner.
Pete
12-11-2005 01:26 PM
Pete
Thanks for posting back to the forum. I am glad to know that we were able to help. It is useful to know that an issue was resolved and what was done to solve the problem.
I believe that this is a fairly common potential problem when a router has more than one interface that could send the request to TACACS. Unless you do specify the source interface the router will default to using the IP of the outbound interface as the source address in the TACACS request. Since ACS/TACACS can specify only a single address for a requestor the router needs to use the same source address for every request. You found the optimum solution for this situation.
People reading this forum should pay attention to this potential problem and how to resolve it as Pete has discovered.
HTH
Rick
12-12-2005 05:43 AM
I substituted vlan1 in the command since there's no loopback0, and it does not work. Any clues? Here is my complete tacacs config. Can you please post your tacacs config?
aaa authentication login default group tacacs+ line enable none
aaa authentication login no_tacacs line none
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
ip tacacs source-interface Vlan1
tacacs-server host 10.177.x.x
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key 7 xxxxx
Appreciate your help.
12-12-2005 06:12 AM
I have looked at the part of the config that you posted and I do not see any obvious errors. I do notice the line that specifies:
aaa authentication login no_tacacs line none
and I wonder how you have applied the no_tacacs method of authentication.
I would suggest several things you can do to help troubleshoot this problem.
- you have specified that the switch MSFC use the IP address of VLAN 1 as the source address of its TACACS packets. Can you verify that the TACACS server is configured to process this device at that address?
- can you verify that the key defined on the switch MSFC matches the key defined on the TACACS server?
- can you verify IP connectivity between the switch MSFC and the TACACS server by doing an extended ping on the MSFC? In the extended ping specify the TACACS server as the destination and specify VLAN 1 as the source address.
- can you look in the logs on the TACACS server and verify whether the server sees the authentication request? And if it sees the authentication request how does it think that it responded? (This is perhaps the most crucial part of the troubleshooting procedure that I am suggesting).
If you can do these things we may be much closer to being able to identify the source of your problem.
HTH
Rick
12-12-2005 06:46 AM
To quote you: "Can you verify that the TACACS server is configured to process this device at that address?"
- How do I do that? I did not think I need such config. No other switch required such config.
- Key is correct, and is the same as in other switches where it works.
- tacacs server is reachable through extended ping with source address of vlan1.
- tacacs server 'failed attempts log' has two lines for each attempt:
Bad request from NAS
Authen failed Key Mismatch
- What's 'bad request' mean?
- Debug messages point to invalid length of packets.
- the debug shows the messages same as posted in the first message of this conversation.
- This is only happening with my two 6509s that have IOS: s72033-pk9sv-mz.122-17d.SXB10
12-12-2005 07:06 AM
I fixed it !!
tacacs-server key key-value
fixes it. Key-value = '7 encrypted-value' did not work. What works is: key-value = unencrypted value without a 0 before it.
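As an added illustration (not posted by anyone in this thread), the Python below models the TACACS+ body obfuscation from RFC 8907 and an ACS-style server that picks the shared key by the request's source address. It shows why a request sourced from an interface the server does not know is logged as a bad request, and why a mismatched key turns the AUTHEN START body into garbage that fails the length and type checks seen in the debugs; the session id, user, port, addresses and keys are constructed values.

```python
"""Model of why a TACACS+ key mismatch surfaces as a garbled AUTHEN body (RFC 8907 obfuscation)."""
import hashlib
import struct

TAC_PLUS_AUTHEN_LOGIN = 0x01        # action field of an authentication START
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01   # authen_type
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01    # authen_service

def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained MD5 over session_id, key, version, seq_no (RFC 8907 section 4.5)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def xor_body(body, session_id, key, version=0xC0, seq_no=1):
    """Obfuscation and de-obfuscation are the same XOR; the 12-byte header itself is sent in clear."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(user, port, rem_addr):
    """START body: action, priv_lvl, authen_type, authen_service, four lengths, then the fields."""
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr

def parse_authen_start(body):
    """Decode a START body; the checks mirror the 'invalid length' and 'type' complaints in the debug."""
    if len(body) < 8:
        raise ValueError("short body")
    action, _priv, _atype, _svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("invalid length fields (check keys)")
    if action != TAC_PLUS_AUTHEN_LOGIN:
        raise ValueError("bad AUTHEN packet: action = %d, expected 1" % action)
    return {"user": body[8:8 + ul], "port": body[8 + ul:8 + ul + pl]}

def server_decode(wire_body, session_id, src_ip, keys_by_client):
    """Server side: the shared key is looked up by source IP, one entry per AAA client (constructed model)."""
    if src_ip not in keys_by_client:
        return "Bad request from NAS (unknown client %s)" % src_ip
    try:
        parse_authen_start(xor_body(wire_body, session_id, keys_by_client[src_ip]))
        return "ok"
    except ValueError as e:
        return "Authen failed Key Mismatch: %s" % e
```

A request that leaves a multi-segment 6500 from an address the server has no entry for fails at the lookup step, which is what `ip tacacs source-interface` pins down; a registered address with a key typed differently on the two sides fails at the decode step.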
12-12-2005 08:01 AM
I am glad that you fixed the problem. Mismatched key between the MSFC and the server was one of the possibilities that I pointed out.
If your config had key 7 encrypted-value and you fixed it by entering the key as clear-text, would I be correct in assuming that you did a cut and paste from a router that was working to these MSFC?
HTH
Rick