ACS config

ppellettiere
Level 1

I have a pair of ACS Servers setup. I can setup my 3750's to authenticate to the servers, however I can't get my 6500's to. This is the output from my debugs.

001589: Sep 14 15:16:54: TAC+: Using default tacacs server-group "tacacs+" list.

001590: Sep 14 15:16:54: TAC+: Opening TCP/IP to 10.36.11.30/49 timeout=5

001591: Sep 14 15:16:54: TAC+: Opened TCP/IP handle 0x4525CEF8 to 10.36.11.30/49

001592: Sep 14 15:16:54: TAC+: 10.36.11.30 (1985811061) AUTHEN/START/LOGIN/ASCII queued

001593: Sep 14 15:16:54: TAC+: (1985811061) AUTHEN/START/LOGIN/ASCII processed

001594: Sep 14 15:16:54: TAC+: received bad AUTHEN packet: type = 0, expected 1

001595: Sep 14 15:16:54: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys)

I have checked the config several times. I believe it is correct. Any idea? HELP!

18 Replies

rusekj
Level 1

I can send you configs I use that work. Do you need the router IOS side or the switch SET commands side? jay.rusek@ps.net

Jay,

We need Router IOS.

Thanks very much!

Pete

Looking at the last error message I get the feeling that you need to check carefully to verify that you have configured the same key on both devices.

001595: Sep 14 15:16:54: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys)

I have received this error message before and it was in fact an issue with mismatched keys.

HTH

Rick


Rick,

I did check the keys and I reset them. I know they match. I do have 3750's running with the same setup, and they work.

Pete

Pete

If you are sure that the key on the 6500 is the same as the key defined on the tacacs server for that device then we will look for other explanations.

Do the logs on 10.36.11.30 show the incoming request and how the server responded?

HTH

Rick


nkhwaja
Level 1

I have exactly the same problem with two 6509s with IOS 12.2(17d)SXB10. Were you able to resolve this?

If you have the same problem, then I would ask you most of the same questions.

- would you verify that the key value used on the 6500 is exactly the same as the key value used in the authentication server?

- are there log messages on the authentication server? Does the server see the authentication request? and if it does see the request, how does the authentication server think that it responded?

HTH

Rick


All,

The problem was resolved by adding this command

"ip tacacs source-interface Loopback0"

Since I have many segments on the 6500 I had to specify the Loopback as the interface to use.

Sorry I didn't post this sooner.

Pete

Pete

Thanks for posting back to the forum. I am glad to know that we were able to help. It is useful to know that an issue was resolved and what was done to solve the problem.

I believe that this is a fairly common potential problem when a router has more than one interface that could send the request to TACACS. Unless you do specify the source interface the router will default to using the IP of the outbound interface as the source address in the TACACS request. Since ACS/TACACS can specify only a single address for a requestor the router needs to use the same source address for every request. You found the optimum solution for this situation.

People reading this forum should pay attention to this potential problem and how to resolve it as Pete has discovered.

HTH

Rick

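Added example, not from the thread: a small Python model of the two failure modes Rick describes in the replies above, a shared key that the server and the router disagree on, and a request that arrives from a source address the server has no client entry for. It implements the TACACS+ body obfuscation of RFC 8907 section 4.5 (a chained MD5 over session id, shared key, version and sequence number) and builds an AUTHEN REPLY the way a server would, then parses it the way the router would. The client table, the addresses, the key values and the log-style strings are constructed for the example; the session id is the one printed in the debug at the top of the thread.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907 section 4.1): version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
VERSION = 0xC0                      # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01  # REPLY status values
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02


def pseudo_pad(session_id, key, version, seq_no, length):
    """Key stream from RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; calling it again with the same key reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_reply(session_id, seq_no, key, status, server_msg=b""):
    """Server side: AUTHEN REPLY body is status, flags, server_msg_len, data_len, server_msg."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    header = HEADER.pack(VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_authen_reply(packet, key):
    """Router side: decode the REPLY with its own key and sanity-check the decoded fields."""
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("received bad packet: type = %d, expected %d" % (ptype, TAC_PLUS_AUTHEN))
    body = obfuscate(packet[HEADER.size:HEADER.size + length], session_id, key, version, seq_no)
    status, _rflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    # A wrong key turns the body into noise, so the embedded lengths no longer add up.
    if 6 + msg_len + data_len != length:
        raise ValueError("Invalid AUTHEN REPLY packet (check keys)")
    return status, body[6:6 + msg_len]


# Constructed ACS-style client table: the server picks the shared key by the request's
# source IP, which is why the router must use one stable source address (ip tacacs source-interface).
NAS_TABLE = {
    "10.36.11.1": b"tacacs-key-6500",   # assumed Loopback0 address of the 6500
    "10.36.12.5": b"tacacs-key-3750",   # assumed address of a 3750
}

DEBUG_SESSION_ID = 1985811061  # session id from the debug output at the top of the thread


def login_exchange(source_ip, router_key, session_id=DEBUG_SESSION_ID, seq_no=2):
    """Simulate one REPLY from server to router and report what each side concludes."""
    server_key = NAS_TABLE.get(source_ip)
    if server_key is None:
        # Constructed wording, modelled on the 'Bad request from NAS' log line quoted later in the thread
        return "server: Bad request from NAS (unknown client address %s)" % source_ip
    reply = build_authen_reply(session_id, seq_no, server_key,
                               TAC_PLUS_AUTHEN_STATUS_PASS, b"Login OK")
    try:
        status, msg = parse_authen_reply(reply, router_key)
    except ValueError as err:
        return "router: %s" % err
    return "router: status=%d msg=%s" % (status, msg.decode())


if __name__ == "__main__":
    print(login_exchange("10.36.11.1", b"tacacs-key-6500"))   # keys match
    print(login_exchange("10.36.11.1", b"tacacs-key-650O"))   # one character wrong in the key
    print(login_exchange("10.36.13.1", b"tacacs-key-6500"))   # sent from an interface the server does not know
```

The third call is the source-interface case: the key is right, but because the packet left a different interface the server cannot even find a client entry, so no key comparison happens at all. The second call is the one the "check keys" debug corresponds to: the header is fine, only the obfuscated body fails to decode into something self-consistent.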

I substituted vlan1 in the command since there's no loopback0, and it does not work. Any clues? Here is my complete tacacs config. Can you please post your tacacs config?

aaa authentication login default group tacacs+ line enable none

aaa authentication login no_tacacs line none

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

ip tacacs source-interface Vlan1

tacacs-server host 10.177.x.x

tacacs-server timeout 20

tacacs-server directed-request

tacacs-server key 7 xxxxx

Appreciate your help.

I have looked at the part of the config that you posted and I do not see any obvious errors. I do notice the line that specifies:

aaa authentication login no_tacacs line none

and I wonder how you have applied the no_tacacs method of authentication.

I would suggest several things you can do to help troubleshoot this problem.

- you have specified that the switch MSFC use the IP address of VLAN 1 as the source address of its TACACS packets. Can you verify that the TACACS server is configured to process this device at that address?

- can you verify that the key defined on the switch MSFC matches the key defined on the TACACS server?

- can you verify IP connectivity between the switch MSFC and the TACACS server by doing an extended ping on the MSFC? In the extended ping specify the TACACS server as the destination and specify VLAN 1 as the source address.

- can you look in the logs on the TACACS server and verify whether the server sees the authentication request? And if it sees the authentication request how does it think that it responded? (This is perhaps the most crucial part of the troubleshooting procedure that I am suggesting).

If you can do these things we may be much closer to being able to identify the source of your problem.

HTH

Rick


To quote you: "Can you verify that the TACACS server is configured to process this device at that address?"

- How do I do that? I did not think I needed such config. No other switch required such config.

- Key is correct, and is the same as in other switches where it works.

- tacacs server is reachable through extended ping with source address of vlan1.

- tacacs server 'failed attempts log' has two lines for each attempt:

Bad request from NAS

Authen failed Key Mismatch

- What does 'bad request' mean?

- Debug messages point to invalid length of packets.

- the debug shows the messages same as posted in the first message of this conversation.

- This is only happening with my two 6509s that have IOS: s72033-pk9sv-mz.122-17d.SXB10

I fixed it !!

tacacs-server key key-value

fixes it. Key-value = '7 encrypted-value' did not work. What works is: key-value = unencrypted value without a 0 before it.

I am glad that you fixed the problem. Mismatched key between the MSFC and the server was one of the possibilities that I pointed out.

If your config had key 7 encrypted-value and you fixed it by entering the key as clear-text, would I be correct in assuming that you did a cut and paste from a router that was working to these MSFC?

HTH

Rick

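Added example, not part of the thread: a Python helper for checking what a pasted "tacacs-server key 7 ..." line actually decodes to before concluding that the keys match, which is the cut-and-paste situation Rick asks about. Type 7 is the reversible obfuscation IOS applies under service password-encryption; the translation string is the well-known fixed constant, and the decode below is checked against the standard "0822455D0A16" = "cisco" example. The config lines and key values in the example are constructed. The script only tells you what a type 7 string contains; it does not explain why the 6509 in the thread rejected that form and accepted clear text.

```python
# Cisco type 7 is a fixed-key XOR, not encryption: anyone with the string recovers the key.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded):
    """Decode '0822455D0A16' (or '7 0822455D0A16') to the clear-text key as bytes.

    The first two decimal digits are the starting offset into XLAT, the rest is hex.
    """
    encoded = encoded.split()[-1]
    if len(encoded) < 4 or len(encoded) % 2 != 0 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string: %r" % encoded)
    offset = int(encoded[:2])
    raw = bytes.fromhex(encoded[2:])          # raises ValueError on non-hex input
    return bytes(c ^ XLAT[(offset + i) % len(XLAT)] for i, c in enumerate(raw))


def encode_type7(plaintext, offset=8):
    """Inverse of decode_type7, to produce a string you know decodes to the intended key."""
    if not 0 <= offset < len(XLAT):
        raise ValueError("offset out of range")
    body = bytes(c ^ XLAT[(offset + i) % len(XLAT)] for i, c in enumerate(plaintext))
    return "%02d%s" % (offset, body.hex().upper())


def key_from_config_line(line):
    """Return the clear-text key from an IOS 'tacacs-server key [0|7] <value>' line.

    '7 <hex>' is decoded, '0 <text>' is taken literally, and a bare value is taken as typed.
    A clear-text key that itself starts with '7 ' is ambiguous here, exactly as it is in IOS,
    which is why the '0' prefix exists.
    """
    tokens = line.split()
    if tokens[:2] != ["tacacs-server", "key"] or len(tokens) < 3:
        raise ValueError("not a tacacs-server key line: %r" % line)
    rest = tokens[2:]
    if len(rest) == 2 and rest[0] == "7":
        return decode_type7(rest[1])
    if len(rest) == 2 and rest[0] == "0":
        return rest[1].encode()
    return " ".join(rest).encode()


def keys_match(device_line, server_key):
    """True when the key in the device config line equals the server's clear-text key."""
    return key_from_config_line(device_line) == server_key.encode()


if __name__ == "__main__":
    # Constructed config lines: a working router's type 7 line pasted into a second device
    pasted = "tacacs-server key 7 " + encode_type7(b"tacacs-key-6500", offset=11)
    print(pasted, "->", decode_type7(pasted.split()[-1]))
    print("matches server:", keys_match(pasted, "tacacs-key-6500"))
    print("matches server:", keys_match("tacacs-server key tacacs-key-650O", "tacacs-key-6500"))
```

If the decoded value matches what the server holds, the key text itself is not the problem and the difference must be in how the device parses or stores that line; if it does not, you have found the mismatch without ever typing the key in clear on a shared console.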