ACS 4.2 unable to receive junos-exec service

ivantansh
Level 1

I've performed the steps exactly following the guide by Cisco (http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080af7d1d.shtml) to allow Junos-based TACACS+ authorization, but I'm strangely getting the 'service denied' problem in my ACS.  I definitely have the custom service called 'junos-exec' in my ACS 4.2 for Windows.  I'm trying to allow my Juniper EX switch to perform authentication (working fine) and authorization with the ACS.

09/09/2010,15:51:33,Author failed,test1,Default Group,10.8.100.77,(Default),,Service denied,service=junos-exec,ttyp0,10.8.100.31,,,,,,DF3-DC-SF-RC,,1,winlab,,,,test1,,No,

I will monitor this thread till it is resolved, thanks in advance for any help or advice!

Ivan

1 Accepted Solution

Accepted Solutions

Yudong Wu
Level 7

Can you check the TCS log to see if Juniper box sent back "protocol=tacacs+"?

If not, you can try to remove "tacacs+" under the protocol in the step 2 of the link which you mentioned. Or check with Juniper to see if they can send "protocol=tacacs+".


5 Replies


Hi Yudong,

It doesn't seem to have sent back the protocol=tacacs+ line.  I will try to remove the tacacs+ as you mentioned when I get access to the juniper switch again.  Looking at the log, should the METHOD be equals to TACACS+ as well?

Thank you for your response and suggestion!

Ivan

________________

TCS 09/09/2010 15:58:28 I 0043 3952 0x0 <<< RECEIVED FROM CLIENT:DF3-DC-SF-RC TYPE=AUTHOR, SEQ=1, FLAGS=1
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 SESSIONID 84060054 (0x502a796), DATALEN 48 (0x30)
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 type=AUTHOR, priv_lvl=1, authen=1
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 METHOD=none
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 SVC=0 USER_LEN=5 PORT_LEN=5 REM_ADDR_LEN=11 ARG_CNT=1
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 USER=test1
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 PORT=ttyp0
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 REM_ADDR=10.8.100.77
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 arg[0](size=18)=service=junos-exec
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 END >>>
TCS 09/09/2010 15:58:28 I 0688 4024 0x4 Single Connect thread 0 allocated work
TCS 09/09/2010 15:58:28 I 0143 4024 0x4 Author Data: test1ttyp010.8.100.77service=junos-exec....H...o...p........
TCS 09/09/2010 15:58:28 I 0163 4024 0x4 -- Extracted service info
TCS 09/09/2010 15:58:28 I 0189 4024 0x4 -- Checked NARs
TCS 09/09/2010 15:58:28 I 0199 4024 0x4 -- Set up Reqs:
TCS 09/09/2010 15:58:28 I 0209 4024 0x4 -- Got Profiles
TCS 09/09/2010 15:58:28 I 0261 4024 0x4 -- executed
TCS 09/09/2010 15:58:28 I 0263 4024 0x4 -- command set clean done
TCS 09/09/2010 15:58:28 I 0265 4024 0x4 -- NDG release done
TCS 09/09/2010 15:58:28 I 0043 4024 0x4 <<< PACKET TO CLIENT:DF3-DC-SF-RC TYPE:AUTHOR/FAIL, SEQ 2, FLAGS 1
TCS 09/09/2010 15:58:28 I 0043 4024 0x4 SESSIONID 84060054 (0x502a796), DATALEN 6 (0x6)
TCS 09/09/2010 15:58:28 I 0043 4024 0x4 type=AUTHOR/REPLY status=16 (AUTHOR/FAIL)
TCS 09/09/2010 15:58:28 I 0043 4024 0x4 msg_len=0, data_len=0 arg_cnt=0
TCS 09/09/2010 15:58:28 I 0043 4024 0x4 End >>>

______________

I am not sure if Cisco ACS will check the "METHOD" parameter. Since ACS is configured with both the service name "junos-exec" and the service protocol "tacacs+", if the Juniper box does not return "protocol=tacacs+", it might cause failed authorization.

Hi Yudong,

Your suggestion was spot on.  I removed the tacacs+ as you mentioned, ensured the user/group has a new Junos-exec only service without the tacacs+, restarted acs service and it worked.

Before that, I tested using tactest and entered junos-exec and tacacs+ as the argument and it worked too.

Thank you so much for your accurate assistance!

Ivan
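The mismatch Yudong describes can be checked mechanically. The script below is an added example, not code from this thread or from Cisco: it pulls the attribute-value pairs out of the `arg[n]` lines of the TCS AUTHOR request quoted above and tests them against a custom-service definition with and without a protocol. The `service_matches` rule is my model of the behaviour observed in the thread (service must match, and protocol must match only when one is configured), not ACS's actual matching code.

```python
import re
from typing import Dict, Optional

# Constructed sample: the AUTHOR request lines from the TCS log above (abridged).
TCS_LOG = """\
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 <<< RECEIVED FROM CLIENT:DF3-DC-SF-RC TYPE=AUTHOR, SEQ=1, FLAGS=1
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 METHOD=none
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 SVC=0 USER_LEN=5 PORT_LEN=5 REM_ADDR_LEN=11 ARG_CNT=1
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 arg[0](size=18)=service=junos-exec
TCS 09/09/2010 15:58:28 I 0043 3952 0x0 END >>>
"""

# TACACS+ separates attribute and value with '=' (mandatory) or '*' (optional);
# both separators are accepted here.
ARG_RE = re.compile(r"arg\[\d+\]\(size=\d+\)=(?P<attr>[^=*]+)[=*](?P<val>.*)$")


def author_args(log_text: str) -> Dict[str, str]:
    """Collect the attribute-value pairs of the AUTHOR request from TCS log lines."""
    args: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = ARG_RE.search(line)
        if m:
            args[m.group("attr")] = m.group("val")
    return args


def service_matches(args: Dict[str, str], service: str, protocol: Optional[str] = None) -> bool:
    """Model (assumption, not ACS code) of the custom-service match: the request must
    carry service=<service> and, if the service was defined with a protocol,
    protocol=<protocol> as well."""
    if args.get("service") != service:
        return False
    if protocol is not None and args.get("protocol") != protocol:
        return False
    return True


if __name__ == "__main__":
    request = author_args(TCS_LOG)
    print("AV pairs sent by the switch:", request)
    # Definition from the Cisco guide (service junos-exec, protocol tacacs+): denied.
    print("with protocol tacacs+ :", service_matches(request, "junos-exec", "tacacs+"))
    # Definition with the protocol removed, as in the accepted solution: permitted.
    print("without protocol      :", service_matches(request, "junos-exec"))
```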

Hi,

I am facing the same issue. Can someone guide me what changes are required in ACS and the Juniper device?

Thanks in advance.

Regards,

Manish Daryani
