08-28-2013 11:53 AM - edited 03-10-2019 08:49 PM
Hi,
I have started preparing for my CCNA Security, and I was trying to configure AAA using ACS 4.2 on Windows Server 2003.
I have configured the router to use AAA authentication with ACS server based on the cbtnuggets lab.
I have verified the reachability from ACS server to client router and vice versa and the configuration also.
The problem is I am not able to authenticate using the ACS server; the router is using local authentication and I don't know why the router is not communicating with the ACS server.
Please help.
My router's AAA configuration.
===============================================
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login MY_OWN group tacacs+ local
aaa authorization exec default local
tacacs-server host 192.168.1.25 single-connection key ciscoacs --> (192.168.1.25 is ACS server, the key configured on ACS server is also ciscoacs)
line vty 0 4
login authentication MY_OWN
================================================
I have created a user on the ACS server, and I believe that when I telnet to this router I should use the username and password configured on the ACS server.
When I try using it, authentication fails. Moreover, if the router is accepting locally configured user details, then I think there is no communication between the router and the ACS server; otherwise TACACS+ would be used for authentication, and only if there is no communication between the router and the ACS server should it fall back to the local user.
Please help me out.
08-28-2013 12:47 PM
Could you please get the following debugs from the router.
debug tacacs
debug aaa authentication
Also, remove the single-connection from the below listed command for now.
tacacs-server host 192.168.1.25 single-connection key ciscoacs
~BR
Jatin Katyal
**Do rate helpful posts**
08-29-2013 12:29 AM
The authorization part I think needs to be modified.
(aaa authorization exec default local) ---> this needs to be replaced with
aaa authorization exec MY_OWN group tacacs+
You need to verify from the ACS side also, in the failed attempts and passed authentication reports, where the user appears and, if failing, what the reason for the failure is.
Let us know your TACACS+ config on the ACS. You need to allow the shell profile to level 15.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
08-29-2013 12:42 AM
Hello Syed,
As suggested by Jatin you need to debug tacacs and aaa authentication, and moreover you can try to authenticate with the test command, which is:
and you can also go through the following link, which might be helpful to you:
08-29-2013 06:25 AM
This is what I see in the debugs
no tacacs servers defined in group "tacacs+"
Could you please attach the "show run" from the router.
Also, make sure TACACS TCP port 49 is open between the ACS and the router.
You may check the same by running the below listed command from the router
telnet 192.168.1.25 49
~BR
Jatin Katyal
**Do rate helpful posts**
08-29-2013 06:30 AM
Below is the TACACS config.
R1#
R1#
R1#sh run | in tacacs
aaa authentication login default group tacacs+ local
aaa authentication login MY_OWN group tacacs+ local
aaa authorization exec MY_OWN group tacacs+
ip tacacs source-interface FastEthernet0/0
tacacs-server host 192.168.1.25 key ciscoacs
R1#
08-29-2013 07:09 AM
Dear Jatin,
Actually I had modified my configuration while removing single-connection; that's why the debug was showing no TACACS server.
Find below the debug results after configuring the TACACS server.
*Mar 1 00:15:19.091: AAA/BIND(00000004): Bind i/f
*Mar 1 00:15:19.103: AAA/AUTHEN/LOGIN (00000004): Pick method list 'MY_OWN'
*Mar 1 00:15:19.119: TPLUS: Queuing AAA Authentication request 4 for processing
*Mar 1 00:15:19.123: TPLUS: processing authentication start request id 4
*Mar 1 00:15:19.127: TPLUS: Authentication start packet created for 4()
*Mar 1 00:15:19.131: TPLUS: Using server 192.168.1.25
*Mar 1 00:15:19.143: TPLUS(00000004)/0/NB_WAIT/66DF2270: Started 5 sec timeout
*Mar 1 00:15:19.239: TPLUS(00000004)/0/NB_WAIT: socket event 2
*Mar 1 00:15:19.243: TPLUS(00000004)/0/NB_WAIT: wrote entire 37 bytes request
*Mar 1 00:15:19.247: TPLUS(00000004)/0/READ: socket event 1
*Mar 1 00:15:19.251: TPLUS(00000004)/0/READ: Would block while reading
*Mar 1 00:15:19.343: TPLUS(00000004)/0/READ: socket event 1
*Mar 1 00:15:19.343: TPLUS(00000004)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*Mar 1 00:15:19.347: TPLUS(00000004)/0/READ: socket event 1
*Mar 1 00:15:19.351: TPLUS(00000004)/0/READ: read entire 18 bytes response
*Mar 1 00:15:19.351: TPLUS(00000004)/0/66DF2270: Processing the reply packet
*Mar 1 00:15:19.355: TPLUS: received bad AUTHEN packet: length = 6, expected 38363
*Mar 1 00:15:19.359: TPLUS: Invalid AUTHEN packet (check keys).
*Mar 1 00:15:19.359: TPLUS(00000004)/0/REQ_WAIT/66DF2270: timed out
*Mar 1 00:15:19.363: TPLUS: Authentication start packet created for 4()
*Mar 1 00:15:19.367: TPLUS(00000004)/0/REQ_WAIT/66DF2270: timed out, clean up
*Mar 1 00:15:19.371: TPLUS(00000004)/0/66DF2270: Processing the reply packet
R1#
R1#
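The debug above is the router-side signature of a shared-key mismatch: the TACACS+ header (12 bytes) is sent in the clear, but the body is XORed with an MD5 pseudo-pad derived from the session id, the key, the version and the sequence number (RFC 8907 section 4.5). With the wrong key the 6-byte REPLY body decodes to garbage, so the two 16-bit length fields inside it no longer add up to the header length, and IOS reports "bad AUTHEN packet: length = 6, expected 38363 ... (check keys)". The Python below is an added example written for this thread, not code from the poster, Cisco or ACS; it builds an AUTHEN REPLY with the key from the thread (ciscoacs) and a constructed session id, then decodes it with the right key and with a key that differs only in case:

```python
"""Why a TACACS+ shared-key mismatch surfaces as a nonsense length.

Added example (not from the thread): minimal TACACS+ AUTHEN REPLY
builder/parser following the RFC 8907 header layout and MD5 body
obfuscation. Session id and messages below are constructed values.
"""
import hashlib
import struct

HEADER_FMT = "!BBBBII"                    # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes, as in "read entire 12 header bytes"
TAC_PLUS_VER = 0xC0                       # major 0xC, minor 0 -> "ver=192" in the debug
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
REPLY_FIXED_FMT = "!BBHH"                 # status, flags, server_msg_len, data_len
REPLY_FIXED_LEN = struct.calcsize(REPLY_FIXED_FMT)  # 6 bytes
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: pad_1 = MD5(session_id|key|version|seq_no),
    pad_n = MD5(session_id|key|version|seq_no|pad_n-1), concatenated."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscate or de-obfuscate a body (XOR is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_reply(session_id: int, key: bytes, seq_no: int, status: int,
                       server_msg: bytes = b"", data: bytes = b"",
                       unencrypted: bool = False) -> bytes:
    """Server side: fixed fields + variable fields, then the body is obfuscated."""
    body = struct.pack(REPLY_FIXED_FMT, status, 0, len(server_msg), len(data)) + server_msg + data
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    header = struct.pack(HEADER_FMT, TAC_PLUS_VER, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    if unencrypted:
        return header + body
    return header + xor_body(body, session_id, key, TAC_PLUS_VER, seq_no)


def parse_authen_reply(packet: bytes, key: bytes):
    """Client side: trust the cleartext header length, decode the body, then
    require the inner lengths to agree with it. A key mismatch fails here."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError(f"not an AUTHEN packet: type={ptype}")
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError(f"truncated body: got {len(body)}, header says {length}")
    if length < REPLY_FIXED_LEN:
        raise ValueError(f"body too short for a REPLY: {length}")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        clear = body                       # lab-only mode, no key involved
    else:
        clear = xor_body(body, session_id, key, version, seq_no)
    status, _rflags, msg_len, data_len = struct.unpack(REPLY_FIXED_FMT, clear[:REPLY_FIXED_LEN])
    expected = REPLY_FIXED_LEN + msg_len + data_len
    if expected != length:
        # Same wording IOS uses; with a wrong key msg_len/data_len are random 16-bit values.
        raise ValueError(f"received bad AUTHEN packet: length = {length}, expected {expected} (check keys)")
    msg = clear[REPLY_FIXED_LEN:REPLY_FIXED_LEN + msg_len]
    return status, msg, clear[REPLY_FIXED_LEN + msg_len:]


def diagnose_reply(packet: bytes, key: bytes) -> str:
    """Router-style one-line verdict for a reply decoded with `key`."""
    try:
        status, msg, _ = parse_authen_reply(packet, key)
    except ValueError as exc:
        return f"TPLUS: {exc}"
    return f"TPLUS: AUTHEN reply status={status} server_msg={msg!r}"


if __name__ == "__main__":
    session_id = 0x66DF2270                      # constructed, not a real session
    reply = build_authen_reply(session_id, b"ciscoacs", seq_no=2,
                               status=TAC_PLUS_AUTHEN_STATUS_FAIL)
    print(len(reply), "bytes on the wire")       # 18 = 12 header + 6 body, as in the debug
    print(diagnose_reply(reply, b"ciscoacs"))    # decodes cleanly
    print(diagnose_reply(reply, b"ciscoACS"))    # case differs: "(check keys)"
```

Because the header is readable without the key, the router can still log the server address and the 12-byte header, so the connection itself looks healthy right up to "Processing the reply packet"; only the decoded body exposes the mismatch. The same thing happens in the other direction, which is why ACS records the START packet under Failed Attempts as a key mismatch. Trailing whitespace or a different case in the key on either side is enough to trigger it.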
08-29-2013 05:51 AM
Hi all,
Thank you for your responses.
As advised I have removed single-connection and configured aaa authorization exec MY_OWN group tacacs+.
On ACS I have configured TACACS as the protocol and given the user a shell with level 15 privileges.
How can I verify from the ACS side the failed attempts and passed authentication?
Below are the requested outputs.
R1#
R1#debu
R1#debug tacac
R1#debug tacacs
TACACS access control debugging is on
R1#debu
R1#debug aaa authen
R1#debug aaa authentication
AAA Authentication debugging is on
R1#
R1#
*Mar 1 00:08:30.855: AAA/BIND(00000005): Bind i/f
*Mar 1 00:08:30.867: AAA/AUTHEN/LOGIN (00000005): Pick method list 'MY_OWN'
*Mar 1 00:08:30.883: TPLUS: Queuing AAA Authentication request 5 for processing
*Mar 1 00:08:30.891: TPLUS: processing authentication start request id 5
*Mar 1 00:08:30.895: TPLUS: Authentication start packet created for 5()
R1#
*Mar 1 00:08:43.391: AAA/AUTHEN/LOGIN (00000005): Pick method list 'MY_OWN'
*Mar 1 00:08:43.395: TPLUS: Queuing AAA Authentication request 5 for processing
*Mar 1 00:08:43.403: TPLUS: processing authentication start request id 5
*Mar 1 00:08:43.407: TPLUS: Authentication start packet created for 5()
R1#
*Mar 1 00:09:01.675: AAA/BIND(00000006): Bind i/f
*Mar 1 00:09:01.687: AAA/AUTHEN/LOGIN (00000006): Pick method list 'MY_OWN'
*Mar 1 00:09:01.703: TPLUS: Queuing AAA Authentication request 6 for processing
*Mar 1 00:09:01.715: TPLUS: processing authentication start request id 6
*Mar 1 00:09:01.719: TPLUS: Authentication start packet created for 6()
R1#
*Mar 1 00:09:14.403: AAA/AUTHEN/LOGIN (00000006): Pick method list 'MY_OWN'
*Mar 1 00:09:14.411: TPLUS: Queuing AAA Authentication request 6 for processing
*Mar 1 00:09:14.419: TPLUS: processing authentication start request id 6
*Mar 1 00:09:14.419: TPLUS: Authentication start packet created for 6()
R1#
Nothing happens after this, authentication fails.
R1#test aaa group tacacs+ uid pwd legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.
R1#
*Mar 1 00:13:10.431: AAA: parse name=
*Mar 1 00:13:10.435: AAA/MEMORY: create_user (0x66B2E600) user='uid' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
*Mar 1 00:13:10.439: TAC+: send AUTHEN/START packet ver=192 id=1729942639
*Mar 1 00:13:10.443: TAC+: no tacacs servers defined in group "tacacs+"
*Mar 1 00:13:10.447: AAA/MEMORY: free_user (0x66B2E600) user='uid' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
R1#
R1#
08-29-2013 06:41 AM
reports and activity --> passed authentication
reports and activity --> failed attempts
Rating useful replies is more useful than saying "Thank you"
08-29-2013 07:11 AM
Dear Amjad,
Thank you for guiding me on how to check the logs in the ACS server.
When I checked the failed attempts it shows key mismatch, but I am sure that I have configured the same keys on the router and server.
I don't know why I am getting this "key mismatch".
08-29-2013 07:35 AM
Dear Amjad,
Kindly help out in deleting an AAA server from ACS.
I don't find any option to delete the AAA server (I believe this might solve my problem).
08-29-2013 07:21 AM
Just to be sure, I have reconfigured the keys both on ACS and on the router, but still the same error in the debug.
How do I proceed from here?
08-29-2013 07:38 AM
Make sure you have the same key on the AAA client and on the Network Device Group the router is a part of.
~BR
Jatin Katyal
**Do rate helpful posts**