ACS server configuration on windows server

Hi,

I have started preparing for my CCNA Security, and I was trying to configure AAA using ACS 4.2 on Windows Server 2003.

I have configured the router to use AAA authentication with the ACS server based on the CBT Nuggets lab.

I have verified reachability from the ACS server to the client router and vice versa, and the configuration also.

The problem is I am not able to authenticate using the ACS server; the router is using local authentication and I don't know why the router is not communicating with the ACS server.

Please help.

My router's AAA configuration:

===============================================

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login MY_OWN group tacacs+ local
aaa authorization exec default local


tacacs-server host 192.168.1.25 single-connection key ciscoacs   -->   (192.168.1.25 is the ACS server; the key configured on the ACS server is also ciscoacs)

line vty 0 4
login authentication MY_OWN

================================================

I have created a user on the ACS server, and I believe that when I try to telnet to this router I should use the username and password configured on the ACS server.

When I try using it, authentication fails. Moreover, if the router is accepting locally configured user details, then I think there is no communication between the router and the ACS server; otherwise TACACS+ would be used for authentication, and only if there is no communication between the router and the ACS server should it fall back to the local user.

Please help me out.


12 Replies

Jatin Katyal
Cisco Employee

Could you please get the following debugs from the router?

debug tacacs

debug aaa authentication

Also, remove single-connection from the command listed below for now.

tacacs-server host 192.168.1.25 single-connection key ciscoacs 

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Amjad Abdullah
VIP Alumni

The authorization part, I think, needs to be modified.

(aaa authorization exec default local) ---> this needs to be replaced with

aaa authorization exec MY_OWN group tacacs+

You need to verify from the ACS side also, in Failed Attempts and Passed Authentications, where the user appears and, if failing, what the reason for the failure is.

Let us know your TACACS+ config on the ACS. You need to allow the shell profile to level 15.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

harvisin
Level 3

Hello Syed,

As suggested by Jatin, you need to debug tacacs and aaa authentication, and moreover you can try to authenticate with the test command, which is:

router# test aaa group tacacs+ uid pwd

and you can also go through the following link, which might be helpful to you:

https://supportforums.cisco.com/thread/2027835

This is what I see in the debugs:

no tacacs servers defined in group "tacacs+"

Could you please attach the "show run" from the router.

Also, make sure TACACS TCP port 49 is open between the ACS and the router.

You may check the same by running the command listed below from the router:

telnet 192.168.1.25 49

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Below is the TACACS config.

R1#sh run | in tacacs
aaa authentication login default group tacacs+ local
aaa authentication login MY_OWN group tacacs+ local
aaa authorization exec MY_OWN group tacacs+
ip tacacs source-interface FastEthernet0/0
tacacs-server host 192.168.1.25 key ciscoacs
R1#

Dear Jatin,

Actually, I had modified my configuration while removing the single-connection; that's why the debug was showing no TACACS server.

Find below the debug results after configuring the TACACS server.

*Mar  1 00:15:19.091: AAA/BIND(00000004): Bind i/f
*Mar  1 00:15:19.103: AAA/AUTHEN/LOGIN (00000004): Pick method list 'MY_OWN'
*Mar  1 00:15:19.119: TPLUS: Queuing AAA Authentication request 4 for processing
*Mar  1 00:15:19.123: TPLUS: processing authentication start request id 4
*Mar  1 00:15:19.127: TPLUS: Authentication start packet created for 4()
*Mar  1 00:15:19.131: TPLUS: Using server 192.168.1.25
*Mar  1 00:15:19.143: TPLUS(00000004)/0/NB_WAIT/66DF2270: Started 5 sec timeout
*Mar  1 00:15:19.239: TPLUS(00000004)/0/NB_WAIT: socket event 2
*Mar  1 00:15:19.243: TPLUS(00000004)/0/NB_WAIT: wrote entire 37 bytes request
*Mar  1 00:15:19.247: TPLUS(00000004)/0/READ: socket event 1
*Mar  1 00:15:19.251: TPLUS(00000004)/0/READ: Would block while reading
*Mar  1 00:15:19.343: TPLUS(00000004)/0/READ: socket event 1
*Mar  1 00:15:19.343: TPLUS(00000004)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*Mar  1 00:15:19.347: TPLUS(00000004)/0/READ: socket event 1
*Mar  1 00:15:19.351: TPLUS(00000004)/0/READ: read entire 18 bytes response
*Mar  1 00:15:19.351: TPLUS(00000004)/0/66DF2270: Processing the reply packet
*Mar  1 00:15:19.355: TPLUS: received bad AUTHEN packet: length = 6, expected 38363
*Mar  1 00:15:19.359: TPLUS: Invalid AUTHEN packet (check keys).
*Mar  1 00:15:19.359: TPLUS(00000004)/0/REQ_WAIT/66DF2270: timed out
*Mar  1 00:15:19.363: TPLUS: Authentication start packet created for 4()
*Mar  1 00:15:19.367: TPLUS(00000004)/0/REQ_WAIT/66DF2270: timed out, clean up
*Mar  1 00:15:19.371: TPLUS(00000004)/0/66DF2270: Processing the reply packet
R1#
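The pair of lines "received bad AUTHEN packet: length = 6, expected 38363" followed by "Invalid AUTHEN packet (check keys)" is what a shared-key mismatch looks like from the router's side. The TACACS+ body is obfuscated by XORing it with an MD5 keystream derived from the session id, the shared key, the version byte and the sequence number (RFC 8907, section 4.5). A reply decoded with the wrong key therefore yields garbage in the server_msg_len and data_len fields, and the body length the router derives from them no longer matches the 6-byte body announced in the 12-byte header. The Python script below is an added example, not code from the thread or from Cisco; it reuses the key ciscoacs, the version byte 0xC0 (ver=192) and the session id 1729942639 that appear in the thread, while the wrong key and the FAIL status of the reply are constructed for the demonstration.

```python
import hashlib
import struct

# Values visible in the thread: shared key "ciscoacs", session id from the
# "send AUTHEN/START packet ver=192 id=1729942639" debug line, version 0xC0.
# KEY_WRONG is a constructed value, one character off from the real key.
KEY_OK = b"ciscoacs"
KEY_WRONG = b"ciscoac5"
SESSION_ID = 1729942639
VERSION = 0xC0            # major version 0xC, minor 0 (TACACS+ v12.0)
TYPE_AUTHEN = 0x01        # authentication packet type
HEADER_LEN = 12
REPLY_MIN_LEN = 6         # status, flags, server_msg_len, data_len
STATUS_FAIL = 0x02        # TAC_PLUS_AUTHEN_STATUS_FAIL


def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained MD5 keystream from RFC 8907 section 4.5, truncated to length.

    MD5_1 = MD5(session_id | key | version | seq_no)
    MD5_n = MD5(session_id | key | version | seq_no | MD5_n-1)
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or deobfuscate: XOR with the pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_reply(status, server_msg=b"", data=b""):
    """Authentication REPLY body: status, flags, two lengths, then the strings."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def build_packet(body_clear, seq_no, key):
    """Full packet: 12-byte clear header followed by the obfuscated body."""
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, 0,
                         SESSION_ID, len(body_clear))
    return header + xor_body(body_clear, SESSION_ID, key, VERSION, seq_no)


def check_authen_reply(packet, key):
    """Do what the router does with a REPLY: strip the header, deobfuscate the
    body with *our* key, and compare the body length the header announces with
    the length implied by the decoded server_msg_len/data_len fields.
    With the wrong key the decoded fields are random, so the check fails."""
    version, ptype, seq_no, flags, session_id, body_len = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    clear = xor_body(packet[HEADER_LEN:], session_id, key, version, seq_no)
    status, rflags, msg_len, data_len = struct.unpack("!BBHH", clear[:REPLY_MIN_LEN])
    expected = REPLY_MIN_LEN + msg_len + data_len
    return {"length": body_len, "expected": expected, "keys_match": expected == body_len}


if __name__ == "__main__":
    # Server's reply is the second packet of the session (seq_no 2).
    reply = build_packet(build_authen_reply(STATUS_FAIL), seq_no=2, key=KEY_OK)
    print(len(reply), "bytes on the wire")        # 18: 12 header + 6 body
    print(check_authen_reply(reply, KEY_OK))       # expected 6, keys_match True
    print(check_authen_reply(reply, KEY_WRONG))    # expected is garbage, keys_match False
```

With a wrong key the "expected" value is effectively random (whatever the XOR with a different keystream produced in the two length fields), which is why the 38363 in the debug carries no meaning on its own. The useful signal for troubleshooting is the sequence: a complete 18-byte response followed by a length-check failure means the server did answer, so reachability and TCP/49 are fine and the problem is the secret on one of the two sides.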

Hi all,

Thank you for your responses.

As advised, I have removed the single-connection and configured aaa authorization exec MY_OWN group tacacs+.

On ACS I have configured TACACS+ as the protocol and given the user a shell with level 15 privileges.

How can I verify the failed attempts and passed authentications from the ACS side?

Below are the requested outputs.

R1#
R1#debu
R1#debug tacac
R1#debug tacacs
TACACS access control debugging is on
R1#debu
R1#debug aaa authen
R1#debug aaa authentication
AAA Authentication debugging is on
R1#
R1#
*Mar  1 00:08:30.855: AAA/BIND(00000005): Bind i/f
*Mar  1 00:08:30.867: AAA/AUTHEN/LOGIN (00000005): Pick method list 'MY_OWN'
*Mar  1 00:08:30.883: TPLUS: Queuing AAA Authentication request 5 for processing
*Mar  1 00:08:30.891: TPLUS: processing authentication start request id 5
*Mar  1 00:08:30.895: TPLUS: Authentication start packet created for 5()
R1#
*Mar  1 00:08:43.391: AAA/AUTHEN/LOGIN (00000005): Pick method list 'MY_OWN'
*Mar  1 00:08:43.395: TPLUS: Queuing AAA Authentication request 5 for processing
*Mar  1 00:08:43.403: TPLUS: processing authentication start request id 5
*Mar  1 00:08:43.407: TPLUS: Authentication start packet created for 5()
R1#
*Mar  1 00:09:01.675: AAA/BIND(00000006): Bind i/f
*Mar  1 00:09:01.687: AAA/AUTHEN/LOGIN (00000006): Pick method list 'MY_OWN'
*Mar  1 00:09:01.703: TPLUS: Queuing AAA Authentication request 6 for processing
*Mar  1 00:09:01.715: TPLUS: processing authentication start request id 6
*Mar  1 00:09:01.719: TPLUS: Authentication start packet created for 6()
R1#
*Mar  1 00:09:14.403: AAA/AUTHEN/LOGIN (00000006): Pick method list 'MY_OWN'
*Mar  1 00:09:14.411: TPLUS: Queuing AAA Authentication request 6 for processing
*Mar  1 00:09:14.419: TPLUS: processing authentication start request id 6
*Mar  1 00:09:14.419: TPLUS: Authentication start packet created for 6()
R1#

Nothing happens after this, authentication fails.


R1#test aaa group tacacs+ uid pwd  legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.

R1#
*Mar  1 00:13:10.431: AAA: parse name= idb type=-1 tty=-1
*Mar  1 00:13:10.435: AAA/MEMORY: create_user (0x66B2E600) user='uid' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
*Mar  1 00:13:10.439: TAC+: send AUTHEN/START packet ver=192 id=1729942639
*Mar  1 00:13:10.443: TAC+: no tacacs servers defined in group "tacacs+"
*Mar  1 00:13:10.447: AAA/MEMORY: free_user (0x66B2E600) user='uid' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
R1#
R1#
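Read side by side, the three debug captures in this thread each carry a distinct signature: a start packet with no server chosen and no reply (requests 5 and 6 above), "no tacacs servers defined in group" from test aaa, and, in the earlier capture, a complete response followed by "Invalid AUTHEN packet (check keys)". The Python script below is an added example, not code from the thread or from Cisco; it groups debug tacacs / debug aaa authentication lines by request id, attributes the id-less TPLUS lines to the most recently seen request, and maps each request to the likely cause. The sample input is a trimmed set of lines taken from the captures above; the attribution rule (an id-less line belongs to the last request seen) is an assumption that holds for these single-user captures but not necessarily for a busy router.

```python
import re

# Sample input: debug lines taken from the captures in this thread, trimmed to
# one request of each outcome.
SAMPLE_DEBUG = """\
*Mar  1 00:15:19.103: AAA/AUTHEN/LOGIN (00000004): Pick method list 'MY_OWN'
*Mar  1 00:15:19.131: TPLUS: Using server 192.168.1.25
*Mar  1 00:15:19.351: TPLUS(00000004)/0/READ: read entire 18 bytes response
*Mar  1 00:15:19.355: TPLUS: received bad AUTHEN packet: length = 6, expected 38363
*Mar  1 00:15:19.359: TPLUS: Invalid AUTHEN packet (check keys).
*Mar  1 00:15:19.359: TPLUS(00000004)/0/REQ_WAIT/66DF2270: timed out
*Mar  1 00:08:30.867: AAA/AUTHEN/LOGIN (00000005): Pick method list 'MY_OWN'
*Mar  1 00:08:30.883: TPLUS: Queuing AAA Authentication request 5 for processing
*Mar  1 00:08:30.895: TPLUS: Authentication start packet created for 5()
*Mar  1 00:13:10.439: TAC+: send AUTHEN/START packet ver=192 id=1729942639
*Mar  1 00:13:10.443: TAC+: no tacacs servers defined in group "tacacs+"
"""

# Patterns that carry a request identifier. IOS prints the id only on some
# lines, so (assumption) id-less lines are attributed to the last id seen.
ID_PATTERNS = [
    re.compile(r"\((\d{8})\)"),                       # (00000004) in AAA/TPLUS lines
    re.compile(r"Authentication request (\d+) for"),  # TPLUS: Queuing ... request 5
    re.compile(r"start packet created for (\d+)\("),  # TPLUS: ... created for 5()
    re.compile(r"AUTHEN/START packet .*id=(\d+)"),    # TAC+ legacy start packet
]

EVENT_PATTERNS = {
    "server":     re.compile(r"Using server (\S+)"),
    "response":   re.compile(r"read entire (\d+) bytes response"),
    "bad_packet": re.compile(r"bad AUTHEN packet: length = (\d+), expected (\d+)"),
    "check_keys": re.compile(r"\(check keys\)"),
    "timed_out":  re.compile(r"timed out"),
    "no_server":  re.compile(r"no tacacs servers defined"),
    "start":      re.compile(r"AUTHEN/START packet|start packet created"),
}


def request_id(line):
    """Return the request id on a line as a normalised string, or None."""
    for pat in ID_PATTERNS:
        m = pat.search(line)
        if m:
            return str(int(m.group(1)))   # "00000004" -> "4"
    return None


def collect(debug_text):
    """Group matched events by request id; values are regex groups or True."""
    events, current = {}, None
    for line in debug_text.splitlines():
        rid = request_id(line)
        if rid is not None:
            current = rid
        if current is None:
            continue                       # line before any request: ignore
        rec = events.setdefault(current, {})
        for name, pat in EVENT_PATTERNS.items():
            m = pat.search(line)
            if m:
                rec[name] = m.groups() or True
    return events


def diagnose(rec):
    """Map one request's events to the likely cause, most specific first."""
    if "no_server" in rec:
        return "no server in group: check 'tacacs-server host' and the server group"
    if "bad_packet" in rec or "check_keys" in rec:
        return "shared key mismatch: reply body decodes to garbage lengths"
    if "response" in rec:
        return "server replied: check ACS Failed Attempts for the reason"
    if "start" in rec:
        return "no reply from server: check reachability and TCP/49"
    return "undetermined"


def triage(debug_text):
    """Per-request verdicts for a debug capture."""
    return {rid: diagnose(rec) for rid, rec in collect(debug_text).items()}


if __name__ == "__main__":
    for rid, verdict in triage(SAMPLE_DEBUG).items():
        print(f"request {rid}: {verdict}")
```

The order of the checks in diagnose matters: request 4 also logs "timed out" after the bad packet, but the key-check failure is the root cause and the timeout is only the cleanup, so the more specific event wins. Running it on a capture from a router that serves several sessions at once would need the id carried on every line, which is why the attribution rule is flagged as an assumption.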

reports and activity --> passed authentication

reports and activity --> failed attempts

Rating useful replies is more useful than saying "Thank you"

Dear Amjad,

Thank you for guiding me on how to check the logs in the ACS server.

When I checked the failed attempts it shows key mismatch, but I am sure that I have configured the same keys on the router and the server.

I don't know why I am getting this "key mismatch".

Dear Amjad,

Kindly help me out with deleting an AAA server from ACS.

I don't find any option to delete the AAA server (I believe this might solve my problem).

Just to be sure, I have reconfigured the keys both on ACS and on the router, but still the same error in the debug.

How do I proceed from here?

Make sure you have the same key on the AAA client and on the Network Device Group the router is a part of.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin