Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
784
Views
0
Helpful
2
Replies

Configure AAA TACACS+ with ACS

slandeira
Level 1
Level 1

‎10-17-2008 09:21 AM - edited ‎03-10-2019 04:08 PM

I want to authenticate telnet connections with TACACS +.

This is my router configuration settings:

aaa new-model

aaa authentication login telnetssh group tacacs+ enable local

!

aaa session-id common

tacacs-server host 10.10.10.5

tacacs-server host 10.10.10.6

tacacs-server directed-request

tacacs-server key superclave

line vty 0 4

password CISCO

logging synchronous

login authentication telnetssh

transport input ssh

!

no cns aaa enable

The configuration in the ACS 4.1 is very simple, just set the following

===================

USER SETUP:

User: PRUEBA

User Setup:

Password Autehntication -> ACS Internal Database

PAP password/password

Group to which the user is assigned -> Grupo 1

Callback -> User group setting

Client IP Address Assignement -> Use group setting

Account Disable -> Never

Advanced TACACS+ Settings

TACACS+ Enable Control: -> Use Group Level Setting

TACACS+ Enable Password -> Use CiscoSecure PAP password

======================

GROUP SETUP:

Group Setup: Grupo 1

All default, except:

TACACS+Settings

Choice: Shell (exec)

Shell Command Authorization Set -> None

======================

In Network Configuration create a new client AAA

AAA client IP Address -> "ip_router"

Shared Secret superclave

Authenticate Using => TACACS + (Cisco IOS)

================

It doesn't work. What may be happening? Missing settings in the ACS?

Labels:
0 Helpful
2 Replies 2

Richard Burts
Hall of Fame
Hall of Fame

‎10-17-2008 09:44 AM

Susana

My first guess at the problem is that the address used in ACS for the client does not match the source address used by the device when it sends the authentication request. If that is the case then you can use the command ip tacacs source-interface

to specify the address on the device that matches the configuration of ACS.

The best way to check on this is to look in ACS at the failed attempts report. If you check the failed attempts report do you see the attempts from this device? If so the report will indicate what the error is.

HTH

Rick

HTH

Rick
0 Helpful

Jagdeep Gambhir
Level 10
Level 10
In response to Richard Burts

‎10-20-2008 05:01 AM

Yes, as suggested by Rick please issue ip tacacs source interface command. This command is required for layer 3 device.

Even if you don't see any hits in acs failed attempts then also issue this command. Sometimes acs do not logs any message in failed attempts.

Regards,

~JG

Do rate helpful posts

0 Helpful
Customers Also Viewed These Support Documents