Cisco Support Community

New Member

Does TACACS+ support auth-proxy on ACS 5.0 and later?

The NAS is a 2801 with IOS 15.1, and ACS is 5.3. I want to deploy auth-proxy using the TACACS+ protocol, but it did not work. Using RADIUS is OK.

I want to know: does TACACS+ support auth-proxy on ACS 5.0 and later?

Thanks!

1 ACCEPTED SOLUTION

TACACS+ Auth-Proxy is only supported after ACS 5.3 patch 5. Upgrade your ACS 5.x, or use RADIUS for Auth-Proxy.

4 REPLIES

New Member

Thanks a million. I really appreciate it.

New Member

Could you tell me what you configured on the RADIUS authorisation profile and access policy to achieve auth-proxy ip?

Cisco Employee

hn_zxgcisco,

I would like to add that ACS 5.3 and later doesn't support TACACS+ authorization, and I've recently filed a defect on the same to be supported. The defect will be fixed in ACS 5.6.0.5, so don't upgrade now. Either use IOS 15.0 or RADIUS.


Here is a defect for your reference:

CSCun82456    ACS 5.x does not support TAC+ authorization Service 0x1a (Auth-Proxy ip) 

 

Symptom:
ACS 5.x does not support TACACS+ authorization Service 0x1a (Auth-Proxy ip)

Conditions:
ACS 5.x rejects the authorization packet stating "13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets".

Authorizing Auth-Proxy on IOS 15.1 or above using TACACS+ to ACS 5.x

Workaround:
Configure Auth-Proxy to use the RADIUS protocol.

Further Problem Description:

 

NOTE: The only thing that is supported by ACS 5.3 patch 5 is authentication, and authentication alone would not solve the purpose.

 

Reason why authorization is not supported with IOS 15.1 and later:
IOS changed the Authorization service used for Auth-Proxy in IOS 15.x from 0x1 (auth-proxy) to 0x1a (auth-proxy ip). IOS 15.0 sets the service as 0x01 and 15.1(4)M7 sets the service as 0x1a. Per captures, ACS does not know what service 26 is and drops the request with the error message listed below: "13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets".
Auth-Proxy using TACACS+ now fails the authorization packet against ACS 5.x because 0x1a is not a supported service. Before this fix is resolved, the 0x1a Auth-Proxy service is supported only in the authentication flow in ACS 5.x, and this was addressed in CSCtx12249.


Regards,

Jatin Katyal

** Do rate helpful posts**

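To make the defect text above concrete, here is an added example (not from this thread, nor Cisco's code) that de-obfuscates a TACACS+ authorization REQUEST and reports its authen_service byte, so a capture rejected with error 13011 can be checked for the 0x1a service instead of being assumed to be a shared-secret mismatch. The packet builder, shared secret, user and host values are constructed sample data; the 0x01/0x1a meanings are taken from the defect text, not from the RFC's own service names.

```python
import hashlib
import struct
from itertools import accumulate

TAC_PLUS_AUTHOR = 0x02  # header type: authorization (RFC 8907)
SERVICE_AUTHPROXY_IOS150 = 0x01  # "auth-proxy" per the defect text (not an RFC name), sent by IOS 15.0
SERVICE_AUTHPROXY_IOS151 = 0x1A  # "auth-proxy ip" per the defect text, sent by IOS 15.1 and later

def tacacs_pad(body_len, session_id, key, version, seq_no):
    # MD5-chained pseudo pad that TACACS+ XORs over the body (RFC 8907 section 4.5)
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, chunk = b"", b""
    while len(pad) < body_len:
        chunk = hashlib.md5(prefix + chunk).digest()
        pad += chunk
    return pad[:body_len]

def build_author_request(session_id, key, authen_service, user, port, rem_addr, args):
    # Constructed authorization REQUEST: method TACACS+ (0x06), priv 1, type ASCII, seq_no 1, version 0xC0
    body = bytes([0x06, 1, 0x01, authen_service, len(user), len(port), len(rem_addr), len(args)])
    body += bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)
    header = struct.pack("!BBBBII", 0xC0, TAC_PLUS_AUTHOR, 1, 0, session_id, len(body))
    return header + bytes(b ^ p for b, p in zip(body, tacacs_pad(len(body), session_id, key, 0xC0, 1)))

def decode_author_request(packet, key):
    # De-obfuscate and parse an authorization REQUEST; returns None when the body does not parse
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & 0x01:  # TAC_PLUS_UNENCRYPTED_FLAG clear, so the body is obfuscated
        body = bytes(b ^ p for b, p in zip(body, tacacs_pad(length, session_id, key, version, seq_no)))
    if ptype != TAC_PLUS_AUTHOR or len(body) < 8: return None
    service, ulen, plen, rlen, argc = body[3:8]
    # running offsets: start of user, port, rem_addr, each arg, and finally the end of the body
    offs = list(accumulate([8 + argc, ulen, plen, rlen] + list(body[8:8 + argc])))
    if offs[-1] != len(body):
        return None  # lengths do not add up: wrong shared secret, or not an authorization REQUEST
    fields = [body[a:b] for a, b in zip(offs, offs[1:])]
    return {"authen_service": service, "user": fields[0], "port": fields[1],
            "rem_addr": fields[2], "args": fields[3:]}

def authproxy_service_status(packet, key):
    # Separate a real shared-secret problem from the unsupported 0x1a service of CSCun82456
    decoded = decode_author_request(packet, key)
    if decoded is None: return "body does not parse: verify the shared secret before anything else"
    svc = decoded["authen_service"]
    if svc == SERVICE_AUTHPROXY_IOS151:
        return "0x1a auth-proxy ip (IOS 15.1+): rejected by ACS 5.x before 5.6.0.5 with error 13011"
    if svc == SERVICE_AUTHPROXY_IOS150:
        return "0x01 auth-proxy (IOS 15.0): accepted by ACS 5.x"
    return "service 0x%02x: not an auth-proxy authorization" % svc
```

Feed `decode_author_request` the raw bytes of a captured authorization REQUEST together with the router's configured key; a parse failure with the correct key points at a real secret mismatch, while a clean parse showing 0x1a is the defect above.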