07-02-2013 07:08 AM - edited 03-10-2019 08:36 PM
Hi All,
I recently made some changes to the way my Tacacs server (ACS4.2) handled groups, etc.
This all works fine, and when I log onto my devices I get prompted for my credentials, which authenticate against AD. However, since I made these changes none of the devices on IOS 15 now authenticate. I am immediately prompted for a local password rather than a username and password.
I understand that the commands for Tacacs changed a bit in IOS 15, but from what I have read and changed I'm still having trouble. Config below from one of the routers I'm having trouble with...
Am I missing something?
!
aaa new-model
!
!
aaa group server tacacs+ ACS1
server name AUTH
!
aaa authentication login ACS-List group ACS1 local
aaa authorization exec ACS-List group ACS1 local
aaa accounting commands 15 ACS-List
action-type start-stop
group ACS1
!
aaa session-id common
!
tacacs-server directed-request
tacacs server AUTH
address ipv4 172.x.x.x
key 7 xxxxxxxx
and on my VTY Lines...
privilege level 15
password 7 151619050826222A2F
authorization exec ACS-List
accounting commands 15 ACS-List
accounting exec ACS-List
login authentication ACS-List
length 0
transport input telnet ssh
07-02-2013 07:22 AM
The config seems to be fine. What is the full code on which you are experiencing this issue with tacacs?
~BR
Jatin Katyal
**Do rate helpful posts**
07-02-2013 07:31 AM
It's
Version 15.1(4)M6, RELEASE SOFTWARE (fc2)
ACS 4.2
07-02-2013 07:47 AM
As you're getting prompted for local credentials, that indicates tacacs is not reachable from the device in question. Are you able to ping the tacacs server? Could you please run the debugs and share:
debug aaa authen
debug tacacs
~BR
Jatin Katyal
**Do rate helpful posts**
07-02-2013 08:03 AM
I ran those debugs, then tried to login on another telnet session -
Jul 2 15:01:57.278: TPLUS: Queuing AAA Accounting request 1781 for processing
Jul 2 15:01:57.278: TPLUS: processing accounting request id 1781
Jul 2 15:01:57.278: TPLUS: Sending AV task_id=1997
Jul 2 15:01:57.278: TPLUS: Sending AV timezone=SIN
Jul 2 15:01:57.278: TPLUS: Sending AV service=shell
Jul 2 15:01:57.278: TPLUS: Sending AV start_time=1372777317
Jul 2 15:01:57.278: TPLUS: Sending AV priv-lvl=15
Jul 2 15:01:57.278: TPLUS: Sending AV cmd=terminal monitor
Jul 2 15:01:57.278: TPLUS: Accounting request created for 1781(admin)
Jul 2 15:01:57.278: TPLUS: using previously set server 172.x.x.x from group ACS1
Jul 2 15:01:57.278: TPLUS(000006F5)/0/NB_WAIT/3120C74C: Started 5 sec timeout
Jul 2 15:01:57.630: TPLUS(000006F5)/0/NB_WAIT: socket event 2
Jul 2 15:01:57.630: TPLUS(000006F5)/0/NB_WAIT: wrote entire 144 bytes request
Jul 2 15:01:57.630: TPLUS(000006F5)/0/READ: socket event 1
Jul 2 15:01:57.630: TPLUS(000006F5)/0/READ: Would block while reading
Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: socket event 1
Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: read 0 bytes
Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: socket event 1
Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: errno 254
Jul 2 15:01:57.990: TPLUS(000006F5)/0/3120C74C: Processing the reply packet
Jul 2 15:02:11.658: AAA/BIND(000006F9): Bind i/f
Jul 2 15:02:11.658: AAA/AUTHEN/LOGIN (000006F9): Pick method list 'ACS-List'
Jul 2 15:02:11.658: TPLUS: Queuing AAA Authentication request 1785 for processing
Jul 2 15:02:11.658: TPLUS: processing authentication start request id 1785
Jul 2 15:02:11.662: TPLUS: Authentication start packet created for 1785()
Jul 2 15:02:11.662: TPLUS: Using server 172.x.x.x
Jul 2 15:02:11.662: TPLUS(000006F9)/0/NB_WAIT/3120C74C: Started 5 sec timeout
Jul 2 15:02:12.014: TPLUS(000006F9)/0/NB_WAIT: socket event 2
Jul 2 15:02:12.014: TPLUS(000006F9)/0/NB_WAIT: wrote entire 38 bytes request
Jul 2 15:02:12.014: TPLUS(000006F9)/0/READ: socket event 1
Jul 2 15:02:12.014: TPLUS(000006F9)/0/READ: Would block while reading
Jul 2 15:02:12.366: TPLUS(000006F9)/0/READ: socket event 1
Jul 2 15:02:12.366: TPLUS(000006F9)/0/READ: errno 254
Jul 2 15:02:12.366: TPLUS(000006F9)/0/3120C74C: Processing the reply packet
Jul 2 15:02:24.474: AAA/AUTHEN/LOGIN (000006F9): Pick method list 'ACS-List'
Jul 2 15:02:24.474: TPLUS: Queuing AAA Authentication request 1785 for processing
Jul 2 15:02:24.474: TPLUS: processing authentication start request id 1785
Jul 2 15:02:24.474: TPLUS: Authentication start packet created for 1785()
Jul 2 15:02:24.474: TPLUS: Using server 172.x.x.x
Jul 2 15:02:24.474: TPLUS(000006F9)/0/NB_WAIT/3120C74C: Started 5 sec timeout
Jul 2 15:02:24.826: TPLUS(000006F9)/0/NB_WAIT: socket event 2
Jul 2 15:02:24.826: TPLUS(000006F9)/0/NB_WAIT: wrote entire 38 bytes request
Jul 2 15:02:24.826: TPLUS(000006F9)/0/READ: socket event 1
Jul 2 15:02:24.826: TPLUS(000006F9)/0/READ: Would block while reading
Jul 2 15:02:25.178: TPLUS(000006F9)/0/READ: socket event 1
Jul 2 15:02:25.178: TPLUS(000006F9)/0/READ: errno 254
Jul 2 15:02:25.178: TPLUS(000006F9)/0/3120C74C: Processing the reply packet
07-02-2013 08:04 AM
I'm being prompted for username / password but when I try my AD account it fails. If I try the local credentials, it works.
07-04-2013 04:16 AM
Hi,
Got this working - the issue was that the routers in question were VPN endpoints using GRE/IPSEC. When contacting the TACACS server it sources from the tunnel subnet and not the actual physical interface subnet. I added the subnet to the TACACS group and now it works fine.
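An added illustration, not code from the thread or from Cisco: a small Python helper that groups the `debug tacacs` TPLUS lines by session id and tells the exchange seen above (request written, then `read 0 bytes` and `errno 254`, i.e. the server hung up without a TACACS+ reply) apart from a server that never answers at all. The sample lines are constructed after the debug output in the thread; sessions 000006FA and 000006FB are hypothetical, added for contrast.

```python
import re
from collections import defaultdict

# One pattern for the per-session TPLUS events we care about (session id in parentheses).
EVENT_RE = re.compile(
    r"TPLUS\((?P<sid>[0-9A-F]+)\)/\d+/[^:]*: (?:wrote entire (?P<wrote>\d+) bytes"
    r"|read (?P<read>\d+) bytes|errno (?P<errno>\d+))")

# Constructed sample: session 6F9 mirrors the failing exchange in the thread; 6FA (a normal
# reply) and 6FB (a server that never answers) are hypothetical, added for contrast.
SAMPLE_DEBUG = """\
Jul 2 15:02:12.014: TPLUS(000006F9)/0/NB_WAIT: wrote entire 38 bytes request
Jul 2 15:02:12.366: TPLUS(000006F9)/0/READ: read 0 bytes
Jul 2 15:02:12.366: TPLUS(000006F9)/0/READ: errno 254
Jul 2 15:02:12.366: TPLUS(000006F9)/0/3120C74C: Processing the reply packet
Jul 2 15:05:00.014: TPLUS(000006FA)/0/NB_WAIT: wrote entire 38 bytes request
Jul 2 15:05:00.366: TPLUS(000006FA)/0/READ: read 28 bytes
Jul 2 15:05:00.366: TPLUS(000006FA)/0/3120C74D: Processing the reply packet
Jul 2 15:06:00.014: TPLUS(000006FB)/0/NB_WAIT: wrote entire 38 bytes request
"""

def parse_sessions(text):
    """Group TPLUS lines by session id and tally bytes written, bytes read and errno."""
    sessions = defaultdict(lambda: {"wrote": 0, "read": 0, "errno": None})
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        s = sessions[m["sid"]]
        if m["wrote"] is not None:
            s["wrote"] += int(m["wrote"])
        if m["read"] is not None:
            s["read"] += int(m["read"])
        if m["errno"] is not None:
            s["errno"] = int(m["errno"])
    return dict(sessions)

def classify(s):
    if s["read"] == 0 and s["errno"] is not None:
        # TCP connected and the request went out, but the peer hung up with no TACACS+
        # reply: consistent with the server not accepting the source address the router
        # used (the thread's tunnel-subnet case), rather than with an unreachable server.
        return "server closed connection without a reply"
    if s["read"] == 0:
        return "no response from server"
    return "reply received"

def diagnose(text):
    return {sid: classify(s) for sid, s in parse_sessions(text).items()}
```

Feed it the output of `debug tacacs` captured around one login attempt; a session classed as "server closed connection without a reply" is the cue to compare the address the router sources from (tunnel versus physical interface) with the AAA clients defined on ACS.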
07-04-2013 04:19 AM
Thanks for keeping this thread updated.
~BR
Jatin Katyal
**Do rate helpful posts**
12-17-2013 07:39 AM
Hello, it seems you used the "
ip tacacs source-interface