Issue with ACS 4.2 in Authentication

Hey guys.

I've got a problem with the ACS 4.2, just in authentication.

I have a 3750 Catalyst and installed an ACS 4.2, both in one zone. They can ping each other and there is no problem in their connectivity. I've created a user called "test" in the ACS local database, defined the switch in the ACS database and configured the 3750 with the commands below:

aaa new-model
aaa authentication attempts login 10
aaa authentication login default group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
tacacs-server host 192.168.149.30
tacacs-server directed-request
tacacs-server key 7 046803071F

When I try to log in with the "test" user, the problem below appears on my screen while debugging the authentication process on the switch:

Apr  1 05:29:11: AAA/BIND(00000049): Bind i/f
Apr  1 05:29:11: AAA/AUTHEN/LOGIN (00000049): Pick method list 'default'
Apr  1 05:29:11: TPLUS: Queuing AAA Authentication request 73 for processing
Apr  1 05:29:11: TPLUS: processing authentication start request id 73
Apr  1 05:29:11: TPLUS: Authentication start packet created for 73(test)
Apr  1 05:29:11: TPLUS: Using server 192.168.149.30
Apr  1 05:29:12: TPLUS(00000049)/0/NB_WAIT/82F6C3C: Started 5 sec timeout
Apr  1 05:29:12: TPLUS(00000049)/0/NB_WAIT: socket event 2
Apr  1 05:29:12: TPLUS(00000049)/0/NB_WAIT: wrote entire 39 bytes request
Apr  1 05:29:12: TPLUS(00000049)/0/READ: socket event 1
SW48-3#
Apr  1 05:29:12: TPLUS(00000049)/0/READ: Would block while reading
Apr  1 05:29:12: TPLUS(00000049)/0/READ: socket event 1
Apr  1 05:29:12: TPLUS(00000049)/0/READ: errno 32
Apr  1 05:29:12: TPLUS(00000049)/0/82F6C3C: Processing the reply packet
Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): user test not found
Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): get password
Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): failover
Apr  1 05:29:12: AAA/AUTHEN/ENABLE(00000049): Processing request action LOGIN
Apr  1 05:29:12: AAA/AUTHEN/ENABLE(00000049): Done status GET_PASSWORD
SW48-3#
Apr  1 05:29:16: AAA/AUTHEN/ENABLE(00000049): Processing request action LOGIN
Apr  1 05:29:16: AAA/AUTHEN/ENABLE(00000049): Done status FAIL - bad password

Just to confirm: the password is definitely correct, and there is no authorization process.

I will be very thankful if someone can help me troubleshoot this matter (or point me to any doc that shows how to authenticate a user via ACS 4.2).

Moe

3 REPLIES

Hi Moe,

What are all the debugs that you have used here?

Based on the debugs:

the request is falling back to local, the user is not there in the internal DB, and then it falls back to the enable password, which fails.

What is the attempt or report on the ACS?

Can you share screenshots of the ACS configuration?

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed

Thanks for your reply, Ed.

As already mentioned, the user was created on the local ACS database and the switch was added too.

I have attached a screenshot of the configured ACS and its report section.

The debug commands that were used to capture the above information on the switch are:

debug aaa authentication
debug tacacs authentication

Honestly, I have never been this confused about ACS.

Cheers

Moe

Hi Mohammad,

I think I see the problem right away.

The ACS is dropping the packet due to IP mismatch.

Check the IP addresses.

The IP that you have defined is 147.23

The IP that the device is using is 149.24

It seems that you have multiple interfaces on the device and it's using its own routing table.

If you want to force the device to use a specific IP for T+, then use "ip tacacs source-interface "

or, if you want to change this on the server end, then define 149.24 as a network device.

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed
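The two answers above read the debug trace by hand: the TACACS+ read returns an error, IOS falls through the method list `group tacacs+ local enable`, the local database has no such user, and the login finally fails on the enable secret. The script below is an added example (not from the thread, Cisco or ACS) that automates that reading: it parses the `debug aaa authentication` / `debug tacacs authentication` message formats seen in this thread, replays the method-list walk, and adds the AAA-client check Ed describes. The sample debug lines and the `192.0.2.x` addresses are constructed for the demo; the regexes assume the message formats shown above and nothing else.

```python
"""Triage IOS TACACS+ login debugs the way the thread's answers do (added example).

Assumption on IOS method lists (matches the trace in the thread): IOS moves to the
next method only when the current one returns ERROR (server unreachable, or user
absent from the local database); a FAIL such as 'bad password' is final.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, modelled on the debug output posted in the thread.
SAMPLE_DEBUG = """\
Apr  1 05:29:11: AAA/AUTHEN/LOGIN (00000049): Pick method list 'default'
Apr  1 05:29:11: TPLUS: Authentication start packet created for 73(test)
Apr  1 05:29:11: TPLUS: Using server 192.168.149.30
Apr  1 05:29:12: TPLUS(00000049)/0/NB_WAIT: wrote entire 39 bytes request
Apr  1 05:29:12: TPLUS(00000049)/0/READ: errno 32
Apr  1 05:29:12: TPLUS(00000049)/0/82F6C3C: Processing the reply packet
Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): user test not found
Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): failover
Apr  1 05:29:12: AAA/AUTHEN/ENABLE(00000049): Done status GET_PASSWORD
Apr  1 05:29:16: AAA/AUTHEN/ENABLE(00000049): Done status FAIL - bad password
"""

# Patterns for the message formats seen in the thread (assumed, not a Cisco spec).
PATTERNS = {
    "server": re.compile(r"TPLUS: Using server (\S+)"),
    "user": re.compile(r"Authentication start packet created for \d+\((\S+)\)"),
    "tplus_errno": re.compile(r"TPLUS\([0-9A-Fa-f]+\)/\d+/READ: errno (\d+)"),
    "local_not_found": re.compile(r"AAA/LOCAL/LOGIN\([0-9A-Fa-f]+\): user (\S+) not found"),
    "local_failover": re.compile(r"AAA/LOCAL/LOGIN\([0-9A-Fa-f]+\): failover"),
    "enable_fail": re.compile(r"AAA/AUTHEN/ENABLE\([0-9A-Fa-f]+\): Done status FAIL"),
}


def parse_debug(text: str) -> Dict[str, object]:
    """Pull the facts that matter for method-list troubleshooting out of the debug text."""
    facts: Dict[str, object] = {
        "server": None, "user": None, "tplus_errno": None,
        "local_not_found": None, "local_failover": False, "enable_fail": False,
    }
    for line in text.splitlines():
        for key, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                # Capture the value for patterns with a group, otherwise just mark it seen.
                facts[key] = m.group(1) if m.groups() else True
    return facts


def walk_method_list(methods: List[str], facts: Dict[str, object]) -> List[Tuple[str, str]]:
    """Replay how IOS walks the login method list given what the debug showed."""
    trail: List[Tuple[str, str]] = []
    for method in methods:
        if method == "group tacacs+":
            outcome = "ERROR" if facts["tplus_errno"] is not None else "decided by server"
        elif method == "local":
            outcome = "ERROR" if facts["local_failover"] else "decided by local database"
        elif method == "enable":
            outcome = "FAIL" if facts["enable_fail"] else "no FAIL seen"
        else:
            outcome = "unknown method"
        trail.append((method, outcome))
        if outcome != "ERROR":
            break  # only ERROR hands the decision to the next method
    return trail


def diagnose(text: str, source_ip: Optional[str] = None,
             acs_clients: Optional[Set[str]] = None) -> Dict[str, object]:
    """Combine the parsed facts, the method-list walk and the AAA-client check."""
    facts = parse_debug(text)
    trail = walk_method_list(["group tacacs+", "local", "enable"], facts)
    hints: List[str] = []
    if facts["tplus_errno"] is not None:
        hints.append(f"TACACS+ server {facts['server']} closed the connection without a usable "
                     f"reply (read errno {facts['tplus_errno']}); check that the switch's source "
                     "address is defined as an AAA client on ACS and that the shared keys match")
    if facts["local_not_found"]:
        hints.append(f"user {facts['local_not_found']} has no local account, so 'local' could not decide")
    if facts["enable_fail"]:
        hints.append("the login ended on the enable secret, which is why a correct ACS password still fails")
    if source_ip is not None and acs_clients is not None and source_ip not in acs_clients:
        hints.append(f"source address {source_ip} is not a defined AAA client on ACS; add it or "
                     "pin the source with 'ip tacacs source-interface'")
    return {"facts": facts, "trail": trail, "hints": hints}


if __name__ == "__main__":
    # Constructed addresses: the switch sends from 192.0.2.24 but ACS only knows 192.0.2.23.
    result = diagnose(SAMPLE_DEBUG, source_ip="192.0.2.24", acs_clients={"192.0.2.23"})
    for method, outcome in result["trail"]:
        print(f"{method:14s} -> {outcome}")
    for hint in result["hints"]:
        print("hint:", hint)
```

The method-list walk is the part worth keeping in a runbook: a `FAIL` from any method stops the walk, so a trace that ends in `AAA/AUTHEN/ENABLE ... FAIL - bad password` after a `TPLUS ... errno` line means the server was never consulted for the password at all, and the fix lives on the ACS network-device entry or the switch's source address, not in the user's credentials.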
