Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Problem setting 7606 router for TACACS+ authentication

Hello Support Community,

I have two Cisco 7606 routers which I have tried in vain to have users authenticated using TACACS+ servers. As shown below, I have two servers (1.1.1.1 and 2.2.2.2) reachable via vrf OAM which is reachable from desktops for ssh login. The true IP addresses and vrf have been altered because it's a company router.

I use the two servers to authenticate many other Cisco devices in the network they are working fine.

I can reach the servers from the vrf and the source interface in use. I can also telnet port 49 if the servers from the source interface and the vrf.

The server key is hidden but at the time of configuration, I can ascertain that it's correct.

The problem is that after confuring for TACACS authentication, the router still uses the enable password instead of TACACS. While the debug output shows 'bad password', why is the router not authenticating using TACACS? Why is it using the enable password?

Please study the outputs below and help point out what I may need to change.

PS: I have tried out many other combinations, including deprecated ones without success including the method suggested in this page;

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html

Please help I'm stuck.

ROUTER#sh running-config | sec aaa

aaa new-model

aaa group server tacacs+ admin

server name admin

server name admin1

ip vrf forwarding OAM

ip tacacs source-interface GigabitEthernet1

aaa authentication login admin group tacacs+ local enable

aaa session-id common

ROUTER#sh running-config | sec tacacs

aaa group server tacacs+ admin

server name admin

server name admin1

ip vrf forwarding OAM

ip tacacs source-interface GigabitEthernet1

aaa authentication login admin group tacacs+ local enable

tacacs server admin

address ipv4 1.1.1.1

key 7 XXXXXXXXXXXXXXXXXXXX

tacacs server admin1

address ipv4 2.2.2.2

key 7 XXXXXXXXXXXXXXXXxxxx

line vty 0 4

login authentication admin

ROUTER#sh tacacs

Tacacs+ Server -  public  :

               Server name: admin

            Server address: 1.1.1.1

               Server port: 49

              Socket opens:         15

             Socket closes:         15

             Socket aborts:          0

             Socket errors:          0

           Socket Timeouts:          0

   Failed Connect Attempts:          0

        Total Packets Sent:          0

        Total Packets Recv:          0

Tacacs+ Server -  public  :

               Server name: admin1

            Server address: 2.2.2.2

               Server port: 49

              Socket opens:         15

             Socket closes:         15

             Socket aborts:          0

             Socket errors:          0

           Socket Timeouts:          0

   Failed Connect Attempts:          0

        Total Packets Sent:          0

        Total Packets Recv:          0

Oct 22 12:38:57.587: AAA/BIND(0000001A): Bind i/f 

Oct 22 12:38:57.587: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'

Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN

Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD

Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN

Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password

Oct 22 12:39:04.335: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'

Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN

Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD

Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN

Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password

Oct 22 12:39:10.679: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'

Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN

Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD

Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN

Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password

ROUTER#sh ver

Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2012 by Cisco Systems, Inc.

Compiled Fri 30-Mar-12 08:34 by prod_rel_team

ROM: System Bootstrap, Version 12.2(33r)SRE, RELEASE SOFTWARE (fc1)

BOOTLDR: Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)

ROUTER uptime is 7 weeks, 5 days, 16 hours, 48 minutes

Uptime for this control processor is 7 weeks, 5 days, 16 hours, 49 minutes

System returned to ROM by reload (SP by reload)

System restarted at 20:00:59 UTC Wed Aug 28 2013

System image file is "sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3.bin"

Last reload type: Normal Reload

Last reload reason: power-on

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

Cisco CISCO7606-S (M8500) processor (revision 1.1) with 3670016K/262144K bytes of memory.

Processor board ID FOX1623G61B

BASEBOARD: RSP720

CPU: MPC8548_E, Version: 2.1, (0x80390021)

CORE: E500, Version: 2.2, (0x80210022)

CPU:1200MHz, CCB:400MHz, DDR:200MHz,

L1:    D-cache 32 kB enabled

        I-cache 32 kB enabled

Last reset from power-on

3 Virtual Ethernet interfaces

76 Gigabit Ethernet interfaces

8 Ten Gigabit Ethernet interfaces

3964K bytes of non-volatile configuration memory.

500472K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).

Configuration register is 0x2102

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Problem setting 7606 router for TACACS+ authentication

In order to resolve this issue. Please replace the below listed command

aaa authentication login admin group tacacs+ local enable

with;

aaa authentication login default group admin local enable

You defined the server group name as method list and instead of using admin as a server-group, you used tacacs+

Note: Please ensure you have local user and enable password configured in case of tacacs server unreachable.

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
3 REPLIES
Cisco Employee

Problem setting 7606 router for TACACS+ authentication

In order to resolve this issue. Please replace the below listed command

aaa authentication login admin group tacacs+ local enable

with;

aaa authentication login default group admin local enable

You defined the server group name as method list and instead of using admin as a server-group, you used tacacs+

Note: Please ensure you have local user and enable password configured in case of tacacs server unreachable.

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
Cisco Employee

Problem setting 7606 router for TACACS+ authentication

Hi Sam,

Let me know how it goes.

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
New Member

Problem setting 7606 router for TACACS+ authentication

Sorry for the delay in response. I have made the change as you recommended and it has worked! Thank you very much.

There are many variations of how to implement this on different types of devices but this has done it for the 7606.

521
Views
0
Helpful
3
Replies
CreatePlease login to create content