User Authentication with 2800 router

estelamathew
Level 2

Hello Experts,


Press RETURN to get started.

*May 11 15:04:18.063: AAA/BIND(00000010): Bind i/f 
*May 11 15:04:18.063: AAA/AUTHEN/LOGIN (00000010): Pick method list '123'

User Access Verification

Username: john
Password:

ACS-Router>en
Password:
*May 11 15:04:41.935: AAA: parse name=tty0 idb type=-1 tty=-1
*May 11 15:04:41.935: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
*May 11 15:04:41.935: AAA/MEMORY: create_user (0x469AA7F4) user='john' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*May 11 15:04:41.935: AAA/AUTHEN/START (4129385217): port='tty0' list='' action=LOGIN service=ENABLE
*May 11 15:04:41.935: AAA/AUTHEN/START (4129385217): console enable - default to enable password (if any)
*May 11 15:04:41.935: AAA/AUTHEN/START (4129385217): Method=ENABLE
*May 11 15:04:41.935: AAA/AUTHEN(4129385217): Status=GETPASS
ACS-Router#
*May 11 15:04:49.099: AAA/AUTHEN/CONT (4129385217): continue_login (user='(undef)')
*May 11 15:04:49.099: AAA/AUTHEN(4129385217): Status=GETPASS
*May 11 15:04:49.099: AAA/AUTHEN/CONT (4129385217): Method=ENABLE
*May 11 15:04:49.107: AAA/AUTHEN(4129385217): Status=PASS
*May 11 15:04:49.107: AAA/MEMORY: free_user (0x469AA7F4) user='NULL' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

The output is from the console of the 2800 router. I'm trying to authenticate a user john from the ACS server, but I'm not sure from the output above whether it is authenticating or not. When I specify a different password in the ACS and the router, it doesn't accept the ACS password; rather, it takes the local password configured for john.

sh run for router 2800:

ACS-Router#sh running-config
Building configuration...

Current configuration : 1141 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ACS-Router
!
boot-start-marker
boot system flash c2800nm-ipvoicek9-mz.151-1.T.bin
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$6MYC$v0SoHopUNgCSXx08iEfcU0
!
aaa new-model
!
!
aaa authentication login 123 group tacacs+ local
!
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
username john password 0 cisco12345
archive
log config
  hidekeys
!
!        
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
tacacs-server host 192.168.10.3 port 49 timeout 2 key cisco12345
!
control-plane
!
!
line con 0
login authentication 123
line aux 0
line vty 0 4
login authentication 123

BUT

When I did the same configuration with the 2960 switch, it works fine for the user. It accepts different passwords for the ACS and the local when I disconnect the ACS from the LAN.

Can anybody tell what I'm missing here?

Thanks


Enable:

debug tacacs

Then try again, and post the debug output.

Here is the output.

When I put in the TACACS password it doesn't accept it, but when I put in the local password it accepts it.

Press RETURN to get started.

*May 11 15:44:07.066: TPLUS: Queuing AAA Authentication request 19 for processing
*May 11 15:44:07.066: TPLUS: processing authentication start request id 19
*May 11 15:44:07.066: TPLUS: Authentication start packet created for 19()
*May 11 15:44:07.066: TPLUS: Using server 192.168.10.3
*May 11 15:44:07.070: TPLUS(00000013)/0/NB_WAIT/464ED0F8: Started 2 sec timeout
*May 11 15:44:07.070: TPLUS(00000013)/0/NB_WAIT: socket event 2
*May 11 15:44:07.070: TPLUS(00000013)/0/NB_WAIT: wrote entire 29 bytes request
*May 11 15:44:07.070: TPLUS(00000013)/0/READ: socket event 1
*May 11 15:44:07.070: TPLUS(00000013)/0/READ: Would block while reading
*May 11 15:44:07.090: TPLUS(00000013)/0/READ: socket event 1
*May 11 15:44:07.090: TPLUS(00000013)/0/READ: read 0 bytes

User Access Verification

Username:
*May 11 15:44:09.070: TPLUS(00000013)/0/READ/464ED0F8: timed out
*May 11 15:44:09.070: TPLUS: Authentication start packet created for 19()
*May 11 15:44:09.070: TPLUS(00000013)/0/READ/464ED0F8: timed out, clean up
*May 11 15:44:09.070: TPLUS(00000013)/0/464ED0F8: Processing the reply packet john
Password:

% Authentication failed

Username:
*May 11 15:44:33.670: TPLUS: Queuing AAA Authentication request 19 for processing
*May 11 15:44:33.670: TPLUS: processing authentication start request id 19
*May 11 15:44:33.670: TPLUS: Authentication start packet created for 19()
*May 11 15:44:33.670: TPLUS: Using server 192.168.10.3
*May 11 15:44:33.670: TPLUS(00000013)/0/NB_WAIT/460B0F24: Started 2 sec timeout
*May 11 15:44:33.674: TPLUS(00000013)/0/NB_WAIT: socket event 2
*May 11 15:44:33.674: TPLUS(00000013)/0/NB_WAIT: wrote entire 29 bytes request
*May 11 15:44:33.674: TPLUS(00000013)/0/READ: socket event 1
*May 11 15:44:33.674: TPLUS(00000013)/0/READ: Would block while reading
*May 11 15:44:33.678: TPLUS(00000013)/0/READ: socket event 1
*May 11 15:44:33.678: TPLUS(00000013)/0/READ: errno 254
*May 11 15:44:33.678: TPLUS(00000013)/0/460B0F24: Processing the reply packet john
Password:

ACS-Router>en
Password:
ACS-Router#

The following:

*May 11 15:44:33.678: TPLUS(00000013)/0/READ: errno 254

Suggests a mismatched secret between the 2800 and the TACACS+ server.
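
Why a mismatched secret breaks the exchange, as an added example that is not part of the original thread: TACACS+ (RFC 8907) XORs each packet body with an MD5 pad derived from the shared key, so a receiver holding a different key recovers a body whose length fields no longer add up to the header length. The keys, session id and reply contents below are constructed sample values.

```python
import hashlib
import struct

HEADER = struct.Struct("!BBBB4sI")  # version, type, seq_no, flags, session_id, length
REPLY = struct.Struct("!BBHH")      # status, flags, server_msg_len, data_len

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pad: MD5 chain over session_id + key + version + seq_no."""
    seed = session_id + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def build_reply(key, session_id, server_msg=b"Password: "):
    """Server side: authentication REPLY, status GETPASS (0x05), NOECHO flag."""
    body = REPLY.pack(0x05, 0x01, len(server_msg), 0) + server_msg
    header = HEADER.pack(0xC0, 0x01, 2, 0x00, session_id, len(body))
    return header + xor_body(body, session_id, key, 0xC0, 2)

def parse_reply(packet, key):
    """Client side: de-obfuscate, then check the lengths against the header."""
    version, _type, seq_no, _flags, session_id, length = HEADER.unpack(packet[:12])
    body = xor_body(packet[12:12 + length], session_id, key, version, seq_no)
    status, _rflags, msg_len, data_len = REPLY.unpack(body[:6])
    if REPLY.size + msg_len + data_len != length:
        raise ValueError("reply lengths do not match header: shared key mismatch?")
    return status, body[6:6 + msg_len]

if __name__ == "__main__":
    sid = bytes.fromhex("12345678")             # constructed session id
    pkt = build_reply(b"server-side-key", sid)  # constructed keys
    print(parse_reply(pkt, b"server-side-key"))
    try:
        parse_reply(pkt, b"router-side-key")
    except ValueError as err:
        print("rejected:", err)
```

The length check is the only integrity signal the protocol offers here, which is why a key mismatch surfaces as a read or parse error on the client rather than as an explicit "wrong key" message.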

Hello dear,

Yes, I went once more to check before your mail, and I found it.

It was a silly mistake.

Thanks for your reply.
