VPN client and Cisco ACS

hi,

I'm trying to setup a VPN solution, connecting to a 800 series router and authenticating off a Cisco ACS tacacs server.

I've basically followed the suggested config at http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800a393b.shtml and the setup works fine if I use local authentication, but as soon as I switch to using TACACS the client authentication fails.

Debugging tacacs on the router I can see the requests being sent to the server, and the replies coming back - the login details are definitely correct so I'm guessing that TACACS isn't authorising me to use VPN or IPSEC or something. But there is nothing in the ACS logs to suggest why I'm not getting through - no failed attempts are shown.

Any ideas?

7 REPLIES
Silver

Re: VPN client and Cisco ACS

Hi

Sounds like something more fundamental is wrong. Try setting ACS diagnostic logging to max (under system config/service control) then do a test authentication.

Look in the CSTacacs/Logs/tcs.log file

Maybe some clues there as to what is failing.

Also, if you "net stop cstacacs" and then run "cstacacs -z -e" at the command prompt, you'll see a packet by packet dump get echoed to the console. This will confirm T+ packets are arriving ok.

Darran

Community Member

Re: VPN client and Cisco ACS

It's actually an ACS Solution Engine I'm using so I'm not even sure how to get a command prompt on it...

However I am already using it to authenticate telnet access onto the same router, and this works fine with the same username, so I'm fairly satisfied that Tacacs packets are making it there and back (router debug also confirms this)

Community Member

Re: VPN client and Cisco ACS

Here is some debug from the router:

-------------------------------
Feb 24 12:28:58.973 UTC: TPLUS: processing authentication start request id 129
Feb 24 12:28:58.973 UTC: TPLUS: Authentication start packet created for 129(vpngroup)
Feb 24 12:28:58.973 UTC: TPLUS: Using server 10.10.10.10
Feb 24 12:28:58.973 UTC: TPLUS(00000081)/0/NB_WAIT/823A9F04: Started 5 sec timeout
Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: socket event 2
Feb 24 12:28:58.989 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Feb 24 12:28:58.989 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
Feb 24 12:28:58.989 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Feb 24 12:28:58.989 UTC: T+: svc:LOGIN user_len:8 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
Feb 24 12:28:58.989 UTC: T+: user: vpntest
Feb 24 12:28:58.989 UTC: T+: port:
Feb 24 12:28:58.989 UTC: T+: rem_addr:
Feb 24 12:28:58.989 UTC: T+: data:
Feb 24 12:28:58.989 UTC: T+: End Packet
Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: wrote entire 28 bytes request
Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: socket event 1
Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: Would block while reading
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 28 bytes response
Feb 24 12:28:59.009 UTC: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Feb 24 12:28:59.009 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
Feb 24 12:28:59.009 UTC: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Feb 24 12:28:59.009 UTC: T+: msg: Password:
Feb 24 12:28:59.009 UTC: T+: data:
Feb 24 12:28:59.009 UTC: T+: End Packet
s9990-cr#
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/823A9F04: Processing the reply packet
Feb 24 12:28:59.009 UTC: TPLUS: Received authen response status GET_PASSWORD (8)
-------------------------------

"AUTHEN/REPLY status:5" is a permanent fail according to the TACACS RFC

In the VPN Client log it says "User does not provide any authentication data"

So to summarise:

-Same ACS server\router\username combination works fine for telnet access.

-VPN works fine with local authentication.

-No login failures showing in the ACS logs.

Hall of Fame Super Gold

Re: VPN client and Cisco ACS

Liam

Is your 800 configuring the VPN for XAUTH? Perhaps you could post the VPN part of its config?

HTH

Rick

Community Member

Re: VPN client and Cisco ACS

Here you go - I've currently got it set to check local login first then fall back to Tacacs, but previously had it set to just "group tacacs+" without success - local login works fine for the VPN, and Tacacs auth works for accessing the router itself.

------------------------------------
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication login userauthen local group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network groupauthor local
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa session-id common
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngroup
 key cisco123
 dns 10.2.2.2
 pool ippool
 save-password
 include-local-lan
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Dialer1
 crypto map clientmap
!
ip local pool ippool 10.1.1.1 10.1.1.10
!
tacacs-server host 10.10.10.10
tacacs-server directed-request
tacacs-server key 7 123456789
---------------------------------------

thanks

Liam.

Community Member

Re: VPN client and Cisco ACS

Just going to bump this thread with a bit of additional information.

I switched to using RADIUS with *exactly* the same setup (same router, same ACS server, same username) and it worked first time. All I did was add the router into ACS as a Radius (IOS\PIX) device, so it's now got 2 device entries.

However I still would prefer to get Tacacs working as all the devices I want to use this with are already configured as tacacs clients for telnet access.

summary:

#aaa authentication login userauthen local group radius - WORKS

#aaa authentication login userauthen local group tacacs+ - DOESN'T WORK

All other config remains the same and I can successfully telnet onto the device using Tacacs.

Community Member

Re: VPN client and Cisco ACS

Update - this is fixed by upgrading IOS on the router from 12.3 to 12.4.

The particular image I was running has been deferred, but there is no mention of this particular bug in the deferral notice, and I found the same problem in other versions of 12.3.

Anyway - Tacacs authentication working fine in 12.4.
