CSS sees TACACS server status Dead

axa-wongjeff
Level 1

Configured CSS for TACACS authentication.

- CSS able to ping ACS server.

- ACS server able to ping CSS.

Product Name: CSS11503-AC E0 SW Version: 7.20 Build 104

CSS11503# show tac

IP/Port            State   Primary   Authen.   Author.   Account
-------            -----   -------   -------   -------   -------
10.67.153.54:49    Dead    Yes       0         0         0
10.67.153.55:49    Dead    No        0         0         0
Totals:                              0         0         0

Global Timeout: 5

Global KAL Frequency: 5

Global Key: Configured

Authorize Config Commands: Yes

Authorize Non-Config Commands: Yes

Account Config Commands: Yes

Account Non-Config Commands: Yes

Set the keepalive frequency to 0, changed it to use only one of the servers, and also redid the ACS configuration. Still no improvement.

Thanks for any help.


sachinga.hcl
Level 4

Hi Jeffrey Wong,

Generally, when TACACS+ authentication does not work with a CSS, the problem is usually a configuration issue on either the CSS or the TACACS+ server. The first thing that you need to check is whether you have configured the CSS as a client of the TACACS+ server.

When you have checked this, there is additional logging that you can use on the CSS in order to determine the problem. Complete these steps to turn on logging.

On the CSS, enter debug mode.

CSS# llama

CSS(debug)# mask tac 0x3

CSS(debug)# exit

CSS# configure

CSS(config)# logging subsystem security level debug-7

CSS(config)# logging subsystem netman level info-6

CSS(config)# exit

CSS# logon

!--- This logs messages to the screen.

In order to disable logging, issue these commands:

CSS# llama

CSS(debug)# mask tac 0x0

CSS(debug)# exit

CSS# no logon

These messages can appear:

SEP 10 08:30:10 5/1 99 SECURITY-7: SECMGR:SecurityAuth:Request from 0x20204b0c

SEP 10 08:30:10 5/1 100 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary

SEP 10 08:30:10 5/1 101 SECURITY-7: Security Manager sending error 7 reply to caller 20201c00

These messages indicate that the CSS tries to communicate with the TACACS+ server, but the TACACS+ server rejects the CSS. Error 7 means that the TACACS+ key entered on the CSS does not match the key on the TACACS+ server.

A successful login through a TACACS+ server shows this message (note the sending success 0 reply):

SEP 10 08:31:46 5/1 107 SECURITY-7: SECMGR:SecurityAuth:Request from 0x20204b0d

SEP 10 08:31:46 5/1 108 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary

SEP 10 08:31:47 5/1 109 SECURITY-7: Security Manager sending success 0 reply to caller 20201c00

SEP 10 08:31:47 5/1 110 SECURITY-7: SECMGR:SecurityMgrProc:Try Done, Send 0x20204b0d

Common Mistakes

The most common mistake when you set up a CSS to work with a TACACS+ server is actually very simple. This command tells the CSS what key to use to communicate with the TACACS+ server:

CSS(config)# tacacs-server key system enterkeyhere

This key can be either clear text or DES encrypted. The clear text key is DES encrypted before the key is placed in the running configuration. To make a key clear text, put it in quotes. To make it DES encrypted, do not use quotes. The important thing is to know if the TACACS+ key is DES encrypted or if the key is clear text. After you issue the command, match the key of the CSS to the key that the TACACS+ server uses.

Regards,

Sachin
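Why a shared-key mismatch shows up as a rejection (error 7) rather than a timeout: the TACACS+ packet body is XORed with an MD5 keystream derived from the session ID, the shared key, the version byte and the sequence number (RFC 8907), so a server holding a different key decodes garbage and cannot parse the request at all. The following Python is an added example written for this thread, not CSS or ACS code. The packet layout and pseudo-pad follow RFC 8907; the session ID, username, port string and the key "duh" (the value tried later in the thread) are constructed inputs.

```python
"""Minimal TACACS+ (RFC 8907) packet builder/parser: enough to show why a
shared-key mismatch makes the server reject the CSS instead of timing out.
Added example for this thread, not CSS or ACS code."""
import hashlib
import struct

# Header and field constants from RFC 8907.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01                 # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # header flag: body sent in clear
TAC_PLUS_AUTHEN_LOGIN = 0x01           # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01      # START authen_type
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01       # START authen_service
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01     # REPLY status values
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02
TAC_PLUS_AUTHEN_STATUS_GETPASS = 0x05

HEADER = struct.Struct("!BBBBII")      # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1); concatenated, truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key):
    version = (TAC_PLUS_MAJOR_VER << 4) | 0          # major 0xC, minor 0 -> 0xC0
    hdr = HEADER.pack(version, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, version, seq_no)


def build_authen_start(session_id, key, user, port=b"console", rem_addr=b"", data=b""):
    """Client -> server authentication START (seq_no 1) for an ASCII login."""
    body = bytes([TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                  TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr),
                  len(data)]) + user + port + rem_addr + data
    return build_packet(TAC_PLUS_AUTHEN, 1, session_id, body, key)


def build_authen_reply(session_id, key, status, server_msg=b"", data=b"", seq_no=2):
    """Server -> client authentication REPLY."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data
    return build_packet(TAC_PLUS_AUTHEN, seq_no, session_id, body, key)


def open_packet(packet, key):
    """Split header from body and deobfuscate the body with the given key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return (version, ptype, seq_no, flags, session_id), body


def parse_authen_start(packet, key):
    """Server-side parse of a START. Returns a dict, or None when the decoded body
    is not a plausible START, which is exactly what a wrong shared key produces."""
    _, body = open_packet(packet, key)
    if len(body) < 8:
        return None
    action, priv, atype, svc, ul, pl, rl, dl = body[:8]
    if action != TAC_PLUS_AUTHEN_LOGIN or atype not in (1, 2, 3, 4, 5, 6) or svc > 9:
        return None
    if 8 + ul + pl + rl + dl != len(body):          # length fields must tile the body
        return None
    user = body[8:8 + ul]
    if any(c < 0x20 or c >= 0x7F for c in user):      # ASCII login names are printable
        return None
    return {"priv_lvl": priv, "user": user, "port": body[8 + ul:8 + ul + pl],
            "rem_addr": body[8 + ul + pl:8 + ul + pl + rl]}


def parse_authen_reply(packet, key):
    """Client-side parse of a REPLY: (status, server_msg) or None if it does not decode."""
    _, body = open_packet(packet, key)
    if len(body) < 6:
        return None
    status, _flags, ml, dl = struct.unpack("!BBHH", body[:6])
    if 6 + ml + dl != len(body):
        return None
    return status, body[6:6 + ml]


def demo():
    """Same START decoded with the right key and with a key that differs only in case."""
    session = 0x20204B0C                               # constructed session id
    start = build_authen_start(session, b"duh", b"admin")
    good = parse_authen_start(start, b"duh")
    bad = parse_authen_start(start, b"DUH")            # server with the wrong key
    reply = build_authen_reply(session, b"duh", TAC_PLUS_AUTHEN_STATUS_GETPASS, b"Password: ")
    return good, bad, parse_authen_reply(reply, b"duh")


if __name__ == "__main__":
    good, bad, reply = demo()
    print("correct key ->", good)
    print("wrong key   ->", bad)
    print("server reply->", reply)
```

The point to take from running it: with the right key both sides parse each other's bodies; with a key that is wrong even by case, the server gets a body whose length fields do not add up and drops or rejects it. That is a deterministic, immediate rejection, which is why the CSS reports error 7 quickly rather than waiting out its 5-second timeout, and why a "Dead" server that answers pings is consistent with a key problem rather than a reachability problem. A third thing worth noting is that the header (including the session ID) is never obfuscated, so a mismatch cannot be detected before the body is decoded.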

I enabled the debug logging as indicated in the response.

========================================

Received the following when attempting to use TACACS username and password:

APR 16 00:59:55 1/1 1810 SECURITY-7: SECMGR:SecurityAuth:Request from 0x00004b13

APR 16 00:59:55 1/1 1811 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary

APR 16 00:59:55 1/1 1812 SECURITY-7: Security Manager sending error 7 reply to caller 1c01

APR 16 00:59:55 1/1 1813 SECURITY-7: SECMGR:SecurityMgrProc:Try Secondary

APR 16 00:59:55 1/1 1814 SECURITY-7: Security Manager sending error 7 reply to caller 1c01

APR 16 00:59:55 1/1 1815 SECURITY-7: SECMGR:SecurityMgrProc:Try Tertiary

APR 16 00:59:55 1/1 1816 SECURITY-7: Security Manager sending success 0 reply to caller 1c01

APR 16 00:59:55 1/1 1817 SECURITY-7: SECMGR:SecurityMgrProc:Try Done, Send 0x00004b13

========================================

My log messages are similar to your example. Therefore, I changed my TACACS key to a simple word (ex: duh). I used both quoted ("duh") and then unquoted (duh).

Both times, TACACS authentication did not work.

Anything else to check?

sachinga.hcl
Level 4

Hi Dear,

Lists the external user databases that CiscoSecure ACS uses to authenticate an unknown user (if the Check the following external user databases option is selected). CiscoSecure ACS attempts authentication using the selected databases one at a time in the order specified.

Users whose accounts were created in the CiscoSecure ACS database when CiscoSecure ACS successfully authenticated them using the Unknown User Policy. When CiscoSecure ACS creates a discovered user, the user account contains only the username, a Password Authentication list setting that reflects the external user database that authenticated the user, and a "Group to which the user is assigned" list setting of Mapped By External Authenticator, which enables group mapping. Using the CiscoSecure ACS HTML interface, you can further configure the user account as needed. For example, after a discovered user is created in CiscoSecure ACS, you can assign user-specific network access restrictions to the discovered user.

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080204cf8.html

Hi Dear,

In version 5.03 and later, you can configure the CSS to use TACACS+ for user authentication. In order to configure the CSS for TACACS+ authentication, refer to the Release Notes for the CSS 11000 Series.

http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_release_notes_list.html

In order to view the debugs that are associated with TACACS+ logins, issue these commands:

logging subsystem security level debug-7

logging subsystem netman level debug-7

This is an example of a failed authentication because of an incorrect user name or password:

JUL 23 01:54:41 7/1 109 SECURITY-7: SECMGR:SecurityAuth:Request from 0x30204b0a

JUL 23 01:54:41 7/1 110 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary

JUL 23 01:54:41 7/1 111 NETMAN-7: TACACS:tac_Authen:Final

JUL 23 01:54:41 7/1 112 NETMAN-7: TACACS:TACACS_AuthAgent:Rqst Rsp

JUL 23 01:54:41 7/1 113 SECURITY-7: Security Manager sending success 0 reply to caller 30201c00

JUL 23 01:54:41 7/1 114 SECURITY-7: SECMGR:SecurityMgrProc:Try Secondary

JUL 23 01:54:41 7/1 115 SECURITY-7: Security Manager sending error 7 reply to caller 30201c00

JUL 23 01:54:41 7/1 116 SECURITY-7: SECMGR:SecurityMgrProc:Try Tertiary

JUL 23 01:54:41 7/1 117 SECURITY-7: Security Manager sending error 7 reply to caller 30201c00

JUL 23 01:54:41 7/1 118 SECURITY-7: SECMGR:SecurityMgrProc:Try Done, Send 0x30204b0a


These are resolved caveats regarding TACACS+

Resolved Caveats in Software Version 6.10.4.05

The following resolved caveats apply to software version 6.10.4.05:

CSCee24309 - The CSS was not properly authorizing all commands through the TACACS+ server.

CSCee80408 - Using the tacacs-server authorize config or the no tacacs-server authorize config commands cause a memory leak.

Software Behavioral Changes in 6.10.2.03

The show tacacs-server display has the following new Per-Server Configuration fields:

-Key - Shared secret used by the TACACS+ server

-Server Timeout - The amount of time the CSS waits for a response from the server.

-Server Frequency - The keepalive frequency for the specified TACACS+ server.

The show tacacs-server screen display also has a new Global Configuration field: Global KAL Frequency. This field defines the global keepalive frequency in seconds.

•All global tacacs-server parameters (frequency, key, and timeout) take effect immediately when configured. You no longer need to remove and re-add servers for these parameters to take effect. Also, you may configure these parameters in any order.

Resolved Caveats in Software Version 6.10.2.03

CSCec83790 - If the TACACS server is in a DYING state, new authentication requests fail.

tacacs-server send-full-command

no tacacs-server send-full-command

The send-full-command option expands user-executed abbreviated commands to their full command syntax before the CSS sends them to the TACACS+ server.

Use the no form of the command to reset the default CSS behavior of sending user-executed commands exactly as entered to the TACACS+ server without expanding abbreviated commands.

CSCeb20895 - TACACS+ accounting records sent by the CSS have an incorrect Attribute Value (AV) pair. The record contains task= instead of task_id=.

Global

tacacs-server ip_address port {timeout ["cleartext_key"|des_key]} {primary} {frequency number}

The frequency number option for the tacacs-server command allows you to set the keepalive frequency for the specified TACACS+ server. The default number variable is 5 seconds. The range for the variable is 0 to 255. A setting of 0 disables keepalives. Defining this option overrides the global tacacs-server frequency command.

To apply any TACACS+ global attribute, such as the keepalive frequency, to a TACACS+ server, you must configure the global attribute before you configure the server.

tacacs-server frequency number

no tacacs-server frequency number

The frequency number option for the tacacs-server command allows you to set the global keepalive frequency for all TACACS+ servers. The default number variable is 5 seconds. The range for the variable is 0 to 255. A setting of 0 disables keepalives. The no form of the command resets the global keepalive frequency to 5 seconds.

When you configure the keepalive frequency for a TACACS+ server, the server keepalive frequency overrides the global keepalive frequency.

To apply a global attribute to a configured CSS TACACS+ server and have it take effect immediately, you must remove the server and then reconfigure it.

CSCea10851 - The CSS primary authentication method should be consistent with Cisco IOS. If the primary authentication method is TACACS/RADIUS and the server rejects the login, the secondary/tertiary method is not tried. If the server is not responding, the secondary/tertiary method is tried. If the primary authentication method is LOCAL, the secondary/tertiary method is tried only if the username is not in the local database.

Can you please tell me which version of CSS you are using?

If this also does not solve your problem, please revert back without any hesitation. I will try my level best to troubleshoot for you.

Kind regards.
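The SECURITY-7 trace is easy to misread when several logins are interleaved, and the fallback rule described under CSCea10851 (a server rejection does not fall through, a non-responding server does) only becomes visible once the attempts are grouped by request ID. The Python below groups the debug lines by request, records which method (Primary, Secondary, Tertiary) returned which result, and summarizes each attempt. It is an added example written for this thread, not a Cisco tool. The sample log embedded in it is copied from lines posted earlier in this thread (the SEP 10 mismatch example and the APR 16 output), and the reading of error 7 as a shared-key mismatch comes from the reply above; any other error code is reported as undocumented rather than guessed.

```python
"""Group CSS SECURITY-7 debug output into login attempts and summarize each one.
Added example for this thread, not Cisco code."""
import re

# Constructed sample: lines copied from the thread above so the script runs offline.
SAMPLE_LOG = """\
SEP 10 08:30:10 5/1 99 SECURITY-7: SECMGR:SecurityAuth:Request from 0x20204b0c
SEP 10 08:30:10 5/1 100 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary
SEP 10 08:30:10 5/1 101 SECURITY-7: Security Manager sending error 7 reply to caller 20201c00
APR 16 00:59:55 1/1 1810 SECURITY-7: SECMGR:SecurityAuth:Request from 0x00004b13
APR 16 00:59:55 1/1 1811 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary
APR 16 00:59:55 1/1 1812 SECURITY-7: Security Manager sending error 7 reply to caller 1c01
APR 16 00:59:55 1/1 1813 SECURITY-7: SECMGR:SecurityMgrProc:Try Secondary
APR 16 00:59:55 1/1 1814 SECURITY-7: Security Manager sending error 7 reply to caller 1c01
APR 16 00:59:55 1/1 1815 SECURITY-7: SECMGR:SecurityMgrProc:Try Tertiary
APR 16 00:59:55 1/1 1816 SECURITY-7: Security Manager sending success 0 reply to caller 1c01
APR 16 00:59:55 1/1 1817 SECURITY-7: SECMGR:SecurityMgrProc:Try Done, Send 0x00004b13
"""

# "MON DD HH:MM:SS slot seq SUBSYS-LEVEL: message" as printed by "logon" on the CSS.
LINE_RE = re.compile(r"^(?P<ts>[A-Z]{3} +\d+ \d\d:\d\d:\d\d) (?P<slot>\S+) (?P<seq>\d+) "
                     r"(?P<subsys>[A-Z]+)-(?P<level>\d): (?P<msg>.*)$")
REQUEST_RE = re.compile(r"SECMGR:SecurityAuth:Request from (?P<id>0x[0-9a-fA-F]+)")
TRY_RE = re.compile(r"SECMGR:SecurityMgrProc:Try (?P<tier>Primary|Secondary|Tertiary)")
RESULT_RE = re.compile(r"Security Manager sending (?P<kind>error|success) (?P<code>\d+) "
                       r"reply to caller (?P<caller>[0-9a-fA-F]+)")
DONE_RE = re.compile(r"SECMGR:SecurityMgrProc:Try Done, Send (?P<id>0x[0-9a-fA-F]+)")

# Only the meaning the thread itself documents; anything else is reported as unknown.
ERROR_MEANING = {7: "error 7: TACACS+ key on the CSS does not match the key on the server"}


def parse_attempts(text):
    """Return one dict per SecurityAuth request: id, timestamp and an ordered list of
    (tier, outcome) where outcome is 'success', 'error N', or None if no reply was logged."""
    attempts, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["subsys"] != "SECURITY":
            continue                                  # NETMAN and other subsystems ignored
        msg = m["msg"]
        r = REQUEST_RE.search(msg)
        if r:                                         # a new request closes the previous one
            current = {"id": r["id"], "ts": m["ts"], "tiers": []}
            attempts.append(current)
            continue
        if current is None:
            continue
        t = TRY_RE.search(msg)
        if t:
            current["tiers"].append([t["tier"], None])
            continue
        res = RESULT_RE.search(msg)
        if res and current["tiers"] and current["tiers"][-1][1] is None:
            current["tiers"][-1][1] = "success" if res["kind"] == "success" else f"error {res['code']}"
            continue
        if DONE_RE.search(msg):
            current = None
    for a in attempts:
        a["tiers"] = [tuple(t) for t in a["tiers"]]
    return attempts


def diagnose(attempt):
    """One-line reading of an attempt: who answered, and what the error codes mean."""
    tiers = attempt["tiers"]
    if not tiers:
        return "no authentication method was tried"
    errors = [(tier, out) for tier, out in tiers if out and out.startswith("error")]
    winner = next((tier for tier, out in tiers if out == "success"), None)
    if winner is None:
        notes = ["every method tried failed: " + ", ".join(f"{t} {o}" for t, o in errors)]
    elif errors:
        notes = [f"authenticated only by the {winner} method after "
                 + ", ".join(f"{t} returned {o}" for t, o in errors)]
    else:
        notes = [f"authenticated by the {winner} method"]
    for code in sorted({int(o.split()[1]) for _, o in errors}):
        notes.append(ERROR_MEANING.get(code, f"error {code}: meaning not documented in this thread"))
    return "; ".join(notes)


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(f"{a['ts']} request {a['id']}: {diagnose(a)}")
```

Run against the APR 16 lines it reports that the login was accepted only by the Tertiary method after both TACACS+ servers returned error 7, which is the signature of a key mismatch on every server rather than an unreachable server: a server that did not answer would show up as a timeout after the configured 5 seconds, not an immediate error on both tiers within the same second.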
