Authentication via TACACS issue

CiscoPurpleBelt
Level 6

I re-IPed sub-interface g0/0.1 from, let's say, 192.168.0.1 to 10.10.10.1. Now the device no longer authenticates to TACACS, and it did with no issues before. The server IS STILL pingable. Any help? See applicable configs below.

aaa new-model
aaa authentication login default group tacacs+ local line enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

ip tacacs source-interface g0/2
tacacs-server host 192.168.0.50
tacacs-server key 7 XXXXXXXXX

17 Replies

Reza Sharifi
Hall of Fame

ip tacacs source-interface g0/2

Is the source still g0/2?

HTH

Yes it is.

If the configured source interface for TACACS is g0/2 then when you ping the server to test reachability are you specifying the source address of the ping as g0/2?

HTH

Rick

Richard Burts
Hall of Fame

I have two questions:

1) what are 192.168.0.1 and 10.10.10.1?

2) the original poster says " Now device no longer authenticates to TACACs and it did with no issues before" so what changed?

HTH

Rick

Hi, sorry. I re-IPed sub-interface g0/0.1 on the router from 192.168.0.1 to 10.10.10.1, and now the router no longer authenticates to TACACS.

Post the full config. Is the tacacs server reachable from 10.10.10.1 ?

I am sorry, I can post the full config, but I have some pertinent configs below. Yes, the TACACS server is reachable.

aaa new-model
aaa authentication login default group tacacs+ local line enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

ip tacacs source-interface g0/2
tacacs-server host 192.168.0.50
tacacs-server key 7 XXXXXXXXX

If you changed an interface address but it was not the interface used as the source for communication with the TACACS server, and if the TACACS server is pingable using G0/2 as the source then I am puzzled at why it does not work. I suggest turning on debug for aaa authentication and debug for tacacs, attempt to authenticate and post the debug output. It might also be helpful if you post the output of show tacacs.

HTH

Rick

heath762
Level 1

Does the tacacs server have an "allowed" list for devices trying to reach the TACACS service?

Whether the tacacs server has an allowed list is a reasonable question, and I look forward to the response from the original poster. Given what is reported so far

- the device was successful in authenticating with tacacs

- an interface IP was changed

- the interface that changed is not the interface configured as the source for tacacs

it seems reasonable to assume that the response from the original poster will be that an allowed list is not the problem here.

HTH

Rick

Sorry, I glanced at this question and missed that the source interface (gi0/2) line was different from the interface that changed (gi0/0.1).

What is the config of gi0/2? Does it have an IP address? Is it in the up/up state?

"The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS+ reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state."


It is curious that the subinterface that was changed appears to be in the same class C as the tacacs server.

It would be useful to see the failure logs of the tacacs server to see what address it is trying to use, and the failure code.

I had missed the relationship that the "old" interface address was in the same subnet as the tacacs server. Originally the server would have been seen as a locally connected device and now it is a remote resource. At first I thought this might explain the problem. But with the tacacs source interface configured the tacacs request would still have the same source address. And the original poster tells us that the tacacs server is still pingable. So the change from locally connected to remotely connected does not seem to be directly the cause of the problem. Though it does raise the possibility that something on the routed path to the tacacs server has some policy that is allowing ping to the server but not allowing tacacs requests to go through.

 

I agree that we need a better understanding of what is going on with the tacacs server. What does the router report about the state of tacacs? And what do the logs on the server say about attempts from this router?

HTH

Rick
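The reply above raises the possibility that something on the routed path passes ICMP to the server but not the TACACS+ session itself, and an earlier reply asks whether the reachability test uses the same source address as "ip tacacs source-interface g0/2". The following is an added example, not code from the original post, from Cisco, or from any TACACS+ server product: a small Python probe that opens TCP/49 from a chosen source address, sends a real RFC 8907 authentication START (including the MD5 pseudo-pad body obfuscation), and classifies what comes back. SERVER, SOURCE_IP and KEY are placeholders; the heuristic that an undecodable REPLY or an abruptly closed connection points at a key mismatch is an assumption based on common server behaviour, not something the thread confirms.

```python
"""TACACS+ (RFC 8907) reachability probe.

Added example for this thread; it is not code from the original post,
from Cisco, or from any TACACS+ server product. It sends an
authentication START on TCP/49 from a chosen source address so that
"ICMP works but TACACS+ does not" can be demonstrated directly.
SERVER, SOURCE_IP and KEY are placeholders to replace.
"""
import hashlib
import os
import socket
import struct

SERVER = "192.168.0.50"      # the tacacs-server host from the thread
SOURCE_IP = "198.51.100.2"   # placeholder: the address of g0/2 (ip tacacs source-interface)
KEY = b"XXXXXXXXX"           # placeholder: the shared tacacs-server key

TAC_PLUS_VERSION = 0xC0      # major version 0xc, minor 0 (ASCII login)
TYPE_AUTHEN = 0x01
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: pad = MD5_1 MD5_2 ... where
    MD5_n = MD5(session_id + key + version + seq_no + MD5_{n-1})."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pack_header(version, ptype, seq_no, flags, session_id, length):
    return struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, length)


def unpack_header(raw):
    fields = struct.unpack("!BBBBII", raw)
    return dict(zip(("version", "type", "seq_no", "flags", "session_id", "length"), fields))


def build_authen_start(session_id, key, user, port="tty0", rem_addr="probe"):
    """Authentication START (action LOGIN, priv_lvl 1, ASCII, service LOGIN), seq_no 1."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(u), len(p), len(r), 0) + u + p + r
    header = pack_header(TAC_PLUS_VERSION, TYPE_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, 1)


def parse_authen_reply(body):
    """Return (status, server_msg), or None when the body does not decode as a REPLY.
    With the wrong key the de-obfuscated body is effectively random, so the
    length fields and the status byte will not be self-consistent."""
    if len(body) < 6:
        return None
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in REPLY_STATUS or 6 + msg_len + data_len != len(body):
        return None
    return REPLY_STATUS[status], body[6:6 + msg_len].decode("ascii", "replace")


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection (assumed: common on a key mismatch)")
        buf += chunk
    return buf


def probe(server=SERVER, key=KEY, source_ip=SOURCE_IP, user="probe", timeout=3.0):
    """Open TCP/49 from source_ip, send a START and classify the outcome."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.bind((source_ip, 0))           # mirror "ip tacacs source-interface"
        sock.connect((server, 49))
        sock.sendall(build_authen_start(session_id, key, user))
        hdr = unpack_header(recv_exact(sock, 12))
        body = obfuscate(recv_exact(sock, hdr["length"]), session_id, key,
                         hdr["version"], hdr["seq_no"])
    except OSError as exc:                  # timeout, refused, reset, closed
        return {"tcp49": False, "detail": str(exc)}
    finally:
        sock.close()
    parsed = parse_authen_reply(body)
    if parsed is None:
        return {"tcp49": True, "status": None, "detail": "undecodable REPLY; check the shared key"}
    return {"tcp49": True, "status": parsed[0], "detail": parsed[1]}


if __name__ == "__main__":
    print(probe())
```

The bind only works for an address that is local to the machine running the script, so run it from a host behind g0/2 (or with that address temporarily assigned) to reproduce the path the router's requests take. A ping that succeeds while probe() returns tcp49 False is the "ICMP allowed, TACACS+ filtered" symptom; a GETUSER or GETPASS status means the server is reachable and the key is accepted, and the problem is elsewhere.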


Having a little difficulty getting some good info, but..
The page for Monitoring and Reports won't even launch from the TACACS GUI.
I do "show tacacs" and see 14 failed connection attempts.
I do debug tacacs and debug aaa authentication and don't see any messages when I try and authenticate.
I am not sure of the group pw now to do the test aaa commands.
I do traceroute to the tacacs server which is on the 192. network and it fails after the first hop which is the connecting router.
Anything else you think I can try for now?

Thanks for the additional information. The number of failed connection attempts does seem to indicate that we are having problems communicating with the server. I am quite puzzled why traceroute would fail after the first hop if ping succeeds.

 

You say that the device at the first hop is the connecting router. Does that router also authenticate using tacacs? Does it use the same address for tacacs as the router in question here? If you traceroute from the connecting router to the tacacs server what results do you get?

HTH

Rick