TACACS Configs on a VPN Router

wongn
Level 1

I'm trying to configure TACACS on a router which already has configured.

VPN is working and internal clients can browse the internet.

I've added the TACACS commands, but I cannot get the TACACS server to authenticate properly. This is what I'm receiving from 'debug aaa authentication':

18w1d: AAA: parse name=FastEthernet0/1 idb type=-1 tty=-1
18w1d: AAA: name=FastEthernet0/1 flags=0x15 type=6 shelf=0 slot=0 adapter=0 port=1 channel=0
18w1d: AAA: parse name=<no string> idb type=-1 tty=-1
18w1d: AAA/MEMORY: create_user (0x81AE9B68) user='' ruser='' port='FastEthernet0/1' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=0
18w1d: AAA/AUTHEN/START (365031532): port='FastEthernet0/1' list='default' action=LOGIN service=LOGIN
18w1d: AAA/AUTHEN/START (365031532): found list default
18w1d: AAA/AUTHEN/START (365031532): Method=LOCAL
18w1d: AAA/AUTHEN (365031532): status = GETUSER
18w1d: AAA/AUTHEN/CONT (365031532): continue_login (user='(undef)')
18w1d: AAA/AUTHEN (365031532): status = GETUSER
18w1d: AAA/AUTHEN/CONT (365031532): Method=LOCAL
18w1d: AAA/AUTHEN (365031532): User not found, emulating local-override
18w1d: AAA/AUTHEN (365031532): status = ERROR
18w1d: AAA/AUTHEN/START (1108177767): port='FastEthernet0/1' list='' action=LOGIN service=LOGIN
18w1d: AAA/AUTHEN/START (1108177767): Restart
18w1d: AAA/AUTHEN/START (1108177767): Method=RTP (tacacs+)
18w1d: TAC+: send AUTHEN/START packet ver=192 id=1108177767
18w1d: AAA/AUTHEN (1108177767): status = ERROR
18w1d: AAA/AUTHEN/START (1108177767): Method=NONE
18w1d: AAA/AUTHEN (1108177767): status = PASS
18w1d: AAA/MEMORY: free_user (0x81AE9B68) user='john' ruser='' port='FastEthernet0/1' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=0


yusuff
Cisco Employee

From the debugs above it looks like when you try to access the router, the default method used is LOCAL and since the user is not found in local router database, it then uses the next method which is TACACS+.

Furthermore, when using the TACACS+ method the status return code is ERROR, which indicates that the TACACS+ server was not reachable. Check if you can ping the TACACS+ server from the router; if that is fine, increase the TACACS+ timeout using the following command:

tacacs-server timeout 10 (default is 5 seconds)

Maybe there is some latency issue between the router and your server.

If that doesn't help, check the logs on the TACACS+ server and see if the requests are ever making it to it; maybe you will get some indication of what the problem is. Are you sourcing tacacs-server on the router from some interface? If yes, make sure the NAS entry on the server is the same as the source interface on the router.

HTH

R/Yusuf
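The debug output in the question shows something worth catching on any router, beyond the reachability problem discussed above: after TACACS+ returns ERROR, the method list falls through to Method=NONE and the login gets status = PASS, so user 'john' was let in without any credential check. The following script is an added example (not from either poster and not Cisco's code) that parses 'debug aaa authentication' lines, reconstructs the method chain per authentication session ID, and flags any session where an ERROR from the previous method was followed by NONE/PASS. The sample lines are copied from the question; the regular expressions are my own and assume the line formats shown there.

```python
import re

# Sample input, copied from the 'debug aaa authentication' output in the question.
SAMPLE_DEBUG = """\
18w1d: AAA/AUTHEN/START (365031532): port='FastEthernet0/1' list='default' action=LOGIN service=LOGIN
18w1d: AAA/AUTHEN/START (365031532): found list default
18w1d: AAA/AUTHEN/START (365031532): Method=LOCAL
18w1d: AAA/AUTHEN (365031532): status = GETUSER
18w1d: AAA/AUTHEN/CONT (365031532): continue_login (user='(undef)')
18w1d: AAA/AUTHEN (365031532): status = GETUSER
18w1d: AAA/AUTHEN/CONT (365031532): Method=LOCAL
18w1d: AAA/AUTHEN (365031532): User not found, emulating local-override
18w1d: AAA/AUTHEN (365031532): status = ERROR
18w1d: AAA/AUTHEN/START (1108177767): port='FastEthernet0/1' list='' action=LOGIN service=LOGIN
18w1d: AAA/AUTHEN/START (1108177767): Restart
18w1d: AAA/AUTHEN/START (1108177767): Method=RTP (tacacs+)
18w1d: TAC+: send AUTHEN/START packet ver=192 id=1108177767
18w1d: AAA/AUTHEN (1108177767): status = ERROR
18w1d: AAA/AUTHEN/START (1108177767): Method=NONE
18w1d: AAA/AUTHEN (1108177767): status = PASS
18w1d: AAA/MEMORY: free_user (0x81AE9B68) user='john' ruser='' port='FastEthernet0/1' rem_addr='x.x.x.x' authen_type=ASCII service=LOGIN priv=0
"""

# Assumed line shapes, taken from the sample above (not an official IOS grammar).
METHOD_RE = re.compile(r"AAA/AUTHEN/(?:START|CONT) \((\d+)\): Method=(.*)$")
STATUS_RE = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")


def parse_method_chain(debug_text):
    """Return {session_id: [(method, last_status), ...]} in the order seen.

    A new step starts at each Method= line (a repeated Method= for the same
    session, as in the CONT line, continues the current step). Every
    'status = X' line that follows overwrites the status of the current step,
    so the tuple ends up holding the method's final verdict.
    """
    chains = {}
    for line in debug_text.splitlines():
        m = METHOD_RE.search(line)
        if m:
            sid, method = m.group(1), m.group(2).strip()
            steps = chains.setdefault(sid, [])
            if not steps or steps[-1][0] != method:
                steps.append([method, None])
            continue
        s = STATUS_RE.search(line)
        if s:
            sid, status = s.groups()
            if chains.get(sid):
                chains[sid][-1][1] = status
    return {sid: [tuple(step) for step in steps] for sid, steps in chains.items()}


def find_fail_open(chains):
    """Flag sessions where a method returned ERROR and the list then fell
    through to Method=NONE with PASS: the login succeeded without any
    credential check. Returns [(session_id, method_that_errored), ...]."""
    findings = []
    for sid, steps in chains.items():
        for (prev_method, prev_status), (method, status) in zip(steps, steps[1:]):
            if prev_status == "ERROR" and method == "NONE" and status == "PASS":
                findings.append((sid, prev_method))
    return findings


if __name__ == "__main__":
    chains = parse_method_chain(SAMPLE_DEBUG)
    for sid, steps in chains.items():
        print(sid, " -> ".join(f"{m}:{st}" for m, st in steps))
    for sid, method in find_fail_open(chains):
        print(f"WARNING: session {sid}: {method} errored, login passed via NONE")
```

Run against the sample it reports session 1108177767 as a fail-open through NONE after the TACACS+ error. The operational takeaway for a defender is that, while the reachability or timeout issue is being fixed, a method list that ends in 'none' lets every login through whenever the TACACS+ server is unreachable; whether that trailing fallback should exist at all is a separate decision from fixing the server connectivity.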