ACS config

I have a pair of ACS Servers setup. I can setup my 3750's to authenticate to the servers, however I can't get my 6500's to. This is the output from my debugs.

001589: Sep 14 15:16:54: TAC+: Using default tacacs server-group "tacacs+" list.

001590: Sep 14 15:16:54: TAC+: Opening TCP/IP to 10.36.11.30/49 timeout=5

001591: Sep 14 15:16:54: TAC+: Opened TCP/IP handle 0x4525CEF8 to 10.36.11.30/49

001592: Sep 14 15:16:54: TAC+: 10.36.11.30 (1985811061) AUTHEN/START/LOGIN/ASCII queued

001593: Sep 14 15:16:54: TAC+: (1985811061) AUTHEN/START/LOGIN/ASCII processed

001594: Sep 14 15:16:54: TAC+: received bad AUTHEN packet: type = 0, expected 1

001595: Sep 14 15:16:54: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys)

I have checked the config several times. I believe it is correct. Any idea? HELP!

18 REPLIES
New Member

Re: ACS config

I can send you configs I use that work. Do you need the Router IOS side or the Switch SET cmds side? jay.rusek@ps.net

New Member

Re: ACS config

Jay,

We need Router IOS.

Thanks very much!

Pete

Hall of Fame Super Gold

Re: ACS config

Looking at the last error message I get the feeling that you need to check carefully to verify that you have configured the same key on both devices.

001595: Sep 14 15:16:54: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys)

I have received this error message before and it was in fact an issue with mismatched keys.

HTH

Rick

New Member

Re: ACS config

Rick,

I did check the keys and I reset them. I know they match. I do have 3750's running with the same setup, and they work.

Pete

Hall of Fame Super Gold

Re: ACS config

Pete

If you are sure that the key on the 6500 is the same as the key defined on the tacacs server for that device then we will look for other explanations.

Do the logs on 10.36.11.30 show the incoming request and how the server responded?

HTH

Rick

New Member

Re: ACS config

I have exactly the same problem with two 6509s with IOS 12.2(17d)SXB10. Were you able to resolve this?

Hall of Fame Super Gold

Re: ACS config

If you have the same problem, then I would ask you most of the same questions.

- would you verify that the key value used on the 6500 is exactly the same as the key value used in the authentication server?

- are there log messages on the authentication server? Does the server see the authentication request? and if it does see the request, how does the authentication server think that it responded?

HTH

Rick

New Member

Re: ACS config

All,

The problem was resolved by adding this command

"ip tacacs source-interface Loopback0"

Since I have many segments on the 6500 I had to specify the Loopback as the interface to use.

Sorry I didn't post this sooner.

Pete

Hall of Fame Super Gold

Re: ACS config

Pete

Thanks for posting back to the forum. I am glad to know that we were able to help. It is useful to know that an issue was resolved and what was done to solve the problem.

I believe that this is a fairly common potential problem when a router has more than one interface that could send the request to TACACS. Unless you do specify the source interface the router will default to using the IP of the outbound interface as the source address in the TACACS request. Since ACS/TACACS can specify only a single address for a requestor the router needs to use the same source address for every request. You found the optimum solution for this situation.

People reading this forum should pay attention to this potential problem and how to resolve it as Pete has discovered.

HTH

Rick

New Member

Re: ACS config

I substituted vlan1 in the command since there's no loopback0, and it does not work. Any clues? Here is my complete tacacs config. Can you please post your tacacs config?

aaa authentication login default group tacacs+ line enable none

aaa authentication login no_tacacs line none

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

ip tacacs source-interface Vlan1

tacacs-server host 10.177.x.x

tacacs-server timeout 20

tacacs-server directed-request

tacacs-server key 7 xxxxx

appreciate your help.

Hall of Fame Super Gold

Re: ACS config

I have looked at the part of the config that you posted and I do not see any obvious errors. I do notice the line that specifies:

aaa authentication login no_tacacs line none

and I wonder how you have applied the no_tacacs method of authentication.

I would suggest several things you can do to help troubleshoot this problem.

- you have specified that the switch MSFC use the IP address of VLAN 1 as the source address of its TACACS packets. Can you verify that the TACACS server is configured to process this device at that address?

- can you verify that the key defined on the switch MSFC matches the key defined on the TACACS server?

- can you verify IP connectivity between the switch MSFC and the TACACS server by doing an extended ping on the MSFC? In the extended ping specify the TACACS server as the destination and specify VLAN 1 as the source address.

- can you look in the logs on the TACACS server and verify whether the server sees the authentication request? And if it sees the authentication request how does it think that it responded? (This is perhaps the most crucial part of the troubleshooting procedure that I am suggesting).

If you can do these things we may be much closer to being able to identify the source of your problem.

HTH

Rick

New Member

Re: ACS config

to quote you: "Can you verify that the TACACS server is configured to process this device at that address?"

- How do I do that? I did not think I needed such config. No other switch required such config.

- Key is correct, and is the same as in other switches where it works.

- tacacs server is reachable thru extended ping with source address of vlan1.

- tacacs server 'failed attempts log' has two lines for each attempt:

Bad request from NAS

Authen failed Key Mismatch

- What does 'bad request' mean?

- Debug messages point to invalid length of packets.

- the debug shows the messages same as posted in the first message of this conversation.

- This is only happening with my two 6509s that have IOS: s72033-pk9sv-mz.122-17d.SXB10

New Member

Re: ACS config

I fixed it!!

tacacs-server key key-value

fixes it. Key-value = '7 encrypted-value' did not work. What works is: key-value = unencrypted value without a 0 before it.

Hall of Fame Super Gold

Re: ACS config

I am glad that you fixed the problem. Mismatched key between the MSFC and the server was one of the possibilities that I pointed out.

If your config had key 7 encrypted-value and you fixed it by entering the key as clear-text, would I be correct in assuming that you did a cut and paste from a router that was working to these MSFC?

HTH

Rick
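Rick's diagnosis above (mismatched keys on the MSFC and the server) and the later "key 7" fix both come down to how TACACS+ protects the packet body: it is XORed with an MD5 pseudo-pad derived from the shared key (RFC 8907 section 4.5), so a peer using a different key string, including a pasted "7 <encrypted>" string taken literally, decodes noise and rejects the packet. The model below is an added example, not code from the thread or from Cisco; the user, port, key values and the "pasted" key are constructed, and only the session id is taken from the debug output in the first post.

```python
"""Model of TACACS+ body obfuscation (RFC 8907 section 4.5) and why a wrong key
shows up as a 'bad AUTHEN packet' / 'Key Mismatch' on both sides."""
import hashlib
import struct

TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action: login
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01  # authen_type: ASCII
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01   # service: login


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(..., MD5_{n-1}); concatenated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR body with the pad; XOR is its own inverse, so the same call de-obfuscates."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"", priv_lvl: int = 1) -> bytes:
    """AUTHEN START: action, priv_lvl, authen_type, service, four length octets, then the strings."""
    return struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr),
                       len(data)) + user + port + rem_addr + data


def start_looks_valid(body: bytes) -> bool:
    """Field sanity checks a server can apply after de-obfuscation; a wrong key turns them into noise."""
    if len(body) < 8:
        return False
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    return (action in (0x01, 0x02, 0x04) and priv_lvl <= 15 and 1 <= authen_type <= 6
            and service <= 9 and ul + pl + rl + dl == len(body) - 8)


def demo() -> dict:
    session_id = 1985811061  # session id seen in the thread's debug lines
    body = authen_start_body(b"pete", b"tty1", b"10.36.11.30")  # constructed sample values
    wire = obfuscate(body, session_id, b"correct-key")          # constructed shared key
    pasted_key = b"7 0F2A1B4C5D"  # constructed placeholder: a 'key 7 <hash>' string taken literally
    return {
        "correct_key_matches": obfuscate(wire, session_id, b"correct-key") == body,
        "wrong_key_matches": obfuscate(wire, session_id, pasted_key) == body,
        "correct_key_valid": start_looks_valid(obfuscate(wire, session_id, b"correct-key")),
    }
```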

New Member

Re: ACS config

Hi, I am having a similar problem with a SAN switch 9216i. I am getting the key mismatch on the ACS Server (3.2) when I try to log into the switch. I have confirmed the key is correct on the SAN switch and the ACS Server. When I try to enter the key as clear text using the 0 value, the switch encrypts the key anyway, so although I have typed and retyped the password, I can't physically see it when it is on the switch. The config seems pretty basic for the SAN switch. Here is what I typed in:

tacacs+ enable

tacacs-server timeout 30

tacacs-server key 0 password

tacacs-server host 10.10.10.1

I am using SAN OS version 2.1(1b).

Anybody else seen this before?

New Member

Re: ACS config

What I did was specify the interface to use, so I know what IP to configure on the ACS.

I added this command to the switch config.

ip tacacs source-interface Loopback0

Hall of Fame Super Gold

Re: ACS config

Brian

I am not very familiar with the SAN switch, so I can not say if it is common. I would suggest that you try typing the tacacs-server key command without the 0, so just type tacacs-server key

Try it and let us know what happens.

HTH

Rick

New Member

Re: ACS config

Thanks for the replies, I actually got it working by accident. That key error seemed to be a bit of a red-herring because as soon as I added the line aaa authentication login default group ACS, it started to work!
