Tacacs not logging in

Mero Cisco
Level 1

Hi,

I have implemented OSPF and configured a tacacs server for central logging and it worked fine. Now, I have changed the dynamic routing protocol to EIGRP but I couldn't get the username and password screen while trying to log in to the router. When I try to log in, the router asks for the password, not the username. The EIGRP is working fine but tacacs is not working. What may be the problem? Please help.

Regards,

Mero

2 Accepted Solutions

Hi Mero,

Can you please check this command output on your router

test aaa group tacacs+ legacy

Regards,

Ashish Shirkar


The debug output that Mero posted seems to show that TACACS is working; see especially this line

*Oct 19 05:38:11.167: AAA/AUTHEN/ENABLE(00000016): Done status PASS

and this one

*Oct 19 05:38:15.551: AAA/AUTHEN(3964033291): Status=PASS*Oct 19 05:38:15.555:

So it makes me want to ask Mero for some clarification of what is happening. When I read the original post again I think that it does not say that TACACS is not working, but the issue seems to be that he is prompted only for a password and not for a user name. So I would ask Mero: when you put in a password, is it the password associated with your user ID or is it the enable password?

I know that if I have logged in to a router or switch which has authenticated me and then I initiate SSH to another router or switch then I am not prompted for username but am prompted only for a password. I wonder if this is what is happening to Mero.

HTH

Rick


10 Replies

cadet alain
VIP Alumni

Hi,

Can you post the aaa config along with tacacs config as well as sh ip route output.

Regards

Alain

Don't forget to rate helpful posts.

Hi Alain,

Please look at the following config files:

Router1# show run

Building configuration...

aaa new-model
!
!
aaa authentication login vtymethod group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default stop-only group tacacs+
!
aaa session-id common
!
tacacs-server host y.y.y.y
tacacs-server directed-request
tacacs-server key adklfna;dnf
ip tacacs source-interface Loopback0
line vty 0 4
 password sfafasf
 logging synchronous
 login authentication vtymethod
 transport input telnet ssh

Router1# show ip route

D*EX 0.0.0.0/0 [170/258816] via x.x.x.x, 00:01:26, FastEthernet0/1

Regards,

Mero

Hi,

Can you ping the tacacs server sourcing from loopback0 ?

Regards

Alain

Don't forget to rate helpful posts.

Hi Mero,

It seems like your tacacs server is unreachable. Try to ping your tacacs server with source loopback 0. As your tacacs server is unreachable, devices are asking for the password configured under the line vty statement.

Regards,

Ashish Shirkar

Mero tells us that this problem started when he changed from using OSPF to using EIGRP. I wonder if perhaps he does not have a network statement that includes his loopback address? Perhaps he can provide clarification on this?

HTH

Rick

Hi Everyone,

I can ping from the loopback interface, what may be the problem?

Regards,

Mero

Mero

Is it possible that while changing the routing protocol that you also changed the IP address of the loopback interface?

It might shed some light on the issue if you post the output of show tacacs.

If that does not identify the problem then I would ask that you run debug aaa authentication and debug tacacs and to post the output of debug generated when you attempt to login and to authenticate.

HTH

Rick

Hi Burts,

Thanks for your kind reply. Please read the following output:

Router1#show tacacs

Tacacs+ Server            : x.x.x.x/49
              Socket opens:        145
             Socket closes:        145
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:         58
        Total Packets Sent:         51
        Total Packets Recv:         49

Debugging Output:

*Oct 19 05:38:08.499: AAA/BIND(00000016): Bind i/f
*Oct 19 05:38:08.499: AAA/AUTHEN/LOGIN (00000016): Pick method list 'vtymethod'
*Oct 19 05:38:08.499: TPLUS: Queuing AAA Authentication request 22 for processing
*Oct 19 05:38:08.503: TPLUS: processing authentication start request id 22
*Oct 19 05:38:08.503: TPLUS: Authentication start packet created for 22()
*Oct 19 05:38:08.503: AAA/AUTHEN/ENABLE(00000016): Processing request action LOGIN
*Oct 19 05:38:08.503: AAA/AUTHEN/ENABLE(00000016): Done status GET_PASSWORD
*Oct 19 05:38:11.151: AAA/AUTHEN/ENABLE(00000016): Processing request action LOGIN
*Oct 19 05:38:11.167: AAA/AUTHEN/ENABLE(00000016): Done status PASS
*Oct 19 05:38:11.171: TPLUS: Queuing AAA Authorization request 22 for processing
*Oct 19 05:38:11.171: TPLUS: processing authorization request id 22
*Oct 19 05:38:11.171: TPLUS: Protocol set to None .....Skipping
*Oct 19 05:38:11.171: TPLUS: Sending AV service=shell
*Oct 19 05:38:11.171: TPLUS: Sending AV cmd*
*Oct 19 05:38:11.171: TPLUS: Authorization request created for 22()
*Oct 19 05:38:12.391: AAA: parse name=tty195 idb type=-1 tty=-1
*Oct 19 05:38:12.391: AAA: name=tty195 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=195 channel=0
*Oct 19 05:38:12.391: AAA/MEMORY: create_user (0x63D52928) user='NULL' ruser='NULL' ds0=0 port='tty195' rem_addr='x.x.x.x' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Oct 19 05:38:12.391: AAA/AUTHEN/START (3964033291): port='tty195' list='' action=LOGIN service=ENABLE
*Oct 19 05:38:12.391: AAA/AUTHEN/START (3964033291): non-console enable - default to enable password
*Oct 19 05:38:12.391: AAA/AUTHEN/START (3964033291): Method=ENABLE
*Oct 19 05:38:12.391: AAA/AUTHEN(3964033291): Status=GETPASS
*Oct 19 05:38:15.535: AAA/AUTHEN/CONT (3964033291): continue_login (user='(undef)')
*Oct 19 05:38:15.535: AAA/AUTHEN(3964033291): Status=GETPASS
*Oct 19 05:38:15.535: AAA/AUTHEN/CONT (3964033291): Method=ENABLE
*Oct 19 05:38:15.551: AAA/AUTHEN(3964033291): Status=PASS
*Oct 19 05:38:15.555: AAA/MEMORY: free_user (0x63D52928) user='NULL' ruser='NULL' port='tty195' rem_addr='x.x.x.x' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

Please help,

Mero
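The show tacacs counters and the debug aaa authentication lines posted in this thread can be read mechanically. The script below is an added example, not code from this thread or from Cisco; it parses constructed samples in the same shape as the output above and reports two things the replies focus on: whether the TACACS+ server has been failing to connect, and whether a line login was answered by the enable method (which gives the password-only prompt) instead of by the server. Function names and the finding strings are my own.

```python
import re

# Constructed samples in the shape of the "show tacacs" and "debug aaa authentication" output posted above.
SHOW_TACACS = """\
              Socket opens:        145
   Failed Connect Attempts:         58
"""
DEBUG_LINES = """\
*Oct 19 05:38:08.499: AAA/AUTHEN/LOGIN (00000016): Pick method list 'vtymethod'
*Oct 19 05:38:08.499: TPLUS: Queuing AAA Authentication request 22 for processing
*Oct 19 05:38:08.503: AAA/AUTHEN/ENABLE(00000016): Done status GET_PASSWORD
*Oct 19 05:38:11.167: AAA/AUTHEN/ENABLE(00000016): Done status PASS
*Oct 19 05:38:12.391: AAA/AUTHEN/START (3964033291): port='tty195' list='' action=LOGIN service=ENABLE
*Oct 19 05:38:15.551: AAA/AUTHEN(3964033291): Status=PASS
"""

def parse_tacacs_counters(text):
    """Map each 'show tacacs' counter name to its integer value."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^\s*([A-Za-z ]+?):\s+(\d+)\s*$", text, re.M)}

def parse_aaa_sessions(text):
    """Group AAA/AUTHEN debug lines by session id and record which method answered."""
    sessions = {}
    for m in re.finditer(r"AAA/AUTHEN(/\w+)?\s?\((\w+)\):\s*(.*)", text):
        tag, sid, msg = m.groups()
        s = sessions.setdefault(sid, {"list": None, "service": None, "enable_method": False, "status": None})
        if tag == "/LOGIN":                # AAA/AUTHEN/LOGIN marks a line login request
            s["service"] = "LOGIN"
        if ml := re.search(r"Pick method list '([^']+)'", msg):
            s["list"] = ml.group(1)
        if sv := re.search(r"service=(\w+)", msg):   # START lines carry service=ENABLE etc.
            s["service"] = sv.group(1)
        if tag == "/ENABLE" or "default to enable password" in msg:
            s["enable_method"] = True      # answered with the enable password, not by a server
        if st := re.search(r"(?:Done status|Status=)\s*(\w+)", msg):
            s["status"] = st.group(1)
    return sessions

def diagnose(counters, sessions):
    """Findings an admin would check first: server reachability and which method answered each login."""
    findings = []
    if counters.get("Failed Connect Attempts", 0) > 0:
        findings.append("tacacs_server_unreachable_at_times")
    for sid, s in sessions.items():   # service=ENABLE sessions (the enable command) are not line logins
        if s["service"] == "LOGIN" and s["enable_method"]:
            findings.append(f"login_{sid}_answered_by_enable_method")  # explains a password-only prompt
    return findings
```

Run it against the real output of show tacacs and the debug commands Rick asked for; a login session flagged this way together with a non-zero Failed Connect Attempts counter points at the server path, not at the username database.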