WAAS and TACACS authentication

Stan Volansky
Level 1

Hello team,

I configured my WAAS devices to auth against the tacacs server but unfortunately it is not working. Here are the steps that I completed so far:

- created new account at tacacs server

- configured new user on CM (My WAN > Admin) and associated it with admin role

- configured TACACS server properties (WAE > Configure > Security > AAA > TACACS+) like security word and IP addresses under specific device

- configured auth methods (WAE > Configure > Security > AAA > Authentication Methods) to use TACACS as the primary one and local as the secondary under specific device

However, when I telnet to the box I am not able to auth with my login credentials. I checked the logs from the WAE and found the following:

%WAAS-UNKNOWN-1-899999: ### pam_unix: _unix_verify_password check pass; user unknown

I would like to ask you how this authentication is done exactly. Am I authenticated against the TACACS only, or also against the CM, when I telnet to the box? In other words, do I have to create a new user on the CM to be able to auth when accessing the CLI? Am I authenticated against TACACS when accessing the CM web GUI?

In addition, are there any special requirements when creating a new user on the TACACS server, please?

Many thanks for your help!

Regards,

Stan

2 Replies

ddastoli
Cisco Employee

Am I authenticated against the TACACS only, or also against the CM, when I telnet to the box?

You are authenticated only against the TACACS.

Check on the TACACS server whether any request has arrived and, if so, why it failed.

In other words, do I have to create a new user on the CM to be able to auth when accessing the CLI? Am I authenticated against TACACS when accessing the CM web GUI?

You do not have to configure another user on the CM; users are configured on the TACACS. The CM web GUI user will be local unless you configure the CM to authenticate against a TACACS server.

Bhavin Yadav
Cisco Employee

Hi Stan,

WAE can authenticate against TACACS, RADIUS and Central Manager (Local) at any time depending on your configuration.

There are a couple of things to keep in mind while configuring TACACS on the WAE, on both sides: TACACS and WAE CM.

On TACACS side:

1. Please make sure to create the right username.

2. Please make sure to verify whether you are using ASCII password authentication.

3. Try to use an alphanumeric TACACS password of fewer than 15 characters.

4. Please provide the right user-level / group-level permissions. This is somewhere under the user account properties. Please also make sure to set the right user password under the user properties.

5. Verify if this user needs level 15 (admin equivalent account).

On WAE CM side:

1. Please make sure to select the right authentication method as primary and secondary.

2. Please make sure to enable the check box for authentication methods.

You can verify the failure / success log events on the TACACS server in order to find out whether the user is at least trying to authenticate against TACACS.

I am sure you have looked at this link to find out all the required steps: Configuring TACACS+ Server Settings

Hope this helps.

Regards.

PS: Please mark this as Answered, if this resolves your issue.
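Both replies above come down to the same check: did the WAE's request reach the TACACS+ server, and how did the server answer it. The following added example (it is not code from the thread, from Cisco or from WAAS) walks the ASCII login exchange of TACACS+ (RFC 8907) with a client and a toy server in one process: a START carrying the username, a GETPASS reply, a CONTINUE carrying the password, and a final PASS or FAIL. The body of every packet is obfuscated with an MD5 keystream derived from the shared key (the "security word" on the WAE), so a mismatched key shows up as an unparseable START on the server and an unparseable reply on the client, which is why "no request seen" and "request seen but failed" are different symptoms. The user database, key, port and remote address below are constructed sample values; the example assumes the ASCII authen_type (1), which is the "ASCII password authentication" Bhavin's point 2 refers to.

```python
"""Minimal TACACS+ (RFC 8907) ASCII login, client and server in one process.
Added example for the thread above; not Cisco or WAAS code. Key, users and
addresses are constructed sample values."""
import hashlib
import os
import struct

VERSION_ASCII = 0xC0            # major 0xC, minor 0: ASCII login
TYPE_AUTHEN = 0x01              # packet type: authentication
FLAG_UNENCRYPTED = 0x01         # header flag; clear means body is obfuscated
AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01
STATUS_PASS, STATUS_FAIL, STATUS_GETPASS, STATUS_ERROR = 0x01, 0x02, 0x05, 0x07
STATUS_NAMES = {STATUS_PASS: "PASS", STATUS_FAIL: "FAIL",
                STATUS_GETPASS: "GETPASS", STATUS_ERROR: "ERROR"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR body with the pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pack(session_id, seq_no, body, key):
    """12-byte cleartext header followed by the obfuscated body."""
    header = struct.pack("!BBBBII", VERSION_ASCII, TYPE_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION_ASCII, seq_no)


def unpack(packet, key):
    """Return (session_id, seq_no, body) with the body de-obfuscated under key."""
    version, _, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return session_id, seq_no, body


def build_start(user, port="tty0", rem_addr="10.0.0.5"):
    """Authentication START (5.1): ASCII login with the username, no data yet."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!8B", AUTHEN_LOGIN, 1, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(u), len(p), len(r), 0) + u + p + r


def parse_start(body):
    """Username from a START, or None when the fields are not self-consistent
    (with a wrong shared key the de-obfuscated body is pseudo-random)."""
    if len(body) < 8:
        return None
    action, _, atype, _, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != len(body) or action != AUTHEN_LOGIN or atype != AUTHEN_TYPE_ASCII:
        return None
    return body[8:8 + ul].decode("ascii", "replace")


def build_reply(status, server_msg=b""):
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def parse_reply(body):
    """(status, server_msg) from a REPLY (5.2), or None if it does not parse."""
    if len(body) < 6:
        return None
    status, _, ml, dl = struct.unpack("!BBHH", body[:6])
    return None if 6 + ml + dl != len(body) else (status, body[6:6 + ml])


def build_continue(user_msg):
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def parse_continue(body):
    """user_msg (the password) from a CONTINUE (5.3), or None if it does not parse."""
    if len(body) < 5:
        return None
    ml, dl, _ = struct.unpack("!HHB", body[:5])
    return None if 5 + ml + dl != len(body) else body[5:5 + ml]


class TacacsServer:
    """Toy server: seq 1 is a START, anything later is the CONTINUE with the password."""

    def __init__(self, key, users):
        self.key, self.users, self.pending = key, users, {}

    def handle(self, packet):
        session_id, seq_no, body = unpack(packet, self.key)
        if seq_no == 1:
            user = parse_start(body)
            if user is None:   # what a key mismatch looks like from the server side
                reply = build_reply(STATUS_ERROR, b"malformed START (shared key mismatch?)")
            else:
                self.pending[session_id] = user
                reply = build_reply(STATUS_GETPASS, b"Password: ")
        else:
            user = self.pending.pop(session_id, None)
            pw = parse_continue(body)
            ok = user is not None and pw is not None and self.users.get(user) == pw
            reply = build_reply(STATUS_PASS if ok else STATUS_FAIL)   # unknown user -> FAIL
        return pack(session_id, seq_no + 1, reply, self.key)


def run_login(server, client_key, user, password, session_id=None):
    """Client side of the exchange; returns PASS, FAIL or ERROR."""
    if session_id is None:
        session_id = int.from_bytes(os.urandom(4), "big")
    _, seq, body = unpack(server.handle(pack(session_id, 1, build_start(user), client_key)), client_key)
    parsed = parse_reply(body)
    if parsed is None or parsed[0] != STATUS_GETPASS:
        return STATUS_NAMES.get(parsed[0], "ERROR") if parsed else "ERROR"
    packet = pack(session_id, seq + 1, build_continue(password.encode()), client_key)
    parsed = parse_reply(unpack(server.handle(packet), client_key)[2])
    return STATUS_NAMES.get(parsed[0], "ERROR") if parsed else "ERROR"


if __name__ == "__main__":
    srv = TacacsServer(b"s3cret", {"stan": b"Wae-Pass1"})          # constructed sample user
    print("good key, good password:", run_login(srv, b"s3cret", "stan", "Wae-Pass1"))
    print("good key, unknown user: ", run_login(srv, b"s3cret", "nobody", "Wae-Pass1"))
    print("wrong shared key:       ", run_login(srv, b"not-the-key", "stan", "Wae-Pass1"))
```

When debugging the real thing, the same two questions apply: a key mismatch leaves the server logging a malformed or undecodable request (or nothing useful), while an unknown user or wrong password produces an explicit FAIL in the server's accounting, which is the log Bhavin suggests checking first.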