Topic '[Config] cisco tacacs' in forum 'Cisco' - dslreports.com

Re: [Config] cisco tacacs

Mon, 07 Mar 2005 15:32:16 EDT

LilYoda posted : Router config

aaa new-model
aaa authentication fail-message #
Authentication failed.
#
aaa authentication login default line
aaa authentication login TACACS group tacacs+  line
aaa authorization config-commands
aaa authorization console
aaa authorization exec default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
tacacs-server host 192.168.X.X
tacacs-server key XYZXYZXYZXYZYXYZ
line con 0
 login authentication TACACS
line aux 0
 login authentication TACACS
line vty 0 4
 login authentication TACACS

On the Tacacs server (exemple with a tac_plus server)

key = "XYZXYZXYZXYZYXYZ"
group = admin {
        default service = permit
        service = exec {
                priv-lvl=15
                }
        service = shell {
                priv-lvl=15
                }
        }
user = admin {
        login = cleartext XXXXXXXX
        member = admin
        }

This will put you in enable mode directly when you login as admin
It will also default to line password when the tacacs server is unreachable.

Re: [Config] cisco tacacs

Sun, 06 Mar 2005 22:23:26 EDT

rolande posted : You have TACACS set to only trigger for enable mode. Are you sure you have the right userID and password? Second, I believe you have to give Privilege 15 rights to the user on your TACACS server, when you set it for enable mode authentication.
--
Ignorance is temporary...stupidity lasts forever!

Re: [Config] cisco tacacs

Sun, 06 Mar 2005 19:37:47 EDT

jvltech posted : ok I can log into my router but when I try to enable it gives me an Error in authenication. Any ideas?

Re: [Config] cisco tacacs

Sun, 06 Mar 2005 19:25:17 EDT

jvltech posted : I rebooted my linux server and now it is working :)

Re: [Config] cisco tacacs

Sun, 06 Mar 2005 18:16:10 EDT

jvltech posted : Here is what my logging on the router is showing. Any help?

03:10:38: TPLUS: Queuing AAA Authentication request 25 for processing
03:10:38: TPLUS: processing authentication start request id 25
03:10:38: TPLUS: Authentication start packet created for 25()
03:10:38: TPLUS: Using server 192.168.1.102
03:10:38: TPLUS(00000019): connected to server 192.168.1.102
03:10:38: TPLUS: response received for AAA request 25
03:10:38: TPLUS: Received authentication response with status FAIL
03:10:40: TPLUS: Queuing AAA Authentication request 25 for processing
03:10:40: TPLUS: processing authentication start request id 25
03:10:40: TPLUS: Authentication start packet created for 25()
03:10:40: TPLUS: Using server 192.168.1.102
03:10:40: TPLUS(00000019): connected to server 192.168.1.102
03:10:40: TPLUS: response received for AAA request 25
03:10:40: TPLUS: Received authentication response with status FAIL
03:10:42: TPLUS: Queuing AAA Authentication request 25 for processing
03:10:42: TPLUS: processing authentication start request id 25
03:10:42: TPLUS: Authentication start packet created for 25()
03:10:42: TPLUS: Using server 192.168.1.102
03:10:42: TPLUS(00000019): connected to server 192.168.1.102
03:10:42: TPLUS: response received for AAA request 25
03:10:42: TPLUS: Received authentication response with status FAIL

Re: [Config] cisco tacacs

Sun, 06 Mar 2005 17:51:02 EDT

jvltech posted : now i get garbage on the screen and when I hit authorization failed.

Re: [Config] cisco tacacs

Sun, 06 Mar 2005 17:08:22 EDT

rolande posted : Are you running TACACS on the default TCP port 49 on your Linux server? If not, then this is your problem. Either change the listening port on your server to TCP 49 or change your router to use the port your server is listening on like the example below.

tacacs-server host 192.168.1.102

--
Ignorance is temporary...stupidity lasts forever!

Re: [Config] cisco tacacs

Sun, 06 Mar 2005 16:42:14 EDT

jvltech posted : the passwords are just temporary and it is on a temp network not attached to anything right now. I will try to find the tacacs log and see if it shows anything. I am not useing any source address filtering in my config.

Re: [Config] cisco tacacs

Sun, 06 Mar 2005 16:37:08 EDT

rolande posted : First of all, please remove any and all passwords, especially your enable secret from the config above. Secondly, have you looked at the log for TACACS on your Linux server? I don't think you are successfully communicating with the TACACS server. Does the TACACS server use source address filtering? If so, make sure that it is accepting connections from your router's IP address.
--
Ignorance is temporary...stupidity lasts forever!

[Config] cisco tacacs

Sun, 06 Mar 2005 16:32:15 EDT

jvltech posted : I just setup up tacacs+ on redhat and having issues.What am I missing?

Here is my config and the debug

hostname Home
!
logging rate-limit console 10 except errors
aaa new-model
!
!
aaa authentication login tac group tacacs+ enable
aaa authentication enable default group tacacs+ enable
enable secret 5 Password Removed
enable password 7 Password Removed
!
username cisco password 7 Password Removed

interface Ethernet0
ip address 192.168.1.105 255.255.255.0
no cdp enable
tacacs-server host 192.168.1.102
tacacs-server timeout 15
tacacs-server key cisco
!
line con 0
exec-timeout 120 0
transport input none
stopbits 1
line vty 0 4
exec-timeout 0 0
login authentication tac

Home#debug tacacs
TACACS access control debugging is on
Home#
00:22:47: TPLUS: Queuing AAA Authentication request 7 for processing
00:22:47: TPLUS: processing authentication start request id 7
00:22:47: TPLUS: Authentication start packet created for 7()
00:22:47: TPLUS: Using server 192.168.1.102
00:22:47: TPLUS(00000007): Select released but nopeername.. Failover

**sensitive info removed -nozero...