krock83

join:2010-03-02

TACACS+ problems

Hello

We are deploying a centralized authentication method in our environment, and I am running into some issues with the TACACS server. I have a router in our lab that is local to the network (meaning it resides on the same subnet as the TACACS server, the 10.10.250.0 network). I am able to authenticate the logon information through TACACS on that router, but my issue is that I can't authenticate the remote router residing on the 10.20.245.0 network. When I try to telnet to it, it asks me for the local database username and password. When I try to telnet to it via port 49 (the TACACS port) I get "connection refused by remote host". We allow tcp/udp any any in and out, not blocking any ports on the network. What could be the issue here? Below is the router config for TACACS:

aaa new-model
aaa authentication login default group tacacs+ local 
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
 
line vty 0 4 
login authentication default
 
tacacs-server host 10.10.250.51
tacacs-server key 15261E1E0A2F390727212515454245155
ip tacacs source-interface Loopback12
 

The configuration is identical on both the local and the remote router. Any suggestions? I am able to ping from the server to the remote router and from the remote router to the server...

Thanks

aryoba
Premium,MVM
join:2002-08-22
kudos:4
Based on your description, it sounds like there is a block somewhere between the remote router and the server. Here is what I usually do in your situation.

1. Make sure there is no firewall or ACL blocking the TCP port used for TACACS.

2. When I do the traceroute from the router to the server and vice versa, I try to jump into each equipment as noted on the traceroute IP address result and see if there is anything blocking there

3. You can always fire up tcpdump (or Wireshark) to do packet capture on both router and server side to see how the TCP conversation looks like

krock83

join:2010-03-02
reply to krock83
Hi,

Thanks for the update. Looks like I'm not getting through the ASA, and the security guy is saying that is not the issue... I have to battle him on that.

One more question, I see that I have to specify a source-interface
Does this interface have to route to anything, or can it just be a virtual interface with a non-routable block?

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to krock83
Telnet to the destination IP, sourcing from a local interface on the listening port has ALWAYS
been my favorite way to prove (false) claims of network blockage.

I also second aryoba's suggestion of Wireshark.

Regards
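
The test HELLFIRE describes (connect to the listening port, sourced from a local interface) and aryoba's point 1 (find whether something on the path blocks TCP/49) come down to one question: does a SYN from the router's TACACS+ source address reach the server and get answered? The script below is an added example, not code from the thread or from any product mentioned in it. It does what `telnet <server> 49 /source-interface <intf>` does on IOS, but from any host with Python, and tells the three outcomes apart: a completed handshake, a RST ("connection refused", which proves the path delivered the packet), and silence (a timeout, which is what a dropping ACL or a missing return route to the source address looks like). The addresses in the comment are the ones from this thread; the self-check uses loopback only, so it runs offline.

```python
"""
Added example: TCP reachability probe with a chosen source address.
Mirrors IOS "telnet <host> 49 /source-interface <intf>" and classifies
the result so a "port 49 is blocked" claim can be settled with evidence.
"""
import errno
import socket

# What each verdict means for the "is the firewall blocking TACACS+?" question.
MEANING = {
    "open": "handshake completed: path is clear and a listener answered on the port",
    "refused": "RST received: the SYN was delivered and the far host (or a firewall that "
               "rejects rather than drops) answered; nothing listens or an ACL rejects",
    "timeout": "no reply at all: SYN or SYN-ACK silently dropped (ACL/firewall deny, "
               "or no return route to the source address you bound to)",
    "unreachable": "local routing failure; the packet never left this host",
    "bad-source": "the source address is not configured on this host",
}


def probe_tcp(dst, port=49, source=None, timeout=3.0):
    """Connect to dst:port, optionally from a specific local address, and
    return one of the MEANING keys (or "error:<errno>" for anything else)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        if source is not None:
            sock.bind((source, 0))  # pick the source IP, like /source-interface on IOS
        sock.connect((dst, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "refused"
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        if exc.errno == errno.EADDRNOTAVAIL:
            return "bad-source"
        return f"error:{exc.errno}"
    finally:
        sock.close()


def demo():
    """Offline self-check on loopback: a listener on an ephemeral port must
    read as 'open', and the same port after the listener closes as 'refused'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    with_listener = probe_tcp("127.0.0.1", port, source="127.0.0.1", timeout=2)
    srv.close()
    without_listener = probe_tcp("127.0.0.1", port, source="127.0.0.1", timeout=2)
    return {"listening": with_listener, "closed": without_listener}


if __name__ == "__main__":
    for kind, verdict in demo().items():
        print(f"{kind}: {verdict} -> {MEANING.get(verdict, verdict)}")
    # Real use, run on a host on the remote router's segment (addresses from this thread):
    # print(probe_tcp("172.30.1.61", 49, source="172.30.2.70"))
```

The verdict that matters in a dispute with the firewall team is "refused" versus "timeout": a refused connect means the far end saw the SYN and answered, so nothing in between is dropping it; a timeout means something is. Run it from both sides, because a source address that is not routable from the server (aryoba's later point about the loopback) shows up as a timeout even when the forward path is open.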

aryoba
Premium,MVM
join:2002-08-22
kudos:4

2 edits
reply to krock83
said by krock83:

I see that I have to specify a source-interface. Does this interface have to route to anything, or can it just be a virtual interface with a non-routable block?

A TACACS+ source interface has to be reachable through the network from the TACACS+ server's perspective. Best practice is to have a loopback interface as the source interface, since that interface never goes down unless the router itself is down. If you use a non-loopback interface (i.e. a virtual interface) as the source interface, then the router may not be able to talk to the TACACS+ server once that non-loopback interface is down, hence leaving you unable to log in using TACACS+ credentials.

Since you mention there is a firewall in place (ASA) between the router and the TACACS+ server, make sure the ASA allows the TACACS+ source interface IP address as source IP address to pass through the ASA to reach the destination of the TACACS+ server IP address on TCP port 49 (the TCP port the TACACS+ server uses to talk).

Further, make sure the firewall has sufficient license to pass through the maximum amount of TCP packets the TACACS+ server uses to communicate with its client. If let's say the firewall only has license to pass through a maximum amount of 10 TCP packets and the TACACS+ server uses more than 10 TCP packets to communicate with its client, then the TACACS+ communication breaks.

krock83

join:2010-03-02
reply to krock83
Thanks for the info... we have allowed any network from 172.16.0.0/12 to pass traffic through the ASA on port 49. I believe we have a license big enough to pass TCP traffic through; I will check.

I have used Wireshark and this is what I got.
Lines 3, 5, 6, 10, and 13 are the IP address of the TACACS source loopback, so it is getting there (picture is above).

when I do term mon and debug tacacs packets this is what I get

so here is what I got by doing that

this comes up as soon as I try to connect to the host

IT_LAB-TACACS+#term mon
IT_LAB-TACACS+#debug tacacs packet
TACACS+ packets debugging is on
IT_LAB-TACACS+#
IT_LAB-TACACS+#
*Apr 11 18:55:17.531: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
*Apr 11 18:55:17.531: T+: session_id 974847808 (0x3A1AFF40), dlen 26 (0x1A)
*Apr 11 18:55:17.531: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
*Apr 11 18:55:17.531: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
*Apr 11 18:55:17.531: T+: user:  
*Apr 11 18:55:17.531: T+: port:  tty194
*Apr 11 18:55:17.531: T+: rem_addr:  172.18.36.64
*Apr 11 18:55:17.531: T+: data:  
*Apr 11 18:55:17.531: T+: End Packet
IT_LAB-TACACS+#
 

This comes up when I try to use my tacacs username and pw

*Apr 11 18:55:38.139: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
*Apr 11 18:55:38.139: T+: session_id 493164964 (0x1D6519A4), dlen 26 (0x1A)
*Apr 11 18:55:38.139: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
*Apr 11 18:55:38.139: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
*Apr 11 18:55:38.139: T+: user:  
*Apr 11 18:55:38.139: T+: port:  tty194
*Apr 11 18:55:38.139: T+: rem_addr:  172.18.36.64
*Apr 11 18:55:38.139: T+: data:  
*Apr 11 18:55:38.139: T+: End Packet
IT_LAB-TACACS+#
IT_LAB-TACACS+#sh tacacs 
 
Tacacs+ Server            : 172.30.1.61/49
              Socket opens:         14
             Socket closes:         14
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          2
   Failed Connect Attempts:          0
        Total Packets Sent:         13
        Total Packets Recv:          0
 
IT_LAB-TACACS+#
 

On this router I am running DMVPN config.. any ideas?

aryoba
Premium,MVM
join:2002-08-22
kudos:4
Some questions to clarify

1. How did you get the Wireshark result? Did you run it on the TACACS+ server itself?

2. I notice on the Wireshark result that the destination IP address is 172.30.2.70. I also notice the TACACS+ server IP address on the router configuration (your OP) is 10.10.250.51. Which one is the correct TACACS+ server IP address I wonder?

3. Did you check the TACACS+ server log to see if the server saw some errors?

krock83

join:2010-03-02

1 edit
reply to krock83
Yes I ran Wireshark on the TACACS+ server itself

I changed the tacacs source interface to lo2100 = 172.30.2.70 and the tacacs server ip is 172.30.1.61 trying to connect to router 172.30.1.1.

I did not check the tacacs logs I can do that and will let you know what I see

krock83

join:2010-03-02
reply to krock83
Here is the log of the TACACS server that was run during the connection time...

<94> 2012-04-11 13:31:06 Server was started. Initializing server
<87> 2012-04-11 13:31:06 Local address and port : 172.30.1.61 49
<94> 2012-04-11 13:31:11 New client connection opened for 172.30.2.70:59947 TID:6
<87> 2012-04-11 13:31:11 TOTAL connections: 1
<87> 2012-04-11 13:31:11 Received 1 packets on connection
<87> 2012-04-11 13:31:11 Length passed does not match source length
<87> 2012-04-11 13:31:11 Could not decode body. Length passed does not match source length
<87> 2012-04-11 13:31:11 Error while receiving data from client Length passed does not match source length. Client might have closed connection.
<94> 2012-04-11 13:31:44 New client connection opened for 172.30.2.70:60617 TID:8
<87> 2012-04-11 13:31:44 TOTAL connections: 2
<87> 2012-04-11 13:31:44 Received 1 packets on connection
<87> 2012-04-11 13:31:44 Could not decode body. Source array was not long enough. Check srcIndex and length, and the array's lower bounds.
<87> 2012-04-11 13:31:44 Error while receiving data from client Source array was not long enough. Check srcIndex and length, and the array's lower bounds.. Client might have closed connection.
<94> 2012-04-11 13:31:46 New client connection opened for 172.30.2.70:32039 TID:8
<87> 2012-04-11 13:31:46 TOTAL connections: 3
<87> 2012-04-11 13:31:46 Received 1 packets on connection
<87> 2012-04-11 13:31:46 Length passed does not match source length
<87> 2012-04-11 13:31:46 Could not decode body. Length passed does not match source length
<87> 2012-04-11 13:31:46 Error while receiving data from client Length passed does not match source length. Client might have closed connection.
<87> 2012-04-11 13:32:06 Removed 3 old connections. Remaining connections=0
<94> 2012-04-11 13:32:52 New client connection opened for 172.30.2.70:33167 TID:8
<87> 2012-04-11 13:32:52 TOTAL connections: 1
<87> 2012-04-11 13:32:52 Received 1 packets on connection
<87> 2012-04-11 13:32:52 Length passed does not match source length
<87> 2012-04-11 13:32:52 Could not decode body. Length passed does not match source length
<87> 2012-04-11 13:32:52 Error while receiving data from client Length passed does not match source length. Client might have closed connection.
<87> 2012-04-11 13:33:06 Removed 1 old connections. Remaining connections=0
<94> 2012-04-11 13:36:51 New client connection opened for 172.30.2.70:62061 TID:8
<87> 2012-04-11 13:36:51 TOTAL connections: 1
<87> 2012-04-11 13:36:51 Received 1 packets on connection
<87> 2012-04-11 13:36:51 Length passed does not match source length
<87> 2012-04-11 13:36:51 Could not decode body. Length passed does not match source length
<87> 2012-04-11 13:36:51 Error while receiving data from client Length passed does not match source length. Client might have closed connection.
<94> 2012-04-11 13:37:03 New client connection opened for 172.30.2.70:20627 TID:8
<87> 2012-04-11 13:37:03 TOTAL connections: 2
<87> 2012-04-11 13:37:03 Received 1 packets on connection
<87> 2012-04-11 13:37:03 Could not decode body. Index was outside the bounds of the array.
<87> 2012-04-11 13:37:03 Error while receiving data from client Index was outside the bounds of the array.. Client might have closed connection.
<94> 2012-04-11 13:37:05 New client connection opened for 172.30.2.70:45780 TID:8
<87> 2012-04-11 13:37:05 TOTAL connections: 3
<87> 2012-04-11 13:37:05 Received 1 packets on connection
<87> 2012-04-11 13:37:05 Length passed does not match source length
<87> 2012-04-11 13:37:05 Could not decode body. Length passed does not match source length
<87> 2012-04-11 13:37:05 Error while receiving data from client Length passed does not match source length. Client might have closed connection.
<87> 2012-04-11 13:37:06 Removed 1 old connections. Remaining connections=2
<94> 2012-04-11 13:37:28 New client connection opened for 172.30.2.70:57800 TID:8
<87> 2012-04-11 13:37:28 TOTAL connections: 3
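
The server log above and the router's `sh tacacs` counters tell the same story from both ends: the TCP connection is accepted (Socket opens 14, Failed Connect Attempts 0, a "New client connection opened" line per attempt), the router sends its AUTHEN/START, and the server fails to decode the body ("Could not decode body. Length passed does not match source length"), so nothing ever comes back (Total Packets Recv 0, two timeouts). That is only possible if the packet arrived intact, so it is not a path problem. The example below is added here and is not code from the thread or from the tacacs.net product; it builds the exact AUTHEN/START packet shown in the router's `debug tacacs packet` output (version 0xC0, type 1, seq 1, session_id 0x3A1AFF40, dlen 26, port tty194, rem_addr 172.18.36.64) the way RFC 8907 specifies, then decodes it as a server would. The 12-byte header is sent in the clear, so the server can read dlen and open the connection whatever the key is; the body is XORed with an MD5 pseudo-pad derived from the shared secret, so with a different secret on the two ends the decoded body is noise and its own length fields no longer add up to dlen. A shared-secret mismatch is one cause that produces exactly the server's error text; the key `lab-secret` is a made-up placeholder. Fed the first client packet from a capture on the server, `key_matches` is a quick offline way to check which configured secret, if any, decodes it.

```python
"""
Added example: TACACS+ (RFC 8907) AUTHEN/START encode/decode, used to show
what a server sees when the shared secret on router and server differ.
Values in the demo come from the router's "debug tacacs packet" output in
this thread; the key is a placeholder.
"""
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # flags bit: body sent in the clear (never in production)
VERSION = 0xC0                     # major 0xC, minor 0, as in the debug output


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5: MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """Body XOR pseudo-pad. XOR is its own inverse, so this both encodes and decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr, seq_no=1, priv_lvl=1):
    """Client side: action=LOGIN(1), authen_type=ASCII(1), service=LOGIN(1), no data."""
    body = struct.pack("!8B", 1, priv_lvl, 1, 1, len(user), len(port), len(rem_addr), 0)
    body += user + port + rem_addr
    header = HEADER.pack(VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def decode_authen_start(packet, key):
    """Server side. Returns the parsed fields, or {'error': ...} describing the
    failure, which for a wrong key is a length mismatch like the one in the log."""
    if len(packet) < HEADER.size:
        return {"error": "short header"}
    version, ptype, seq_no, flags, session_id, dlen = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + dlen]
    if len(body) != dlen:
        return {"error": f"header says {dlen} body bytes, only {len(body)} on the wire"}
    if dlen < 8:
        return {"error": "body shorter than the fixed AUTHEN/START fields"}
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, datalen = struct.unpack_from("!8B", body)
    expected = 8 + ulen + plen + rlen + datalen
    if expected != dlen:
        return {"error": f"Length passed does not match source length: header {dlen}, "
                         f"body fields sum to {expected}"}
    fields, off = {}, 8
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen), ("data", datalen)):
        fields[name] = body[off:off + n]
        off += n
    fields.update(session_id=session_id, seq_no=seq_no, dlen=dlen,
                  action=action, priv_lvl=priv_lvl, authen_type=authen_type, service=service)
    return fields


def key_matches(packet, key):
    """True when the body decodes consistently under this key."""
    return "error" not in decode_authen_start(packet, key)


if __name__ == "__main__":
    pkt = build_authen_start(0x3A1AFF40, b"lab-secret", b"", b"tty194", b"172.18.36.64")
    print(pkt[:12].hex())                            # c0010100 3a1aff40 0000001a: the clear header
    print(decode_authen_start(pkt, b"lab-secret"))   # parses: port tty194, rem_addr 172.18.36.64
    print(decode_authen_start(pkt, b"wrong-secret")) # the server's "Length ... does not match" error
```

Two things worth checking before touching the ASA again: on IOS, `tacacs-server key` shown as a type-7 string in the running config (as in the OP) is the encoded form, so the plain secret has to be compared against what the server has configured for this client's source address, not against the config text; and the TACACS+ server keys its secret on the client IP it sees, which after the change to lo2100 is 172.30.2.70, not whatever address was registered for the first, local router.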
 

aryoba
Premium,MVM
join:2002-08-22
kudos:4
It looks like there is something misconfigured on the TACACS+ server itself. If I were you, I would check the TACACS+ server setup.

Btw, what kind of TACACS+ server do you use? Cisco ACS? Linux?

krock83

join:2010-03-02
reply to krock83
I will check that out...

We are using a free version of TACACS+ from tacacs.net. I have never dealt with this before, and I was told that there was not enough $$$ in the budget this year for a Cisco ACS. So now I have to figure something out that I never worked with...


battleop

join:2005-09-28
This is what we use. I've got it running on a Dell 1850 that's running Ubuntu 8.04 LTS. I've got a similar setup running on a VM, so I am getting two copies of everything.

»www.debian-administration.org/articles/429
--
I do not, have not, and will not work for AT&T/Comcast/Verizon/Charter or similar sized company.

krock83

join:2010-03-02
reply to krock83
This looks like it's for a Linux/Unix box... we are strictly a Windows/Cisco shop.