[HELP] TACACS Switch Configuration
I am testing out my TACACS+ configs but I am running into some issues here. I got it to work on all my lab routers but I am running into issues on our switches. I have a lab router that is directly connected to a 2960 48 GigabitEthernet layer two POE switch and my TACACS works just fine. When I hook up a 3500XL switch and use the same TACACS config I can't get TACACS to work. Problem is that we have some 300+ of those older models. What could be causing the problem?
The TACACS and initial config is exactly the same.
Here is the TACACS config that works on the 2960 but not on the 3500 series:
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
no aaa accounting exec default start-stop group tacacs+
ip tacacs source-interface Vlan1
tacacs-server host 188.8.131.52
tacacs-server host 184.108.40.206
tacacs-server timeout 1
tacacs-server key 7 0251116905553D021C404D4E370234545115454515C4D5424
line vty 0 4
login authentication default
Several things come to mind.
* The Catalyst 3500XL switch IOS image does not support TACACS+
* TACACS+ configuration needs adjustment to fit the Catalyst 3500XL old way of thinking
* Routing issue between the switch and the TACACS+ server
* Improper configuration on the TACACS+ server side
|reply to krock83 |
* If the IOS does not support TACACS then I wouldn't be able to apply any of those commands... (right?)
* There is no routing issue... I can get outside and can ping the server and back and forth; if there was a routing issue I wouldn't be able to get the newer switch to authenticate, or the router.
* If it was improper configuration on the TACACS server then the router and the 2960 switch would not get TACACS authentication.
which leaves only one suspect
*** TACACS+ configuration needs adjustment to fit the Catalyst 3500XL old way of thinking ***
Anyone know what that might be... I looked it up on Google but didn't come up with anything for 3500...
I never personally worked with the 3500XL so I can't tell you a specific 3500XL TACACS+ config. As a note, I don't usually put any AAA-related configuration under the line vty config, since I believe such configuration only works on newer platforms. Regardless, you can check out this forum's FAQ for a TACACS+ sample configuration for IOS-based appliances to get some idea.
»Cisco Forum FAQ »Securing access to routers with AAA commands
You can also do some packet capture on the TACACS+ server side to see if there is anything funky going on.
|reply to krock83 |
Here is what I got:
03:14:38: TAC+: send AUTHEN/START packet ver=192 id=3317928431
03:14:38: TAC+: Using default tacacs server-group "tacacs+" list.
03:14:38: TAC+: Opening TCP/IP to 220.127.116.11/49 timeout=1
03:14:38: TAC+: Opened TCP/IP handle 0x729944 to 18.104.22.168/49
03:14:38: TAC+: periodic timer started
03:14:38: TAC+: 22.214.171.124 req=720984 id=3317928431 ver=192 handle=0x729944 (ESTAB) expire=1 AUTHEN/START/LOGIN/ASCII queued
03:14:38: TAC+: 126.96.36.199 (3317928431) AUTHEN/START/LOGIN/ASCII queued
03:14:39: TAC+: 188.8.131.52 ESTAB 720984 wrote 36 of 36 bytes
03:14:39: TAC+: 184.108.40.206 (3317928431) AUTHEN/START/LOGIN/ASCII -- TIMED OUT
03:14:39: TAC+: req=720984 id=3317928431 ver=192 handle=0x729944 (ESTAB) expire=0 AUTHEN/START/LOGIN/ASCII processed
03:14:39: TAC+: (3317928431) AUTHEN/START/LOGIN/ASCII processed
03:14:39: TAC+: periodic timer stopped (queue empty)
03:14:39: TAC+: received bad AUTHEN packet: type = 0, expected 1
03:14:39: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
03:14:39: TAC+: Closing TCP/IP 0x729944 connection to 220.127.116.11/49
03:14:39: TAC+: Using default tacacs server-group "tacacs+" list.
Here is a debug from the TACACS server:
<87> 2012-05-18 11:01:12 Removing session -1818660128
<87> 2012-05-18 11:02:12 Removed 1 old connections. Remaining connections=0
<94> 2012-05-18 12:53:33 New client connection opened for 172.30.4.7:11029 TID:10
<87> 2012-05-18 12:53:33 TOTAL connections: 1
<87> 2012-05-18 12:53:34 Received 1 packets on connection
<87> 2012-05-18 12:53:34 Length passed does not match source length
<87> 2012-05-18 12:53:34 Could not decode body. Length passed does not match source length
<87> 2012-05-18 12:53:34 Error while receiving data from client Length passed does not match source length. Client might have closed connection.
<94> 2012-05-18 12:53:41 New client connection opened for 172.30.4.7:11030 TID:10
<87> 2012-05-18 12:53:41 TOTAL connections: 2
<87> 2012-05-18 12:53:41 Received 1 packets on connection
<87> 2012-05-18 12:53:41 Could not decode body. Index was outside the bounds of the array.
<87> 2012-05-18 12:53:41 Error while receiving data from client Index was outside the bounds of the array.. Client might have closed connection.
System image file is "flash:c3500XL-c3h2s-mz-120-5.3.WC.1.bin"
I ran Wireshark on the TACACS server and I see it communicate, however it is not authenticating..
Instead of configuring the tacacs-server key 7 545456435135153135413.514351 I typed in the normal password (non-encrypted one) and it seems to be working now.
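The two debug outputs above fit together: the switch reports "Invalid AUTHEN/START/LOGIN/ASCII packet (check keys)" and the server reports "Length passed does not match source length" and "Index was outside the bounds of the array". TACACS+ (RFC 8907) sends its header in the clear but XORs the body with an MD5-derived pad built from the session id, the shared key, the version byte and the sequence number. When the two sides hold different keys, the server de-obfuscates with the wrong pad and the one-byte length fields at the front of the body come out as random values, so its sanity check on field lengths fails, which is exactly what the server log shows. The following Python is an added illustration written for this thread, not code from the poster or from any TACACS+ server or Cisco product; the shared secrets, username, port name and session id are constructed values. The version byte 0xC0 is the "ver=192" seen in the IOS debug.

```python
"""Reproduce how a TACACS+ server detects a shared-key mismatch.

RFC 8907 section 4.5 body obfuscation plus the section 5.1 authentication
START body.  Constructed example; keys, user and session id are made up.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0 -> "ver=192" in the IOS debug
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01  # authen_type
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01   # authen_service
HEADER_FMT = "!BBBBII"             # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5-chained pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}), truncated to length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """Obfuscation and de-obfuscation are the same XOR with the pad."""
    pad = pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str = "") -> bytes:
    """Authentication START body: four one-byte fields, four one-byte lengths,
    then user, port, rem_addr and data in that order."""
    user_b, port_b, rem_b, data_b = user.encode(), port.encode(), rem_addr.encode(), b""
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                   TAC_PLUS_AUTHEN_SVC_LOGIN,
                   len(user_b), len(port_b), len(rem_b), len(data_b)])
    return fixed + user_b + port_b + rem_b + data_b


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Clear header followed by the obfuscated body (what the switch puts on the wire)."""
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + xor_body(body, session_id, key, seq_no)


def server_decode_start(packet: bytes, key: bytes) -> dict:
    """Server side: read the clear header, de-obfuscate with the server's own key,
    then check that the declared field lengths add up to the body actually held.
    With a mismatched key the pad is wrong and the lengths are effectively random,
    so this check raises, mirroring 'Length passed does not match source length'."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    if ptype != TAC_PLUS_AUTHEN or len(packet) - 12 != length:
        raise ValueError("header length does not match received body")
    body = xor_body(packet[12:], session_id, key, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("Length passed does not match source length")
    off = 8
    user = body[off:off + ul]; off += ul
    port = body[off:off + pl]; off += pl
    rem = body[off:off + rl]; off += rl
    data = body[off:off + dl]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem.decode(), "data": data}


def key_mismatch_demo() -> tuple:
    """Encode one START with the correct key; decode it once with the matching key
    and once with a different key.  Returns (decoded_user, error_text_for_bad_key)."""
    good_key = b"lab-shared-secret"          # constructed value
    wrong_key = b"not-the-same-secret"       # constructed value
    pkt = build_packet(build_authen_start("netadmin", "tty0"), 0xC5C0A0EF, good_key)
    ok = server_decode_start(pkt, good_key)["user"]
    try:
        server_decode_start(pkt, wrong_key)
        err = ""
    except ValueError as exc:
        err = str(exc)
    return ok, err


if __name__ == "__main__":
    print(key_mismatch_demo())
```

Because the header is never obfuscated, the server still opens the TCP session, logs "New client connection opened" and "Received 1 packets", and only fails when it tries to make sense of the body; that ordering is the signature of a key mismatch rather than a reachability or routing problem, which matches the poster's observation that Wireshark showed traffic flowing while nothing authenticated.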