jvltech

join:2001-11-06
Charter-WI


[Config] cisco tacacs

I just set up tacacs+ on Red Hat and am having issues. What am I missing?

Here is my config and the debug

hostname Home
!
logging rate-limit console 10 except errors
aaa new-model
!
!
aaa authentication login tac group tacacs+ enable
aaa authentication enable default group tacacs+ enable
enable secret 5 Password Removed
enable password 7 Password Removed
!
username cisco password 7 Password Removed

interface Ethernet0
ip address 192.168.1.105 255.255.255.0
no cdp enable
tacacs-server host 192.168.1.102
tacacs-server timeout 15
tacacs-server key cisco
!
line con 0
exec-timeout 120 0
transport input none
stopbits 1
line vty 0 4
exec-timeout 0 0
login authentication tac

Home#debug tacacs
TACACS access control debugging is on
Home#
00:22:47: TPLUS: Queuing AAA Authentication request 7 for processing
00:22:47: TPLUS: processing authentication start request id 7
00:22:47: TPLUS: Authentication start packet created for 7()
00:22:47: TPLUS: Using server 192.168.1.102
00:22:47: TPLUS(00000007): Select released but nopeername.. Failover

**sensitive info removed -nozero...


rolande
join:2002-05-24
Dallas, TX

First of all, please remove any and all passwords, especially your enable secret from the config above. Secondly, have you looked at the log for TACACS on your Linux server? I don't think you are successfully communicating with the TACACS server. Does the TACACS server use source address filtering? If so, make sure that it is accepting connections from your router's IP address.
--
Ignorance is temporary...stupidity lasts forever!

jvltech
The passwords are just temporary and it is on a temp network not attached to anything right now. I will try to find the tacacs log and see if it shows anything. I am not using any source address filtering in my config.


rolande
Are you running TACACS on the default TCP port 49 on your Linux server? If not, then this is your problem. Either change the listening port on your server to TCP 49 or change your router to use the port your server is listening on like the example below.

tacacs-server host 192.168.1.102 port <port#>


jvltech
reply to jvltech
Now I get garbage on the screen and when I hit authorization failed.

jvltech
reply to rolande
Here is what my logging on the router is showing. Any help?

03:10:38: TPLUS: Queuing AAA Authentication request 25 for processing
03:10:38: TPLUS: processing authentication start request id 25
03:10:38: TPLUS: Authentication start packet created for 25()
03:10:38: TPLUS: Using server 192.168.1.102
03:10:38: TPLUS(00000019): connected to server 192.168.1.102
03:10:38: TPLUS: response received for AAA request 25
03:10:38: TPLUS: Received authentication response with status FAIL
03:10:40: TPLUS: Queuing AAA Authentication request 25 for processing
03:10:40: TPLUS: processing authentication start request id 25
03:10:40: TPLUS: Authentication start packet created for 25()
03:10:40: TPLUS: Using server 192.168.1.102
03:10:40: TPLUS(00000019): connected to server 192.168.1.102
03:10:40: TPLUS: response received for AAA request 25
03:10:40: TPLUS: Received authentication response with status FAIL
03:10:42: TPLUS: Queuing AAA Authentication request 25 for processing
03:10:42: TPLUS: processing authentication start request id 25
03:10:42: TPLUS: Authentication start packet created for 25()
03:10:42: TPLUS: Using server 192.168.1.102
03:10:42: TPLUS(00000019): connected to server 192.168.1.102
03:10:42: TPLUS: response received for AAA request 25
03:10:42: TPLUS: Received authentication response with status FAIL
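The two debug traces above show the whole login at the wire level: "Authentication start packet created" is the router building a TACACS+ START, "connected to server" is the TCP session (port 49 unless told otherwise), and "Received authentication response with status FAIL" is the server's REPLY. The example below, added here and not code from the thread or from tac_plus, builds and parses both packets per RFC 8907, including the MD5 pseudo-pad that XORs each body with a keystream derived from the shared key (the `tacacs-server key` in the router config). It uses the PAP authentication type so the exchange is a single START and REPLY; an interactive VTY login uses the ASCII type with extra GETUSER/GETPASS rounds. The key `cisco`, user `cisco`, password `s3cret`, and port name `tty0` are constructed values. A server decoding with a different key gets a body whose length fields do not add up and answers with an ERROR, and a router decoding that reply with its own wrong key sees garbage bytes; the thread does not say whether that is what happened here.

```python
"""TACACS+ (RFC 8907) login in miniature: the START a router sends and the REPLY a
server answers with, each body XORed with an MD5 pseudo-pad keyed on the shared
secret. Added example, not code from the thread; key, user and password are constructed."""
import hashlib
import socket
import struct

VERSION = 0xC0                  # major version 0xc, minor version 0
TYPE_AUTHEN = 0x01              # header type: authentication
ACTION_LOGIN, AUTHEN_TYPE_PAP, SERVICE_LOGIN = 0x01, 0x02, 0x01
STATUS_PASS, STATUS_FAIL, STATUS_ERROR = 0x01, 0x02, 0x07
HDR = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length

def pseudo_pad(session_id, key, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_n-1 to that input."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(session_id, key, seq_no, body):
    """XOR with the pad; the same call decodes, which is why the RFC calls it obfuscation."""
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))

def build_packet(seq_no, session_id, key, body):
    header = HDR.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(session_id, key, seq_no, body)

def split_packet(packet, key):
    version, ptype, seq_no, _flags, session_id, length = HDR.unpack(packet[:HDR.size])
    if version != VERSION or ptype != TYPE_AUTHEN or len(packet) != HDR.size + length:
        raise ValueError("not a TACACS+ authentication packet")
    return seq_no, session_id, obfuscate(session_id, key, seq_no, packet[HDR.size:])

def build_authen_start(session_id, key, user, password, port="tty0", rem_addr="", priv_lvl=1):
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    body = bytes([ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_PAP, SERVICE_LOGIN,
                  len(u), len(p), len(r), len(d)]) + u + p + r + d
    return build_packet(1, session_id, key, body)  # a START always carries seq_no 1

def parse_authen_start(packet, key):
    seq_no, session_id, body = split_packet(packet, key)
    _action, priv_lvl, _atype, _svc, ul, pl, rl, dl = body[:8]
    if seq_no != 1 or 8 + ul + pl + rl + dl != len(body):
        # a different shared key gives a different pad, so the lengths rarely add up
        raise ValueError("malformed START (shared key mismatch?)")
    off, fields = 8, {}
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name], off = body[off:off + n], off + n
    return {"session_id": session_id, "priv_lvl": priv_lvl, "data": fields["data"],
            **{k: fields[k].decode() for k in ("user", "port", "rem_addr")}}

def build_authen_reply(session_id, key, status, server_msg=""):
    msg = server_msg.encode()
    return build_packet(2, session_id, key, struct.pack("!BBHH", status, 0, len(msg), 0) + msg)

def parse_authen_reply(packet, key):
    _seq, _sid, body = split_packet(packet, key)
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len].decode(errors="replace")

def handle_start(packet, key, users):
    """Server side: check the PAP credentials carried in a START and build the REPLY."""
    session_id = HDR.unpack(packet[:HDR.size])[4]
    try:
        start = parse_authen_start(packet, key)
    except ValueError as err:
        return build_authen_reply(session_id, key, STATUS_ERROR, str(err))
    if users.get(start["user"]) == start["data"].decode(errors="replace"):
        return build_authen_reply(session_id, key, STATUS_PASS)
    return build_authen_reply(session_id, key, STATUS_FAIL, "Authentication failed.")

def recv_packet(conn):
    """Read one packet from a TCP socket: 12-byte header, then the length it announces."""
    def exact(n):
        buf = b""
        while len(buf) < n:
            chunk = conn.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed mid-packet")
            buf += chunk
        return buf
    hdr = exact(HDR.size)
    return hdr + exact(HDR.unpack(hdr)[5])

if __name__ == "__main__":  # one failed login over loopback; tiny packets, so no threads needed
    key, users = b"cisco", {"cisco": "s3cret"}  # constructed; a real key must not be this weak
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # a real server listens on TCP 49
    srv.listen(1)
    router = socket.create_connection(srv.getsockname())
    router.sendall(build_authen_start(7, key, "cisco", "wrong"))
    server_side, _ = srv.accept()
    server_side.sendall(handle_start(recv_packet(server_side), key, users))
    print(parse_authen_reply(recv_packet(router), key))  # (2, 'Authentication failed.')
```

The pad is the only protection on the wire and it is reversible by anyone holding the shared key, so a short dictionary word as the key and an unfiltered management network together mean credentials are one captured session away from recovery; RFC 8907 itself recommends protecting the transport by other means rather than relying on the obfuscation.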

jvltech
reply to jvltech
I rebooted my Linux server and now it is working.

jvltech
reply to jvltech
OK, I can log into my router, but when I try to enable it gives me an "Error in authentication". Any ideas?


rolande
You have TACACS set to only trigger for enable mode. Are you sure you have the right userID and password? Second, I believe you have to give Privilege 15 rights to the user on your TACACS server, when you set it for enable mode authentication.


LilYoda
join:2004-09-02
Mountains
reply to jvltech
Router config

aaa new-model
aaa authentication fail-message #
Authentication failed.
#
aaa authentication login default line
aaa authentication login TACACS group tacacs+ line
aaa authorization config-commands
aaa authorization console
aaa authorization exec default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
tacacs-server host 192.168.X.X
tacacs-server key XYZXYZXYZXYZYXYZ
line con 0
login authentication TACACS
line aux 0
login authentication TACACS
line vty 0 4
login authentication TACACS

On the TACACS server (example with a tac_plus server)
key = "XYZXYZXYZXYZYXYZ"
group = admin {
    default service = permit
    service = exec {
        priv-lvl=15
    }
    service = shell {
        priv-lvl=15
    }
}
user = admin {
    login = cleartext XXXXXXXX
    member = admin
}

This will put you in enable mode directly when you log in as admin.
It will also default to the line password when the tacacs server is unreachable.