
% Authentication failed acs server


hodgey87

Technical User
Mar 24, 2007
Afternoon all,

Just wondered if anyone could help me out.

I just want basic connectivity between the server and the router, but I'm not able to authenticate any users. The only commands I've used here are:

tacacs-server host 192.168.1.3
tacacs-server key cisco

aaa authentication login default local
aaa authentication login EXAMPLE group tacacs+ local
aaa authentication login default local

line vty 0 4
login authentication EXAMPLE

I've got users set up on the server, and I've got a client set up as 192.168.1.254, which is the address of the router.

Just wondered if I'm missing anything.

cheers

Edit:

This is the debug I'm getting:

Router#
*Mar 1 00:14:24.595: AAA/BIND(0000000A): Bind i/f
*Mar 1 00:14:24.611: AAA/AUTHEN/LOGIN (0000000A): Pick method list 'EXAMPLE'
*Mar 1 00:14:24.755: TPLUS: Queuing AAA Authentication request 10 for processing
*Mar 1 00:14:24.763: TPLUS: processing authentication start request id 10
*Mar 1 00:14:24.771: TPLUS: Authentication start packet created for 10()
*Mar 1 00:14:24.775: TPLUS: Using server 192.168.1.3
*Mar 1 00:14:24.815: TPLUS(0000000A)/0/NB_WAIT/661F02C8: Started 5 sec timeout
*Mar 1 00:14:24.999: TPLUS(0000000A)/0/NB_WAIT: socket event 2
*Mar 1 00:14:25.023: TPLUS(0000000A)/0/NB_WAIT: wrote entire 36 bytes request
*Mar 1 00:14:25.027: TPLUS(0000000A)/0/READ: socket event 1
*Mar 1 00:14:25.031: TPLUS(0000000A)/0/READ: Would block while reading
*Mar 1 00:14:25.263: TPLUS(0000000A)/0/READ: socket event 1
*Mar 1 00:14:25.267: TPLUS(0000000A)/0/READ: read entire 12 header bytes (expect 16 bytes data)
*Mar 1 00:14:25.271: TPLUS(0000000A)/0/READ: socket event 1
*Mar 1 00:14:25.275: TPLUS(0000000A)/0/READ: read entire 28 bytes response
*Mar 1 00:14:25.275: TPLUS(0000000A)/0/661F02C8: Processing the reply packet
*Mar 1 00:14:25.295: TPLUS: Received authen response status GET_USER (7)
*Mar 1 00:14:32.391: TPLUS: Queuing AAA Authentication request 10 for processing
*Mar 1 00:14:32.407: TPLUS: processing authentication continue request id 10
*Mar 1 00:14:32.411: TPLUS: Authentication continue packet generated for 10
*Mar 1 00:14:32.411: TPLUS(0000000A)/0/WRITE/661F02C8: Started 5 sec timeout
*Mar 1 00:14:32.447: TPLUS(0000000A)/0/WRITE: wrote entire 20 bytes request
*Mar 1 00:14:37.411: TPLUS(0000000A)/0/READ/661F02C8: timed out
*Mar 1 00:14:37.419: TPLUS: Authentication start packet created for 10(lee)
*Mar 1 00:14:37.423: TPLUS(0000000A)/0/READ/661F02C8: timed out, clean up
*Mar 1 00:14:37.423: TPLUS(0000000A)/0/661F02C8: Processing the reply packet
*Mar 1 00:14:48.139: AAA/AUTHEN/LOGIN (0000000A): Pick method list 'EXAMPLE'
*Mar 1 00:14:48.203: TPLUS: Queuing AAA Authentication request 10 for processing
*Mar 1 00:14:48.211: TPLUS: processing authentication start request id 10
*Mar 1 00:14:48.219: TPLUS: Authentication start packet created for 10()
*Mar 1 00:14:48.219: TPLUS: Using server 192.168.1.3
*Mar 1 00:14:48.287: TPLUS(0000000A)/0/NB_WAIT/661F02C8: Started 5 sec timeout
*Mar 1 00:14:48.407: TPLUS(0000000A)/0/NB_WAIT: socket event 2
*Mar 1 00:14:48.459: TPLUS(0000000A)/0/NB_WAIT: wrote entire 36 bytes request
*Mar 1 00:14:48.459: TPLUS(0000000A)/0/READ: socket event 1
*Mar 1 00:14:48.475: TPLUS(0000000A)/0/READ: Would block while reading
*Mar 1 00:14:48.643: TPLUS(0000000A)/0/READ: socket event 1
*Mar 1 00:14:48.643: TPLUS(0000000A)/0/READ: read entire 12 header bytes (expect 16 bytes data)
*Mar 1 00:14:48.647: TPLUS(0000000A)/0/READ: socket event 1
*Mar 1 00:14:48.647: TPLUS(0000000A)/0/READ: read entire 28 bytes response
*Mar 1 00:14:48.671: TPLUS(0000000A)/0/661F02C8: Processing the reply packet
*Mar 1 00:14:48.699: TPLUS: Received authen response status GET_USER (7)
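As an added example (not from the thread or from Cisco), here is what the exchange in the debug above looks like at the byte level: a TACACS+ authentication REPLY carrying GET_USER (7) with the prompt "Username: " is a 12-byte header plus a 16-byte body, the same 28 bytes the router reports reading. The body is only XOR-obfuscated with an MD5 pad derived from the shared key and has no integrity check, so a key mismatch between router and ACS does not produce a protocol error, it just decodes to garbage; the session id and prompt text below are assumed values.

```python
import hashlib
import struct

# Constants from RFC 8907 (the TACACS+ protocol specification).
TAC_PLUS_AUTHEN = 0x01                  # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # header flag: body sent in the clear
TAC_PLUS_AUTHEN_STATUS_GET_USER = 0x07  # the "GET_USER (7)" status in the debug
HEADER_FMT = "!BBBBII"                  # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes, as the debug reports

# Constructed values for this example (not taken from the thread's debug).
SESSION_ID = 0x12345678
SHARED_KEY = b"cisco"                   # the key in the thread's router config
VERSION = 0xC0                          # major version 0xC, minor version 0

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 blocks, truncated to the body length."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation is a plain XOR with the pad, so one call both encodes and decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_reply(status, server_msg=b"", data=b"", seq_no=2, key=SHARED_KEY):
    """Server -> NAS authentication REPLY: status, flags, two lengths, then the strings."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data
    header = struct.pack(HEADER_FMT, VERSION, TAC_PLUS_AUTHEN, seq_no, 0, SESSION_ID, len(body))
    return header + xor_body(body, SESSION_ID, key, VERSION, seq_no)

def parse_authen_reply(packet, key):
    """Decode a REPLY with the given key; a wrong key yields nonsense fields, not an error."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length:
        raise ValueError("not a complete TACACS+ authentication packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    status, _body_flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return {"status": status, "server_msg": body[6:6 + msg_len],
            "header_len": HEADER_LEN, "body_len": length}

if __name__ == "__main__":
    pkt = build_authen_reply(TAC_PLUS_AUTHEN_STATUS_GET_USER, b"Username: ")
    print(len(pkt), parse_authen_reply(pkt, SHARED_KEY))   # 28 bytes, status 7
    print(parse_authen_reply(pkt, b"wrong-key"))           # garbage: no integrity check
```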
 
Are you going to be using TACACS+? If so, here is a working config, as long as you have your external database set up correctly:

step 1
config t
username Test1 password Test1
enable secret Test123
line vty 0 4
no password
login local
transport input ssh

step 2
config t
no aaa new-model

step 3
config t
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting network default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
tacacs-server host 192.168.1.3
tacacs-server attempts 5
tacacs-server key cisco
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
end
wr mem

You may want to change the username.
 
Hi,

I've just tried your config, but I still can't get it to work, so it must be the database side of things.

I've got an AAA client set up with hostname BHM, the IP address of the fa0/0 interface, which is 192.168.1.254, and the shared secret, which is cisco.

The AAA server is also set up with the same shared secret. I've got a couple of users added to the database but can't get them to authenticate. Is there anything else I need to do on Windows Server 2003 to get it up and running?
 
Are you setting them up with an external database, like Active Directory, or the internal ACS one? Go to Reports and Activity, Failed Attempts, and post the error. Also, do you have the network config portion correct?
 
I'm trying to use the internal ACS database. If I go to the reports they're just blank, so I'm assuming that something isn't set up right with this server. This is my first time doing this, so I'm not 100% on the config side of things.

I've got the AAA server set up with server IP address 192.168.1.3, the shared secret cisco, and server type CiscoSecure ACS.

Also I have an AAA client with hostname BHM, IP address 192.168.1.254, which is fa0/0 on the router, and shared secret cisco.
 
Is there a management VLAN on that router? Or a loopback address? Can you ping the TACACS server from the router?

In ACS, TACACS+ settings, do you have PPP IP and Shell Exec checked?
 
Yeah, everything on the network is pingable; it's just this authentication that I can't get working.
 
In ACS, TACACS+ settings, do you have PPP IP and Shell Exec checked?
 
Yeah, they're checked. Sometimes when I telnet in it will let me go to enable mode (BHM>) but not any further; most of the time I'll just get % Authentication failed.
 
I've just checked the log files again and got this:

Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-Port,NAS-IP-Address,Filter Information,PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,Access Device,Network Device Group
08/13/2009,16:35:36,Authen failed,stuart,Default Group,async,(Default),ACS password invalid,,,tty0,192.168.1.254,,,,,,BHM,
08/13/2009,16:35:45,Authen failed,stuart,Default Group,async,(Default),ACS password invalid,,,tty0,192.168.1.254,,,,,,BHM,
08/13/2009,16:35:54,Authen failed,stuart,Default Group,async,(Default),ACS password invalid,,,tty0,192.168.1.254,,,,,,BHM,
08/13/2009,16:35:59,Authen failed,stuart,Default Group,async,(Default),ACS password invalid,,,tty0,192.168.1.254,,,,,,BHM,

Where am I looking to verify the service has started?
 
System Configuration, Service Control... it should say 'service is running'.

After you create an account under User Setup:
password authentication should be ACS Internal Database,
then set the password to something simple.

Assign them to the default group.
Under Advanced TACACS+ Settings:
give them Max Priv level 15,
then set the TACACS+ enable password to something simple,
and make sure PPP IP and Shell command auth are set 'as group'.

Click Submit.

Then go back to System Configuration, Service Control, and restart (at the bottom).
 
Cheers, the advanced TACACS settings were hidden. I'm able to get into privileged mode now (BHM>), but I just get:
% Error in authentication.

Sorry to keep bothering you about this :)
 
Post a config of your router please. Are the logs saying the same thing?
 

Router#show run
Building configuration...

Current configuration : 1298 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login MY_OWN group tacacs+ local
!
!
aaa session-id common
memory-size iomem 5
ip cef
!
!
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
!
!
!
!
tacacs-server host 192.168.1.3 single-connection
tacacs-server key cisco
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login authentication MY_OWN
!
!
end

This is from when I was watching a CBT Nuggets video; I just wanted to see if I could get this working.
 
Your AAA config is not complete: you don't have a local account set up.
The 1st step is to remove the router from ACS and log into the router, then follow these steps, or just copy and paste:

step 2
config t
username Test1 password Test1
enable secret Test123
line vty 0 4
no password
login local
transport input ssh


step 3
config t
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting network default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
tacacs-server host 192.168.1.3
tacacs-server attempts 5
tacacs-server key cisco
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
end
wr mem
 