
Problems with AAA 1

Status
Not open for further replies.

kunz12

MIS
Jan 17, 2007
42
Guys -

I have two 3845 routers that have the following AAA config:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

tacacs-server host 192.168.254.50 key 7 1081C081E160842557878
tacacs-server host 192.168.254.16 key 7 070E2441470D1A4B464058

I am using Cisco ACS for authentication. However, the strange thing is authentication works for one and does not work for the other one. I have checked that both Routers have been added to the ACS identically.

In addition, I have also checked any access-lists that could be blocking this. But nothing! Really puzzled why it's working for one and not for another.

Any ideas? Thanks!
 
Pull and reinput the keys they may have an unseen space in the key , have seen this more than once.
 
Removed keys and re-added them. Problem still exists.
 
Try removing one and leaving the other---does it work for each separately?

Burt
 
Yeah, I tried that also. Still doesn't work. I will probably have to call TAC. In my estimate, it's completely ignoring TACACS and using local authentication. LA is configured as a secondary authentication method.
 
Things to look at:

Can you run packet snoops on your tacacs server? It would be reassuring to see if the packets are getting there. Does the tacacs server log requests? If so, you don't need to snoop the packets.

Do your access-lists allow response packets back into the router?

- Joel
 
If you can call TAC, then yeah, just do that. Save the headache for another problem.

Burt
 
Guys - This is now resolved.

The source interface had to be specified for TACACS using the following command:

ip tacacs source-interface INT_NAME

Surprisingly I didn't have to do this on the other router.

Anyhow, it's working now....
 
You should always tie your routers' management protocols to interfaces using the source-interface command; otherwise they will send the traffic using the source address of whichever interface is metrically closest to the destination. Ideally you should use Loopback interfaces, as these never go down (if you use a physical interface there is the possibility that it will go down and will be unreachable).
I usually use the following on all Layer-3 devices I install to use a fixed interface for management protocols:
Code:
ip telnet source-interface Loopback0
ip ftp source-interface Loopback0
ip tftp source-interface Loopback0
ip ssh source-interface Loopback0
ip radius source-interface Loopback0
ip tacacs source-interface loopback0
logging source-interface Loopback0
snmp-server trap-source Loopback0
ntp source Loopback0
HTH

Andy
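The resolution above and Andy's checklist describe the same failure mode from two sides: with no source-interface pin, the router sources TACACS+ packets from whichever interface the routing table picks, the ACS sees a client address it was not configured for, and the `local` fallback in `aaa authentication login default group tacacs+ local` silently takes over (the likely mechanism behind "completely ignoring TACACS"). The script below is an added example, not code from the thread or from Cisco: it audits a plain-text IOS running-config and reports every management protocol that is in use but either has no source-interface pin or is pinned to a non-Loopback interface. The sample configs, the placeholder key strings and the set of usage indicators are constructed assumptions; it recognises the classic `tacacs-server host` syntax used in the thread as well as the newer `tacacs server NAME` form.

```python
"""Audit a Cisco IOS running-config for management-protocol source-interface pins.

Added example, not part of the original thread. Assumes a plain-text running-config
(as pasted from 'show running-config'); comments, indentation and case are ignored.
"""
import re
from typing import Dict, List, Optional, Tuple

# For each protocol: (regex proving the router actually uses it,
#                     regex capturing the interface it is pinned to, if any).
CHECKS: Dict[str, Tuple[str, str]] = {
    "tacacs":    (r"^tacacs(-server host| server) ", r"^ip tacacs source-interface (\S+)"),
    "radius":    (r"^radius(-server host| server) ", r"^ip radius source-interface (\S+)"),
    "syslog":    (r"^logging (host )?\d+\.\d+\.\d+\.\d+", r"^logging source-interface (\S+)"),
    "snmp-trap": (r"^snmp-server host ",               r"^snmp-server trap-source (\S+)"),
    "ntp":       (r"^ntp server ",                     r"^ntp source (\S+)"),
}


def _find_pin(lines: List[str], pattern: str) -> Optional[str]:
    """Return the interface named by the first line matching `pattern`, else None."""
    for line in lines:
        m = re.match(pattern, line, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def audit_source_pins(config: str) -> List[Tuple[str, str, str]]:
    """Return (protocol, severity, detail) findings for unpinned or poorly pinned protocols.

    severity is 'missing' (no source-interface at all: the source address will follow
    the egress interface and may not match what the AAA/syslog/NTP server expects) or
    'non-loopback' (pinned, but to an interface that can go down).
    """
    lines = [l.strip() for l in config.splitlines() if l.strip() and not l.lstrip().startswith("!")]
    findings: List[Tuple[str, str, str]] = []
    for proto, (use_re, pin_re) in CHECKS.items():
        if not any(re.match(use_re, l, re.IGNORECASE) for l in lines):
            continue  # protocol not configured on this box; nothing to pin
        pin = _find_pin(lines, pin_re)
        if pin is None:
            findings.append((proto, "missing",
                             "no source-interface configured; source IP follows the egress interface"))
        elif not pin.lower().startswith("loopback"):
            findings.append((proto, "non-loopback",
                             f"pinned to {pin}, which can go down and break the protocol"))
    return findings


# Constructed sample: the thread's AAA block with the TACACS keys replaced by placeholders,
# plus syslog and NTP so the non-loopback case is exercised too.
BROKEN_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
tacacs-server host 192.168.254.50 key 7 <type7-key-placeholder>
tacacs-server host 192.168.254.16 key 7 <type7-key-placeholder>
logging 192.168.254.20
ntp server 192.168.254.21
ntp source GigabitEthernet0/0
"""

# Same config after applying the fix from the thread and Andy's Loopback0 convention.
FIXED_CONFIG = BROKEN_CONFIG.replace("ntp source GigabitEthernet0/0", "ntp source Loopback0") + """
ip tacacs source-interface Loopback0
logging source-interface Loopback0
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {audit_source_pins(cfg) or 'no findings'}")
```

Run it against `show running-config` output from both 3845s and the working one should come back clean while the broken one reports `tacacs` as `missing`; extending `CHECKS` with the telnet/ssh/ftp/tftp pins from Andy's list is a one-line addition each, although those are outbound client protocols without a clean "in use" indicator in the config, so you would check them unconditionally.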
 