Secure ACS

gerbieIT

I am looking for a little help w/ my secure acs set up.
This is my configuration:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 172.16.6.3
tacacs-server host 172.16.16.3
tacacs-server timeout 60
tacacs-server directed-request
tacacs-server key xxxxxxxxxx


It works fine in my 2621's but not on my 2811's. This happens on three different 2811's. To make it even weirder, it will work on a test router I set up in my office and connect to via the LAN... Am I missing something?

Any help would be greatly, greatly appreciated!
 
I get authentication failed...
 
2811:
GSS_WBCS_R0#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.3(11)T10, RELEASE SOFTWARE (fc4)
Technical Support: Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 03-Mar-06 19:05 by dchih

ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)

GSS_WBCS_R0 uptime is 40 weeks, 3 days, 18 hours, 53 minutes
System returned to ROM by power-on
System restarted at 18:37:43 GMT Sat Jun 30 2007
System image file is "flash:c2800nm-advipservicesk9-mz.123-11.T10.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2811 (revision 53.51) with 247808K/14336K bytes of memory.
Processor board ID FTX1037A1N5
2 FastEthernet interfaces
2 Serial interfaces
4 ISDN Basic Rate interfaces
1 Channelized T1/PRI port
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

2621:

GSS_17st_R0#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(13)T12, RELEASE SOFTWARE (fc1)
Technical Support: Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Tue 30-Mar-04 21:29 by ccai
Image text-base: 0x80008098, data-base: 0x80B679C0

ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-I-M), Version 12.2(13)T12, RELEASE SOFTWARE (fc1)

GSS_17st_R0 uptime is 17 weeks, 6 days, 19 hours, 24 minutes
System returned to ROM by power-on
System restarted at 18:19:08 GMT Wed Dec 5 2007
System image file is "flash:c2600-i-mz.122-13.T12.bin"

cisco 2621XM (MPC860P) processor (revision 0x300) with 93184K/5120K bytes of memory.
Processor board ID JAE08105GU4 (1136332242)
M860 processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
2 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102


Thank you for your help.
 
Have you added the clients (i.e. each router) to the ACS server or are you using wildcards?

Andy
 
I add each individual router to secure ACS. I have deleted them, re-added and no luck.

Would different IOS's require different commands?
 
I think you need to debug what's going on and try and interpret the debug messages:
Code:
debug aaa authentication
debug tacacs authentication

I have various switches & routers on different levels of code (12.2, 12.3 & 12.4) and the config on all of them is pretty much the same - some of the switches have 802.1x on them which the routers don't but that is about it.

Andy
 
I didn't think IP BASE would support aaa...guess it does.
If the router takes the commands, then they will be the same commands.

Burt
 
Did you copy-and-paste the TACACS server key into the routers? I used to have problems with that for some reason. It would *always* fail on certain types of routers if I pasted in an encrypted key. Try retyping the keys into those routers manually just to see if that clears it up.
 
What about source interfaces? You said you added all the routers to ACS; if there are multiple interfaces on the routers, then potentially the source IP address of the Tacacs+ packets from the router could be any of them. In reality it will be the interface (metrically) closest to the ACS Server. What you should do is fix the source IP address on the routers; I always use loopback interfaces:
Code:
ip tacacs source-interface loopback0
ip radius source-interface loopback0

Andy
 
Yes, I did do a copy and paste into the router. I will try deleting it and re-entering the commands by hand.
 
First off, thank you all for your replies!

OK, I tried entering the info in manually and it did not make a difference. I then turned on the debugging and this is what I got:
Apr 9 15:27:36.517: AAA: parse name=tty322 idb type=-1 tty=-1
.Apr 9 15:27:36.517: AAA: name=tty322 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=322 channel=0
.Apr 9 15:27:36.517: AAA/MEMORY: create_user (0x46209D88) user='csacs' ruser='GSS_WBCS_R0' ds0=0 port='tty322' rem_addr='172.16.0.28' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
.Apr 9 15:27:36.729: AAA/MEMORY: free_user (0x46209D88) user='csacs' ruser='GSS_WBCS_R0' port='tty322' rem_addr='172.16.0.28' authen_type=ASCII service=NONE priv=15 vrf= (id=0)
.Apr 9 15:27:54.181: AAA/BIND(0000005A): Bind i/f
.Apr 9 15:27:54.181: AAA/AUTHEN/LOGIN (0000005A): Pick method list 'default'
.Apr 9 15:27:54.181: TPLUS: Queuing AAA Authentication request 90 for processing
.Apr 9 15:27:54.181: TPLUS: processing authentication start request id 90
.Apr 9 15:27:54.181: TPLUS: Authentication start packet created for 90(david)
.Apr 9 15:27:54.181: TPLUS: Using server 172.16.6.3
.Apr 9 15:27:54.181: TPLUS(0000005A)/1/NB_WAIT/4620496C: Started 60 sec timeout
.Apr 9 15:27:54.185: TPLUS(0000005A)/1/NB_WAIT: socket event 2
.Apr 9 15:27:54.185: TPLUS(0000005A)/1/NB_WAIT: wrote entire 42 bytes request
.Apr 9 15:27:54.185: TPLUS(0000005A)/1/READ: socket event 1
.Apr 9 15:27:54.185: TPLUS(0000005A)/1/READ: Would block while reading
.Apr 9 15:27:54.185: TPLUS(0000005A)/1/READ: socket event 1
.Apr 9 15:27:54.185: TPLUS(0000005A)/1/READ: errno 254
.Apr 9 15:27:54.185: TPLUS(0000005A)/1/4620496C: Processing the reply packet
.Apr 9 15:27:59.185: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
.Apr 9 15:27:59.185: TPLUS: Queuing AAA Authentication request 0 for processing
.Apr 9 15:27:59.185: TPLUS: processing authentication start request id 0
.Apr 9 15:27:59.185: TPLUS: Authentication start packet created for 0(david)
.Apr 9 15:27:59.185: TPLUS: Using server 172.16.6.3
.Apr 9 15:27:59.185: TPLUS(00000000)/1/NB_WAIT/4620496C: Started 60 sec timeout
.Apr 9 15:27:59.185: TPLUS(00000000)/1/NB_WAIT: socket event 2
.Apr 9 15:27:59.189: TPLUS(00000000)/1/NB_WAIT: wrote entire 25 bytes request
.Apr 9 15:27:59.189: TPLUS(00000000)/1/READ: socket event 1
.Apr 9 15:27:59.189: TPLUS(00000000)/1/READ: Would block while reading
.Apr 9 15:27:59.189: TPLUS(00000000)/1/READ: socket event 1
.Apr 9 15:27:59.189: TPLUS(00000000)/1/READ: errno 254
.Apr 9 15:27:59.189: TPLUS(00000000)/1/4620496C: Processing the reply packet


I am going to see if I can "translate" this, but if anyone has any input on it, it would be appreciated.
 
Ok, so I needed to remove the IP tacacs source interface and all was good.
 
Ok, so I needed to remove the IP tacacs source interface and all was good.

It is best practise to specify the source interface for management protocols (Tacacs+, Radius, SNMP, Syslog, NTP etc) so you know which router packets are coming from. If you have a router with multiple IP interfaces and it sends Tacacs+ Authentication requests, it will use the IP address of the metrically closest interface to the ACS server as the source. This can cause problems if a link goes down and an alternative path is available, as the router will use a different source IP address in subsequent packets.
Best practise is to use /32 Loopback interfaces and tie your management protocols to them:
Code:
interface Loopback0
 ip address 10.255.255.254 255.255.255.255
!
ip tacacs source-interface loopback0
ip radius source-interface loopback0
logging source-interface loopback0
snmp-server trap-source loopback0
ntp source loopback0

HTH

Andy
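
An added example, not part of the original thread: a small audit that reads a router config and checks whether the address TACACS+ requests will be sourced from is one the ACS server has as an AAA client. The FastEthernet address and the ACS client lists are constructed sample data, and `audit_tacacs_source` is a hypothetical helper name.

```python
import re

# Constructed sample config; the Loopback0 address is the one used in the thread.
PINNED = """\
interface Loopback0
 ip address 10.255.255.254 255.255.255.255
!
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.0
!
ip tacacs source-interface loopback0
"""

def interface_addresses(config):
    """Map lower-cased interface name -> primary IPv4 address."""
    addrs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1).lower()
            continue
        # Anchored at end of line so "secondary" addresses are ignored.
        m = re.match(r"\s+ip address (\d+\.\d+\.\d+\.\d+) \d+\.\d+\.\d+\.\d+\s*$", line)
        if m and current:
            addrs[current] = m.group(1)
        elif line and not line.startswith(" "):
            current = None  # left the interface block
    return addrs

def audit_tacacs_source(config, acs_clients):
    """Return (status, addresses) describing the TACACS+ source address."""
    addrs = interface_addresses(config)
    # IOS accepts any case for the interface name, so compare lower-cased.
    m = re.search(r"^ip tacacs source-interface (\S+)", config, re.M | re.I)
    if m:
        ip = addrs.get(m.group(1).lower())
        if ip is None:
            return ("source-interface-has-no-address", [])
        status = "ok" if ip in acs_clients else "pinned-source-not-registered"
        return (status, [ip])
    # Not pinned: the source follows routing, so every address is a candidate.
    missing = sorted(ip for ip in addrs.values() if ip not in acs_clients)
    return ("unpinned", missing)

if __name__ == "__main__":
    print(audit_tacacs_source(PINNED, {"172.16.0.1"}))      # constructed ACS list
    print(audit_tacacs_source(PINNED, {"10.255.255.254"}))  # loopback registered
```

With an unpinned config, the second element lists every interface address the ACS server would not recognise if routing made that interface the source.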
 