TACACS Server Problem 2

Almin (Technical User)
Mar 1, 2010
Hello

We are deploying a centralized authentication method in our environment, and I am running into some issues with the TACACS server. I have a router in our lab that is local to the network (meaning it resides on the same subnet as the TACACS server, the 10.10.250.0 network). I am able to authenticate the logon information through TACACS on that router, but my issue is that I can't authenticate the remote router residing on the 10.20.245.0 network. When I try to telnet to it, it asks me for the local database username and password. When I try to telnet to it via port 49 (the TACACS port) I get "connection refused by remote host". We allow tcp/udp any any in and out, not blocking any ports on the network. What could be the issue here? Below is the router config for TACACS.

Code:
aaa new-model
! logins: try the TACACS+ server group first, fall back to the local user database
aaa authentication login default group tacacs+ local
! enable: try TACACS+ first, fall back to the locally configured enable password
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+

line vty 0 4
 login authentication default

tacacs-server host 10.10.250.51
! shared secret as posted; IOS normally displays this as "key 7 <hash>"
tacacs-server key 15261E1E0A2F390727212515454245155
! TACACS+ traffic is sourced from Loopback12, so the server needs a return route to it
ip tacacs source-interface Loopback12

The configuration is identical on both the local and the remote router. Any suggestions?

Thanks
 
P.S. I am able to ping from the server to the remote router and from the remote router to the server...

Thanks for any help
 
Could be a few things going on here.

Log in to the remote router using the local password etc. that works, then type:

term mon
debug tacacs packet

Then fire up another session, try to log in with the TACACS password, and watch the debug messages on the screen.

Post them back here so we can see what's going on.
 
So here is what I got by doing that.

This comes up as soon as I try to connect to the host:

Code:
IT_LAB-TACACS+#term mon
IT_LAB-TACACS+#debug tacacs packet
TACACS+ packets debugging is on
IT_LAB-TACACS+#
IT_LAB-TACACS+#
*Apr 11 18:55:17.531: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
*Apr 11 18:55:17.531: T+: session_id 974847808 (0x3A1AFF40), dlen 26 (0x1A)
*Apr 11 18:55:17.531: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
*Apr 11 18:55:17.531: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
*Apr 11 18:55:17.531: T+: user:  
*Apr 11 18:55:17.531: T+: port:  tty194
*Apr 11 18:55:17.531: T+: rem_addr:  172.18.36.64
*Apr 11 18:55:17.531: T+: data:  
*Apr 11 18:55:17.531: T+: End Packet
IT_LAB-TACACS+#


This comes up when I try to use my TACACS username and password:

Code:
*Apr 11 18:55:38.139: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
*Apr 11 18:55:38.139: T+: session_id 493164964 (0x1D6519A4), dlen 26 (0x1A)
*Apr 11 18:55:38.139: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
*Apr 11 18:55:38.139: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
*Apr 11 18:55:38.139: T+: user:  
*Apr 11 18:55:38.139: T+: port:  tty194
*Apr 11 18:55:38.139: T+: rem_addr:  172.18.36.64
*Apr 11 18:55:38.139: T+: data:  
*Apr 11 18:55:38.139: T+: End Packet
IT_LAB-TACACS+#
IT_LAB-TACACS+#sh tacacs 

Tacacs+ Server            : 172.30.1.61/49
              Socket opens:         14
             Socket closes:         14
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          2
   Failed Connect Attempts:          0
        Total Packets Sent:         13
        Total Packets Recv:          0

IT_LAB-TACACS+#

On this router I am running a DMVPN config. Any ideas? I used Wireshark and I see that it's talking to the server, but it is not happening on my screen.
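To make the header fields in the debug output above concrete, here is an added example (not code from the thread or from Cisco) that builds the same AUTHEN/START packet as defined in RFC 8907, obfuscates the body with the MD5 pseudo-pad, and parses it back the way a server would. The values (version 0xC0, type 1, seq 1, session_id 0x3A1AFF40, dlen 26, empty user, port tty194, rem_addr 172.18.36.64) are taken from the first debug packet; the shared key "lab-key" and all function names are assumptions, since the thread only shows the type-7 hash of the real key. It also goes one step beyond the thread by showing what a router/server key mismatch looks like on the wire: the packet is still 38 bytes and looks normal, but the body decodes to garbage and the server cannot parse it.

```python
"""TACACS+ AUTHEN/START packet (RFC 8907): build, obfuscate, parse.

Added example for this thread, not code from the original posts or from
Cisco. Field values mirror the debug output in the thread; the shared key
"lab-key" is an assumption (the thread only shows a type-7 hash).
"""
import hashlib
import struct

VERSION = 0xC0                        # major 0xC, minor 0 -> "Version 192 (0xC0)"
TAC_PLUS_AUTHEN = 0x01                # packet type 1 = authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01          # action: LOGIN
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01     # authen_type: ascii (server prompts for user/pass)
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01      # service: LOGIN
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # flags bit; clear means the body is obfuscated

# 12-byte header: version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
# 8-byte fixed part of AUTHEN/START: action, priv_lvl, authen_type, service,
# user_len, port_len, rem_addr_len, data_len
START_FIXED = struct.Struct("!BBBBBBBB")


def pseudo_pad(session_id: int, key: str, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key.encode() + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: str, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad. XOR is its own inverse, so this also decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr, priv_lvl=1, seq_no=1) -> bytes:
    """Client -> server packet that IOS logs as 'type:AUTHEN/START ... action:LOGIN ascii'.
    An ASCII login starts with user_len 0; the server then prompts for the username."""
    user_b, port_b, rem_b, data_b = user.encode(), port.encode(), rem_addr.encode(), b""
    body = START_FIXED.pack(TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                            TAC_PLUS_AUTHEN_SVC_LOGIN,
                            len(user_b), len(port_b), len(rem_b), len(data_b))
    body += user_b + port_b + rem_b + data_b          # 8 + 0 + 6 + 12 + 0 = 26 = dlen
    header = HEADER.pack(VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_authen_start(packet: bytes, key: str) -> dict:
    """Decode a packet the way a server would. Raises ValueError/UnicodeDecodeError
    when the body makes no sense, which is exactly what a wrong shared key produces."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet, 0)
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length or ptype != TAC_PLUS_AUTHEN:
        raise ValueError("truncated packet or not an authentication packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = START_FIXED.unpack_from(body, 0)
    if action != TAC_PLUS_AUTHEN_LOGIN or authen_type != TAC_PLUS_AUTHEN_TYPE_ASCII:
        raise ValueError("unexpected action/authen_type: wrong key or unsupported START")
    if START_FIXED.size + ulen + plen + rlen + dlen != length:
        raise ValueError("length fields do not add up: wrong key or corrupt body")
    off, strings = START_FIXED.size, []
    for n in (ulen, plen, rlen):
        strings.append(body[off:off + n].decode("ascii"))
        off += n
    user, port, rem_addr = strings
    return {"version": version, "type": ptype, "seq_no": seq_no, "session_id": session_id,
            "length": length, "action": action, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "service": service,
            "user": user, "port": port, "rem_addr": rem_addr, "data": body[off:off + dlen]}


def decodes_with_key(packet: bytes, key: str) -> bool:
    """True if the body parses cleanly under `key`. The protocol has no key check of its
    own: with a mismatched key the server simply cannot recover the body."""
    try:
        parse_authen_start(packet, key)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def demo() -> dict:
    """Rebuild the first START packet from the thread's debug output (constructed key)."""
    pkt = build_authen_start(0x3A1AFF40, "lab-key", "", "tty194", "172.18.36.64")
    return parse_authen_start(pkt, "lab-key")


if __name__ == "__main__":
    pkt = build_authen_start(0x3A1AFF40, "lab-key", "", "tty194", "172.18.36.64")
    print(pkt.hex())
    print(parse_authen_start(pkt, "lab-key"))
    print("decodes with wrong key:", decodes_with_key(pkt, "not-the-key"))
```

The counters in the `sh tacacs` output (13 packets sent, 0 received) are consistent with packets like this leaving the router and nothing coming back, which is why the replies below ask about routing and firewall rules rather than the key; the example just shows what is inside those 38 bytes and how a key mismatch would look if that were the problem instead.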
 
Why does the debug say the TACACS server is a 172.X address when in the config it is a 10.10.250.X address? Is there actually a Loopback12 interface?
 
172.30.1.61 is the TACACS+ server.
The TACACS source interface on the router is the 10. address.
 
Vipergg is right:

You said that the TACACS server was on 10.10.250.51, and in the config you posted in your first post that is what the server is set to. Or does the TACACS server also have the IP 172.30.1.61?

Also, when you do a ping from the router it will use the interface closest to the destination, e.g. if you ping 10.10.250.51 it will use the interface that the next hop is connected to as the source.

I haven't worked with TACACS before as we use RADIUS auth. From the debug it seems like the router sent 13 packets but didn't receive anything back from the server. Firewall ACLs blocking? Routing issue?

Try pinging the server from the router's Loopback12 interface as follows:

remote-02#ping
Protocol [ip]:
Target IP address: 10.10.250.51
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: loopback12
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.250.51, timeout is 2 seconds:
Packet sent with a source address of 192.168.222.2
.....
Success rate is 0 percent (0/5)

For anything with a blank after the ':', just hit Enter to use the defaults.
 
Hi,

I have figured it out, thanks for the hints. One little problem that I have is that when I test my local database (meaning in case the TACACS fails) it takes about 30-40 seconds to come up. I understand that it is trying to connect to the two TACACS server IPs that are in the configuration, but is there a timeout command I can implement so that when it tries to connect to the TACACS and the connection is not established after xx seconds it quits?

Thanks
 
tacacs-server timeout 1
Got it.

Thanks
 
Glad you managed to get it sorted, and the timeout is a nice trick, didn't know that existed!

What did you have to change to get it to work?

Do you have any purple *'s to hand out? :)
 
Hey...

First off I had to add the TACACS subnet to the EIGRP topology, and second I had to allow traffic to pass through our firewall on port 49. Once all that was done everything started to work. I had to do some tweaking on the Cisco config and the TACACS side, but now it works like a charm. Still in testing mode but will be implementing pretty soon :)

Thanks for all the help here

Little purple stars are coming :)
 