Got it

TACACS issue

Created: Apr 10, 2020 03:34:31Latest reply: Apr 10, 2020 06:22:56 253 3 0 0 0
  Rewarded HiCoins: 0 (problem resolved)

Hey there,

The S5720 switch does not allow us to log in with a local account when the IP connection to the TACACS servers is lost.

Can you tell me, please, what might be the problem? Thank you.

The following is the tacacs configuration:

hwtacacs-server template tacacs1

hwtacacs-server authentication xx.xx.xx.xx

hwtacacs-server authentication xx.xx.xx.xx secondary

hwtacacs-server authorization xx.xx.xx.xx

hwtacacs-server authorization xx.xx.xx.xx secondary

hwtacacs-server accounting xx.xx.xx.xx

hwtacacs-server accounting xx.xx.xx.xx secondary

hwtacacs-server source-ip xx.xx.xx.xx

hwtacacs-server shared-key cipher xxxxxx

undo hwtacacs-server user-name domain-included



  • x
  • convention:

Featured Answers
Popeye_Wang
Admin Created Apr 10, 2020 03:41:58

Hello,

By default, users cannot go online if accounting-start fails. The TACACS authentication fails and accounting cannot be performed. Therefore, you can't log in to the switch when the authentication fails.

Please try to change the accounting mode to none or add the accounting start-fail online command in the accounting scheme view.

For details, please refer to

https://support.huawei.com/hedex/hdx.do?docid=EDOC1100064949&id=accounting_start-fail&lang=en

Please let me know if this works.


View more
  • x
  • convention:

All Answers
Popeye_Wang
Popeye_Wang Admin Created Apr 10, 2020 03:41:58

Hello,

By default, users cannot go online if accounting-start fails. The TACACS authentication fails and accounting cannot be performed. Therefore, you can't log in to the switch when the authentication fails.

Please try to change the accounting mode to none or add the accounting start-fail online command in the accounting scheme view.

For details, please refer to

https://support.huawei.com/hedex/hdx.do?docid=EDOC1100064949&id=accounting_start-fail&lang=en

Please let me know if this works.


View more
  • x
  • convention:

lubna
lubna Created Apr 10, 2020 03:42:03

hello dear i hope it will help you

Introduction
This document describes the steps to troubleshoot Terminal Access Controller Access-Control System Authentication (TACACS) issues on Cisco IOS/IOS-XE routers and switches.

Prerequisites
Requirements
Cisco recommends that you have basic knowledge of these topics:

Authentication, Authorization and Accounting (AAA) configuration on Cisco devices
TACACS configuration
Components Used
This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

How TACACS works
TACACS+ protocol uses Transmission Control Protocol (TCP) as the transport protocol with destination port number 49. When the Router receives a login request, it establishes a TCP connection with the TACACS server, post which a username prompt is displayed to the user. When the user enters the username, the Router again communicates with the TACACS server for the password prompt. Once the user enters the password, the Router send this information to the TACACS server again. The TACACS server verifies the user credentials and sends a response back to the Router. The result of a AAA session can be any of these:

PASS: When you are authenticated the service begins only if AAA authorization is configured on the router. The authorization phase begins at this time.

FAIL: When you have failed the authentication. You might be denied further access or be prompted to retry the login sequence, depending on the TACACS+ daemon. In this, you may need to check the policies configured for the user in TACACS server, if you receive a FAIL from the server

ERROR: It indicates an error occurred during authentication. This can be either at the daemon or in the network connection between the daemon and the router. If an ERROR response is received, the router typically tries to use an alternative method to authenticate the user.

These are the basic configuration of AAA and TACACS on a Cisco Router

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ local

!

tacacs server prod

address ipv4 10.106.60.182

key cisco123

!

ip tacacs source-interface Gig 0/0
Troubleshoot TACACS Issues
Step 1. Verify the connectivity to the TACACS server with a telnet on port 49 from the router with appropriate source interface. In case the router is not able to connect to the TACACS server on Port 49, there might be some firewall or access list blocking the traffic.

Router#telnet 10.106.60.182 49
Trying 10.106.60.182, 49 ... Open
Step 2. Verify that the AAA Client is properly configured on the TACACS server with the correct IP address and the shared secret key. If the Router has multiple outgoing interfaces, it is suggested to configure the TACACS source interface by using the following command. You may need to configure the interface, of which the IP address is configured as client IP address on TACACS server, as the TACACS source interface on Router

Router(config)#ip tacacs source-interface Gig 0/0
Step 3. Verify if the TACACS source interface is on a Virtual Routing and Forwarding (VRF). In case the interface is on a VRF, you may need to configure the VRF information under the AAA server group. Refer link for configuration of VRF aware TACACS.

Step 4. Perform test aaa and verify that we are receiving the correct response from the Server

Router#test aaa group tacacs+ cisco cisco legacy
Sending password
User successfully authenticated

Step 5. If test aaa fails, enable these debugs together to analyse the transactions between the Router and the TACACS server to identify the root cause.

debug aaa authentication

debug aaa authorization

debug tacacs

debug ip tcp transaction
This is a sample debug output in a working scenario:

*Apr 6 13:32:50.462: AAA/BIND(00000054): Bind i/f
*Apr 6 13:32:50.462: AAA/AUTHEN/LOGIN (00000054): Pick method list 'default'
*Apr 6 13:32:50.462: TPLUS: Queuing AAA Authentication request 84 for processing
*Apr 6 13:32:50.462: TPLUS(00000054) login timer started 1020 sec timeout
*Apr 6 13:32:50.462: TPLUS: processing authentication start request id 84
*Apr 6 13:32:50.462: TPLUS: Authentication start packet created for 84()
*Apr 6 13:32:50.462: TPLUS: Using server 10.106.60.182
*Apr 6 13:32:50.462: TPLUS(00000054)/0/NB_WAIT/2432818: Started 5 sec timeout
*Apr 6 13:32:50.466: TPLUS(00000054)/0/NB_WAIT: socket event 2
*Apr 6 13:32:50.466: TPLUS(00000054)/0/NB_WAIT: wrote entire 38 bytes request
*Apr 6 13:32:50.466: TPLUS(00000054)/0/READ: socket event 1
*Apr 6 13:32:50.466: TPLUS(00000054)/0/READ: Would block while reading
*Apr 6 13:32:50.466: TPLUS(00000054)/0/READ: socket event 1
*Apr 6 13:32:50.466: TPLUS(00000054)/0/READ: read entire 12 header bytes (expect 43 bytes data)
*Apr 6 13:32:50.466: TPLUS(00000054)/0/READ: socket event 1
*Apr 6 13:32:50.466: TPLUS(00000054)/0/READ: read entire 55 bytes response
*Apr 6 13:32:50.466: TPLUS(00000054)/0/2432818: Processing the reply packet
*Apr 6 13:32:50.466: TPLUS: Received authen response status GET_USER (7)
*Apr 6 13:32:53.242: TPLUS: Queuing AAA Authentication request 84 for processing
*Apr 6 13:32:53.242: TPLUS(00000054) login timer started 1020 sec timeout
*Apr 6 13:32:53.242: TPLUS: processing authentication continue request id 84
*Apr 6 13:32:53.242: TPLUS: Authentication continue packet generated for 84
*Apr 6 13:32:53.242: TPLUS(00000054)/0/WRITE/10882BBC: Started 5 sec timeout
*Apr 6 13:32:53.242: TPLUS(00000054)/0/WRITE: wrote entire 22 bytes request
*Apr 6 13:32:53.246: TPLUS(00000054)/0/READ: socket event 1
*Apr 6 13:32:53.246: TPLUS(00000054)/0/READ: read entire 12 header bytes (expect 16 bytes data)
*Apr 6 13:32:53.246: TPLUS(00000054)/0/READ: socket event 1
*Apr 6 13:32:53.246: TPLUS(00000054)/0/READ: read entire 28 bytes response
*Apr 6 13:32:53.246: TPLUS(00000054)/0/10882BBC: Processing the reply packet
*Apr 6 13:32:53.246: TPLUS: Received authen response status GET_PASSWORD (8)
*Apr 6 13:32:54.454: TPLUS: Queuing AAA Authentication request 84 for processing
*Apr 6 13:32:54.454: TPLUS(00000054) login timer started 1020 sec timeout
*Apr 6 13:32:54.454: TPLUS: processing authentication continue request id 84
*Apr 6 13:32:54.454: TPLUS: Authentication continue packet generated for 84
*Apr 6 13:32:54.454: TPLUS(00000054)/0/WRITE/2432818: Started 5 sec timeout
*Apr 6 13:32:54.454: TPLUS(00000054)/0/WRITE: wrote entire 22 bytes request
*Apr 6 13:32:54.458: TPLUS(00000054)/0/READ: socket event 1
*Apr 6 13:32:54.458: TPLUS(00000054)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*Apr 6 13:32:54.458: TPLUS(00000054)/0/READ: socket event 1
*Apr 6 13:32:54.458: TPLUS(00000054)/0/READ: read entire 18 bytes response
*Apr 6 13:32:54.458: TPLUS(00000054)/0/2432818: Processing the reply packet
*Apr 6 13:32:54.458: TPLUS: Received authen response status PASS (2)
*Apr 6 13:32:54.462: AAA/AUTHOR (0x54): Pick method list 'default'
*Apr 6 13:32:54.462: TPLUS: Queuing AAA Authorization request 84 for processing
*Apr 6 13:32:54.462: TPLUS(00000054) login timer started 1020 sec timeout
*Apr 6 13:32:54.462: TPLUS: processing authorization request id 84
*Apr 6 13:32:54.462: TPLUS: Protocol set to None .....Skipping
*Apr 6 13:32:54.462: TPLUS: Sending AV service=shell
*Apr 6 13:32:54.462: TPLUS: Sending AV cmd*
*Apr 6 13:32:54.462: TPLUS: Authorization request created for 84(cisco)
*Apr 6 13:32:54.462: TPLUS: using previously set server 10.106.60.182 from group tacacs+
*Apr 6 13:32:54.462: TPLUS(00000054)/0/NB_WAIT/2432818: Started 5 sec timeout
*Apr 6 13:32:54.462: TPLUS(00000054)/0/NB_WAIT: socket event 2
*Apr 6 13:32:54.462: TPLUS(00000054)/0/NB_WAIT: wrote entire 62 bytes request
*Apr 6 13:32:54.462: TPLUS(00000054)/0/READ: socket event 1
*Apr 6 13:32:54.462: TPLUS(00000054)/0/READ: Would block while reading
*Apr 6 13:32:54.470: TPLUS(00000054)/0/READ: socket event 1
*Apr 6 13:32:54.470: TPLUS(00000054)/0/READ: read entire 12 header bytes (expect 18 bytes data)
*Apr 6 13:32:54.470: TPLUS(00000054)/0/READ: socket event 1
*Apr 6 13:32:54.470: TPLUS(00000054)/0/READ: read entire 30 bytes response
*Apr 6 13:32:54.470: TPLUS(00000054)/0/2432818: Processing the reply packet
*Apr 6 13:32:54.470: TPLUS: Processed AV priv-lvl=15
*Apr 6 13:32:54.470: TPLUS: received authorization response for 84: PASS
*Apr 6 13:32:54.470: AAA/AUTHOR/EXEC(00000054): processing AV cmd=
*Apr 6 13:32:54.470: AAA/AUTHOR/EXEC(00000054): processing AV priv-lvl=15
*Apr 6 13:32:54.470: AAA/AUTHOR/EXEC(00000054): Authorization successful
This is a sample debug output from the Router, when the TACACS server is configured with a wrong pre shared key

*Apr 6 13:35:07.826: AAA/BIND(00000055): Bind i/f
*Apr 6 13:35:07.826: AAA/AUTHEN/LOGIN (00000055): Pick method list 'default'
*Apr 6 13:35:07.826: TPLUS: Queuing AAA Authentication request 85 for processing
*Apr 6 13:35:07.826: TPLUS(00000055) login timer started 1020 sec timeout
*Apr 6 13:35:07.826: TPLUS: processing authentication start request id 85
*Apr 6 13:35:07.826: TPLUS: Authentication start packet created for 85()
*Apr 6 13:35:07.826: TPLUS: Using server 10.106.60.182
*Apr 6 13:35:07.826: TPLUS(00000055)/0/NB_WAIT/225FE2DC: Started 5 sec timeout
*Apr 6 13:35:07.830: TPLUS(00000055)/0/NB_WAIT: socket event 2
*Apr 6 13:35:07.830: TPLUS(00000055)/0/NB_WAIT: wrote entire 38 bytes request
*Apr 6 13:35:07.830: TPLUS(00000055)/0/READ: socket event 1
*Apr 6 13:35:07.830: TPLUS(00000055)/0/READ: Would block while reading
*Apr 6 13:35:07.886: TPLUS(00000055)/0/READ: socket event 1
*Apr 6 13:35:07.886: TPLUS(00000055)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*Apr 6 13:35:07.886: TPLUS(00000055)/0/READ: socket event 1
*Apr 6 13:35:07.886: TPLUS(00000055)/0/READ: read entire 18 bytes response
*Apr 6 13:35:07.886: TPLUS(00000055)/0/225FE2DC: Processing the reply packet
*Apr 6 13:35:07.886: TPLUS: received bad AUTHEN packet: length = 6, expected 43974
*Apr 6 13:35:07.886: TPLUS: Invalid AUTHEN packet (check keys).
View more
  • x
  • convention:

i%20am%20student%20%20and%20i%20am%20doing%20BSIT%20from%20international%20Islamic%20university%20in%20islamabad
Steelblue
Steelblue Created Apr 10, 2020 06:22:56

Thanks all.
View more
  • x
  • convention:

Comment

You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."

My Followers

Login and enjoy all the member benefits

Login

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.