Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8064
Views
0
Helpful
2
Replies

TACACS + Authentication Failing

Go to solution
mattipler
Level 1
Level 1

‎02-12-2018 10:01 AM - edited ‎02-21-2020 10:45 AM

Hey guys,

 

We have a working (for other devices) implementation of ACS 5.8.1. I'm attempting to configure TACACS authentication upon one of our new 2960s but authentication is being rejected by the server. 

 

I can see the port 49 traffic passing through the network and hitting the ACS server. The key and IP are configured correctly within ACS. But the server is rejecting authentication attempts.

 

TACACS config

 

switchSWI01#show run | s tacacs
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
ip tacacs source-interface Vlan3000
tacacs server ACS01
address ipv4 10.32.22.15
key 7 031C4D393C1703741E
tacacs server ACS01
address ipv4 10.128.50.15
key 7 10561F2B3F0F30335C

 

TACACS Auth Debug

 

switchSWI01#test aaa group tacacs+ Matthewt 3636685490 legacy
Attempting authentication test to server-group tacacs+ using tacacs+

Feb 12 17:33:22.812: AAA: parse name=<no string> idb type=-1 tty=-1
Feb 12 17:33:22.812: AAA/MEMORY: create_user (0x85C027C) user='Matthewt' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Feb 12 17:33:22.812: TAC+: send AUTHEN/START packet ver=192 id=613456307
Feb 12 17:33:22.812: TAC+: Using default tacacs server-group "tacacs+" list.
Feb 12 17:33:22.812: TAC+: Opening TCP/IP to 10.32.22.15/49 timeout=5
Feb 12 17:33:22.826: TAC+: Opened TCP/IP handle 0x8E2B854 to 10.32.22.15/49 using source 172.31.76.140
Feb 12 17:33:22.826: TAC+: 10.32.22.15 (613456307) AUTHEN/START/LOGIN/ASCII queued
Feb 12 17:33:23.029: TAC+: (613456307) AUTHEN/START/LOGIN/ASCII processed
Feb 12 17:33:23.029: TAC+: ver=192 id=613456307 received AUTHEN status = GETPASS
Feb 12 17:33:23.029: TAC+: send AUTHEN/CONT packet id=613456307
Feb 12 17:33:23.029: TAC+: 10.32.22.15 (613456307) AUTHEN/CONT queuedUser authentication request was rejected by server.

switchSWI01#
Feb 12 17:33:25.328: TAC+: (613456307) AUTHEN/CONT processed
Feb 12 17:33:25.328: TAC+: ver=192 id=613456307 received AUTHEN status = FAIL
Feb 12 17:33:25.328: TAC+: Closing TCP/IP 0x8E2B854 connection to 10.32.22.15/49
Feb 12 17:33:25.332: AAA/MEMORY: free_user (0x85C027C) user='Matthewt' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
Feb 12 17:33:34.385: %SEC-6-IPACCESSLOGNP: list SNMP_ACCESS permitted 0 172.21.50.6 -> 0.0.0.0, 1674 packets

 

Any ideas folks? At a bit of a loss with this! 

 

Regards. 

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mattipler
Level 1
Level 1
In response to mattipler

‎02-13-2018 05:18 AM

End Station Filters! 

View solution in original post

0 Helpful
2 Replies 2

Go to solution
mattipler
Level 1
Level 1

‎02-13-2018 02:07 AM - edited ‎02-13-2018 02:27 AM

Also just found this in ACS Monitoring and Reports (troubleshooting TAB)...

 

Description

Selected Shell Profile is DenyAccess

Resolution Steps

Check whether the Device Administration Authorization Policy rules are correct

 

TACACS STATUS: FAIL

Authentication Results

AuthenticationResult:

PASSED

AuthorizationFailureReason:

ShellProfileDenyAuthorization

Type: Authentication

Authen-reply-Status: Fail

 

Apologies, as you can probably guess, I'm new to ACS! 

0 Helpful

Go to solution
mattipler
Level 1
Level 1
In response to mattipler

‎02-13-2018 05:18 AM

End Station Filters! 

0 Helpful
Customers Also Viewed These Support Documents