
Tacacs Authentication Issue

cjthedj45 Member Posts: 331
Hi,

I wondered if anyone may be able to help with a rather troublesome TACACS authentication issue I'm experiencing.

I have configured aaa and tacacs (see config below) and installed ACS 4.1 on a virtual server that meets the ACS requirements. I have set it up to use the local ACS database, created user accounts and added my AAA clients. However, when I go to authenticate, the ACS server shows "invalid ACS password". When I run the sh tacacs command I can see packets sent but none received. Does anyone have any indication what could be causing this?

aaa new-model
aaa authentication login telnet group tacacs+ local
aaa authentication login ssh group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 2 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 4 default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 6 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 8 default start-stop group tacacs+
aaa accounting commands 9 default start-stop group tacacs+
aaa accounting commands 10 default start-stop group tacacs+
aaa accounting commands 11 default start-stop group tacacs+
aaa accounting commands 12 default start-stop group tacacs+
aaa accounting commands 13 default start-stop group tacacs+
aaa accounting commands 14 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+


tacacs-server host 10.149.232.130
tacacs-server directed-request
tacacs-server key cisco
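An added example, not from the post and not Cisco code: a small Python linter for the AAA fragment above, plus a reader for the "sh tacacs" sent/received counters the post mentions. It checks the points this thread turns on: the hyphenated "aaa new-model" keyword, that a server host and key are set, that the key is not the well-known default, and that each named login list is actually bound to a line with "login authentication <name>" (an unbound list means that line never talks to TACACS+). The sample config is constructed from the post; on that fragment the three named lists show up as unbound, which may simply mean the post omits the line sections.

```python
import re

# Constructed sample: the AAA/TACACS+ fragment from the post above, with
# the original "aaa new model" spelling left in so the linter catches it.
SAMPLE_CONFIG = """\
aaa new model
aaa authentication login telnet group tacacs+ local
aaa authentication login ssh group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+ enable
tacacs-server host 10.149.232.130
tacacs-server directed-request
tacacs-server key cisco
"""

def lint_aaa_config(config: str) -> list:
    """Return a list of findings for an IOS AAA/TACACS+ fragment."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("missing 'aaa new-model' (hyphenated); method lists have no effect without it")
    if not any(re.match(r"tacacs-server host \S+", ln) for ln in lines):
        findings.append("no tacacs-server host configured")
    keys = [ln.split(" ", 2)[2] for ln in lines if ln.startswith("tacacs-server key ")]
    if not keys:
        findings.append("no tacacs-server key configured")
    elif keys[0] == "cisco":
        findings.append("shared key is the well-known value 'cisco'; replace it before production")
    # Named login lists only take effect when bound to a line with
    # 'login authentication <name>'; an unbound list means that line is
    # not using TACACS+ at all, whatever the aaa lines say.
    defined = {m.group(1) for ln in lines if (m := re.match(r"aaa authentication login (\S+) ", ln))}
    applied = {m.group(1) for ln in lines if (m := re.match(r"login authentication (\S+)", ln))}
    for name in sorted(defined - applied - {"default"}):
        findings.append(f"login list '{name}' is defined but never applied with 'login authentication {name}' under a line")
    return findings

def interpret_tacacs_counters(sent: int, received: int) -> str:
    """Read the 'show tacacs' packet counters the way the thread does."""
    if sent == 0:
        return "no requests leaving the device: the line is not using a TACACS+ method list"
    if received == 0:
        return "requests leave but nothing returns: check TCP/49 reachability and that this device's source IP is a registered AAA client on the server"
    return "server is replying: a failure now points at a key mismatch or a credential/policy problem on the server"
```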

Comments

  • kalebksp Member Posts: 1,033
    I would double check the IP address and shared secret in the client configuration on the ACS server.
  • cjthedj45 Member Posts: 331
    kalebksp wrote:
    I would double check the IP address and shared secret in the client configuration on the ACS server.

    Hi kalebksp, the key is fine; I think there may be a different message if it was failing on the shared key. It specifically says ACS password is invalid. I have configured the local aaa and tacacs accounts with the same username and password but no joy. It looks like it sends out the initial get but nothing returns. The accounts have privilege level 15. When it fails it asks for the enable password. I'm stumped!!
  • cjthedj45 Member Posts: 331
    kale, just been looking at your website vcabbage and it looks good. I was looking at your article on creating a passive network tap. We have a span port at work that mirrors voice traffic so it can be recorded. Not sure if the passive tap would be a better solution than the span port. It's interesting though, because solarwinds is flagging lots of discards on a port between the switch and core. As your article says, the span ports can drop packets if there is too much load. Although not sure if this would be the cause, as we still seem to be recording calls. Anyway, there is some good info on the site.