Solved

Tacacs+ authentication problems.

Posted on 2006-07-14
Last Modified: 2008-02-01
I've got 2 routers (actually 500). They are all configured with TACACS, and the configuration is exactly the same.
It is a Cisco 1700 with IOS version 12.3(2)XC2. When trying to log in on router 2, TACACS works properly, but when I try to log in on router 1 I can only log in with the password and enable password. There's only 1 TACACS server. The credentials are the same on the TACACS server. I need help!

I did a debug on the routers, and here's the output from both of them:

router 1#
Jul 14 09:55:59.914: TPLUS: Queuing AAA Authentication request 16 for processing
Jul 14 09:55:59.914: TPLUS: processing authentication start request id 16
Jul 14 09:55:59.914: TPLUS: Authentication start packet created for 16()
Jul 14 09:55:59.914: TPLUS: Using server 10.160.2.31
Jul 14 09:55:59.914: TPLUS(00000010)/0/NB_WAIT/81FA3D80: Started 5 sec timeout
Jul 14 09:56:04.914: TPLUS(00000010)/0/NB_WAIT/81FA3D80: timed out
Jul 14 09:56:04.914: TPLUS(00000010)/0/NB_WAIT/81FA3D80: timed out, clean up
Jul 14 09:56:04.914: TPLUS(00000010)/0/81FA3D80: Processing the reply packet

router 2#
.Jul 14 10:02:22.948: TPLUS: Queuing AAA Authentication request 1377 for processing
.Jul 14 10:02:22.948: TPLUS: processing authentication start request id 1377
.Jul 14 10:02:22.948: TPLUS: Authentication start packet created for 1377()
.Jul 14 10:02:22.948: TPLUS: Using server 10.160.2.31
.Jul 14 10:02:22.948: TPLUS(00000561)/0/IDLE/822BBF80: got immediate connect on new 0
.Jul 14 10:02:22.952: TPLUS(00000561)/0/WRITE/822BBF80: Started 5 sec timeout
.Jul 14 10:02:22.952: TPLUS(00000561)/0/WRITE: wrote entire 36 bytes request
.Jul 14 10:02:22.980: TPLUS(00000561)/0/READ: read entire 12 header bytes (expect 16 bytes)
.Jul 14 10:02:22.980: TPLUS(00000561)/0/READ: read entire 28 bytes response
.Jul 14 10:02:22.980: TPLUS(00000561)/0/822BBF80: Processing the reply packet
.Jul 14 10:02:22.984: TPLUS: Received authen response status GET_USER (7)
.Jul 14 10:02:24.707: TPLUS: Queuing AAA Authentication request 1377 for processing
.Jul 14 10:02:24.711: TPLUS: processing authentication continue request id 1377
.Jul 14 10:02:24.711: TPLUS: Authentication continue packet generated for 1377
.Jul 14 10:02:24.711: TPLUS(00000561)/0/WRITE/822B95C8: Started 5 sec timeout
.Jul 14 10:02:24.711: TPLUS(00000561)/0/WRITE: wrote entire 20 bytes request
.Jul 14 10:02:24.759: TPLUS(00000561)/0/READ: read entire 12 header bytes (expect 16 bytes)
.Jul 14 10:02:24.759: TPLUS(00000561)/0/READ: read entire 28 bytes response
.Jul 14 10:02:24.759: TPLUS(00000561)/0/822B95C8: Processing the reply packet
.Jul 14 10:02:24.759: TPLUS: Received authen response status GET_PASSWORD (8)
.Jul 14 10:02:26.097: TPLUS: Queuing AAA Authentication request 1377 for processing
.Jul 14 10:02:26.097: TPLUS: processing authentication continue request id 1377
.Jul 14 10:02:26.097: TPLUS: Authentication continue packet generated for 1377
.Jul 14 10:02:26.101: TPLUS(00000561)/0/WRITE/822B95C8: Started 5 sec timeout
.Jul 14 10:02:26.101: TPLUS(00000561)/0/WRITE: wrote entire 23 bytes request
.Jul 14 10:02:26.246: TPLUS(00000561)/0/READ: read entire 12 header bytes (expect 6 bytes)
.Jul 14 10:02:26.246: TPLUS(00000561)/0/READ: read entire 18 bytes response
.Jul 14 10:02:26.246: TPLUS(00000561)/0/822B95C8: Processing the reply packet
.Jul 14 10:02:26.246: TPLUS: Received authen response status PASS (2)

Question by:TorgN
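
A triage sketch for the two debug captures above, added here as an example and not part of the original thread: it groups TPLUS debug lines by session ID and separates a session that timed out in NB_WAIT before any request was written (router 1) from one that completed the exchange (router 2). Reading NB_WAIT as the wait for the connection to the server is an assumption, as are the function names; the sample is abridged from the question's output.

```python
import re

# Constructed sample: lines abridged from the two captures in the question.
SAMPLE = """\
Jul 14 09:55:59.914: TPLUS: Using server 10.160.2.31
Jul 14 09:55:59.914: TPLUS(00000010)/0/NB_WAIT/81FA3D80: Started 5 sec timeout
Jul 14 09:56:04.914: TPLUS(00000010)/0/NB_WAIT/81FA3D80: timed out
.Jul 14 10:02:22.948: TPLUS: Using server 10.160.2.31
.Jul 14 10:02:22.948: TPLUS(00000561)/0/IDLE/822BBF80: got immediate connect on new 0
.Jul 14 10:02:22.952: TPLUS(00000561)/0/WRITE: wrote entire 36 bytes request
.Jul 14 10:02:22.984: TPLUS: Received authen response status GET_USER (7)
.Jul 14 10:02:26.246: TPLUS: Received authen response status PASS (2)
"""

SERVER = re.compile(r"TPLUS: Using server (\S+)")
SESSION = re.compile(r"TPLUS\((?P<sid>[0-9A-Fa-f]+)\)/\d+/(?P<rest>[^:]*): (?P<msg>.*)")
STATUS = re.compile(r"TPLUS: Received authen response status (\w+)")

def summarize(debug_text):
    """Group debug lines per session ID (assumes sessions are not interleaved)."""
    sessions, pending_server, current = {}, None, None
    for line in debug_text.splitlines():
        if (m := SERVER.search(line)):
            pending_server = m.group(1)       # applies to the next new session
        elif (m := SESSION.search(line)):
            current = sessions.setdefault(m["sid"], {
                "server": pending_server, "wrote": False,
                "timeout_state": None, "statuses": []})
            state = m["rest"].split("/")[0]   # e.g. NB_WAIT, IDLE, WRITE, READ
            if m["msg"].startswith("wrote entire"):
                current["wrote"] = True
            elif m["msg"].startswith("timed out") and not current["timeout_state"]:
                current["timeout_state"] = state
        elif (m := STATUS.search(line)) and current is not None:
            current["statuses"].append(m.group(1))
    return sessions

def classify(s):
    """Name the point at which a session stopped."""
    if "PASS" in s["statuses"]:
        return "authenticated"
    if s["timeout_state"] == "NB_WAIT" and not s["wrote"]:
        return "connect_timeout"              # no request ever reached the server
    if s["timeout_state"]:
        return "timeout_after_connect"
    return "server_replied" if s["statuses"] else "incomplete"

if __name__ == "__main__":
    for sid, s in summarize(SAMPLE).items():
        print(sid, s["server"], classify(s))
```

A `connect_timeout` result points at the path between the router's source address and the server (routing, ACLs, the server's client list) rather than at credentials, which is the direction the replies below take.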
3 Comments
 

Assisted Solution

by:rage419
rage419 earned 250 total points
Are you sure the router is using the source interface/IP that TACACS is expecting? Is that address routable from both the TACACS server's and the source router's perspective?

Failed logs can also be very helpful in seeing what is not jiving or if the attempt is valid at all.

Author Comment

by:TorgN
Yes, the router is using the source interface that TACACS is expecting, and yes, it's routable.

80.0.0.0/30 is subnetted, 1 subnets
c 80.x.x.x is directly connected, serial 0/0.17
r* 0.0.0.0/0 [120/5] via 80.x.x.y, 00:00:03, Serial0/0.17
....

ip tacacs source-interface serial0/0.17

Accepted Solution

by:mcdougp
mcdougp earned 250 total points
What TACACS software and version is 10.160.2.31 using?