EnsingerLTD
asked on
Cisco Catalyst 2960x TACACS+ Configuration
I've deployed a CentOS 7 server, installed TACACS+ & I'm trying to configure it to work with a set of managed Cisco Catalyst 2960x switches that I have deployed in our production network (I'm only attempting this on an unused switch at present, purely for testing).
I have the following:-
1.) Connectivity between TACACS+ server & switch (can ping between both and telnet from switch to TACACS+ on TCP 49)
2.) TACACS+ config file (attached) - syntax validated
3.) Cisco IOS config (attached)
4.) TACACS+ IOS debug output (attached)
When I try to SSH to the Cisco switch, I keep receiving "Access Denied". I get a brief delay whereby there's chatter between TACACS & switch, then come the debug output errors.
I have read many articles regarding adding an IP TACACS source-interface, unfortunately I still receive the same error.
Any help would be appreciated.
cisco_debug_output.txt
cisco_shrun_output.txt
tacacs_config.txt
ASKER CERTIFIED SOLUTION
Okay, there are a few things to take note of in your debug:
1.
Dec 20 20:16:17.076: TAC+: Opening TCP/IP to 10.0.20.13/49 timeout=10
This is the initial connection attempt from your switch to the AAA server.
2.
Dec 20 20:16:17.080: TAC+: TCP/IP open to 10.0.20.13/49 failed -- Connection refused by remote host
This is telling you that the AAA server is refusing your connection.
3.
Dec 20 20:17:04.029: TPLUS: Invalid Client information received as input
This is confirming that either your host or user credentials are not recognized. Based on the data at line one, host
4. Your last item, concerning "Command not authorized", this is presenting because your switch can see the TACACS server and the policy requires it to authenticate each user and then authorize commands. When you drop visibility to TACACS via the switch to logon local admin and bring it back up, the aaa service is attempting to authorize against TACACS when it sees it come back up.
What do the logs from your aaa server show?
ASKER
You won't believe this, I just finished reading your comments, enabled debug mode for TACACS using the following command:-
sudo /bin/tac_plus -C /etc/tac_plus.conf -L -p 49 -d128 -g
Authenticated against the switch and there it is ... everything working!! I honestly haven't changed anything since last post, maybe I've restarted the service somewhere in the interim? Couldn't say for sure.
Now I need to figure out if the authorisation logging is working. I'm very new to Linux, I've literally had a crash course today with TACACS. Do you know any good links to documentation on how to harden the security element, some command restriction examples for authorisation etc. Any points in the right direction would be greatly appreciated. Documentation online seems to be limited.
Thanks for your help.
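Since the accepted answer is not visible on this page, here is an added example of the kind of per-group command restriction and accounting the asker is after, written in the shrubbery tac_plus.conf syntax (this is illustrative, not the thread's attached config or anything from the tac_plus project; the group names, user names, and password hashes are placeholders, and the key AAAHOST is the one suggested later in the thread):

```text
# Added example tac_plus.conf (shrubbery tac_plus syntax), not the thread's
# attached file. Group/user names and hashes are placeholders.

# Shared secret. Must match the switch's "tacacs-server key" byte for byte;
# a stray space pasted into either side breaks every exchange.
key = "AAAHOST"

# Accounting log. Every command the switch sends for authorisation/accounting
# lands here, which is the quickest way to confirm authorisation is working.
accounting file = /var/log/tac_plus.acct

# Full administrators: everything is permitted, exec at privilege 15.
group = netadmins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# Read-only operators: deny by default, then whitelist specific commands.
# Rules inside a cmd block are evaluated top-down, first match wins, and the
# regex is matched against the command's arguments.
group = netops {
    default service = deny
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        deny running-config
        deny startup-config
        permit .*
    }
    cmd = ping {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = logout {
        permit .*
    }
}

# Passwords stored as crypt hashes (generate them with the tac_pwd tool that
# ships with tac_plus); never keep cleartext passwords in this file.
user = alice {
    member = netadmins
    login = des "PLACEHOLDER_CRYPT_HASH"
}

user = bob {
    member = netops
    login = des "PLACEHOLDER_CRYPT_HASH"
}
```

Two things to watch when testing this against the switch: run exactly one tac_plus instance at a time (either the foreground debug invocation with -g, as shown in this thread, or the system service, never both, otherwise the second one fails with "bind 49 Address already in use"), and give the switch's AAA method lists a local fallback (for example "aaa authentication login default group tacacs+ local") so that a down or misconfigured server does not force the disconnect-and-reboot workaround described later in the thread.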
Ensinger - in your tacacs server config, it shows the key as "key = "AA01BB02CC03DD04EE05FF061 0".
On the switch, it shows the key as "tacacs-server key AA01BB02CC03DD04EE05FF0610 "
Based on this, I am wondering if you copied AA01BB02CC03DD04EE05FF0610 from one or the other and pasted into the config of the other? Is this so?
If so, can you go to your tacacs server and in the value
key = "AA01BB02CC03DD04EE05FF0610"
change this value to:
key = "AAAHOST"
Then on the switch, run these commands:
conf t
no tacacs-server key
tacacs-server key AAAHOST
end
wr
If the switch won't let you enter commands then disconnect it from the network, you may have to reboot. The intention is to break its visibility to the AAA server IP address. Then login as local admin and enter the commands. Following this, reconnect to the network and try it again.
SOLUTION
ASKER
I spoke way too early! Last night it started to work, then I started to see spurious problems such as not being able to authenticate with the TACACS ID's any more. Ever since running the debug command
sudo /bin/tac_plus -C /etc/tac_plus.conf -L -p 49 -d128 -g
I seem to have locked up the port. I can no longer telnet to TACACS on port 49, PUTTY immediately closes when I try without error. I see the following in the logs:-
Error get_socket: bind 49 Address already in use
I'm at a complete loss now, let me know if you can share any ideas.
FYI - I already performed your recommended commands earlier regarding changing the key on both TACACS & switch.
Cheers,
You've got a service running on there that is consuming the port, looks like. I'm not deep into the Linux side. I run our TACACS and system auth sec side.
Try this
http://www.shrubbery.net/pipermail/tac_plus/2015-July/001658.html
ASKER
I've finally got it working.
Basically, I was completely confusing the situation on the CentOS side, trying to run the debug command AND trying to start the regular service, thinking they were two completely different instances! Basically had it right since you gave me the new cisco tacacs+ & AAA config, just misunderstood the basic Linux management commands.
Thanks for your help.
No worries. Good luck with bringing it online fully. TACACS can be a bit confusing at the start but after you get your head wrapped around the idea of users/hosts/groups/permission sets it clicks along pretty well.
Cheers
A
ASKER
Thanks for this.
Still no joy, however I stop the TACACS service so that I can authenticate locally to switch, re-enable service, then whenever I try to execute any command I receive "Command not authorized".
Debug output still looks similar (see attached). Please also see new sh run output attached.
Cheers,
new_tacacs_debug.txt
new_shrun_output.txt