Cisco Catalyst 2960x TACACS+ Configuration

I've deployed a CentOS 7 server, installed TACACS+ & I'm trying to configure it to work with a set of managed Cisco Catalyst 2960x switches that I have deployed in our production network (I'm only attempting this on an unused switch at present, purely for testing).

I have the following:-

1.) Connectivity between TACACS+ server & switch (can ping between both and telnet from switch to TACACS+ on TCP 49)
2.) TACACS+ config file (attached) - syntax validated
3.) Cisco IOS config (attached)
4.) TACACS+ IOS debug output (attached)

When I try to SSH to the Cisco switch, I keep receiving "Access Denied". I get a brief delay whereby there's chatter between TACACS & switch, then come the debug output errors.

I have read many articles regarding adding an IP TACACS source-interface; unfortunately I still receive the same error.

Any help would be appreciated.
cisco_debug_output.txt
cisco_shrun_output.txt
tacacs_config.txt
EnsingerLTD asked:
atlas_shuddered (Sr. Network Engineer) commented:
Ensinger -

Your debug output shows that TACACS is not recognizing your device as a valid requester.  Two things to do:

1. On the AAA server, check that the password and client IP address are correct in the host profile.

2.  Try updating your AAA and TACACS on the switches with the below config:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local 
aaa authorization commands 0 default group tacacs+ local 
aaa authorization commands 1 default group tacacs+ local 
aaa authorization commands 15 default group tacacs+ local 
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common


ip tacacs source-interface (where ip address is the ip registered in TACACS)
tacacs-server host (IP address of TACACS server)
tacacs-server timeout 10
tacacs-server directed-request
tacacs-server key (where password is the password entered to TACACS device profile - do not include the key statement 7 as it is assumed in the string when entered)

 
EnsingerLTD (Author) commented:
Hi Atlas,

Thanks for this.

Still no joy. However, if I stop the TACACS service so that I can authenticate locally to the switch, then re-enable the service, whenever I try to execute any command I receive "Command not authorized".

Debug output still looks similar (see attached). Please also see new sh run output attached.

Cheers,
new_tacacs_debug.txt
new_shrun_output.txt
0
 
atlas_shuddered (Sr. Network Engineer) commented:
Okay, there are a few things to take note of in your debug:

1.
Dec 20 20:16:17.076: TAC+: Opening TCP/IP to 10.0.20.13/49 timeout=10

This is the initial connection attempt from your switch to the AAA server.

2.
Dec 20 20:16:17.080: TAC+: TCP/IP open to 10.0.20.13/49 failed -- Connection refused by remote host

This is telling you that the AAA server is refusing your connection

3.
Dec 20 20:17:04.029: TPLUS: Invalid Client information received as input

This is confirming that either your host or user credentials are not recognized.  Based on the data at line one, host

4. Your last item, concerning "Command not authorized", this is presenting because your switch can see the TACACS server and the policy requires it to authenticate each user and then authorize commands.  When you drop visibility to TACACS via the switch to logon local admin and bring it back up, the aaa service is attempting to authorize against TACACS when it sees it come back up.

What do the logs from your aaa server show?
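The four debug and server-log signatures discussed in this thread (connection refused, "Invalid Client information", "Command not authorized", and the later "bind 49 Address already in use") each point at a different layer of the AAA path. The following is an added example, not code from the thread or from tac_plus: a small triage script that maps those lines to a likely cause and the first thing to check. The rule table is this example's own reading of the messages; the sample lines are constructed from the ones quoted above.

```python
"""Triage helper for the TACACS+ failure signatures seen in this thread.

Added example, not code from the original thread or from tac_plus. It maps
Cisco 'debug tacacs' lines and tac_plus server log lines to a likely cause
and the first thing to verify. The rule table is this example's own reading
of the messages; SAMPLE_LINES are constructed from the lines quoted above.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: str
    cause: str
    check: str


# (regex over one log line, likely cause, what to verify first)
RULES = [
    (re.compile(r"TAC\+: TCP/IP open to (?P<host>[\d.]+)/(?P<port>\d+) failed -- Connection refused"),
     "no listener on the TACACS+ port (the server answered with a TCP reset)",
     "confirm tac_plus is running and bound to TCP {port} on {host}"),
    (re.compile(r"TPLUS: Invalid Client information received as input"),
     "the server does not accept this switch as a client",
     "compare the switch's source IP and shared key with the server's host entry"),
    (re.compile(r"Command not authorized"),
     "authorization reached the server and the command was denied",
     "check the user's group: 'default service' and the cmd permit/deny rules"),
    (re.compile(r"Error get_socket: bind (?P<port>\d+) Address already in use"),
     "a second tac_plus instance already owns the port",
     "run either the systemd service or the foreground debug instance, not both"),
]

# Constructed sample: the switch debug lines and the server log line from the thread.
SAMPLE_LINES = [
    "Dec 20 20:16:17.076: TAC+: Opening TCP/IP to 10.0.20.13/49 timeout=10",
    "Dec 20 20:16:17.080: TAC+: TCP/IP open to 10.0.20.13/49 failed -- Connection refused by remote host",
    "Dec 20 20:17:04.029: TPLUS: Invalid Client information received as input",
    "Error get_socket: bind 49 Address already in use",
]


def triage(lines):
    """Return one Finding per line that matches a known signature; other lines are skipped."""
    findings = []
    for line in lines:
        for pattern, cause, check in RULES:
            match = pattern.search(line)
            if match:
                # Named groups (host/port) fill the placeholders in the check text.
                findings.append(Finding(line.strip(), cause, check.format(**match.groupdict())))
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.line}\n  cause: {f.cause}\n  check: {f.check}")
```

Feed it the saved `debug tacacs` output plus the tac_plus log; the "Opening TCP/IP" line is informational and produces no finding, which is why only three of the four sample lines are reported.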
EnsingerLTD (Author) commented:
You won't believe this, I just finished reading your comments, enabled debug mode for TACACS using the following command:-

sudo /bin/tac_plus -C /etc/tac_plus.conf -L -p 49 -d128 -g

Authenticated against the switch and there it is ... everything working!! I honestly haven't changed anything since last post, maybe I've restarted the service somewhere in the interim? Couldn't say for sure.

Now I need to figure out if the authorisation logging is working. I'm very new to Linux, I've literally had a crash course today with TACACS.  Do you know any good links to documentation on how to harden the security element, some command restriction examples for authorisation etc. Any points in the right direction would be greatly appreciated. Documentation online seems to be limited.

Thanks for your help.
 
atlas_shuddered (Sr. Network Engineer) commented:
Ensinger - in your tacacs server config, it shows the key as key = "AA01BB02CC03DD04EE05FF0610".
On the switch, it shows the key as tacacs-server key AA01BB02CC03DD04EE05FF0610.

Based on this, I am wondering if you copied AA01BB02CC03DD04EE05FF0610 from one or the other and pasted into the config of the other?  Is this so?

If so, can you go to your tacacs server and in the value

key = "AA01BB02CC03DD04EE05FF0610"

change this value to:

key = "AAAHOST"

Then on the switch, run these commands:

conf t
no tacacs-server key
tacacs-server key AAAHOST
end
wr

If the switch won't let you enter commands then disconnect it from the network; you may have to reboot.  The intention is to break its visibility to the AAA server IP address.  Then login as local admin and enter the commands.  Following this, reconnect to the network and try it again.
 
atlas_shuddered (Sr. Network Engineer) commented:
This may be what you are looking for:

CentOS hardening guide:
https://www.lisenet.com/2017/centos-7-server-hardening-guide/


Hardening tacacs access
https://networkjutsu.com/tacacs-acl/
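The command-restriction examples asked for a few posts up are easiest to reason about once the evaluation order of tac_plus is clear. The following is an added example, not tac_plus's own code: a Python model of per-command authorization in which `POLICY` mirrors the group blocks of a tac_plus.conf (the equivalent config is shown in the comment, in Shrubbery tac_plus syntax as I understand it). The evaluation order is this example's reading of tac_plus behaviour: a `cmd` block for the command is consulted first, its permit/deny regexes are tried in order against the argument string and the first match wins, a `cmd` block with no matching rule denies, and a command with no `cmd` block falls back to the group's `default service`. Group names and patterns are made up for the example.

```python
"""Model of tac_plus per-command authorization, for checking a policy before
pushing it to the server.

Added example, not tac_plus's own code. POLICY mirrors the group blocks of a
tac_plus.conf; the evaluation order below is this example's reading of how
tac_plus decides: cmd block first (first matching permit/deny wins, no match
means deny), otherwise the group's 'default service'. Group names and
patterns are constructed for the example.
"""
import re

# Equivalent tac_plus.conf fragment (assumed syntax; constructed for this example):
#
#   group = netops-ro {
#       default service = deny
#       service = exec { priv-lvl = 15 }
#       cmd = show {
#           deny running-config
#           permit .*
#       }
#       cmd = exit { permit .* }
#   }
#   group = netops-admin {
#       default service = permit
#   }

POLICY = {
    "netops-ro": {
        "default service": "deny",
        "cmd": {
            "show": [("deny", r"running-config"), ("permit", r".*")],
            "exit": [("permit", r".*")],
        },
    },
    "netops-admin": {
        "default service": "permit",
        "cmd": {},
    },
}


def authorize(group, command, args=""):
    """Return (permitted, reason) for one command, following the order described above."""
    policy = POLICY[group]
    rules = policy["cmd"].get(command)
    if rules is None:
        # No cmd block for this command: the group's default service decides.
        permitted = policy["default service"] == "permit"
        return permitted, f"no cmd block for {command!r}; default service = {policy['default service']}"
    for action, pattern in rules:
        # The argument string is matched with an unanchored regex unless the
        # pattern itself uses ^ and $, so re.search is the closer model.
        if re.search(pattern, args):
            return action == "permit", f"{action} {pattern} matched {args!r}"
    return False, f"cmd block for {command!r} has no matching rule; denied"


def unanchored_rules(policy=POLICY):
    """List (group, command, pattern) for rules that are not anchored at both ends.

    An unanchored 'permit' matches anywhere in the argument string, which is
    usually broader than the policy author intended.
    """
    found = []
    for group, body in policy.items():
        for command, rules in body["cmd"].items():
            for _action, pattern in rules:
                if not (pattern.startswith("^") and pattern.endswith("$")):
                    found.append((group, command, pattern))
    return found


if __name__ == "__main__":
    for group, cmd, args in [("netops-ro", "show", "version"),
                             ("netops-ro", "show", "running-config"),
                             ("netops-ro", "configure", "terminal"),
                             ("netops-admin", "configure", "terminal")]:
        ok, why = authorize(group, cmd, args)
        print(f"{group:13} {cmd} {args:15} -> {'permit' if ok else 'deny':6} ({why})")
    print("unanchored rules:", unanchored_rules())
```

Run `unanchored_rules()` over a policy before deploying it: in this sample every rule is unanchored, so `deny running-config` also denies `show running-config interface ...`, which is intended here, but an unanchored `permit` can just as easily allow more than planned.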
 
EnsingerLTD (Author) commented:
I spoke way too early! Last night it started to work, then I started to see spurious problems such as not being able to authenticate with the TACACS IDs any more. Ever since running the debug command
sudo /bin/tac_plus -C /etc/tac_plus.conf -L -p 49 -d128 -g

I seem to have locked up the port. I can no longer telnet to TACACS on port 49; PuTTY immediately closes when I try, without error.

I see the following in the logs:-

Error get_socket: bind 49 Address already in use

I'm at a complete loss now, let me know if you can share any ideas.

FYI - I already performed your recommended commands earlier regarding changing the key on both TACACS & switch.

Cheers,
 
atlas_shuddered (Sr. Network Engineer) commented:
It looks like you've got a service running on there that is consuming the port.  I'm not deep into the Linux side.  I run our TACACS and system auth sec side.

Try this

http://www.shrubbery.net/pipermail/tac_plus/2015-July/001658.html
 
EnsingerLTD (Author) commented:
I've finally got it working.

Basically, I was completely confusing the situation on the CentOS side, trying to run the debug command AND trying to start the regular service, thinking they were two completely different instances! Basically had it right since you gave me the new cisco tacacs+ & AAA config, just misunderstood the basic Linux management commands.

Thanks for your help.
 
atlas_shuddered (Sr. Network Engineer) commented:
No worries.  Good luck with bringing it online fully.  TACACS can be a bit confusing at the start but after you get your head wrapped around the idea of users/hosts/groups/permission sets it clicks along pretty well.

Cheers

A
Question has a verified solution.