Cisco Catalyst 2960x TACACS+ Configuration

I've deployed a CentOS 7 server, installed TACACS+ and I'm trying to configure it to work with a set of managed Cisco Catalyst 2960x switches that I have deployed in our production network (I'm only attempting this on an unused switch at present, purely for testing).

I have the following:-

1.) Connectivity between TACACS+ server & switch (can ping between both and telnet from switch to TACACS+ on TCP 49)
2.) TACACS+ config file (attached) - syntax validated
3.) Cisco IOS config (attached)
4.) TACACS+ IOS debug output (attached)

When I try to SSH to the Cisco switch, I keep receiving "Access Denied". I get a brief delay whereby there's chatter between TACACS & switch, then come the debug output errors.

I have read many articles regarding adding an IP TACACS source-interface; unfortunately I still receive the same error.

Any help would be appreciated.
cisco_debug_output.txt
cisco_shrun_output.txt
tacacs_config.txt
EnsingerLTD asked:

atlas_shuddered (Sr. Network Engineer) commented:
Ensinger -

Your debug output shows that TACACS is not recognizing your device as a valid requester.  Two things to do:

1. On the AAA server, check that the password and client IP address are correct in the host profile.

2.  Try updating your AAA and TACACS on the switches with the below config:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local 
aaa authorization commands 0 default group tacacs+ local 
aaa authorization commands 1 default group tacacs+ local 
aaa authorization commands 15 default group tacacs+ local 
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
ip tacacs source-interface (where ip address is the ip registered in TACACS)
tacacs-server host (IP address of TACACS server)
tacacs-server timeout 10
tacacs-server directed-request
tacacs-server key (where password is the password entered to TACACS device profile - do not include the key statement 7 as it is assumed in the string when entered)

EnsingerLTD (Author) commented:
Hi Atlas,

Thanks for this.

Still no joy. However, if I stop the TACACS service so that I can authenticate locally to the switch, then re-enable the service, whenever I try to execute any command I receive "Command not authorized".

Debug output still looks similar (see attached). Please also see new sh run output attached.

Cheers,
new_tacacs_debug.txt
new_shrun_output.txt
atlas_shuddered (Sr. Network Engineer) commented:
Okay, there are a few things to take note of in your debug:

1.
Dec 20 20:16:17.076: TAC+: Opening TCP/IP to 10.0.20.13/49 timeout=10


This is the initial connection attempt from your switch to the AAA server.

2.
Dec 20 20:16:17.080: TAC+: TCP/IP open to 10.0.20.13/49 failed -- Connection refused by remote host


This is telling you that the AAA server is refusing your connection.

3.
Dec 20 20:17:04.029: TPLUS: Invalid Client information received as input


This is confirming that either your host or user credentials are not recognized.  Based on the data at line one, host

4. Your last item, concerning "Command not authorized": this is presenting because your switch can see the TACACS server and the policy requires it to authenticate each user and then authorize commands. When you drop visibility to TACACS on the switch to log on as local admin and then bring it back up, the aaa service attempts to authorize against TACACS as soon as it sees the server come back up.

What do the logs from your aaa server show?
EnsingerLTD (Author) commented:
You won't believe this: I just finished reading your comments and enabled debug mode for TACACS using the following command:

sudo /bin/tac_plus -C /etc/tac_plus.conf -L -p 49 -d128 -g

Authenticated against the switch and there it is ... everything working!! I honestly haven't changed anything since my last post; maybe I restarted the service somewhere in the interim? Couldn't say for sure.

Now I need to figure out if the authorisation logging is working. I'm very new to Linux; I've literally had a crash course today with TACACS. Do you know any good links to documentation on how to harden the security element, some command restriction examples for authorisation, etc.? Any pointers in the right direction would be greatly appreciated. Documentation online seems to be limited.

Thanks for your help.
atlas_shuddered (Sr. Network Engineer) commented:
Ensinger - in your tacacs server config, it shows the key as key = "AA01BB02CC03DD04EE05FF0610".
On the switch, it shows the key as "tacacs-server key AA01BB02CC03DD04EE05FF0610"

Based on this, I am wondering if you copied AA01BB02CC03DD04EE05FF0610 from one or the other and pasted into the config of the other?  Is this so?

If so, can you go to your tacacs server and in the value

key = "AA01BB02CC03DD04EE05FF0610"



change this value to:

key = "AAAHOST"



Then on the switch, run these commands:

conf t
no tacacs-server key
tacacs-server key AAAHOST
end
wr



If the switch won't let you enter commands, then disconnect it from the network; you may have to reboot. The intention is to break its visibility to the AAA server IP address. Then log in as local admin and enter the commands. Following this, reconnect to the network and try it again.
atlas_shuddered (Sr. Network Engineer) commented:
This may be what you are looking for:

CentOS hardening guide:
https://www.lisenet.com/2017/centos-7-server-hardening-guide/


Hardening tacacs access
https://networkjutsu.com/tacacs-acl/
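For the command-restriction question raised above, here is an added illustration of what a per-group authorization policy looks like in a shrubbery tac_plus.conf (this is not the thread's attached config; the group names, usernames and passwords are placeholders, and the key must match the switch's tacacs-server key):

```text
# Illustrative tac_plus.conf (shrubbery tac_plus); not the thread's attached config.
# The key must be identical to the switch's "tacacs-server key" value.
key = "AAAHOST"
accounting file = /var/log/tac_plus.acct

# Full administrative access: exec at priv-lvl 15, every command permitted.
group = netadmins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# Read-only operators: anything not explicitly permitted is denied, so the
# switch's "aaa authorization commands ..." checks only pass for these commands.
group = helpdesk {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit .*
    }
    cmd = ping {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}

# Placeholder users; replace cleartext with des or PAM before production use.
user = alice {
    member = netadmins
    login = cleartext "PLACEHOLDER-admin"
}

user = bob {
    member = helpdesk
    login = cleartext "PLACEHOLDER-helpdesk"
}
```

Check that the file parses with tac_plus -P -C /etc/tac_plus.conf before restarting the service. Only one instance can bind TCP 49, so stop the systemd service before running tac_plus by hand with -d as shown earlier in the thread.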
EnsingerLTD (Author) commented:
I spoke way too early! Last night it started to work, then I started to see spurious problems such as not being able to authenticate with the TACACS IDs any more. Ever since running the debug command
sudo /bin/tac_plus -C /etc/tac_plus.conf -L -p 49 -d128 -g


I seem to have locked up the port. I can no longer telnet to TACACS on port 49; PuTTY immediately closes when I try, without an error.

I see the following in the logs:-

Error get_socket: bind 49 Address already in use

I'm at a complete loss now, let me know if you can share any ideas.

FYI - I already performed your recommended commands earlier regarding changing the key on both TACACS & switch.

Cheers,
atlas_shuddered (Sr. Network Engineer) commented:
Looks like you've got a service running on there that is consuming the port. I'm not deep into the Linux side; I run our TACACS and system auth sec side.

Try this

http://www.shrubbery.net/pipermail/tac_plus/2015-July/001658.html
EnsingerLTD (Author) commented:
I've finally got it working.

Basically, I was completely confusing the situation on the CentOS side, trying to run the debug command AND trying to start the regular service, thinking they were two completely different instances! I basically had it right since you gave me the new Cisco TACACS+ & AAA config; I just misunderstood the basic Linux management commands.

Thanks for your help.
atlas_shuddered (Sr. Network Engineer) commented:
No worries.  Good luck with bringing it online fully.  TACACS can be a bit confusing at the start but after you get your head wrapped around the idea of users/hosts/groups/permission sets it clicks along pretty well.

Cheers

A