(RADIATOR) Problem with cisco router login authentication using TACACS

Ward, Josh JWard at csuchico.edu
Mon Mar 14 17:04:51 CST 2005


Here is from the switch that works:

Mon Mar 14 14:58:27 2005: DEBUG: New TacacsplusConnection created for 10.241.0.89:11245
Mon Mar 14 14:58:27 2005: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 4022010154, 26
Mon Mar 14 14:58:27 2005: DEBUG: TacacsPlus request packet dump: c0010100efbb012a0000001a031023fe47e95f4a4d74882fba66405f4532321d712722af24d7
Mon Mar 14 14:58:27 2005: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for , tty1, 132.241.60.253
Mon Mar 14 14:58:27 2005: DEBUG: TacacsplusConnection Authentication REPLY 4, 0, Username: ,
Mon Mar 14 14:58:29 2005: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 4022010154, 10
Mon Mar 14 14:58:29 2005: DEBUG: TacacsPlus request packet dump: c0010300efbb012a0000000a3777521cd58d0514c8d7
Mon Mar 14 14:58:29 2005: DEBUG: TacacsplusConnection Authentication CONTINUE 0, jward,
Mon Mar 14 14:58:29 2005: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
Mon Mar 14 14:58:31 2005: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 4022010154, 11
Mon Mar 14 14:58:31 2005: DEBUG: TacacsPlus request packet dump: c0010500efbb012a0000000b870ae1425d152d45ff7b27
Mon Mar 14 14:58:31 2005: DEBUG: TacacsplusConnection Authentication CONTINUE 0, -----,
Mon Mar 14 14:58:31 2005: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  TOxFA_%<217>{<15>b_<157>U<201><21>
Attributes:
        NAS-IP-Address = 10.241.0.89
        NAS-Port-Id = "tty1"
        Calling-Station-Id = "-------"
        Service-Type = Login-User
        User-Name = "jward"
        User-Password = "--------"

Mon Mar 14 14:58:31 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Mar 14 14:58:31 2005: DEBUG:  Deleting session for , 10.241.0.89,
Mon Mar 14 14:58:31 2005: DEBUG: Handling with Radius::AuthFILE:
Mon Mar 14 14:58:31 2005: DEBUG: Reading users file /etc/radiator/users
Mon Mar 14 14:58:31 2005: DEBUG: Radius::AuthFILE looks for match with jward
Mon Mar 14 14:58:31 2005: DEBUG: Handling with Radius::AuthUNIX: Check-UNIX
Mon Mar 14 14:58:31 2005: DEBUG: Radius::AuthUNIX looks for match with jward
Mon Mar 14 14:58:31 2005: DEBUG: Radius::AuthUNIX ACCEPT:
Mon Mar 14 14:58:31 2005: DEBUG: Radius::AuthFILE ACCEPT:
Mon Mar 14 14:58:31 2005: DEBUG: Access accepted for jward
Mon Mar 14 14:58:31 2005: DEBUG: TacacsplusConnection result Access-Accept
Mon Mar 14 14:58:31 2005: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Mon Mar 14 14:58:31 2005: DEBUG: TacacsplusConnection disconnected from 10.241.0.89:11245



Here is for the router that does not work:

Mon Mar 14 14:58:41 2005: DEBUG: New TacacsplusConnection created for 10.241.12.100:11044
Mon Mar 14 14:58:41 2005: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 1727364510, 26
Mon Mar 14 14:58:41 2005: DEBUG: TacacsPlus request packet dump: c001010066f57d9e0000001a460e711905e765bd10f5918187b0e8beaef57faab5edf20ee620
Mon Mar 14 14:58:41 2005: DEBUG: TacacsplusConnection Authentication START 224, 81, 255 for URaÁÄ5üÏF®uÂNeÜI, ,
Mon Mar 14 14:58:41 2005: WARNING: TacacsplusConnection unknown authentication action 224, type 81. Bad encryption Key?
Mon Mar 14 14:58:46 2005: DEBUG: TacacsplusConnection disconnected from 10.241.12.100:11044

-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au] 
Sent: Monday, March 14, 2005 1:43 PM
To: Ward, Josh
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) Problem with cisco router login authentication using TACACS


Hello Josh -

Could you please send me a trace 4 debug from Radiator showing a TACACS
request both from a switch and from a router.

regards

Hugh


On 14 Mar 2005, at 20:22, Ward, Josh wrote:

> Hello,
>
> I'm having a problem getting our Cisco routers to do login
> authentication using radiator and TACACS.  All of our switches are doing
> TACACS authentication without a problem, but I am having problems
> getting it running on any of our routers.
>
> Here is the error message(s) I get when trying to log in to a TACACS+
> configured router:
> Mon Mar 14 11:07:06 2005: WARNING: TacacsplusConnection unknown
> authentication action 173, type 107. Bad encryption Key?
> Mon Mar 14 11:07:44 2005: WARNING: TacacsplusConnection unknown
> authentication action 252, type 123. Bad encryption Key?
> Mon Mar 14 11:08:18 2005: WARNING: TacacsplusConnection unknown
> authentication action 20, type 188. Bad encryption Key?
> Mon Mar 14 11:08:22 2005: WARNING: TacacsplusConnection unknown
> authentication action 121, type 186. Bad encryption Key?
> Mon Mar 14 11:08:25 2005: WARNING: TacacsplusConnection unknown
> authentication action 103, type 182. Bad encryption Key?
>
> I know that the encryption key is set the same as it is on our IOS based
> switches, and they seem to be working fine.
>
> Here is the relevant configuration from our radius server:
> <ServerTACACSPLUS>
>         Key *******
> </Server>
> <Realm DEFAULT>
>         #AuthByPolicy ContinueUntilAccept
>         <AuthBy FILE>
>                 Filename /etc/radiator/users
>                 NoDefaultIfFound
>         </AuthBy>
> </Realm>
>
> And the configuration from one of our routers:
> aaa new-model
> aaa authentication login default group tacacs+ local
> tacacs-server host 132.241.x.x key ******
>
> Seems pretty straightforward to me.  The same configuration works great
> on our IOS based switches, but the routers do not want to cooperate.  I
> have most of my routers doing radius authentication.  However, some of
> our routers for one reason or another do not support radius.
>
> Any help would be appreciated.
>
> Thanks!!!
>
> -Josh
> Network Analyst - Network Operations
> California State University, Chico
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: I am travelling this week, so there may be delays in our 
correspondence.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
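
An added example, not part of the thread and not Radiator's code: the TACACS+ body obfuscation described in RFC 8907 (an MD5 pad chained over session id, key, version and sequence number), showing why a key mismatch surfaces as random action/type values like those in the WARNING lines above. The packet bytes are the working switch's dump from the trace; the keys, function names, and the priv_lvl/service values in the sample body are assumptions.

```python
import hashlib
import struct

# The working switch's START packet, copied from the trace above.
PAGE_PKT = bytes.fromhex(
    "c0010100efbb012a0000001a"
    "031023fe47e95f4a4d74882fba66405f4532321d712722af24d7")

def parse_header(pkt):
    """Return (version, type, seq_no, flags, session_id, length)."""
    return struct.unpack("!BBBBII", pkt[:12])

def pseudo_pad(session_id, key, version, seq_no, n):
    """MD5 pad chain: each block hashes the seed plus the previous block."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < n:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:n]

def crypt_body(pkt, key):
    """XOR the body with the pad; the same call obfuscates and recovers."""
    version, _, seq_no, _, session_id, length = parse_header(pkt)
    body = pkt[12:12 + length]
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def check_start(body):
    """Return (action, authen_type, plausible) for a recovered START body."""
    action, _priv, authen_type, _svc, ulen, plen, rlen, dlen = body[:8]
    plausible = (action in (1, 2, 4) and authen_type in (1, 2, 3, 5, 6)
                 and 8 + ulen + plen + rlen + dlen == len(body))
    return action, authen_type, plausible

def build_start(key):
    """Constructed START using the page's header and the logged port/address."""
    port, rem = b"tty1", b"132.241.60.253"
    # priv_lvl=1 and service=1 are assumed values for this sample.
    body = bytes([1, 1, 1, 1, 0, len(port), len(rem), 0]) + port + rem
    return PAGE_PKT[:12] + crypt_body(PAGE_PKT[:12] + body, key)

if __name__ == "__main__":
    pkt = build_start(b"constructed-key")           # constructed shared secret
    print(parse_header(PAGE_PKT))
    print("right key:", check_start(crypt_body(pkt, b"constructed-key")))
    print("wrong key:", check_start(crypt_body(pkt, b"other-key")))
```

The header carries no integrity check over the body, so a server can only notice a wrong key by finding implausible field values after the XOR, which is what the "unknown authentication action" warning reports.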
