(RADIATOR) Problem with cisco router login authentication using TACACS

Mike McCauley mikem at open.com.au
Mon Mar 14 18:05:00 CST 2005 

Hello Josh,

thanks for that.

This really does look like a problem with the key, causing the Tacacs request 
to be decrypted incorrectly.

Actually, I wonder if you could do the same test at trace level 5, so we can 
see the results of the Tacacs decryption (available in Radiator 3.11 + 
latests patches)?

BTW, what version of Radiator are you running?

Cheers.

On Tuesday 15 March 2005 09:04, Ward, Josh wrote:
> Here is from the switch that works:
>
> Mon Mar 14 14:58:27 2005: DEBUG: New TacacsplusConnection created for
> 10.241.0.89:11245 Mon Mar 14 14:58:27 2005: DEBUG: TacacsplusConnection
> request 192, 1, 1, 0, 4022010154, 26 Mon Mar 14 14:58:27 2005: DEBUG:
> TacacsPlus request packet dump:
> c0010100efbb012a0000001a031023fe47e95f4a4d74882fba66405f4532321d712722af24d
>7 Mon Mar 14 14:58:27 2005: DEBUG: TacacsplusConnection Authentication START
> 1, 1, 1 for , tty1, 132.241.60.253 Mon Mar 14 14:58:27 2005: DEBUG:
> TacacsplusConnection Authentication REPLY 4, 0, Username: , Mon Mar 14
> 14:58:29 2005: DEBUG: TacacsplusConnection request 192, 1, 3, 0,
> 4022010154, 10 Mon Mar 14 14:58:29 2005: DEBUG: TacacsPlus request packet
> dump: c0010300efbb012a0000000a3777521cd58d0514c8d7 Mon Mar 14 14:58:29
> 2005: DEBUG: TacacsplusConnection Authentication CONTINUE 0, jward, Mon Mar
> 14 14:58:29 2005: DEBUG: TacacsplusConnection Authentication REPLY 5, 1,
> Password: , Mon Mar 14 14:58:31 2005: DEBUG: TacacsplusConnection request
> 192, 1, 5, 0, 4022010154, 11 Mon Mar 14 14:58:31 2005: DEBUG: TacacsPlus
> request packet dump: c0010500efbb012a0000000b870ae1425d152d45ff7b27 Mon Mar
> 14 14:58:31 2005: DEBUG: TacacsplusConnection Authentication CONTINUE 0,
> -----, Mon Mar 14 14:58:31 2005: DEBUG: TACACSPLUS derived Radius request
> packet dump: Code:       Access-Request
> Identifier: UNDEF
> Authentic:  TOxFA_%<217>{<15>b_<157>U<201><21>
> Attributes:
>         NAS-IP-Address = 10.241.0.89
>         NAS-Port-Id = "tty1"
>         Calling-Station-Id = "-------"
>         Service-Type = Login-User
>         User-Name = "jward"
>         User-Password = "--------"
>
> Mon Mar 14 14:58:31 2005: DEBUG: Handling request with Handler
> 'Realm=DEFAULT' Mon Mar 14 14:58:31 2005: DEBUG:  Deleting session for ,
> 10.241.0.89, Mon Mar 14 14:58:31 2005: DEBUG: Handling with
> Radius::AuthFILE:
> Mon Mar 14 14:58:31 2005: DEBUG: Reading users file /etc/radiator/users
> Mon Mar 14 14:58:31 2005: DEBUG: Radius::AuthFILE looks for match with
> jward Mon Mar 14 14:58:31 2005: DEBUG: Handling with Radius::AuthUNIX:
> Check-UNIX Mon Mar 14 14:58:31 2005: DEBUG: Radius::AuthUNIX looks for
> match with jward Mon Mar 14 14:58:31 2005: DEBUG: Radius::AuthUNIX ACCEPT:
> Mon Mar 14 14:58:31 2005: DEBUG: Radius::AuthFILE ACCEPT:
> Mon Mar 14 14:58:31 2005: DEBUG: Access accepted for jward
> Mon Mar 14 14:58:31 2005: DEBUG: TacacsplusConnection result Access-Accept
> Mon Mar 14 14:58:31 2005: DEBUG: TacacsplusConnection Authentication REPLY
> 1, 0, , Mon Mar 14 14:58:31 2005: DEBUG: TacacsplusConnection disconnected
> from 10.241.0.89:11245
>
>
>
> Here is for the router that does not work:
>
> Mon Mar 14 14:58:41 2005: DEBUG: New TacacsplusConnection created for
> 10.241.12.100:11044 Mon Mar 14 14:58:41 2005: DEBUG: TacacsplusConnection
> request 192, 1, 1, 0, 1727364510, 26 Mon Mar 14 14:58:41 2005: DEBUG:
> TacacsPlus request packet dump:
> c001010066f57d9e0000001a460e711905e765bd10f5918187b0e8beaef57faab5edf20ee62
>0 Mon Mar 14 14:58:41 2005: DEBUG: TacacsplusConnection Authentication START
> 224, 81, 255 for URaÁÄ5üÏF®uÂNeÜI, , Mon Mar 14 14:58:41 2005: WARNING:
> TacacsplusConnection unknown authentication action 224, type 81. Bad
> encryption Key? Mon Mar 14 14:58:46 2005: DEBUG: TacacsplusConnection
> disconnected from 10.241.12.100:11044
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Monday, March 14, 2005 1:43 PM
> To: Ward, Josh
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Problem with cisco router login authentication
> using TACACS
>
>
> Hello Josh -
>
> Could you please send me a trace 4 debug from Radiator showing a TACACS
> request both  from a switch and from a router.
>
> regards
>
> Hugh
>
> On 14 Mar 2005, at 20:22, Ward, Josh wrote:
> > Hello,
> >
> > I'm having a problem getting our Cisco routers to do login
> > authentication using radiator and TACACS.  All of our switches are
> > doing
> > TACACS authentication without a problem, but I am having problems
> > getting it running on any of our routers.
> >
> > Here is the error message(s) I get when trying to log in to a TACACS+
> > configured router:
> > Mon Mar 14 11:07:06 2005: WARNING: TacacsplusConnection unknown
> > authentication action 173, type 107. Bad encryption Key?
> > Mon Mar 14 11:07:44 2005: WARNING: TacacsplusConnection unknown
> > authentication action 252, type 123. Bad encryption Key?
> > Mon Mar 14 11:08:18 2005: WARNING: TacacsplusConnection unknown
> > authentication action 20, type 188. Bad encryption Key?
> > Mon Mar 14 11:08:22 2005: WARNING: TacacsplusConnection unknown
> > authentication action 121, type 186. Bad encryption Key?
> > Mon Mar 14 11:08:25 2005: WARNING: TacacsplusConnection unknown
> > authentication action 103, type 182. Bad encryption Key?
> >
> > I know that the encryption key is set the same as it is on our IOS
> > based
> > switches, and they seem to be working fine.
> >
> > Here is the relevant configuration from our radius server:
> > <ServerTACACSPLUS>
> >         Key *******
> > </Server>
> > <Realm DEFAULT>
> >         #AuthByPolicy ContinueUntilAccept
> >         <AuthBy FILE>
> >                 Filename /etc/radiator/users
> >                 NoDefaultIfFound
> >         </AuthBy>
> > </Realm>
> >
> > And the configuration from one of our routers:
> > aaa new-model
> > aaa authentication login default group tacacs+ local
> > tacacs-server host 132.241.x.x key ******
> >
> > Seems pretty straight forward to me.  The same configuration works
> > great
> > on our IOS based switches, but the routers do not want to cooperate.  I
> > have most of my routers doing radius authentication.  However, some of
> > our routers for one reason of another do not support radius.
> >
> > Any help would be appreciated.
> >
> > Thanks!!!
> >
> > -Josh
> > Network Analyst - Network Operations
> > California State University, Chico
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
>
> NB: I am travelling this week, so there may be delays in our
> correspondence.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list