(RADIATOR) Problem with cisco router login authentication using TACACS
Ward, Josh
JWard at csuchico.edu
Mon Mar 14 18:16:02 CST 2005
It doesn't look any different at debug level 5, but here it is:
Mon Mar 14 16:06:34 2005: DEBUG: New TacacsplusConnection created for 10.241.12.100:11045
Mon Mar 14 16:06:35 2005: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 3422190234, 26
Mon Mar 14 16:06:35 2005: DEBUG: TacacsPlus request packet dump: c0010100cbfa7a9a0000001aec10f69f9d92d7a6ca0cba6dc08f740b47933613cfdb1dbb6a3b
Mon Mar 14 16:06:35 2005: DEBUG: TacacsplusConnection Authentication START 128, 128, 249 for ·Öú¬ø#oªG@µk, ,
Mon Mar 14 16:06:35 2005: WARNING: TacacsplusConnection unknown authentication action 128, type 128. Bad encryption Key?
^[[?6cMon Mar 14 16:06:39 2005: DEBUG: TacacsplusConnection disconnected from 10.241.12.100:11045
The really strange thing here is that it works fine on all of our IOS based switches. I have not been able to make it work on a single router. I've tried on 7400's, 7200's, AS5300's, etc. I have had the same results on all of them. I see the same error as with this router. I'm positive that the key is defined properly on the routers. Cisco's doc on how to configure TACACS+ aaa authentication is extremely clear and simple. I'm not sure, maybe there is a TACACS protocol difference between the two platforms?
Anyway.. If that log didn't give you what you need, let me know. If there is a patch I need to apply to get additional information, I can do that.
Thanks for your help!!!
-Josh
-----Original Message-----
From: Mike McCauley [mailto:mikem at open.com.au]
Sent: Monday, March 14, 2005 4:05 PM
To: Ward, Josh
Cc: Hugh Irvine; radiator at open.com.au
Subject: Re: (RADIATOR) Problem with cisco router login authentication using TACACS
Hello Josh,
thanks for that.
This really does look like a problem with the key, causing the Tacacs request
to be decrypted incorrectly.
Actually, I wonder if you could do the same test at trace level 5, so we can
see the results of the Tacacs decryption (available in Radiator 3.11 +
latests patches)?
BTW, what version of Radiator are you running?
Cheers.
On Tuesday 15 March 2005 09:04, Ward, Josh wrote:
> Here is from the switch that works:
>
> Mon Mar 14 14:58:27 2005: DEBUG: New TacacsplusConnection created for
> 10.241.0.89:11245 Mon Mar 14 14:58:27 2005: DEBUG: TacacsplusConnection
> request 192, 1, 1, 0, 4022010154, 26 Mon Mar 14 14:58:27 2005: DEBUG:
> TacacsPlus request packet dump:
> c0010100efbb012a0000001a031023fe47e95f4a4d74882fba66405f4532321d712722af24d
>7 Mon Mar 14 14:58:27 2005: DEBUG: TacacsplusConnection Authentication START
> 1, 1, 1 for , tty1, 132.241.60.253 Mon Mar 14 14:58:27 2005: DEBUG:
> TacacsplusConnection Authentication REPLY 4, 0, Username: , Mon Mar 14
> 14:58:29 2005: DEBUG: TacacsplusConnection request 192, 1, 3, 0,
> 4022010154, 10 Mon Mar 14 14:58:29 2005: DEBUG: TacacsPlus request packet
> dump: c0010300efbb012a0000000a3777521cd58d0514c8d7 Mon Mar 14 14:58:29
> 2005: DEBUG: TacacsplusConnection Authentication CONTINUE 0, jward, Mon Mar
> 14 14:58:29 2005: DEBUG: TacacsplusConnection Authentication REPLY 5, 1,
> Password: , Mon Mar 14 14:58:31 2005: DEBUG: TacacsplusConnection request
> 192, 1, 5, 0, 4022010154, 11 Mon Mar 14 14:58:31 2005: DEBUG: TacacsPlus
> request packet dump: c0010500efbb012a0000000b870ae1425d152d45ff7b27 Mon Mar
> 14 14:58:31 2005: DEBUG: TacacsplusConnection Authentication CONTINUE 0,
> -----, Mon Mar 14 14:58:31 2005: DEBUG: TACACSPLUS derived Radius request
> packet dump: Code: Access-Request
> Identifier: UNDEF
> Authentic: TOxFA_%<217>{<15>b_<157>U<201><21>
> Attributes:
> NAS-IP-Address = 10.241.0.89
> NAS-Port-Id = "tty1"
> Calling-Station-Id = "-------"
> Service-Type = Login-User
> User-Name = "jward"
> User-Password = "--------"
>
> Mon Mar 14 14:58:31 2005: DEBUG: Handling request with Handler
> 'Realm=DEFAULT' Mon Mar 14 14:58:31 2005: DEBUG: Deleting session for ,
> 10.241.0.89, Mon Mar 14 14:58:31 2005: DEBUG: Handling with
> Radius::AuthFILE:
> Mon Mar 14 14:58:31 2005: DEBUG: Reading users file /etc/radiator/users
> Mon Mar 14 14:58:31 2005: DEBUG: Radius::AuthFILE looks for match with
> jward Mon Mar 14 14:58:31 2005: DEBUG: Handling with Radius::AuthUNIX:
> Check-UNIX Mon Mar 14 14:58:31 2005: DEBUG: Radius::AuthUNIX looks for
> match with jward Mon Mar 14 14:58:31 2005: DEBUG: Radius::AuthUNIX ACCEPT:
> Mon Mar 14 14:58:31 2005: DEBUG: Radius::AuthFILE ACCEPT:
> Mon Mar 14 14:58:31 2005: DEBUG: Access accepted for jward
> Mon Mar 14 14:58:31 2005: DEBUG: TacacsplusConnection result Access-Accept
> Mon Mar 14 14:58:31 2005: DEBUG: TacacsplusConnection Authentication REPLY
> 1, 0, , Mon Mar 14 14:58:31 2005: DEBUG: TacacsplusConnection disconnected
> from 10.241.0.89:11245
>
>
>
> Here is for the router that does not work:
>
> Mon Mar 14 14:58:41 2005: DEBUG: New TacacsplusConnection created for
> 10.241.12.100:11044 Mon Mar 14 14:58:41 2005: DEBUG: TacacsplusConnection
> request 192, 1, 1, 0, 1727364510, 26 Mon Mar 14 14:58:41 2005: DEBUG:
> TacacsPlus request packet dump:
> c001010066f57d9e0000001a460e711905e765bd10f5918187b0e8beaef57faab5edf20ee62
>0 Mon Mar 14 14:58:41 2005: DEBUG: TacacsplusConnection Authentication START
> 224, 81, 255 for URaÁÄ5üÏF®uÂNeÜI, , Mon Mar 14 14:58:41 2005: WARNING:
> TacacsplusConnection unknown authentication action 224, type 81. Bad
> encryption Key? Mon Mar 14 14:58:46 2005: DEBUG: TacacsplusConnection
> disconnected from 10.241.12.100:11044
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Monday, March 14, 2005 1:43 PM
> To: Ward, Josh
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Problem with cisco router login authentication
> using TACACS
>
>
> Hello Josh -
>
> Could you please send me a trace 4 debug from Radiator showing a TACACS
> request both from a switch and from a router.
>
> regards
>
> Hugh
>
> On 14 Mar 2005, at 20:22, Ward, Josh wrote:
> > Hello,
> >
> > I'm having a problem getting our Cisco routers to do login
> > authentication using radiator and TACACS. All of our switches are
> > doing
> > TACACS authentication without a problem, but I am having problems
> > getting it running on any of our routers.
> >
> > Here is the error message(s) I get when trying to log in to a TACACS+
> > configured router:
> > Mon Mar 14 11:07:06 2005: WARNING: TacacsplusConnection unknown
> > authentication action 173, type 107. Bad encryption Key?
> > Mon Mar 14 11:07:44 2005: WARNING: TacacsplusConnection unknown
> > authentication action 252, type 123. Bad encryption Key?
> > Mon Mar 14 11:08:18 2005: WARNING: TacacsplusConnection unknown
> > authentication action 20, type 188. Bad encryption Key?
> > Mon Mar 14 11:08:22 2005: WARNING: TacacsplusConnection unknown
> > authentication action 121, type 186. Bad encryption Key?
> > Mon Mar 14 11:08:25 2005: WARNING: TacacsplusConnection unknown
> > authentication action 103, type 182. Bad encryption Key?
> >
> > I know that the encryption key is set the same as it is on our IOS
> > based
> > switches, and they seem to be working fine.
> >
> > Here is the relevant configuration from our radius server:
> > <ServerTACACSPLUS>
> > Key *******
> > </Server>
> > <Realm DEFAULT>
> > #AuthByPolicy ContinueUntilAccept
> > <AuthBy FILE>
> > Filename /etc/radiator/users
> > NoDefaultIfFound
> > </AuthBy>
> > </Realm>
> >
> > And the configuration from one of our routers:
> > aaa new-model
> > aaa authentication login default group tacacs+ local
> > tacacs-server host 132.241.x.x key ******
> >
> > Seems pretty straight forward to me. The same configuration works
> > great
> > on our IOS based switches, but the routers do not want to cooperate. I
> > have most of my routers doing radius authentication. However, some of
> > our routers for one reason of another do not support radius.
> >
> > Any help would be appreciated.
> >
> > Thanks!!!
> >
> > -Josh
> > Network Analyst - Network Operations
> > California State University, Chico
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
>
> NB: I am travelling this week, so there may be delays in our
> correspondence.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list