(RADIATOR) Problem with cisco router login authentication using TACACS

Mike McCauley mikem at open.com.au
Mon Mar 14 18:35:16 CST 2005


Hello Josh,


On Tuesday 15 March 2005 10:16, Ward, Josh wrote:
> It doesn't look any different at debug level 5, but here it is:

You will need the latest 3.11 patches to see a difference.

>
> Mon Mar 14 16:06:34 2005: DEBUG: New TacacsplusConnection created for
> 10.241.12.100:11045 Mon Mar 14 16:06:35 2005: DEBUG: TacacsplusConnection
> request 192, 1, 1, 0, 3422190234, 26 Mon Mar 14 16:06:35 2005: DEBUG:
> TacacsPlus request packet dump:
> c0010100cbfa7a9a0000001aec10f69f9d92d7a6ca0cba6dc08f740b47933613cfdb1dbb6a3
>b Mon Mar 14 16:06:35 2005: DEBUG: TacacsplusConnection Authentication START
> 128, 128, 249 for ·Öú¬ø#oªG@µk, , Mon Mar 14 16:06:35 2005: WARNING:
> TacacsplusConnection unknown authentication action 128, type 128. Bad
> encryption Key? ^[[?6cMon Mar 14 16:06:39 2005: DEBUG: TacacsplusConnection
> disconnected from 10.241.12.100:11045
>
> The really strange thing here is that it works fine on all of our IOS based
> switches.  I have not been able to make it work on a single router.  I've
> tried on 7400's, 7200's, AS5300's, etc.  I have had the same results on all
> of them.  I see the same error as with this router.  I'm positive that the
> key is defined properly on the routers.  Cisco's doc on how to configure
> TACACS+ aaa authentication is extremely clear and simple.  I'm not sure,
> maybe there is a TACACS protocol difference between the two platforms?

I've just been investigating that possibility. Haven't found anything yet.

Is it the same version of IOS on all your devices?

>
> Anyway..  If that log didn't give you what you need, let me know.  If there
> is a patch I need to apply to get additional information, I can do that.
OK, see above.

>
> Thanks for your help!!!
>
> -Josh
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Monday, March 14, 2005 4:05 PM
> To: Ward, Josh
> Cc: Hugh Irvine; radiator at open.com.au
> Subject: Re: (RADIATOR) Problem with cisco router login authentication
> using TACACS
>
> Hello Josh,
>
> thanks for that.
>
> This really does look like a problem with the key, causing the Tacacs
> request to be decrypted incorrectly.
>
> Actually, I wonder if you could do the same test at trace level 5, so we
> can see the results of the Tacacs decryption (available in Radiator 3.11 +
> latest patches)?
>
> BTW, what version of Radiator are you running?
>
> Cheers.
>
> On Tuesday 15 March 2005 09:04, Ward, Josh wrote:
> > Here is from the switch that works:
> >
> > Mon Mar 14 14:58:27 2005: DEBUG: New TacacsplusConnection created for
> > 10.241.0.89:11245 Mon Mar 14 14:58:27 2005: DEBUG: TacacsplusConnection
> > request 192, 1, 1, 0, 4022010154, 26 Mon Mar 14 14:58:27 2005: DEBUG:
> > TacacsPlus request packet dump:
> > c0010100efbb012a0000001a031023fe47e95f4a4d74882fba66405f4532321d712722af2
> >4d 7 Mon Mar 14 14:58:27 2005: DEBUG: TacacsplusConnection Authentication
> > START 1, 1, 1 for , tty1, 132.241.60.253 Mon Mar 14 14:58:27 2005: DEBUG:
> > TacacsplusConnection Authentication REPLY 4, 0, Username: , Mon Mar 14
> > 14:58:29 2005: DEBUG: TacacsplusConnection request 192, 1, 3, 0,
> > 4022010154, 10 Mon Mar 14 14:58:29 2005: DEBUG: TacacsPlus request packet
> > dump: c0010300efbb012a0000000a3777521cd58d0514c8d7 Mon Mar 14 14:58:29
> > 2005: DEBUG: TacacsplusConnection Authentication CONTINUE 0, jward, Mon
> > Mar 14 14:58:29 2005: DEBUG: TacacsplusConnection Authentication REPLY 5,
> > 1, Password: , Mon Mar 14 14:58:31 2005: DEBUG: TacacsplusConnection
> > request 192, 1, 5, 0, 4022010154, 11 Mon Mar 14 14:58:31 2005: DEBUG:
> > TacacsPlus request packet dump:
> > c0010500efbb012a0000000b870ae1425d152d45ff7b27 Mon Mar 14 14:58:31 2005:
> > DEBUG: TacacsplusConnection Authentication CONTINUE 0, -----, Mon Mar 14
> > 14:58:31 2005: DEBUG: TACACSPLUS derived Radius request packet dump:
> > Code:       Access-Request
> > Identifier: UNDEF
> > Authentic:  TOxFA_%<217>{<15>b_<157>U<201><21>
> > Attributes:
> >         NAS-IP-Address = 10.241.0.89
> >         NAS-Port-Id = "tty1"
> >         Calling-Station-Id = "-------"
> >         Service-Type = Login-User
> >         User-Name = "jward"
> >         User-Password = "--------"
> >
> > Mon Mar 14 14:58:31 2005: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT' Mon Mar 14 14:58:31 2005: DEBUG:  Deleting session for ,
> > 10.241.0.89, Mon Mar 14 14:58:31 2005: DEBUG: Handling with
> > Radius::AuthFILE:
> > Mon Mar 14 14:58:31 2005: DEBUG: Reading users file /etc/radiator/users
> > Mon Mar 14 14:58:31 2005: DEBUG: Radius::AuthFILE looks for match with
> > jward Mon Mar 14 14:58:31 2005: DEBUG: Handling with Radius::AuthUNIX:
> > Check-UNIX Mon Mar 14 14:58:31 2005: DEBUG: Radius::AuthUNIX looks for
> > match with jward Mon Mar 14 14:58:31 2005: DEBUG: Radius::AuthUNIX
> > ACCEPT: Mon Mar 14 14:58:31 2005: DEBUG: Radius::AuthFILE ACCEPT:
> > Mon Mar 14 14:58:31 2005: DEBUG: Access accepted for jward
> > Mon Mar 14 14:58:31 2005: DEBUG: TacacsplusConnection result
> > Access-Accept Mon Mar 14 14:58:31 2005: DEBUG: TacacsplusConnection
> > Authentication REPLY 1, 0, , Mon Mar 14 14:58:31 2005: DEBUG:
> > TacacsplusConnection disconnected from 10.241.0.89:11245
> >
> >
> >
> > Here is for the router that does not work:
> >
> > Mon Mar 14 14:58:41 2005: DEBUG: New TacacsplusConnection created for
> > 10.241.12.100:11044 Mon Mar 14 14:58:41 2005: DEBUG: TacacsplusConnection
> > request 192, 1, 1, 0, 1727364510, 26 Mon Mar 14 14:58:41 2005: DEBUG:
> > TacacsPlus request packet dump:
> > c001010066f57d9e0000001a460e711905e765bd10f5918187b0e8beaef57faab5edf20ee
> >62 0 Mon Mar 14 14:58:41 2005: DEBUG: TacacsplusConnection Authentication
> > START 224, 81, 255 for URaÁÄ5üÏF®uÂNeÜI, , Mon Mar 14 14:58:41 2005:
> > WARNING: TacacsplusConnection unknown authentication action 224, type 81.
> > Bad encryption Key? Mon Mar 14 14:58:46 2005: DEBUG: TacacsplusConnection
> > disconnected from 10.241.12.100:11044
> >
> > -----Original Message-----
> > From: Hugh Irvine [mailto:hugh at open.com.au]
> > Sent: Monday, March 14, 2005 1:43 PM
> > To: Ward, Josh
> > Cc: radiator at open.com.au
> > Subject: Re: (RADIATOR) Problem with cisco router login authentication
> > using TACACS
> >
> >
> > Hello Josh -
> >
> > Could you please send me a trace 4 debug from Radiator showing a TACACS
> > request both  from a switch and from a router.
> >
> > regards
> >
> > Hugh
> >
> > On 14 Mar 2005, at 20:22, Ward, Josh wrote:
> > > Hello,
> > >
> > > I'm having a problem getting our Cisco routers to do login
> > > authentication using radiator and TACACS.  All of our switches are
> > > doing
> > > TACACS authentication without a problem, but I am having problems
> > > getting it running on any of our routers.
> > >
> > > Here is the error message(s) I get when trying to log in to a TACACS+
> > > configured router:
> > > Mon Mar 14 11:07:06 2005: WARNING: TacacsplusConnection unknown
> > > authentication action 173, type 107. Bad encryption Key?
> > > Mon Mar 14 11:07:44 2005: WARNING: TacacsplusConnection unknown
> > > authentication action 252, type 123. Bad encryption Key?
> > > Mon Mar 14 11:08:18 2005: WARNING: TacacsplusConnection unknown
> > > authentication action 20, type 188. Bad encryption Key?
> > > Mon Mar 14 11:08:22 2005: WARNING: TacacsplusConnection unknown
> > > authentication action 121, type 186. Bad encryption Key?
> > > Mon Mar 14 11:08:25 2005: WARNING: TacacsplusConnection unknown
> > > authentication action 103, type 182. Bad encryption Key?
> > >
> > > I know that the encryption key is set the same as it is on our IOS
> > > based
> > > switches, and they seem to be working fine.
> > >
> > > Here is the relevant configuration from our radius server:
> > > <ServerTACACSPLUS>
> > >         Key *******
> > > </Server>
> > > <Realm DEFAULT>
> > >         #AuthByPolicy ContinueUntilAccept
> > >         <AuthBy FILE>
> > >                 Filename /etc/radiator/users
> > >                 NoDefaultIfFound
> > >         </AuthBy>
> > > </Realm>
> > >
> > > And the configuration from one of our routers:
> > > aaa new-model
> > > aaa authentication login default group tacacs+ local
> > > tacacs-server host 132.241.x.x key ******
> > >
> > > Seems pretty straight forward to me.  The same configuration works
> > > great
> > > on our IOS based switches, but the routers do not want to cooperate.  I
> > > have most of my routers doing radius authentication.  However, some of
> > > our routers for one reason of another do not support radius.
> > >
> > > Any help would be appreciated.
> > >
> > > Thanks!!!
> > >
> > > -Josh
> > > Network Analyst - Network Operations
> > > California State University, Chico
> > >
> > > --
> > > Archive at http://www.open.com.au/archives/radiator/
> > > Announcements on radiator-announce at open.com.au
> > > To unsubscribe, email 'majordomo at open.com.au' with
> > > 'unsubscribe radiator' in the body of the message.
> >
> > NB: I am travelling this week, so there may be delays in our
> > correspondence.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
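To make the "Bad encryption Key?" diagnosis in the traces above concrete, here is an added Python example (not Radiator's code) that builds a TACACS+ authentication START packet using the RFC 8907 MD5 pseudo-pad obfuscation and then decodes it with the correct and with a wrong shared key. The key, session id, user and addresses are constructed values; the sanity check on action, authen_type and the body length is the same kind of test that produces Radiator's "unknown authentication action" warning when the key does not match.

```python
import hashlib
import struct

# TACACS+ header: version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_AUTHEN = 1
VALID_ACTIONS = (1, 2, 4)            # LOGIN, CHPASS, SENDAUTH
VALID_AUTHEN_TYPES = (1, 2, 3, 4, 5, 6)  # ASCII, PAP, CHAP, ARAP, MSCHAP, MSCHAPv2

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 keystream: MD5(session_id, key, version, seq_no[, previous chunk])."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(session_id, key, version, seq_no, body):
    """XOR body with the pad; the same call decodes what it encoded."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def build_start(key, session_id, user, port, rem_addr, seq_no=1):
    """Authentication START: action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN."""
    body = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0])
    body += user + port + rem_addr
    version = 0xC0  # major 0xC, minor 0: the "192" seen in the Radiator trace
    hdr = HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(session_id, key, version, seq_no, body)

def parse_start(packet, key):
    """Decode a START packet with the given key and report whether the fields are plausible."""
    version, _ptype, seq_no, _flags, session_id, length = HEADER.unpack_from(packet)
    enc = packet[HEADER.size:HEADER.size + length]
    body = obfuscate(session_id, key, version, seq_no, enc)
    action, priv_lvl, authen_type, _service, ulen, plen, rlen, dlen = body[:8]
    # With the wrong key every byte is keystream noise, so these checks fail
    # and a server can only report "unknown authentication action ... Bad key?"
    key_looks_right = (action in VALID_ACTIONS
                       and authen_type in VALID_AUTHEN_TYPES
                       and 8 + ulen + plen + rlen + dlen == length)
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "user": body[8:8 + ulen], "key_looks_right": key_looks_right}
```

Running `parse_start` over a captured packet with the key from the server configuration is a quick offline way to confirm whether a given device really shares that key before looking for IOS version differences.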
