[c-nsp] TACACS+/MPLS VPN

Chris Roberts croberts at bongle.co.uk
Fri Oct 29 05:08:09 EDT 2004 

‘lo,

 

I’m trying to get TACACS+ authentication for exec logins working in an MPLS
VPN on one of our 7204VXRs (NPE-400). I thought I’d bounce this here aswell
as opening a TAC case, since I’m sure someone else must have tried this by
now.

I first tried on 12.2(25)S1, by simply specifying a source-interface for the
TACACS+ queries, however no queries are sent and the TACACS+ server is
marked as unreachable. This is a bit odd, since simply specifying a source
interface was enough to get TFTP working in an MPLS VPN. Upgrading to
12.3(8)T5 fixed authentication, however when trying to ‘enable’, the TACACS+
server cannot be contacted.

 

I currently have this:

aaa group server tacacs+ tacacs1

 server x.x.x.x

 ip vrf forwarding mgmt

!

aaa authentication login default group tacacs1 line

aaa authentication enable default group tacacs1 line

aaa authentication ppp default group radius

aaa authorization commands 15 default group tacacs1 none

aaa authorization network default group radius

aaa accounting delay-start

aaa accounting network default start-stop group radius

aaa session-id common

 

ip tacacs source-interface FastEthernet0/1

 

A debug during a successful login, and then a failed ‘enable’ comes up with:

 

*Oct 29 08:59:17.951: TPLUS: Queuing AAA Authentication request 11 for
processing

*Oct 29 08:59:17.951: TPLUS: processing authentication start request id 11

*Oct 29 08:59:17.951: TPLUS: Authentication start packet created for 11()

*Oct 29 08:59:17.951: TPLUS: Using server x.x.x.x

*Oct 29 08:59:17.951: TPLUS(0000000B)/0/NB_WAIT/637D2F7C: Started 5 sec
timeout

*Oct 29 08:59:17.951: TPLUS(0000000B)/0/NB_WAIT: socket event 2

*Oct 29 08:59:17.951: T+: Version 192 (0xC0), type 1, seq 1, encryption 1

*Oct 29 08:59:17.951: T+: session_id 3468085199 (0xCEB6C7CF), dlen 26 (0x1A)

*Oct 29 08:59:17.951: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii

*Oct 29 08:59:17.951: T+: svc:LOGIN user_len:0 port_len:4 (0x4) raddr_len:14
(0xE) data_len:0

*Oct 29 08:59:17.951: T+: user:

*Oct 29 08:59:17.951: T+: port:  tty3

*Oct 29 08:59:17.951: T+: rem_addr:  y.y.y.y

*Oct 29 08:59:17.951: T+: data:

*Oct 29 08:59:17.951: T+: End Packet

*Oct 29 08:59:17.951: TPLUS(0000000B)/0/NB_WAIT: wrote entire 38 bytes
request

*Oct 29 08:59:17.955: TPLUS(0000000B)/0/READ: socket event 1

*Oct 29 08:59:17.955: TPLUS(0000000B)/0/READ: Would block while reading

*Oct 29 08:59:17.955: TPLUS(0000000B)/0/READ: socket event 1

*Oct 29 08:59:17.955: TPLUS(0000000B)/0/READ: read entire 12 header bytes
(expect 16 bytes data)

*Oct 29 08:59:17.955: TPLUS(0000000B)/0/READ: socket event 1

*Oct 29 08:59:17.955: TPLUS(0000000B)/0/READ: read entire 28 bytes response

*Oct 29 08:59:17.955: T+: Version 192 (0xC0), type 1, seq 2, encryption 1

*Oct 29 08:59:17.955: T+: session_id 3468085199 (0xCEB6C7CF), dlen 16 (0x10)

*Oct 29 08:59:17.955: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10,
data_len:0

*Oct 29 08:59:17.955: T+: msg:  Username:

*Oct 29 08:59:17.955: T+: data:

*Oct 29 08:59:17.955: T+: End Packet

*Oct 29 08:59:17.955: TPLUS(0000000B)/0/637D2F7C: Processing the reply
packet

*Oct 29 08:59:17.955: TPLUS: Received authen response status GET_USER (7)

*Oct 29 08:59:19.703: TPLUS: Queuing AAA Authentication request 11 for
processing

*Oct 29 08:59:19.703: TPLUS: processing authentication continue request id
11

*Oct 29 08:59:19.703: TPLUS: Authentication continue packet generated for 11

*Oct 29 08:59:19.703: TPLUS(0000000B)/0/WRITE/637D2F7C: Started 5 sec
timeout

*Oct 29 08:59:19.703: T+: Version 192 (0xC0), type 1, seq 3, encryption 1

*Oct 29 08:59:19.703: T+: session_id 3468085199 (0xCEB6C7CF), dlen 13 (0xD)

*Oct 29 08:59:19.703: T+: AUTHEN/CONT msg_len:8 (0x8), data_len:0 (0x0)
flags:0x0

*Oct 29 08:59:19.707: T+: User msg: <elided>

*Oct 29 08:59:19.707: T+: User data:

*Oct 29 08:59:19.707: T+: End Packet

*Oct 29 08:59:19.707: TPLUS(0000000B)/0/WRITE: wrote entire 25 bytes request

*Oct 29 08:59:19.707: TPLUS(0000000B)/0/READ: socket event 1

*Oct 29 08:59:19.707: TPLUS(0000000B)/0/READ: read entire 12 header bytes
(expect 16 bytes data)

*Oct 29 08:59:19.707: TPLUS(0000000B)/0/READ: socket event 1

*Oct 29 08:59:19.707: TPLUS(0000000B)/0/READ: read entire 28 bytes response

*Oct 29 08:59:19.707: T+: Version 192 (0xC0), type 1, seq 4, encryption 1

*Oct 29 08:59:19.707: T+: session_id 3468085199 (0xCEB6C7CF), dlen 16 (0x10)

*Oct 29 08:59:19.707: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10,
data_len:0

*Oct 29 08:59:19.707: T+: msg:  Password:

*Oct 29 08:59:19.707: T+: data:

*Oct 29 08:59:19.707: T+: End Packet

*Oct 29 08:59:19.707: TPLUS(0000000B)/0/637D2F7C: Processing the reply
packet

*Oct 29 08:59:19.711: TPLUS: Received authen response status GET_PASSWORD
(8)

*Oct 29 08:59:20.299: TPLUS: Queuing AAA Authentication request 11 for
processing

*Oct 29 08:59:20.299: TPLUS: processing authentication continue request id
11

*Oct 29 08:59:20.299: TPLUS: Authentication continue packet generated for 11

*Oct 29 08:59:20.299: TPLUS(0000000B)/0/WRITE/637D2F7C: Started 5 sec
timeout

*Oct 29 08:59:20.299: T+: Version 192 (0xC0), type 1, seq 5, encryption 1

*Oct 29 08:59:20.299: T+: session_id 3468085199 (0xCEB6C7CF), dlen 10 (0xA)

*Oct 29 08:59:20.299: T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0)
flags:0x0

*Oct 29 08:59:20.299: T+: User msg: <elided>

*Oct 29 08:59:20.299: T+: User data:

*Oct 29 08:59:20.299: T+: End Packet

*Oct 29 08:59:20.299: TPLUS(0000000B)/0/WRITE: wrote entire 22 bytes request

*Oct 29 08:59:20.307: TPLUS(0000000B)/0/READ: socket event 1

*Oct 29 08:59:20.307: TPLUS(0000000B)/0/READ: read entire 12 header bytes
(expect 6 bytes data)

*Oct 29 08:59:20.307: TPLUS(0000000B)/0/READ: socket event 1

*Oct 29 08:59:20.307: TPLUS(0000000B)/0/READ: read entire 18 bytes response

*Oct 29 08:59:20.307: T+: Version 192 (0xC0), type 1, seq 6, encryption 1

*Oct 29 08:59:20.307: T+: session_id 3468085199 (0xCEB6C7CF), dlen 6 (0x6)

*Oct 29 08:59:20.307: T+: AUTHEN/REPLY status:1 flags:0x0 msg_len:0,
data_len:0

*Oct 29 08:59:20.307: T+: msg:

*Oct 29 08:59:20.311: T+: data:

*Oct 29 08:59:20.311: T+: End Packet

*Oct 29 08:59:20.311: TPLUS(0000000B)/0/637D2F7C: Processing the reply
packet

*Oct 29 08:59:20.311: TPLUS: Received authen response status PASS (2)

 

*Oct 29 08:59:23.403: TAC+: send AUTHEN/START packet ver=192 id=2070736364

*Oct 29 08:59:23.403: TAC+: Using default tacacs server-group "tacacs1"
list.

*Oct 29 08:59:23.403: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5

*Oct 29 08:59:23.403: TAC+: TCP/IP open to x.x.x.x/49 failed -- Destination
unreachable; gateway or host down

*Oct 29 08:59:23.403: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5

*Oct 29 08:59:23.403: TAC+: TCP/IP open to x.x.x.x/49 failed -- Destination
unreachable; gateway or host down

 

Anyone have this working, have any hints?

 

Cheers,

Chris.


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.778 / Virus Database: 525 - Release Date: 15/10/2004

More information about the cisco-nsp mailing list