[c-nsp] TACACS+/MPLS VPN

Dennis Peng dpeng at cisco.com
Fri Oct 29 20:29:30 EDT 2004


Chris Roberts [croberts at bongle.co.uk] wrote:
> 'lo,
> 
> I'm trying to get TACACS+ authentication for exec logins working in an MPLS
> VPN on one of our 7204VXRs (NPE-400). I thought I'd bounce this here as well
> as opening a TAC case, since I'm sure someone else must have tried this by
> now.
> 
> I first tried on 12.2(25)S1, by simply specifying a source-interface for the
> TACACS+ queries, however no queries are sent and the TACACS+ server is
> marked as unreachable.

The VRF-aware TACACS+ feature isn't present in 12.2S yet, but will be
available in a release which is scheduled for the beginning of next
year.

> This is a bit odd, since simply specifying a source
> interface was enough to get TFTP working in an MPLS VPN. Upgrading to
> 12.3(8)T5 fixed authentication, however when trying to 'enable', the TACACS+
> server cannot be contacted.

This appears to be a bug which I've been able to recreate. I've opened
up a bug for you, CSCsa40461.

Dennis

> 
> I currently have this:
> 
> aaa group server tacacs+ tacacs1
>  server x.x.x.x
>  ip vrf forwarding mgmt
> !
> aaa authentication login default group tacacs1 line
> aaa authentication enable default group tacacs1 line
> aaa authentication ppp default group radius
> aaa authorization commands 15 default group tacacs1 none
> aaa authorization network default group radius
> aaa accounting delay-start
> aaa accounting network default start-stop group radius
> aaa session-id common
> 
> ip tacacs source-interface FastEthernet0/1
> 
> A debug during a successful login, and then a failed 'enable' comes up with:
> 
> *Oct 29 08:59:17.951: TPLUS: Queuing AAA Authentication request 11 for processing
> *Oct 29 08:59:17.951: TPLUS: processing authentication start request id 11
> *Oct 29 08:59:17.951: TPLUS: Authentication start packet created for 11()
> *Oct 29 08:59:17.951: TPLUS: Using server x.x.x.x
> *Oct 29 08:59:17.951: TPLUS(0000000B)/0/NB_WAIT/637D2F7C: Started 5 sec timeout
> *Oct 29 08:59:17.951: TPLUS(0000000B)/0/NB_WAIT: socket event 2
> *Oct 29 08:59:17.951: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
> *Oct 29 08:59:17.951: T+: session_id 3468085199 (0xCEB6C7CF), dlen 26 (0x1A)
> *Oct 29 08:59:17.951: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
> *Oct 29 08:59:17.951: T+: svc:LOGIN user_len:0 port_len:4 (0x4) raddr_len:14 (0xE) data_len:0
> *Oct 29 08:59:17.951: T+: user:
> *Oct 29 08:59:17.951: T+: port:  tty3
> *Oct 29 08:59:17.951: T+: rem_addr:  y.y.y.y
> *Oct 29 08:59:17.951: T+: data:
> *Oct 29 08:59:17.951: T+: End Packet
> *Oct 29 08:59:17.951: TPLUS(0000000B)/0/NB_WAIT: wrote entire 38 bytes request
> *Oct 29 08:59:17.955: TPLUS(0000000B)/0/READ: socket event 1
> *Oct 29 08:59:17.955: TPLUS(0000000B)/0/READ: Would block while reading
> *Oct 29 08:59:17.955: TPLUS(0000000B)/0/READ: socket event 1
> *Oct 29 08:59:17.955: TPLUS(0000000B)/0/READ: read entire 12 header bytes (expect 16 bytes data)
> *Oct 29 08:59:17.955: TPLUS(0000000B)/0/READ: socket event 1
> *Oct 29 08:59:17.955: TPLUS(0000000B)/0/READ: read entire 28 bytes response
> *Oct 29 08:59:17.955: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
> *Oct 29 08:59:17.955: T+: session_id 3468085199 (0xCEB6C7CF), dlen 16 (0x10)
> *Oct 29 08:59:17.955: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
> *Oct 29 08:59:17.955: T+: msg:  Username:
> *Oct 29 08:59:17.955: T+: data:
> *Oct 29 08:59:17.955: T+: End Packet
> *Oct 29 08:59:17.955: TPLUS(0000000B)/0/637D2F7C: Processing the reply packet
> *Oct 29 08:59:17.955: TPLUS: Received authen response status GET_USER (7)
> *Oct 29 08:59:19.703: TPLUS: Queuing AAA Authentication request 11 for processing
> *Oct 29 08:59:19.703: TPLUS: processing authentication continue request id 11
> *Oct 29 08:59:19.703: TPLUS: Authentication continue packet generated for 11
> *Oct 29 08:59:19.703: TPLUS(0000000B)/0/WRITE/637D2F7C: Started 5 sec timeout
> *Oct 29 08:59:19.703: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
> *Oct 29 08:59:19.703: T+: session_id 3468085199 (0xCEB6C7CF), dlen 13 (0xD)
> *Oct 29 08:59:19.703: T+: AUTHEN/CONT msg_len:8 (0x8), data_len:0 (0x0) flags:0x0
> *Oct 29 08:59:19.707: T+: User msg: <elided>
> *Oct 29 08:59:19.707: T+: User data:
> *Oct 29 08:59:19.707: T+: End Packet
> *Oct 29 08:59:19.707: TPLUS(0000000B)/0/WRITE: wrote entire 25 bytes request
> *Oct 29 08:59:19.707: TPLUS(0000000B)/0/READ: socket event 1
> *Oct 29 08:59:19.707: TPLUS(0000000B)/0/READ: read entire 12 header bytes (expect 16 bytes data)
> *Oct 29 08:59:19.707: TPLUS(0000000B)/0/READ: socket event 1
> *Oct 29 08:59:19.707: TPLUS(0000000B)/0/READ: read entire 28 bytes response
> *Oct 29 08:59:19.707: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
> *Oct 29 08:59:19.707: T+: session_id 3468085199 (0xCEB6C7CF), dlen 16 (0x10)
> *Oct 29 08:59:19.707: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
> *Oct 29 08:59:19.707: T+: msg:  Password:
> *Oct 29 08:59:19.707: T+: data:
> *Oct 29 08:59:19.707: T+: End Packet
> *Oct 29 08:59:19.707: TPLUS(0000000B)/0/637D2F7C: Processing the reply packet
> *Oct 29 08:59:19.711: TPLUS: Received authen response status GET_PASSWORD (8)
> *Oct 29 08:59:20.299: TPLUS: Queuing AAA Authentication request 11 for processing
> *Oct 29 08:59:20.299: TPLUS: processing authentication continue request id 11
> *Oct 29 08:59:20.299: TPLUS: Authentication continue packet generated for 11
> *Oct 29 08:59:20.299: TPLUS(0000000B)/0/WRITE/637D2F7C: Started 5 sec timeout
> *Oct 29 08:59:20.299: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
> *Oct 29 08:59:20.299: T+: session_id 3468085199 (0xCEB6C7CF), dlen 10 (0xA)
> *Oct 29 08:59:20.299: T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0
> *Oct 29 08:59:20.299: T+: User msg: <elided>
> *Oct 29 08:59:20.299: T+: User data:
> *Oct 29 08:59:20.299: T+: End Packet
> *Oct 29 08:59:20.299: TPLUS(0000000B)/0/WRITE: wrote entire 22 bytes request
> *Oct 29 08:59:20.307: TPLUS(0000000B)/0/READ: socket event 1
> *Oct 29 08:59:20.307: TPLUS(0000000B)/0/READ: read entire 12 header bytes (expect 6 bytes data)
> *Oct 29 08:59:20.307: TPLUS(0000000B)/0/READ: socket event 1
> *Oct 29 08:59:20.307: TPLUS(0000000B)/0/READ: read entire 18 bytes response
> *Oct 29 08:59:20.307: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
> *Oct 29 08:59:20.307: T+: session_id 3468085199 (0xCEB6C7CF), dlen 6 (0x6)
> *Oct 29 08:59:20.307: T+: AUTHEN/REPLY status:1 flags:0x0 msg_len:0, data_len:0
> *Oct 29 08:59:20.307: T+: msg:
> *Oct 29 08:59:20.311: T+: data:
> *Oct 29 08:59:20.311: T+: End Packet
> *Oct 29 08:59:20.311: TPLUS(0000000B)/0/637D2F7C: Processing the reply packet
> *Oct 29 08:59:20.311: TPLUS: Received authen response status PASS (2)
> 
> *Oct 29 08:59:23.403: TAC+: send AUTHEN/START packet ver=192 id=2070736364
> *Oct 29 08:59:23.403: TAC+: Using default tacacs server-group "tacacs1" list.
> *Oct 29 08:59:23.403: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5
> *Oct 29 08:59:23.403: TAC+: TCP/IP open to x.x.x.x/49 failed -- Destination unreachable; gateway or host down
> *Oct 29 08:59:23.403: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5
> *Oct 29 08:59:23.403: TAC+: TCP/IP open to x.x.x.x/49 failed -- Destination unreachable; gateway or host down
> 
> Anyone have this working, have any hints?
> 
> Cheers,
> Chris.
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
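The T+ lines in the quoted debug are the TACACS+ header and authentication bodies as the router sees them after removing the protocol's MD5 obfuscation. What follows is an added example, not code from the thread or from Cisco: a Python script that builds the same AUTHEN/START the debug shows (38 bytes on the wire, a 12-byte header plus a 26-byte body: 8 fixed bytes, empty user, 4-byte port "tty3", 14-byte rem_addr) and the server's GETUSER reply (28 bytes, 16-byte body carrying "Username: "), obfuscates both with the pseudo-pad from RFC 8907 section 4.5, and parses them back. The shared secret and the 14-byte rem_addr are constructed stand-ins, since the post redacts both (x.x.x.x, y.y.y.y); the username and password in the CONTINUE packets are elided in the post and are not reproduced.

```python
# Added example: TACACS+ (RFC 8907) header plus AUTHEN START/REPLY bodies, using
# the field values visible in the debug above. The shared key and rem_addr are
# constructed stand-ins because the post redacts them.
import hashlib
import struct

HDR = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01          # bit clear => body is MD5-obfuscated ("encryption 1")
ACTION_LOGIN = AUTHEN_TYPE_ASCII = SVC_LOGIN = 0x01
REPLY_FLAG_NOECHO = 0x01         # set on the "Password:" reply (flags:0x1 in the debug)
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS",
                6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}

SHARED_KEY = b"constructed-shared-secret"  # constructed; the real key is not in the post
SESSION_ID = 0xCEB6C7CF                    # session_id printed in the debug
REM_ADDR = b"198.51.100.200"               # constructed 14-byte stand-in for y.y.y.y


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5 keystream: MD5_n = MD5(session_id | key | version | seq_no | MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; calling it again reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key):
    version = 0xC0  # major 0xC, minor 0: "Version 192 (0xC0)" in the debug
    header = HDR.pack(version, ptype, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(pkt, key):
    """Return (cleartext header dict, deobfuscated body)."""
    version, ptype, seq_no, flags, session_id, length = HDR.unpack_from(pkt)
    if len(pkt) != HDR.size + length:
        raise ValueError(f"header says {length} body bytes, got {len(pkt) - HDR.size}")
    body = pkt[HDR.size:]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return dict(version=version, type=ptype, seq_no=seq_no, session_id=session_id,
                length=length, encrypted=not flags & FLAG_UNENCRYPTED), body


def authen_start_body(priv_lvl, user, port, rem_addr, data=b""):
    fixed = bytes([ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, SVC_LOGIN,
                   len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def parse_authen_start(body):
    action, priv_lvl, authen_type, svc, ul, pl, rl, dl = body[:8]
    if len(body) != 8 + ul + pl + rl + dl:
        raise ValueError("START length fields do not add up (wrong key?)")
    parts, off = [], 8
    for n in (ul, pl, rl, dl):
        parts.append(body[off:off + n])
        off += n
    return dict(action=action, priv_lvl=priv_lvl, authen_type=authen_type, service=svc,
                user=parts[0], port=parts[1], rem_addr=parts[2], data=parts[3])


def authen_reply_body(status, flags, server_msg, data=b""):
    return struct.pack("!BBHH", status, flags, len(server_msg), len(data)) + server_msg + data


def parse_authen_reply(body):
    status, flags, ml, dl = struct.unpack_from("!BBHH", body)
    if len(body) != 6 + ml + dl:
        raise ValueError("REPLY length fields do not add up (wrong key?)")
    return dict(status=REPLY_STATUS.get(status, status), noecho=bool(flags & REPLY_FLAG_NOECHO),
                server_msg=body[6:6 + ml].decode("ascii", "replace"), data=body[6 + ml:])


def login_exchange(key=SHARED_KEY):
    """Client START (seq 1) and server GETUSER REPLY (seq 2), as in the debug."""
    start = build_packet(TYPE_AUTHEN, 1, SESSION_ID,
                         authen_start_body(1, b"", b"tty3", REM_ADDR), key)
    reply = build_packet(TYPE_AUTHEN, 2, SESSION_ID,
                         authen_reply_body(4, 0x00, b"Username: "), key)
    s_hdr, s_body = parse_packet(start, key)
    r_hdr, r_body = parse_packet(reply, key)
    return dict(start_len=len(start), start_hdr=s_hdr, start=parse_authen_start(s_body),
                reply_len=len(reply), reply_hdr=r_hdr, reply=parse_authen_reply(r_body))


def decode_start_with_key(pkt, key):
    """Header decodes regardless of key; the body only with the right one (else None/garbage)."""
    hdr, body = parse_packet(pkt, key)
    try:
        return hdr, parse_authen_start(body)
    except ValueError:
        return hdr, None


if __name__ == "__main__":
    ex = login_exchange()
    print(ex["start_len"], ex["start_hdr"], ex["start"])
    print(ex["reply_len"], ex["reply_hdr"], ex["reply"])
```

Two things worth comparing against the debug when running this. First, the header (version, type, seq, session_id, length) travels in cleartext and is what the T+ lines print first; only the body depends on the shared secret, so `decode_start_with_key` with a wrong key still returns the same header but a length mismatch (None) or garbage for the body. Second, the debug prints the wire status (status:4, status:5, status:1) and then IOS's internal code for it (GET_USER (7), GET_PASSWORD (8), PASS (2)); the script uses the wire values from the RFC. RFC 8907 itself states that this MD5 obfuscation is not a confidentiality mechanism, which is one more reason to carry TACACS+ inside a management VRF rather than across a shared core.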

