[c-nsp] TACACS+/MPLS VPN
Dennis Peng
dpeng at cisco.com
Fri Oct 29 20:29:30 EDT 2004
Chris Roberts [croberts at bongle.co.uk] wrote:
> ?lo,
>
>
>
> I?m trying to get TACACS+ authentication for exec logins working in an MPLS
> VPN on one of our 7204VXRs (NPE-400). I thought I?d bounce this here aswell
> as opening a TAC case, since I?m sure someone else must have tried this by
> now.
>
> I first tried on 12.2(25)S1, by simply specifying a source-interface for the
> TACACS+ queries, however no queries are sent and the TACACS+ server is
> marked as unreachable.
The VRF-aware TACACS+ feature isn't present in 12.2S yet, but will be
available in a release which is scheduled for the beginning of next
year.
> This is a bit odd, since simply specifying a source
> interface was enough to get TFTP working in an MPLS VPN. Upgrading to
> 12.3(8)T5 fixed authentication, however when trying to ?enable?, the TACACS+
> server cannot be contacted.
This appears to be a bug which I've been able to recreate. I've opened
up a bug for you, CSCsa40461.
Dennis
>
>
> I currently have this:
>
> aaa group server tacacs+ tacacs1
>
> server x.x.x.x
>
> ip vrf forwarding mgmt
>
> !
>
> aaa authentication login default group tacacs1 line
>
> aaa authentication enable default group tacacs1 line
>
> aaa authentication ppp default group radius
>
> aaa authorization commands 15 default group tacacs1 none
>
> aaa authorization network default group radius
>
> aaa accounting delay-start
>
> aaa accounting network default start-stop group radius
>
> aaa session-id common
>
>
>
> ip tacacs source-interface FastEthernet0/1
>
>
>
> A debug during a successful login, and then a failed ?enable? comes up with:
>
>
>
> *Oct 29 08:59:17.951: TPLUS: Queuing AAA Authentication request 11 for
> processing
>
> *Oct 29 08:59:17.951: TPLUS: processing authentication start request id 11
>
> *Oct 29 08:59:17.951: TPLUS: Authentication start packet created for 11()
>
> *Oct 29 08:59:17.951: TPLUS: Using server x.x.x.x
>
> *Oct 29 08:59:17.951: TPLUS(0000000B)/0/NB_WAIT/637D2F7C: Started 5 sec
> timeout
>
> *Oct 29 08:59:17.951: TPLUS(0000000B)/0/NB_WAIT: socket event 2
>
> *Oct 29 08:59:17.951: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
>
> *Oct 29 08:59:17.951: T+: session_id 3468085199 (0xCEB6C7CF), dlen 26 (0x1A)
>
> *Oct 29 08:59:17.951: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
>
> *Oct 29 08:59:17.951: T+: svc:LOGIN user_len:0 port_len:4 (0x4) raddr_len:14
> (0xE) data_len:0
>
> *Oct 29 08:59:17.951: T+: user:
>
> *Oct 29 08:59:17.951: T+: port: tty3
>
> *Oct 29 08:59:17.951: T+: rem_addr: y.y.y.y
>
> *Oct 29 08:59:17.951: T+: data:
>
> *Oct 29 08:59:17.951: T+: End Packet
>
> *Oct 29 08:59:17.951: TPLUS(0000000B)/0/NB_WAIT: wrote entire 38 bytes
> request
>
> *Oct 29 08:59:17.955: TPLUS(0000000B)/0/READ: socket event 1
>
> *Oct 29 08:59:17.955: TPLUS(0000000B)/0/READ: Would block while reading
>
> *Oct 29 08:59:17.955: TPLUS(0000000B)/0/READ: socket event 1
>
> *Oct 29 08:59:17.955: TPLUS(0000000B)/0/READ: read entire 12 header bytes
> (expect 16 bytes data)
>
> *Oct 29 08:59:17.955: TPLUS(0000000B)/0/READ: socket event 1
>
> *Oct 29 08:59:17.955: TPLUS(0000000B)/0/READ: read entire 28 bytes response
>
> *Oct 29 08:59:17.955: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
>
> *Oct 29 08:59:17.955: T+: session_id 3468085199 (0xCEB6C7CF), dlen 16 (0x10)
>
> *Oct 29 08:59:17.955: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10,
> data_len:0
>
> *Oct 29 08:59:17.955: T+: msg: Username:
>
> *Oct 29 08:59:17.955: T+: data:
>
> *Oct 29 08:59:17.955: T+: End Packet
>
> *Oct 29 08:59:17.955: TPLUS(0000000B)/0/637D2F7C: Processing the reply
> packet
>
> *Oct 29 08:59:17.955: TPLUS: Received authen response status GET_USER (7)
>
> *Oct 29 08:59:19.703: TPLUS: Queuing AAA Authentication request 11 for
> processing
>
> *Oct 29 08:59:19.703: TPLUS: processing authentication continue request id
> 11
>
> *Oct 29 08:59:19.703: TPLUS: Authentication continue packet generated for 11
>
> *Oct 29 08:59:19.703: TPLUS(0000000B)/0/WRITE/637D2F7C: Started 5 sec
> timeout
>
> *Oct 29 08:59:19.703: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
>
> *Oct 29 08:59:19.703: T+: session_id 3468085199 (0xCEB6C7CF), dlen 13 (0xD)
>
> *Oct 29 08:59:19.703: T+: AUTHEN/CONT msg_len:8 (0x8), data_len:0 (0x0)
> flags:0x0
>
> *Oct 29 08:59:19.707: T+: User msg: <elided>
>
> *Oct 29 08:59:19.707: T+: User data:
>
> *Oct 29 08:59:19.707: T+: End Packet
>
> *Oct 29 08:59:19.707: TPLUS(0000000B)/0/WRITE: wrote entire 25 bytes request
>
> *Oct 29 08:59:19.707: TPLUS(0000000B)/0/READ: socket event 1
>
> *Oct 29 08:59:19.707: TPLUS(0000000B)/0/READ: read entire 12 header bytes
> (expect 16 bytes data)
>
> *Oct 29 08:59:19.707: TPLUS(0000000B)/0/READ: socket event 1
>
> *Oct 29 08:59:19.707: TPLUS(0000000B)/0/READ: read entire 28 bytes response
>
> *Oct 29 08:59:19.707: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
>
> *Oct 29 08:59:19.707: T+: session_id 3468085199 (0xCEB6C7CF), dlen 16 (0x10)
>
> *Oct 29 08:59:19.707: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10,
> data_len:0
>
> *Oct 29 08:59:19.707: T+: msg: Password:
>
> *Oct 29 08:59:19.707: T+: data:
>
> *Oct 29 08:59:19.707: T+: End Packet
>
> *Oct 29 08:59:19.707: TPLUS(0000000B)/0/637D2F7C: Processing the reply
> packet
>
> *Oct 29 08:59:19.711: TPLUS: Received authen response status GET_PASSWORD
> (8)
>
> *Oct 29 08:59:20.299: TPLUS: Queuing AAA Authentication request 11 for
> processing
>
> *Oct 29 08:59:20.299: TPLUS: processing authentication continue request id
> 11
>
> *Oct 29 08:59:20.299: TPLUS: Authentication continue packet generated for 11
>
> *Oct 29 08:59:20.299: TPLUS(0000000B)/0/WRITE/637D2F7C: Started 5 sec
> timeout
>
> *Oct 29 08:59:20.299: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
>
> *Oct 29 08:59:20.299: T+: session_id 3468085199 (0xCEB6C7CF), dlen 10 (0xA)
>
> *Oct 29 08:59:20.299: T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0)
> flags:0x0
>
> *Oct 29 08:59:20.299: T+: User msg: <elided>
>
> *Oct 29 08:59:20.299: T+: User data:
>
> *Oct 29 08:59:20.299: T+: End Packet
>
> *Oct 29 08:59:20.299: TPLUS(0000000B)/0/WRITE: wrote entire 22 bytes request
>
> *Oct 29 08:59:20.307: TPLUS(0000000B)/0/READ: socket event 1
>
> *Oct 29 08:59:20.307: TPLUS(0000000B)/0/READ: read entire 12 header bytes
> (expect 6 bytes data)
>
> *Oct 29 08:59:20.307: TPLUS(0000000B)/0/READ: socket event 1
>
> *Oct 29 08:59:20.307: TPLUS(0000000B)/0/READ: read entire 18 bytes response
>
> *Oct 29 08:59:20.307: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
>
> *Oct 29 08:59:20.307: T+: session_id 3468085199 (0xCEB6C7CF), dlen 6 (0x6)
>
> *Oct 29 08:59:20.307: T+: AUTHEN/REPLY status:1 flags:0x0 msg_len:0,
> data_len:0
>
> *Oct 29 08:59:20.307: T+: msg:
>
> *Oct 29 08:59:20.311: T+: data:
>
> *Oct 29 08:59:20.311: T+: End Packet
>
> *Oct 29 08:59:20.311: TPLUS(0000000B)/0/637D2F7C: Processing the reply
> packet
>
> *Oct 29 08:59:20.311: TPLUS: Received authen response status PASS (2)
>
>
>
> *Oct 29 08:59:23.403: TAC+: send AUTHEN/START packet ver=192 id=2070736364
>
> *Oct 29 08:59:23.403: TAC+: Using default tacacs server-group "tacacs1"
> list.
>
> *Oct 29 08:59:23.403: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5
>
> *Oct 29 08:59:23.403: TAC+: TCP/IP open to x.x.x.x/49 failed -- Destination
> unreachable; gateway or host down
>
> *Oct 29 08:59:23.403: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5
>
> *Oct 29 08:59:23.403: TAC+: TCP/IP open to x.x.x.x/49 failed -- Destination
> unreachable; gateway or host down
>
>
>
> Anyone have this working, have any hints?
>
>
>
> Cheers,
>
> Chris.
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.778 / Virus Database: 525 - Release Date: 15/10/2004
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list