S4 will not authenticate using TACACS+ server.

  • Problem
  • Updated 2 years ago
  • Solved
My S4 will not authenticate CLI access using our TACACS server. It looks like all of the settings are correct; TACACS is enabled and authentication login is set to 'any'. I have mirrored this on a deployed C5 with zero issues.

The S4 is not hitting the TACACS server, according to the logs, and I cannot see any TACACS traffic when I Wireshark the ports.

Any ideas?

Michael Smith


Posted 2 years ago


Daniel Coughlin, Employee

Hello Michael,

A configuration issue would be the first place I would look, specifically the management interface. The output of "show ip interface brief" may give us a clue, but we may need the whole thing.

Erik Auerswald, Ambassador

Hi Michael,

Do you use a host ACL and, if so, does it allow TACACS+?

Did you configure a source interface for TACACS+ (resp. for all management traffic sourced by the S4) and allow that IP on the TACACS+ server?

Besides this you might want to double-check the TACACS+ configuration. Firewalls or router ACLs might stop this traffic as well.

Br,
Erik

Michael Smith

Figured it out...

I did not have an interface set up as a 'Management Address'. Once I entered the command "set ip interface vlan.0.XX default", everything started working fine.

I'm hypothesizing that since no interface was set up as management, it was defaulting to the lowest interface IP address, which is a loopback interface... thus the reason why no TACACS+ messages were hitting my server.

I'm still stumped on why a ping would go through though.  If the TACACS+ packets were defaulting to using the loopback (since nothing was defined), why wouldn't the ping use the loopback and fail?

Learn something new every day...

Erik Auerswald, Ambassador

Without a configured management interface the S4 will use a loopback interface's or the outgoing interface's IP address as source address. That is probably not the IP configured on the TACACS+ server, and not the IP you were looking for in packet captures.

TACACS+ and RADIUS servers usually ignore all requests from IP addresses not configured as clients. Ping packets are answered irrespective of the source IP. This is probably the reason for ping working. Ping will use the outgoing interface's IP address unless a specific source address/interface is specified.
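A small capture-triage script for the situation Erik describes above: the TACACS+ server silently ignores connection attempts from a source address that is not a registered client, while still answering pings from that same address. This is an added example in Python, not code from the thread or from the switch vendor; the tcpdump-style lines, the addresses and the client list are all constructed.

```python
import re
from ipaddress import ip_address, ip_network

TACACS_PORT = 49  # TACACS+ runs over TCP/49
# tcpdump-style summaries: TCP "IP src.sport > dst.dport: Flags [..]", ping "IP src > dst: ICMP echo ..."
TCP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")
ICMP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP echo (request|reply)")

# Constructed sample capture taken on the server side (all addresses invented):
# 10.0.0.20 = TACACS+ server, 10.255.255.1 = switch loopback (the source when no
# management address is set), 10.0.0.5 = the VLAN address registered as a client.
SAMPLE_CAPTURE = [
    "12:00:01.000 IP 10.255.255.1.41000 > 10.0.0.20.49: Flags [S], seq 1",
    "12:00:02.000 IP 10.255.255.1 > 10.0.0.20: ICMP echo request, id 7, seq 1",
    "12:00:02.001 IP 10.0.0.20 > 10.255.255.1: ICMP echo reply, id 7, seq 1",
    "12:00:05.000 IP 10.0.0.5.41001 > 10.0.0.20.49: Flags [S], seq 2",
    "12:00:05.001 IP 10.0.0.20.49 > 10.0.0.5.41001: Flags [S.], seq 3, ack 3",
]
SERVER_IP = "10.0.0.20"
ALLOWED_CLIENTS = ["10.0.0.5", "10.0.1.0/24"]  # constructed client list on the server

def is_registered(src, allowed):
    addr = ip_address(src)  # True if src is inside any configured client host/network
    return any(addr in ip_network(entry, strict=False) for entry in allowed)

def triage(lines, server_ip, allowed):
    # Bucket TACACS+ connection attempts and pings by source address
    seen = {"tacacs_registered": set(), "tacacs_unregistered": set(),
            "tacacs_answered": set(), "ping_answered": set()}
    for line in lines:
        m = TCP_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            if dst == server_ip and int(dport) == TACACS_PORT and flags == "S":  # client SYN
                key = "tacacs_registered" if is_registered(src, allowed) else "tacacs_unregistered"
                seen[key].add(src)
            elif src == server_ip and int(sport) == TACACS_PORT and flags == "S.":  # SYN-ACK
                seen["tacacs_answered"].add(dst)
            continue
        m = ICMP_RE.search(line)
        if m and m.group(1) == server_ip and m.group(3) == "reply":
            seen["ping_answered"].add(m.group(2))
    return seen

def findings(seen):
    """Explain sources whose pings are answered but whose TACACS+ requests are not."""
    out = []
    for src in sorted(seen["tacacs_unregistered"] - seen["tacacs_answered"]):
        note = f"{src}: TACACS+ request ignored, source is not a registered client"
        if src in seen["ping_answered"]:
            note += "; ping still works because echo replies do not consult the client list"
        out.append(note)
    return out
```

Run `findings(triage(SAMPLE_CAPTURE, SERVER_IP, ALLOWED_CLIENTS))` to get one finding for the loopback source; adding the loopback address to the server's client list or, as Michael did, setting a management address on the switch makes the finding disappear.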