S4 will not authenticate using TACACS+ server.
‎06-07-2016 01:29 PM
My S4 will not authenticate CLI access using our TACACS server. It looks like all of the settings are correct; tacacs is enabled and authentication login is set to 'any'. I have mirrored this on a deployed C5 with zero issues.
The S4 is not hitting the TACACS server, via the logs, and I cannot see any TACACS traffic when I wireshark the ports.
Any ideas?
4 REPLIES
‎06-08-2016 04:46 AM
Without a configured management interface the S4 will use a loopback interface's or the outgoing interface's IP address as source address. That is probably not the IP configured on the TACACS+ server, and not the IP you were looking for in packet captures.
TACACS+ and RADIUS servers usually ignore all requests from IP addresses not configured as clients. Ping packets are answered irrespective of the source IP. This is probably the reason for ping working. Ping will use the outgoing interface's IP address unless a specific source address/interface is specified.
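One way to check the source-address point above from a packet capture, as an added example that is not part of this thread: the script parses tcpdump-style one-line summaries and reports which source addresses were used for ICMP versus TCP/49, then flags TACACS+ sources that are not in the server's configured client list and TCP/49 connection attempts that never got a reply. The capture lines, the server address 10.9.9.5, the client list and the switch addresses are all constructed assumptions, not data from the thread.

```python
"""Compare the source addresses a switch uses for ICMP and for TACACS+ (TCP/49).

Added example, not code from the thread. The capture below is constructed to
mimic the situation described: TACACS+ is sourced from a loopback address
(192.168.255.1) that the server does not know, while ping goes out from the
VLAN interface address (10.1.1.1). All addresses are assumptions.
"""
import re

TACACS_PORT = 49

# Constructed sample in `tcpdump -nn` one-line format; not a real capture.
SAMPLE_CAPTURE = """\
12:01:03.100 IP 10.1.1.1 > 10.9.9.5: ICMP echo request, id 1, seq 1, length 64
12:01:03.101 IP 10.9.9.5 > 10.1.1.1: ICMP echo reply, id 1, seq 1, length 64
12:01:05.200 IP 192.168.255.1.40123 > 10.9.9.5.49: Flags [S], seq 1, win 8192, length 0
12:01:06.200 IP 192.168.255.1.40123 > 10.9.9.5.49: Flags [S], seq 1, win 8192, length 0
12:01:08.300 IP 10.1.1.1.40124 > 10.9.9.5.49: Flags [S], seq 2, win 8192, length 0
12:01:08.301 IP 10.9.9.5.49 > 10.1.1.1.40124: Flags [S.], seq 9, ack 3, win 8192, length 0
"""

# "<time> IP <src>[.<sport>] > <dst>[.<dport>]: <rest>"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def parse_capture(text):
    """Parse tcpdump summary lines into records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if rest.startswith("ICMP"):
            proto = "icmp"
        elif "Flags [" in rest:
            proto = "tcp"
        elif rest.startswith("UDP"):
            proto = "udp"
        else:
            proto = "other"
        records.append({
            "src": m.group("src"),
            "sport": int(m.group("sport")) if m.group("sport") else None,
            "dst": m.group("dst"),
            "dport": int(m.group("dport")) if m.group("dport") else None,
            "proto": proto,
        })
    return records


def tacacs_sources(records, server_ip):
    """Source addresses that sent TCP/49 packets to the TACACS+ server."""
    return {r["src"] for r in records
            if r["proto"] == "tcp" and r["dst"] == server_ip and r["dport"] == TACACS_PORT}


def icmp_sources(records, server_ip):
    """Source addresses that pinged the server, for comparison with the TACACS+ sources."""
    return {r["src"] for r in records if r["proto"] == "icmp" and r["dst"] == server_ip}


def unexpected_tacacs_clients(records, server_ip, allowed_clients):
    """TACACS+ sources a server would silently drop because they are not configured clients."""
    return tacacs_sources(records, server_ip) - set(allowed_clients)


def unanswered_tacacs_sources(records, server_ip):
    """Sources whose TCP/49 attempts never got any packet back from the server's port 49."""
    answered = {r["dst"] for r in records
                if r["proto"] == "tcp" and r["src"] == server_ip and r["sport"] == TACACS_PORT}
    return tacacs_sources(records, server_ip) - answered


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    server = "10.9.9.5"       # assumed TACACS+ server address
    clients = {"10.1.1.1"}    # assumed client list configured on that server
    print("ICMP sources:      ", sorted(icmp_sources(recs, server)))
    print("TACACS+ sources:   ", sorted(tacacs_sources(recs, server)))
    print("not a known client:", sorted(unexpected_tacacs_clients(recs, server, clients)))
    print("never answered:    ", sorted(unanswered_tacacs_sources(recs, server)))
```

When taking the capture itself, filter on the port (`tcpdump -nn tcp port 49` on the server or on a mirrored port) rather than on the switch address you expect, because a host filter on the wrong source address hides exactly the packets that show the problem.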
‎06-07-2016 04:40 PM
Figured it out...
I did not have an interface set up as a 'Management Address'. Once I entered the command: "set ip interface vlan.0.XX default" everything started working fine.
I'm hypothesizing that since no interface was set up as management, it was defaulting to the lowest interface IP address, which is a loopback interface...thus the reason why no TACACS+ messages were hitting my server.
I'm still stumped on why a ping would go through though. If the TACACS+ packets were defaulting to using the loopback (since nothing was defined), why wouldn't the ping use the loopback and fail?
Learn something new every day...
‎06-07-2016 02:27 PM
Hi Michael,
Do you use a host ACL and if so, does it allow TACACS+?
Did you configure a source interface for TACACS+ (resp. for all management traffic sourced by the S4) and allowed that IP on the TACACS+ server?
Besides this you might want to double-check the TACACS+ configuration. Firewalls or router ACLs might stop this traffic as well.
Br,
Erik
‎06-07-2016 01:36 PM
Hello Michael,
A configuration issue would be the first place I would look, specifically the management interface. The output of "show ip interface brief" may give us a clue, but we may need the whole thing.
