Saturday, May 23, 2020

TACACS authentication issue in lab setting

I've had TACACS working in my lab before but recently I started over in order to work on some proof of concept stuff to eventually use at work. I've just about used up my google-fu skills and I'm still coming up empty. I'll provide as much detail here as I can.

High level, I'm running the free version of tacacs.net on Windows Server 2016. I can confirm reachability to the server from my test devices (via ping and also telnet to port 49). I can see via packet capture that the server is receiving TACACS packets, but from the debug output on a switch I see:

TAC+: 10.10.2.26 (62167124) AUTHEN/START/LOGIN/ASCII queued
No authoritative response from any server.

Here is the relevant config from the switch (switch IP is 10.10.1.2 and the server is at 10.10.2.26):

aaa new-model
aaa authentication login default local
aaa authentication login tacauthen group tacacs+ local
aaa authorization console
aaa authorization exec default local
aaa authorization exec tacauthor group tacacs+ local
aaa session-id common
!
!
tacacs-server host 10.10.2.26 key cisco
!
!
line vty 0 4
 exec-timeout 0 0
 authorization exec tacauthor
 logging synchronous
 login authentication tacauthen
 transport input all
line vty 5 14
 exec-timeout 0 0
 authorization exec tacauthor
 logging synchronous
 login authentication tacauthen
 transport input all
line vty 15
 exec-timeout 0 0
 authorization exec tacauthor
 logging synchronous
 login authentication tacauthen
 transport input all

Here is the debug output resulting from the command test aaa group tacacs+ ciscouser ciscopass legacy:

https://pastebin.com/piZnGa8g

The tacacs.net config is default except for the ciscouser/ciscopass user I set up. The clients.xml file is totally default and should be allowing all 1918 addresses as clients.

I have a packet capture from the server during the test command above but I'm not sure of the best way to share a pcapng file online. If someone can help there I'd be happy to share that as well.

There is a firewall in-between the client and server but it's wide open so I don't think that's the issue. Can anybody help point me in the right direction?
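The debug line above says the AUTHEN/START was queued but no server answered, and the post mentions a packet capture taken on the server. One check that can be run against such a capture is whether the START body decodes to a well-formed packet under the key the switch is configured with (`cisco`): TACACS+ obfuscates the body by XORing it with an MD5 pad derived from the session id and the shared key (RFC 8907 section 4.5), so a key mismatch on either side turns the decoded body into bytes that fail the protocol's structural rules. The script below is an added example, not code from the post or from tacacs.net; it builds a START packet the way a NAS would for an ASCII login and then parses it back with the right and a wrong key. The session id, port and remote address are constructed sample values.

```python
"""Build, obfuscate and parse TACACS+ authentication START packets (RFC 8907).

Added example for checking whether a captured TACACS+ body decodes cleanly
under a given shared key; not part of the original post. The session id,
port and remote address used in the usage line are constructed samples.
"""
import hashlib
import struct

HEADER_LEN = 12
VERSION_ASCII = 0xC0          # major version 0xC, minor 0 (ASCII login)
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01       # set only when the body is sent in the clear
AUTHEN_LOGIN, PRIV_USER, AUTHEN_TYPE_ASCII, SERVICE_LOGIN = 1, 1, 1, 1


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), concatenated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo pad; XOR is its own inverse, so this also decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(key: bytes, session_id: int, user: str, port: str, rem_addr: str) -> bytes:
    """Build the first packet a NAS sends for an ASCII login (seq_no 1, data empty)."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", AUTHEN_LOGIN, PRIV_USER, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                       len(user_b), len(port_b), len(rem_b), 0) + user_b + port_b + rem_b
    header = struct.pack("!4BII", VERSION_ASCII, TYPE_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION_ASCII, 1)


def parse_authen_start(packet: bytes, key: bytes):
    """Decode a START packet with `key`. Returns the fields, or None when the
    decoded body fails the structural checks of RFC 8907 section 5.1, which is
    what a wrong shared key looks like on the wire."""
    if len(packet) < HEADER_LEN:
        return None
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!4BII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if ptype != TYPE_AUTHEN or seq_no != 1 or len(body) != length:
        return None
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    if len(body) < 8:
        return None
    action, priv, atype, service, ulen, plen, rlen, dlen = body[:8]
    # Valid ranges: action 1..3, priv_lvl 0..15, authen_type 1..6, service 0..9.
    if action not in (1, 2, 3) or priv > 15 or atype not in range(1, 7) or service > 9:
        return None
    # The four length fields must account for the whole body exactly.
    if 8 + ulen + plen + rlen + dlen != len(body):
        return None
    user = body[8:8 + ulen]
    if not user.isascii():
        return None
    port = body[8 + ulen:8 + ulen + plen]
    rem = body[8 + ulen + plen:8 + ulen + plen + rlen]
    return {"session_id": session_id, "action": action, "priv_lvl": priv,
            "user": user.decode(), "port": port.decode(errors="replace"),
            "rem_addr": rem.decode(errors="replace")}


if __name__ == "__main__":
    # Constructed sample: the login the post tests with, sent from the switch at 10.10.1.2.
    pkt = build_authen_start(b"cisco", 0x1234ABCD, "ciscouser", "tty0", "10.10.1.2")
    print("correct key :", parse_authen_start(pkt, b"cisco"))
    print("wrong key   :", parse_authen_start(pkt, b"wrongkey"))
```

To apply this to a real capture, take the TCP payload of the first client-to-server segment on port 49 and pass it to `parse_authen_start` with the key from `tacacs-server host ... key`; a `None` result with an otherwise sane header points at the shared secret on one side, while a clean decode means the key is fine and the silence is somewhere else (server-side client definition, service state, or the path back to the switch).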


