Verifying and Troubleshooting Router-to-ACS Server Interactions

This section discusses the commands that enable you to verify and troubleshoot AAA when the router is using the ACS server to authenticate or authorize the users who are trying to connect to the router.

The chances that everything is configured perfectly the very first time, on both the router and the ACS server, so that the router can call upon the ACS server for authentication and authorization of users are not very good. The good news is that with some practice, and with good documentation habits while implementing ACS and Cisco router configurations, your ability will improve. Whether you are experienced or brand new to ACS, the tools covered here will prove helpful in troubleshooting and verifying the configuration.

Back at the router, one of the first things you might want to do if you have not done so already is verify that you have reachability between the router and the ACS server. You might want to consider using ping to verify the connectivity, as shown in Example 3-3.

Example 3-3 Verifying Basic Connectivity


R1# ping 192.168.1.252

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.252, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/21/32 ms
R1#


If the ping was not successful, there are several possible causes: access control filtering that denies Internet Control Message Protocol (ICMP) between the router and the ACS server; the ACS server being powered off or its network cable disconnected; the ACS server being connected to a misconfigured switch port that places it in the wrong VLAN; or a general routing issue, such as a network that has not fully converged or cannot route correctly. Verifying basic routing and connectivity is a fantastic start, and after that is in place, the very next tool you should use is test (see Example 3-4).


Example 3-4 Testing AAA Between the Router and the ACS


R1# test aaa group tacacs+ admin cisco123 legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.


In the syntax for the AAA test, we include the server group (in this case, the group tacacs+, which contains a single TACACS+ server), a username, and the password for that user. The keyword legacy is also used as part of the syntax for the test. This is a cool tool because it enables you to verify that the router-to-ACS authentication component is working before you test your authentication method list with Telnet. Another great thing to do when troubleshooting is to look at the reports on the ACS server, which may indicate why a problem occurred. You can find these reports by navigating to Monitoring & Reports > Reports > Favorites. Figure 3-19 shows an example.


Figure 3-19 Reporting Options from Within ACS

From here, click the Authentications – TACACS – Today link for information and indications as to why errors may be occurring, as shown in Figure 3-20.


Figure 3-20 Detailed Error Messages from ACS

One common occurrence is that after the reports are reviewed, there are no error messages at all about the ACS client (the router) that we believe is trying to use the ACS, yet the authentication test still fails. In cases such as these, verify that no filters are blocking the traffic from the router to the ACS and vice versa, and verify that the router configuration has the correct IP address of the ACS server. If the router does not have the correct IP address of the ACS server, there will never be any records on the ACS server about that misconfigured router.

Now that we know we have functional AAA connectivity between the router and the server, let’s test the method lists for authentication and authorization that we placed on the vty lines.

A simple Telnet to that router can do the job. It is often easier to start on the router, perhaps from a console port, and telnet back to that same router. A Telnet session, regardless of its source, should trigger the authentication, and with some debug commands in place, we can verify that ACS is working correctly. In this example, we use a login from a remote workstation and look at the debug messages on the console of the router, as shown in Example 3-5.

Example 3-5 Using debug Commands to Verify Functionality


! Verifying what debugging is currently in place on the router
R1# show debug
General OS:
  TACACS access control debugging is on
  AAA Authentication debugging is on
  AAA Authorization debugging is on

! on a remote machine, we telnet and authenticate as the user admin, and
! simply view the debug output on the console of the router receiving the
! telnet session

R1#
AAA/BIND(00000083): Bind i/f

! the session came in on a VTY line, which triggered the authentication
! method list associated with that line
AAA/AUTHEN/LOGIN (00000083): Pick method list 'Login_Authen_via_TACACS'
TPLUS: Queuing AAA Authentication request 131 for processing
TPLUS: processing authentication start request id 131
TPLUS: Authentication start packet created for 131()
TPLUS: Using server 192.168.1.252

! Sending a TACACS+ request to contact the server
TPLUS(00000083)/0/NB_WAIT/68BD742C: Started 5 sec timeout
TPLUS(00000083)/0/NB_WAIT: socket event 2
TPLUS(00000083)/0/NB_WAIT: wrote entire 33 bytes request
TPLUS(00000083)/0/READ: socket event 1
TPLUS(00000083)/0/READ: Would block while reading
TPLUS(00000083)/0/READ: socket event 1
TPLUS(00000083)/0/READ: read entire 12 header bytes (expect 16 bytes data)
R1#
TPLUS(00000083)/0/READ: socket event 1
TPLUS(00000083)/0/READ: read entire 28 bytes response

! Router got a message back from ACS
! Router will now prompt the user for their username
TPLUS(00000083)/0/68BD742C: Processing the reply packet
TPLUS: Received authen response status GET_USER (7)
R1#
TPLUS: Queuing AAA Authentication request 131 for processing
TPLUS: processing authentication continue request id 131
TPLUS: Authentication continue packet generated for 131
TPLUS(00000083)/0/WRITE/68BD742C: Started 5 sec timeout
TPLUS(00000083)/0/WRITE: wrote entire 22 bytes request
TPLUS(00000083)/0/READ: socket event 1
TPLUS(00000083)/0/READ: read entire 12 header bytes (expect 16 bytes data)
TPLUS(00000083)/0/READ: socket event 1
TPLUS(00000083)/0/READ: read entire 28 bytes response
TPLUS(00000083)/0/68BD742C: Processing the reply packet

! Router will now prompt user for the user password
TPLUS: Received authen response status GET_PASSWORD (8)
R1#
TPLUS: Queuing AAA Authentication request 131 for processing
TPLUS: processing authentication continue request id 131
TPLUS: Authentication continue packet generated for 131
TPLUS(00000083)/0/WRITE/68BD742C: Started 5 sec timeout
TPLUS(00000083)/0/WRITE: wrote entire 25 bytes request
TPLUS(00000083)/0/READ: socket event 1
TPLUS(00000083)/0/READ: read entire 12 header bytes (expect 6 bytes data)
TPLUS(00000083)/0/READ: socket event 1
TPLUS(00000083)/0/READ: read entire 18 bytes response
TPLUS(00000083)/0/68BD742C: Processing the reply packet

! The ACS server said YES to the username/password combination.
TPLUS: Received authen response status PASS (2)

! The router now begins the authorization process for the user
! using the authorization methods in the list associated with the VTY lines
AAA/AUTHOR (0x83): Pick method list 'Exec_Authorization_via_TACACS'
TPLUS: Queuing AAA Authorization request 131 for processing
TPLUS: processing authorization request id 131
TPLUS: Protocol set to None .....Skipping
TPLUS: Sending AV service=shell
TPLUS: Sending AV cmd*
TPLUS: Authorization request created for 131(admin)
TPLUS: using previously set server 192.168.1.252 from group tacacs+
TPLUS(00000083)/0/NB_WAIT/68BD742C: Started 5 sec timeout
TPLUS(00000083)/0/NB_WAIT: socket event 2
TPLUS(00000083)/0/NB_WAIT: wrote entire 57 bytes request
TPLUS(00000083)/0/READ: socket event 1
TPLUS(00000083)/0/READ: Would block while reading
TPLUS(00000083)/0/READ: socket event 1
TPLUS(00000083)/0/READ: read entire 12 header bytes (expect 18 bytes data)
TPLUS(00000083)/0/READ: socket event 1
TPLUS(00000083)/0/READ: read entire 30 bytes response
TPLUS(00000083)/0/68BD742C: Processing the reply packet

! Got the reply from the ACS server saying yes to authorization
! and that the user should be placed at privilege level 15
TPLUS: Processed AV priv-lvl=15
TPLUS: received authorization response for 131: PASS
AAA/AUTHOR/EXEC(00000083): processing AV cmd=
AAA/AUTHOR/EXEC(00000083): processing AV priv-lvl=15
AAA/AUTHOR/EXEC(00000083): Authorization successful
R1#

R1# show users
    Line       User       Host(s)              Idle       Location
   2 vty 0     admin      idle                 00:00:51 10.0.0.25


! We could do the same test again, except this time, login as the user
! "help-desk"
! The results will be nearly identical, with the exception that the user
! will be provided with an exec shell (CLI) at privilege level 1

R1#
AAA/BIND(00000084): Bind i/f
AAA/AUTHEN/LOGIN (00000084): Pick method list 'Login_Authen_via_TACACS'
TPLUS: Queuing AAA Authentication request 132 for processing
TPLUS: processing authentication start request id 132
TPLUS: Authentication start packet created for 132()
TPLUS: Using server 192.168.1.252
TPLUS(00000084)/0/NB_WAIT/68793774: Started 5 sec timeout
TPLUS(00000084)/0/NB_WAIT: socket event 2
TPLUS(00000084)/0/NB_WAIT: wrote entire 33 bytes request
TPLUS(00000084)/0/READ: socket event 1
TPLUS(00000084)/0/READ: Would block while reading
TPLUS(00000084)/0/READ: socket event 1
TPLUS(00000084)/0/READ: read entire 12 header bytes (expect 16 bytes data)
R1#
TPLUS(00000084)/0/READ: socket event 1
TPLUS(00000084)/0/READ: read entire 28 bytes response
TPLUS(00000084)/0/68793774: Processing the reply packet
TPLUS: Received authen response status GET_USER (7)
R1#
TPLUS: Queuing AAA Authentication request 132 for processing
TPLUS: processing authentication continue request id 132
TPLUS: Authentication continue packet generated for 132
TPLUS(00000084)/0/WRITE/68793774: Started 5 sec timeout
TPLUS(00000084)/0/WRITE: wrote entire 26 bytes request
TPLUS(00000084)/0/READ: socket event 1
TPLUS(00000084)/0/READ: read entire 12 header bytes (expect 16 bytes data)
TPLUS(00000084)/0/READ: socket event 1
TPLUS(00000084)/0/READ: read entire 28 bytes response
TPLUS(00000084)/0/68793774: Processing the reply packet
TPLUS: Received authen response status GET_PASSWORD (8)
R1#
TPLUS: Queuing AAA Authentication request 132 for processing
TPLUS: processing authentication continue request id 132
TPLUS: Authentication continue packet generated for 132
TPLUS(00000084)/0/WRITE/68793774: Started 5 sec timeout
TPLUS(00000084)/0/WRITE: wrote entire 25 bytes request
TPLUS(00000084)/0/READ: socket event 1
TPLUS(00000084)/0/READ: read entire 12 header bytes (expect 6 bytes data)
TPLUS(00000084)/0/READ: socket event 1
TPLUS(00000084)/0/READ: read entire 18 bytes response
TPLUS(00000084)/0/68793774: Processing the reply packet
TPLUS: Received authen response status PASS (2)
AAA/AUTHOR (0x84): Pick method list 'Exec_Authorization_via_TACACS'
TPLUS: Queuing AAA Authorization request 132 for processing
TPLUS: processing authorization request id 132
TPLUS: Protocol set to None .....Skipping
TPLUS: Sending AV service=shell
TPLUS: Sending AV cmd*
TPLUS: Authorization request created for 132(help-desk)
TPLUS: using previously set server 192.168.1.252 from group tacacs+
TPLUS(00000084)/0/NB_WAIT/68793774: Started 5 sec timeout
TPLUS(00000084)/0/NB_WAIT: socket event 2
TPLUS(00000084)/0/NB_WAIT: wrote entire 61 bytes request
TPLUS(00000084)/0/READ: socket event 1
TPLUS(00000084)/0/READ: Would block while reading
TPLUS(00000084)/0/READ: socket event 1
TPLUS(00000084)/0/READ: read entire 12 header bytes (expect 17 bytes data)
TPLUS(00000084)/0/READ: socket event 1
TPLUS(00000084)/0/READ: read entire 29 bytes response
TPLUS(00000084)/0/68793774: Processing the reply packet
TPLUS: Processed AV priv-lvl=1
TPLUS: received authorization response for 132: PASS
AAA/AUTHOR/EXEC(00000084): processing AV cmd=
AAA/AUTHOR/EXEC(00000084): processing AV priv-lvl=1
AAA/AUTHOR/EXEC(00000084): Authorization successful
R1#

R1# show users
    Line       User       Host(s)              Idle       Location
   2 vty 0    help-desk  idle               00:01:24 10.0.0.25
! the show users command displays information about all logged in users. In this
! example, the help desk is logged in from a host with the IP address 10.0.0.25.
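Reading pages of debug output like Example 3-5 by hand is slow, so here is an added example (not from the book or Cisco IOS) that parses such output into one record per AAA session: the method lists picked, the GET_USER / GET_PASSWORD / PASS sequence, the authorization verdict, the user, and the priv-lvl the server returned. It assumes the line formats shown in the example; the sample input is constructed from abridged lines of that example.

```python
import re

# Patterns for the IOS debug lines in Example 3-5; TPLUS(00000083) and "request 131" name the same session (0x83 == 131).
SESSION_RE = re.compile(r'(?:TPLUS|AAA/[A-Z/]+) ?\((?:0x)?([0-9A-Fa-f]+)\)')
REQUEST_RE = re.compile(r'\b(?:request|for) (?:id )?(\d+)\b')
METHOD_RE = re.compile(r"AAA/(AUTHEN/LOGIN|AUTHOR) \(.*?\): Pick method list '([^']+)'")
AUTHEN_RE = re.compile(r'Received authen response status (\w+) \(\d+\)')
USER_RE = re.compile(r'Authorization request created for \d+\(([^)]*)\)')
AUTHOR_RE = re.compile(r'received authorization response for \d+: (\w+)')
PRIV_RE = re.compile(r'AV priv-lvl=(\d+)')

def parse_tplus_debug(text):
    """Attribute each line to the AAA session most recently named and collect its verdicts."""
    sessions, current = {}, None
    for line in text.splitlines():
        if (m := SESSION_RE.search(line)):
            current = int(m.group(1), 16)
        elif (m := REQUEST_RE.search(line)):
            current = int(m.group(1))
        if current is None:
            continue                      # output printed before any session id
        s = sessions.setdefault(current, {'method_lists': {}, 'authen_steps': [],
                                          'authen': None, 'author': None, 'user': None, 'priv_lvl': None})
        if (m := METHOD_RE.search(line)):
            s['method_lists'][m.group(1)] = m.group(2)
        elif (m := AUTHEN_RE.search(line)):
            s['authen_steps'].append(m.group(1))   # GET_USER, GET_PASSWORD, then PASS/FAIL
            if m.group(1) in ('PASS', 'FAIL', 'ERROR'):
                s['authen'] = m.group(1)
        elif (m := USER_RE.search(line)):
            s['user'] = m.group(1)
        elif (m := AUTHOR_RE.search(line)):
            s['author'] = m.group(1)
        elif (m := PRIV_RE.search(line)):
            s['priv_lvl'] = int(m.group(1))
    return sessions

# Constructed sample: lines abridged from Example 3-5 (the admin and help-desk logins).
SAMPLE = """AAA/AUTHEN/LOGIN (00000083): Pick method list 'Login_Authen_via_TACACS'
TPLUS: Received authen response status GET_USER (7)
TPLUS: Received authen response status GET_PASSWORD (8)
TPLUS: Received authen response status PASS (2)
AAA/AUTHOR (0x83): Pick method list 'Exec_Authorization_via_TACACS'
TPLUS: Authorization request created for 131(admin)
TPLUS: Processed AV priv-lvl=15
TPLUS: received authorization response for 131: PASS
AAA/BIND(00000084): Bind i/f
TPLUS: Received authen response status PASS (2)
TPLUS: Authorization request created for 132(help-desk)
AAA/AUTHOR/EXEC(00000084): processing AV priv-lvl=1"""
```

A session whose record ends with authen PASS but no authorization response, or with a priv-lvl you did not expect, points you at the authorization policy on the ACS rather than at connectivity.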

