Occasional Contributor II
Posts: 19
Registered: ‎04-03-2007

TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

TACACS service logs in tracker as success when doing AAA test server against it, but actual attempted authentication fails with this in the controller's log (and no Access Tracker entry):

Sep 25 19:06:27 :124004:  <DBUG> |authmgr|  RX (sock) message of type 10, len 324
Sep 25 19:06:27 :124004:  <DBUG> |authmgr|  aal_authenticate user:khall vpnflags:0
Sep 25 19:06:27 :124004:  <DBUG> |authmgr|  unknown user=192.168.1.119, method=Management
Sep 25 19:06:27 :124004:  <DBUG> |authmgr|  aal_authenticate server_group:default
Sep 25 19:06:27 :124004:  <DBUG> |authmgr|  Select server for method=Management, user=khall, essid=<>, server-group=clearpass-TACACS-srvr-gp, last_srv <>
Sep 25 19:06:27 :124004:  <DBUG> |authmgr|   server=clearpass, ena=1, ins=1 (1)
Sep 25 19:06:27 :124038:  <INFO> |authmgr|  Selected server clearpass for method=Management; user=khall,  essid=<>, domain=<>, server-group=clearpass-TACACS-srvr-gp
Sep 25 19:06:27 :199802:  <ERRS> |authmgr|  tacplus.c, tacplus_api:49: Invalid authentication protocol for TACACS+
Sep 25 19:06:27 :124066:  <INFO> |authmgr|  Administrative User Authentication Successful: username=khall IP=192.168.1.119 auth server=clearpass
Sep 25 19:06:27 :124003:  <INFO> |authmgr|  Authentication result=(null)(-1), method=Management, server=clearpass, user=192.168.1.119
Sep 25 19:06:27 :124004:  <DBUG> |authmgr|  Auth server 'clearpass' response=-1
Sep 25 19:06:27 :125027:  <DBUG> |aaa|  mgmt-auth: khall, failure, , 0
Sep 25 19:06:27 :125022:  <WARN> |aaa|  Authentication failed for User khall, Logged in from 192.168.1.119 port 56645, Connecting to 192.168.1.2 port 4343 connection type HTTPS

It says it's successful @ "Sep 25 19:06:27 :124066" but then gives "Authentication result=(null)(-1)" which ultimately results in fail. Any ideas?!?

Guru Elite
Posts: 19,949
Registered: ‎03-29-2007

Re: TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

Please open a support case so they can get to the bottom of this...

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
pel
Occasional Contributor I
Posts: 5
Registered: ‎10-12-2012

Re: TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

Hello,

I have a similar issue using TACACS for management with MSCHAPV2.

With PAP, it's working, but when I activate MSCHAPV2, I get the following log:

Apr 9 15:58:50 :124038: <INFO> |authmgr| Selected server ACS-REC for method=Management; user=air, essid=<>, domain=<>, server-group=ACS_Local
Apr 9 15:58:50 :199802: <ERRS> |authmgr| tacplus.c, tacplus_api:49: Invalid authentication protocol for TACACS+
Apr 9 15:58:50 :124066: <INFO> |authmgr| Administrative User Authentication Successful: username=air IP=10.101.115.219 auth server=ACS-REC
Apr 9 15:58:50 :124003: <INFO> |authmgr| Authentication result=(null)(-1), method=Management, server=ACS-REC, user=10.101.115.219
Apr 9 15:58:50 :125022: <WARN> |aaa| Authentication failed for User air, Logged in from 10.101.115.219 port 53475, Connecting to 10.63.220.110 port 22 connection type SSH

Are there any bug fixes?
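
An added example, not part of the original posts: a Python sketch that groups the authmgr/aaa lines quoted in the two posts above into login attempts and flags those where message 124066 reports "Successful" while 124003/125022 report a failure. Treating 124038 as the start of an attempt, and the reading of each message ID, are assumptions drawn only from the lines shown in this thread.

```python
import re
# Sample input: controller log lines quoted in the two posts above.
SAMPLE_LOG = """\
Sep 25 19:06:27 :124038:  <INFO> |authmgr|  Selected server clearpass for method=Management; user=khall,  essid=<>, domain=<>, server-group=clearpass-TACACS-srvr-gp
Sep 25 19:06:27 :199802:  <ERRS> |authmgr|  tacplus.c, tacplus_api:49: Invalid authentication protocol for TACACS+
Sep 25 19:06:27 :124066:  <INFO> |authmgr|  Administrative User Authentication Successful: username=khall IP=192.168.1.119 auth server=clearpass
Sep 25 19:06:27 :124003:  <INFO> |authmgr|  Authentication result=(null)(-1), method=Management, server=clearpass, user=192.168.1.119
Sep 25 19:06:27 :125022:  <WARN> |aaa|  Authentication failed for User khall, Logged in from 192.168.1.119 port 56645, Connecting to 192.168.1.2 port 4343 connection type HTTPS
Apr 9 15:58:50 :124038: <INFO> |authmgr| Selected server ACS-REC for method=Management; user=air, essid=<>, domain=<>, server-group=ACS_Local
Apr 9 15:58:50 :199802: <ERRS> |authmgr| tacplus.c, tacplus_api:49: Invalid authentication protocol for TACACS+
Apr 9 15:58:50 :124066: <INFO> |authmgr| Administrative User Authentication Successful: username=air IP=10.101.115.219 auth server=ACS-REC
Apr 9 15:58:50 :124003: <INFO> |authmgr| Authentication result=(null)(-1), method=Management, server=ACS-REC, user=10.101.115.219
Apr 9 15:58:50 :125022: <WARN> |aaa| Authentication failed for User air, Logged in from 10.101.115.219 port 53475, Connecting to 10.63.220.110 port 22 connection type SSH
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+:(?P<id>\d+):\s+<\w+>\s+\|\w+\|\s+(?P<msg>.*)$")
SELECT_RE = re.compile(r"Selected server (\S+) for method=\w+; user=([^,]+),")
RESULT_RE = re.compile(r"result=.*?\((-?\d+)\)")

def parse_attempts(text):
    """Group lines into login attempts; assumes 124038 opens each attempt."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        mid, msg = m["id"], m["msg"]
        if mid == "124038":
            sel = SELECT_RE.search(msg)
            server, user = sel.groups() if sel else (None, None)
            cur = {"server": server, "user": user, "proto_error": False,
                   "claimed_success": False, "result": None, "failed": False}
            attempts.append(cur)
        elif cur is None:
            continue                         # line seen before any attempt opened
        elif mid == "199802" and "Invalid authentication protocol" in msg:
            cur["proto_error"] = True        # error raised in tacplus.c
        elif mid == "124066":
            cur["claimed_success"] = True    # "Authentication Successful" line
        elif mid == "124003" and (r := RESULT_RE.search(msg)):
            cur["result"] = int(r.group(1))  # e.g. -1 from "(null)(-1)"
        elif mid == "125022" and "Authentication failed" in msg:
            cur["failed"] = True             # outcome the admin actually sees
    return attempts

def misleading_success(attempts):
    """Attempts logged as 'Successful' (124066) that nevertheless failed."""
    return [a for a in attempts if a["claimed_success"]
            and (a["failed"] or (a["result"] is not None and a["result"] < 0))]
```

In both quoted attempts the 199802 protocol error precedes the "Successful" line, so an audit or alert keyed on 124066 alone would record a management login that never completed.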

 

Guru Elite
Posts: 19,949
Registered: ‎03-29-2007

Re: TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

Well,

what does the rejection say on the CPPM side?  That is the key to your issue...

Colin Joseph
Aruba Customer Engineering

pel
Occasional Contributor I
Posts: 5
Registered: ‎10-12-2012

Re: TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

Hello,

We are not using CPPM but a Cisco ACS 5.0.

The issue is very similar.

Guru Elite
Posts: 19,949
Registered: ‎03-29-2007

Re: TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

pel wrote:

Hello,

We are not using CPPM but a Cisco ACS 5.0.

The issue is very similar.

Well,

What message does the Cisco ACS show?  The Cisco ACS sends back the "1" response to the controller, so that is the key to your issue.

Aruba should support TACACS+ with MsChap from 6.1.3.0 onwards...

Colin Joseph
Aruba Customer Engineering

pel
Occasional Contributor I
Posts: 5
Registered: ‎10-12-2012

Re: TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

Hello,

There is no log because there is no authentication start request.

(Aruba620) #show aaa authentication-server tacacs statistics

TACACS Server Statistics
------------------------
Statistics                      ACS-REC
----------                      -------
Accounting Requests             0
Authentication Start Requests   1
Authorization Requests          0
Authentication Responses(Pass)  1
Authentication Responses(Fail)  0
Authorization Responses(Pass)   0
Authorization Responses(Fail)   0
Accounting Responses(Pass)      0
Accounting Responses(Fail)      0
Total Login Successes           1
Total Login Failures            0
Timeouts                        0
AvgRespTime (ms)                84
Uptime (d:h:m)                  0:0:37

(Aruba620) #

The one we have here is when I do PAP.

Guru Elite
Posts: 19,949
Registered: ‎03-29-2007

Re: TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

Got it.  What version of ArubaOS Code is this?

Colin Joseph
Aruba Customer Engineering

pel
Occasional Contributor I
Posts: 5
Registered: ‎10-12-2012

Re: TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

6.1.3.2

Regular Contributor I
Posts: 154
Registered: ‎10-20-2010

Re: TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

Anybody ever find a fix for this?  I have 60 controllers ver 6.1.3.7 going to CPPM 6.3.x and I have 2 that will not authenticate.  I see nothing in the access tracker.  Support told me there was a bug and to upgrade to 6.1.3.11 on the controller, so I upgraded one of them but it did not help.

Please let me know if any of the above issues were resolved and what the fix was.
