Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

  • 1.  TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

    Posted Sep 24, 2012 08:21 PM

    TACACS service logs in tracker as success when doing AAA test server against it, but actual attempted authentication fails with this in the controller's log (and no Access Tracker entry):


    Sep 25 19:06:27 :124004:  <DBUG> |authmgr|  RX (sock) message of type 10, len 324
    Sep 25 19:06:27 :124004:  <DBUG> |authmgr|  aal_authenticate user:khall vpnflags:0
    Sep 25 19:06:27 :124004:  <DBUG> |authmgr|  unknown user=192.168.1.119, method=Management
    Sep 25 19:06:27 :124004:  <DBUG> |authmgr|  aal_authenticate server_group:default
    Sep 25 19:06:27 :124004:  <DBUG> |authmgr|  Select server for method=Management, user=khall, essid=<>, server-group=clearpass-TACACS-srvr-gp, last_srv <>
    Sep 25 19:06:27 :124004:  <DBUG> |authmgr|   server=clearpass, ena=1, ins=1 (1)
    Sep 25 19:06:27 :124038:  <INFO> |authmgr|  Selected server clearpass for method=Management; user=khall,  essid=<>, domain=<>, server-group=clearpass-TACACS-srvr-gp
    Sep 25 19:06:27 :199802:  <ERRS> |authmgr|  tacplus.c, tacplus_api:49: Invalid authentication protocol for TACACS+
    Sep 25 19:06:27 :124066:  <INFO> |authmgr|  Administrative User Authentication Successful: username=khall IP=192.168.1.119 auth server=clearpass
    Sep 25 19:06:27 :124003:  <INFO> |authmgr|  Authentication result=(null)(-1), method=Management, server=clearpass, user=192.168.1.119
    Sep 25 19:06:27 :124004:  <DBUG> |authmgr|  Auth server 'clearpass' response=-1
    Sep 25 19:06:27 :125027:  <DBUG> |aaa|  mgmt-auth: khall, failure, , 0
    Sep 25 19:06:27 :125022:  <WARN> |aaa|  Authentication failed for User khall, Logged in from 192.168.1.119 port 56645, Connecting to 192.168.1.2 port 4343 connection type HTTPS


    It says it's successful @ "Sep 25 19:06:27 :124066" but then gives "Authentication result=(null)(-1)" which ultimately results in fail. Any ideas?!?
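A small parser for the controller log format quoted above, added here as an example and not code from the original post or from ArubaOS: it groups the authmgr/aaa lines into one management-auth attempt per "Selected server" line and flags the case where message 199802 (Invalid authentication protocol for TACACS+) precedes result=(null)(-1), so the "Successful" line (124066) is not mistaken for the outcome. The sample lines are the non-DBUG lines from the post; the verdict strings and field names are constructed.

```python
import re

# Constructed sample: the non-DBUG controller lines quoted in the post above.
SAMPLE_LOG = """\
Sep 25 19:06:27 :124038:  <INFO> |authmgr|  Selected server clearpass for method=Management; user=khall,  essid=<>, domain=<>, server-group=clearpass-TACACS-srvr-gp
Sep 25 19:06:27 :199802:  <ERRS> |authmgr|  tacplus.c, tacplus_api:49: Invalid authentication protocol for TACACS+
Sep 25 19:06:27 :124066:  <INFO> |authmgr|  Administrative User Authentication Successful: username=khall IP=192.168.1.119 auth server=clearpass
Sep 25 19:06:27 :124003:  <INFO> |authmgr|  Authentication result=(null)(-1), method=Management, server=clearpass, user=192.168.1.119
Sep 25 19:06:27 :125022:  <WARN> |aaa|  Authentication failed for User khall, Logged in from 192.168.1.119 port 56645, Connecting to 192.168.1.2 port 4343 connection type HTTPS
"""

# ArubaOS line shape: "<Mon D HH:MM:SS> :<msgid>: <SEV> |<process>| <text>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) :(?P<msgid>\d+):\s+"
                     r"<(?P<sev>\w+)>\s+\|(?P<proc>\w+)\|\s+(?P<text>.*)$")

def parse_lines(log_text):
    """Yield one dict per well-formed line; anything else is skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def diagnose(log_text):
    # Group lines into management-auth attempts and classify each rejection.
    attempts, cur = [], None
    for rec in parse_lines(log_text):
        text, mid = rec["text"], rec["msgid"]
        if mid == "124038":  # "Selected server <srv> for method=Management; user=<u>"
            m = re.search(r"Selected server (\S+) for method=Management; user=(\w+)", text)
            cur = {"user": m.group(2), "server": m.group(1), "result": None,
                   "protocol_error": False, "success_line": False, "verdict": None}
            attempts.append(cur)
        elif cur is None:
            continue
        elif mid == "199802" and "Invalid authentication protocol" in text:
            cur["protocol_error"] = True  # tacplus_api refused the auth protocol
        elif mid == "124066":  # "... Successful" line; not the final decision
            cur["success_line"] = True
        elif mid == "124003":  # "Authentication result=<value>, ..."
            cur["result"] = re.search(r"result=(\S+?),", text).group(1)
        elif mid == "125022" and f"for User {cur['user']}," in text:
            # The WARN from |aaa| closes the attempt; decide why it failed.
            if cur["protocol_error"]:
                cur["verdict"] = ("rejected locally: TACACS+ client reported an invalid "
                                  "authentication protocol (199802) before result=(null)(-1)")
            else:
                cur["verdict"] = "rejected: look at the TACACS+ server's reject reason"
            cur = None
    return attempts
```

Running `diagnose(SAMPLE_LOG)` on the thread's lines yields a single attempt for khall whose verdict points at the 199802 protocol error rather than at the server.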



  • 2.  RE: TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

    EMPLOYEE
    Posted Sep 24, 2012 09:18 PM

    Please open a support case so they can get to the bottom of this...




  • 3.  RE: TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

    Posted Apr 09, 2013 10:00 AM

    Hello,


    I have a similar issue using TACACS for management with MSCHAPv2.


    With PAP it works, but when I activate MSCHAPv2 I get the following log:


    Apr 9 15:58:50 :124038: <INFO> |authmgr| Selected server ACS-REC for method=Management; user=air, essid=<>, domain=<>, server-group=ACS_Local
    Apr 9 15:58:50 :199802: <ERRS> |authmgr| tacplus.c, tacplus_api:49: Invalid authentication protocol for TACACS+
    Apr 9 15:58:50 :124066: <INFO> |authmgr| Administrative User Authentication Successful: username=air IP=10.101.115.219 auth server=ACS-REC
    Apr 9 15:58:50 :124003: <INFO> |authmgr| Authentication result=(null)(-1), method=Management, server=ACS-REC, user=10.101.115.219
    Apr 9 15:58:50 :125022: <WARN> |aaa| Authentication failed for User air, Logged in from 10.101.115.219 port 53475, Connecting to 10.63.220.110 port 22 connection type SSH


    Are there any bug fixes?




  • 4.  RE: TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

    EMPLOYEE
    Posted Apr 09, 2013 10:01 AM

    Well, what does the rejection say on the CPPM side? That is the key to your issue...



  • 5.  RE: TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

    Posted Apr 09, 2013 10:10 AM

    Hello,


    We are not using CPPM but a Cisco ACS 5.0.


    The issue is very similar.




  • 6.  RE: TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

    EMPLOYEE
    Posted Apr 09, 2013 10:11 AM

    @pel wrote:

    Hello,

    We are not using CPPM but a Cisco ACS 5.0.

    The issue is very similar.


    Well, what message does the Cisco ACS show? The Cisco ACS sends back the "1" response to the controller, so that is the key to your issue.


    Aruba should support TACACS+ with MSCHAP from 6.1.3.0 onwards...




  • 7.  RE: TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

    Posted Apr 09, 2013 10:30 AM

    Hello,

    There is no log because there is no authentication start request.

    (Aruba620) #show aaa authentication-server tacacs statistics

    TACACS Server Statistics
    ------------------------
    Statistics ACS-REC
    ---------- -------
    Accounting Requests 0
    Authentication Start Requests 1
    Authorization Requests 0
    Authentication Responses(Pass) 1
    Authentication Responses(Fail) 0
    Authorization Responses(Pass) 0
    Authorization Responses(Fail) 0
    Accounting Responses(Pass) 0
    Accounting Responses(Fail) 0
    Total Login Successes 1
    Total Login Failures 0
    Timeouts 0
    AvgRespTime (ms) 84
    Uptime (d:h:m) 0:0:37

    (Aruba620) #


    The one we have here is when I do PAP.




  • 8.  RE: TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

    EMPLOYEE
    Posted Apr 09, 2013 10:56 AM

    Got it.  What version of ArubaOS Code is this?




  • 9.  RE: TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

    Posted Apr 09, 2013 11:01 AM

    6.1.3.2



  • 10.  RE: TACACS Issue from Controller on 6.1.3.4 auth'ing against CPPM 5.2.0

    Posted Mar 01, 2014 01:09 AM

    Did anybody ever find a fix for this? I have 60 controllers on 6.1.3.7 going to CPPM 6.3.x, and I have 2 that will not authenticate. I see nothing in the Access Tracker. Support told me there was a bug and to upgrade to 6.1.3.11 on the controller, so I upgraded one of them, but it did not help.


    Please let me know if any of the above issues were resolved and what the fix was.