Guest

Cisco Secure Access Control System

ACS 5.x AAA Caching in Cisco IOS Configuration Example

Techzone Article content

Document ID: 116505

Updated: Sep 26, 2013

Contributed by Minakshi Kumar, Cisco TAC Engineer.

   Print

Introduction

This document describes the steps necessary in order to configure caching of TACACS+ admin user credentials for Telnet and VTY line access. Authorization and Authentication Caching was integrated in Cisco IOS® Version 15.0(1)M. This feature enables a router to store Authentication, Authorization, and Accounting (AAA) credentials in its cache after it receives a TACACS+ reply to an AAA request. The cache is used in order to boost performance and reduce the amount of requests sent to the AAA server, or as a fall-back authentication method in case the AAA server is unreachable.

Prerequisites

Requirements

Cisco recommends that you:

  • Confirm IP connectivity between the router and the Cisco Secure Access Control Server (ACS) Version 5.x.
  • Define the router on the ACS as an AAA Client (Network Devices) with the same shared secret.

Components Used

The information in this document is based on these software and hardware versions:

  • ACS Version 5
  • Routers that run Cisco IOS Version 15.1

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

Configuration on a Cisco IOS Router

  1. Enter these commands in order to define the TACACS server and the pre-shared key:
    Router(config)#tacacs-server host 192.168.159.41
    Router(config)#tacacs-server timeout 4
    Router(config)#tacacs-server key SECRET12345


  2. Enter these commands in order to define the cache profile groups.

    Note: Each profile name must match an AAA username.


    Router(config)#aaa cache profile admin
    Router(config-profile-map)# profile peteradmin


  3. Enter these commands in order to assign the authentication and authorization caching rules to the AAA server groups:
    Router(config-profile-map)# aaa group server tacacs+ admin-tac
    Router(config-sg-tacacs+)# server 192.168.159.41
    Router(config-sg-tacacs+)# cache authentication profile admin
    Router(config-sg-tacacs+)# cache authorization profile admin


  4. Define the authentication and authorization method lists that contain the cache method. In this configuration example, the cache is only used if the AAA servers do not respond. If the order is switched to cache admin-tac group admin-tac, the cache is looked-up first.

    Note: The enable password from TACACS is not cached.


    aaa authentication login mtac group admin-tac cache admin-tac local 
    aaa authorization exec default group admin-tac cache admin-tac local
    aaa accounting exec default start-stop group admin-tac


  5. Enter these commands in order to configure TACACS+ on the VTY lines:
    Router(config)#line vty 0 4
    Router(config-line)#login authentication mtac

Configuration on the ACS

  1. Create a user in ACS. Navigate to Users and Identity Stores > Create User. This example uses the test user Peteradmin.



  2. TACACS+ admin users need a shell profile that allows them a privilege level of 15 so that they can enter enable mode. In order to configure the shell profile, navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles.





  3. Create a Service Selection Rule under Access Policies > Access Services to match TACACS:



  4. Navigate to Device Admin priv15 > Allowed Protocols > Select Authentication Protocols, and configure the Allowed Protocols. This example uses PAP/ASCII.



  5. Navigate to Access Policies > Access Services > Device Admin priv15 > Identity, and configure the Identity Source for Internal Users.



  6. Configure the Authorization Policy under Access Policies > Access Services > Device Admin priv15 > Authorization.

Verify

Use this section in order to confirm that your configuration works properly.

Test Telnet Access

These debugs are used in order to verify authentication and authorization caching for TACACS+:

  • debug tacacs events
  • debug aaa cache group

Telnet to the router with the TACACS user and TACACS enable password:

username: peteradmin
password: peteradmin

R102>en
password: cpeter
R102#

R102#debug tacacs events
R102#debug aaa cache group
R102#
11:35:47.151: TPLUS: Queuing AAA Authentication request 16 for processing
11:35:47.159: TPLUS: processing authentication start request id 16
11:35:47.163: TPLUS: Authentication start packet created for 16()
11:35:47.167: TPLUS: Using server 192.168.159.41
11:35:47.187: TPLUS(00000010)/0/NB_WAIT/69540BEC: Started 4 sec timeout
11:35:47.223: TPLUS(00000010)/0/NB_WAIT: wrote entire 37 bytes request
11:35:47.227: TPLUS: Would block while reading pak header
11:35:47.251: TPLUS(00000010)/0/READ: read entire 12 header bytes (expect 16
bytes)
11:35:47.255: TPLUS(00000010)/0/READ: read entire 28 bytes response
11:35:47.255: TPLUS(00000010)/0/69540BEC: Processing the reply packet
11:35:47.259: TPLUS: Received authen response status GET_USER (7)
11:35:47.263: AAA/AUTHEN/CACHE: No username in response
11:35:56.703: TPLUS: Queuing AAA Authentication request 16 for processing
11:35:56.711: TPLUS: processing authentication continue request id 1611:35:56.715:
TPLUS: Authentication continue packet generated for 16
11:35:56.719: TPLUS(00000010)/0/WRITE/69540BEC: Started 4 sec timeout
11:35:56.727: TPLUS(00000010)/0/WRITE: wrote entire 27 bytes request
11:35:56.751: TPLUS(00000010)/0/READ: read entire 12 header bytes (expect 16
bytes)
11:35:56.751: TPLUS(00000010)/0/READ: read entire 28 bytes response
11:35:56.755: TPLUS(00000010)/0/69540BEC: Processing the reply packet
11:35:56.759: TPLUS: Received authen response status GET_PASSWORD (8)
11:35:56.763: AAA/AUTHEN/CACHE: Request status = 8, cannot add to cache
11:36:02.943: TPLUS: Queuing AAA Authentication request 16 for processing
11:36:02.955: TPLUS: processing authentication continue request id 16
11:36:02.959: TPLUS: Authentication continue packet generated for 16
11:36:02.963: TPLUS(00000010)/0/WRITE/69540BEC: Started 4 sec timeout
11:36:02.967: TPLUS(00000010)/0/WRITE: wrote entire 27 bytes request
11:36:03.971: TPLUS(00000010)/0/READ: read entire 12 header bytes (expect 6
bytes)
11:36:03.975: TPLUS(00000010)/0/READ: read entire 18 bytes response
11:36:03.975: TPLUS(00000010)/0/69540BEC: Processing the reply packet
11:36:03.979: TPLUS: Received authen response status PASS (2)
11:36:03.983: AAA/AUTHEN/CACHE: SG profile admin
11:36:03.987: AAA/AUTHEN/CACHE: SG block for admin found
11:36:03.987: AAA/AUTHEN/CACHE: matching profile found for peteradmin in admin
11:36:03.991: AAA/AUTHEN/CACHE: Dealing with authen_type = 1
11:36:03.995: TPLUS: Error occurs in reading packet header, shutdown the single
connection
11:36:04.047: TPLUS: Queuing AAA Authorization request 16 for processing
11:36:04.055: TPLUS: processing authorization request id 16
11:36:04.059: TPLUS: Protocol set to None .....Skipping
11:36:04.063: TPLUS: Sending AV service=shell
11:36:04.067: TPLUS: Sending AV cmd*
11:36:04.067: TPLUS: Authorization request created for 16(peteradmin)
11:36:04.071: TPLUS: using previously set server 192.168.159.41 from group
admin-tac
11:36:04.091: TPLUS(00000010)/0/NB_WAIT/689C0FDC: Started 4 sec timeout
11:36:04.127: TPLUS(00000010)/0/NB_WAIT: wrote entire 66 bytes request
11:36:04.131: TPLUS: Would block while reading pak header
11:36:05.319: TPLUS(00000010)/0/READ: read entire 12 header bytes (expect 6
bytes)
11:36:05.323: TPLUS(00000010)/0/READ: read entire 18 bytes response
11:36:05.327: TPLUS(00000010)/0/689C0FDC: Processing the reply packet
11:36:05.327: TPLUS: received authorization response for 16: PASS
11:36:05.335: AAA/AUTHEN/CACHE: SG profile admin
11:36:05.335: AAA/AUTHEN/CACHE: SG block for admin found
11:36:05.339: AAA/AUTHEN/CACHE: matching profile found for peteradmin in admin
11:36:05.339: AAA/AUTHOR/CACHE(00000010): Existing entry no set for authorization
11:36:05.347: TPLUS: Error occurs in reading packet header, shutdown the single
connection
11:36:05.419: TPLUS: Queuing AAA Accounting request 16 for processing
11:36:05.431: TPLUS: processing accounting request id 16
11:36:05.439: TPLUS: Sending AV task_id=6
11:36:05.439: TPLUS: Sending AV timezone=UTC
11:36:05.443: TPLUS: Sending AV service=shell
11:36:05.443: TPLUS: Accounting request created for 16(peteradmin)
11:36:05.447: TPLUS: using previously set server 192.168.159.41 from group
admin-tac
11:36:05.471: TPLUS(00000010)/0/NB_WAIT/689C0FDC: Started 4 sec timeout
11:36:05.523: TPLUS(00000010)/0/NB_WAIT: wrote entire 85 bytes request
11:36:05.523: TPLUS: Would block while reading pak header
11:36:05.587: TPLUS(00000010)/0/READ: read entire 12 header bytes (expect 5
bytes)
11:36:05.591: TPLUS(00000010)/0/READ: read entire 17 bytes response
11:36:05.591: TPLUS(00000010)/0/689C0FDC: Processing the reply packet
11:36:05.595: TPLUS: Received accounting response with status PASS
11:36:05.603: TPLUS: Error occurs in reading packet header, shutdown the single
connection
R102#

Check the Cache

Enter these commands in order to review and clear the cache information:

  • show aaa cache group [cache group name] all
  • clear aaa cache group [cache group name] all
R102#show aaa cache group admin-tac all
----------------------------------------------------------
Entries in Profile dB admin-tac for exact match
----------------------------------------------------------
Profile: peteradmin
Updated: 00:00:42
Parse User: N
Authen User: Y
Query Count: 2
6731AF7C 0 00000009 username(422) 10 peteradmin, service shell, protocol none
6731AF8C 0 0000000A cmd(73) 0 , service shell, protocol none
----------------------------------------------------------
Entries in Profile dB admin-tac for regexp match
----------------------------------------------------------
No entries found for regexp match

Simulate an ACS Failure

Disconnect the ACS server from the network in order to simulate a failure and invoke the cache checking.

Telnet to the router with the TACACS user and local enable password (enable password from TACACS cannot be cached):

username: peteradmin
password: peteradmin

R102>en
password:
R102#
11:39:10.723: TPLUS: Queuing AAA Authentication request 17 for processing
11:39:10.735: TPLUS: processing authentication start request id 17
11:39:10.739: TPLUS: Authentication start packet created for 17()
11:39:10.743: TPLUS: Using server 192.168.159.41
11:39:10.759: TPLUS(00000011)/0/NB_WAIT/68A4A820: Started 4 sec timeout
11:39:14.759: TPLUS(00000011)/0/NB_WAIT/68A4A820: timed out
11:39:14.763: TPLUS(00000011)/0/NB_WAIT/68A4A820: timed out, clean up
11:39:14.767: TPLUS(00000011)/0/68A4A820: Processing the reply packet
11:39:14.771: AAA/AUTHEN/CACHE: Don't cache responses with errors
11:39:14.779: AAA/AUTHEN/CACHE(00000011): GET_USER for username NULL
11:39:23.315: AAA/AUTHEN/CACHE(00000011): GET_PASSWORD for username peteradmin
11:39:25.191: AAA/AUTHEN/CACHE(00000011): Found a match
11:39:25.195: AAA/AUTHEN/CACHE(00000011): PASS for username peteradmin
11:39:25.215: TPLUS: Queuing AAA Authorization request 17 for processing
11:39:25.223: TPLUS: processing authorization request id 17
11:39:25.227: TPLUS: Protocol set to None .....Skipping
11:39:25.231: TPLUS: Sending AV service=shell
11:39:25.235: TPLUS: Sending AV cmd*
11:39:25.239: TPLUS: Authorization request created for 17(peteradmin)
11:39:25.239: TPLUS: Using server 192.168.159.41
11:39:25.243: TPLUS(00000011)/0/IDLE/689C3A0C: got immediate connect on new 0
11:39:25.247: TPLUS(00000011)/0/WRITE/689C3A0C: Started 4 sec timeout
11:39:25.251: TPLUS(00000011)/0/WRITE: write to 192.168.159.41 failed with errno
257((ENOTCONN))
11:39:25.255: TPLUS: Protocol set to None .....Skipping
11:39:25.259: TPLUS: Sending AV service=shell
11:39:25.259: TPLUS: Sending AV cmd*
11:39:25.263: TPLUS: Authorization request created for 17(peteradmin)
11:39:25.263: TPLUS(00000011): Start write failed
11:39:29.247: TPLUS(00000011)/0/WRITE/689C3A0C: timed out
11:39:29.251: TPLUS: Protocol set to None .....Skipping
11:39:29.255: TPLUS: Sending AV service=shell
11:39:29.255: TPLUS: Sending AV cmd*
11:39:29.259: TPLUS: Authorization request created for 17(peteradmin)
11:39:29.263: TPLUS(00000011)/0/WRITE/689C3A0C: timed out, clean up
11:39:29.267: TPLUS: Error occured while writing, shutdown the single
connection
11:39:29.267: TPLUS(00000011)/0/689C3A0C: Processing the reply packet
11:39:29.271: AAA/AUTHEN/CACHE: Don't cache responses with errors
11:39:29.331: TPLUS: Queuing AAA Accounting request 17 for processing
11:39:29.343: TPLUS: processing accounting request id 17
11:39:29.351: TPLUS: Sending AV task_id=7
11:39:29.351: TPLUS: Sending AV timezone=UTC
11:39:29.355: TPLUS: Sending AV service=shell
11:39:29.359: TPLUS: Accounting request created for 17(peteradmin)
11:39:29.359: TPLUS: using previously set server 192.168.159.41 from group
admin-tac
11:39:29.379: TPLUS(00000011)/0/NB_WAIT/689C0FDC: Started 4 sec timeout
11:39:33.375: TPLUS(00000011)/0/NB_WAIT/689C0FDC: timed out
11:39:33.379: TPLUS: Choosing next server 192.168.159.41
11:39:33.383: TPLUS(00000011)/689C0FDC: releasing old socket 0
11:39:33.387: TPLUS(00000011)/0/NB_WAIT/689C0FDC: got immediate connect on
new 0
11:39:33.387: TPLUS(00000011)/0/WRITE/689C0FDC: Started 4 sec timeout
11:39:33.391: TPLUS(00000011)/0/WRITE: write to 192.168.159.41 failed with errno
257((ENOTCONN))
11:39:33.399: TPLUS: Sending AV task_id=7
11:39:33.399: TPLUS: Sending AV timezone=UTC
11:39:33.403: TPLUS: Sending AV service=shell
11:39:33.403: TPLUS: Accounting request created for 17(peteradmin)
11:39:33.407: TPLUS(00000011)/0/WRITE/689C0FDC: Write failed, this request
will be cleaned up after timeout
11:39:37.387: TPLUS(00000011)/0/WRITE/689C0FDC: timed out
11:39:37.395: TPLUS: Sending AV task_id=7
11:39:37.395: TPLUS: Sending AV timezone=UTC
11:39:37.399: TPLUS: Sending AV service=shell
11:39:37.403: TPLUS: Accounting request created for 17(peteradmin)
11:39:37.407: TPLUS: Choosing next server 192.168.159.41
11:39:37.407: TPLUS(00000011)/689C0FDC: releasing old socket 0
11:39:37.411: TPLUS(00000011)/0/WRITE/689C0FDC: got immediate connect on
new 0
11:39:37.415: TPLUS(00000011)/0/WRITE/689C0FDC: Started 4 sec timeout
11:39:37.415: TPLUS(00000011)/0/WRITE: write to 192.168.159.41 failed with errno
257((ENOTCONN))
11:39:37.423: TPLUS: Sending AV task_id=7
11:39:37.427: TPLUS: Sending AV timezone=UTC
11:39:37.427: TPLUS: Sending AV service=shell
11:39:37.431: TPLUS: Accounting request created for 17(peteradmin)
11:39:37.431: TPLUS(00000011)/0/WRITE/689C0FDC: Write failed, this request
will be cleaned up after timeout
11:39:41.411: TPLUS(00000011)/0/WRITE/689C0FDC: timed out
11:39:41.419: TPLUS: Sending AV task_id=7
11:39:41.423: TPLUS: Sending AV timezone=UTC
11:39:41.423: TPLUS: Sending AV service=shell
11:39:41.427: TPLUS: Accounting request created for 17(peteradmin)
11:39:41.431: TPLUS(00000011)/0/WRITE/689C0FDC: timed out, clean up
11:39:41.431: TPLUS: Error occured while writing, shutdown the single
connection
11:39:41.435: TPLUS(00000011)/0/689C0FDC: Processing the reply packet

Cached username and password works.

R102#clear aaa cache group admin-tac all
R102#show aaa cache group admin-tac all
----------------------------------------------------------
Entries in Profile dB admin-tac for exact match
----------------------------------------------------------
No entries found in Profile dB

Troubleshoot

The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.

There is currently no specific troubleshooting information available for this configuration.

Updated: Sep 26, 2013
Document ID: 116505