Troubleshooting tips for the CISCO TACACS solution on the Bluecoat Director appliance?

Solutions ID:    KB4160
Version:    5.0
Status:    Published
Published date:    11/10/2010
Updated:    02/07/2014

Problem Description

While I can use TACACS to authenticate to the Director console, through SSH, I cannot through the web user interface.

I cannot login to Director using a TACACS server from Cisco running version 4.2.



NOTE: To troubleshoot this issue, you'll need to login to the Command line interface ( CLI), via SSH. We recomend you use putty to login to Director.  Putty can be downloaded here.

 Troubleshooting steps:

1: Setup the var/log/messages file to send live updates to your putty SSH session.

  • director # config t
  • director #  shell
  • director #  tail -f /var/log/messages

2: Attempt to login , and trigger the symptom via the web UI, of being unable to login.

  • Here you can watch for any errors on the screen.

TIP: Between the client and Director, you are using the HTTP protocol, but between Director and the TACACS server you are using TCP and UDP.

3: Showing the Director, TACACS configuration:

  • Open another Putty session to the CLI.
  •  director > en 
  • director # config t
  • Show config
  • Press the space bar until you see the words TACACS.

TIP typing "TACACS-server ?" you will be shown  how you can change the TACACS configuration  on Director.

Solution: In one case we noticed  that the Cisco TACACS server was using RSA tokens for password protection.  RSA tokens  change the password every 60s seconds, and are incompatible with the authentication style of  Director . This resulted in us being able to login to the Command line interface via SSH,  but we were refused authentication via the web interface. Once we changed this to the Windows Domain Authentication the symptoms disapeared.

NOTE1: Terminal Access Controller Access-Control System (TACACS), is a remoted authentication protocol, based on TCP/UDP,  used to authentcate users to UNIX systems. For more information see this wiki link TACACS.

NOTE2:  For a complete set of steps to set up this solution with the CISCO TACACS server, see FAQ2879.

Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.

Your response will be used to improve our document content.

Ask a Question