Troubleshoot issues with RADIUS or TACACS authentication to Director

Solutions ID:    KB4295
Version:    14.0
Status:    Published
Published date:    02/10/2011
Updated:    02/07/2014
 

Problem Description

You cannot authenticate to Director using RADIUS or TACACS.

Resolution

Perform the following steps to troubleshoot RADIUS or TACACS+ authentication issues.

Fix "Permission denied" error when logging in through SSH terminal

support@10.78.55.35's password:
Permission denied (publickey,password,keyboard-interactive).

This issue could occur due to one of the following reasons.

  • The password you entered is incorrect. Verify the password and try to log in again.
  • The shared secret configured on the authentication server does not match the one configured on your Director appliance.*
  • Director's IP address is not configured as a client on the authentication server.*

* See the Additional Resources section for links to instructions on configuring the authentication server.

Look for authentication errors in /var/log/messages

You can tail /var/log/messages while you attempt to authenticate so that authentication errors are displayed as they occur.

In the SSH terminal, issue the following CLI commands:

director (config) # shell

tail -f /var/log/messages

While the messages screen is running, attempt to authenticate.

A successful authentication looks like the following:

Feb  9 21:17:01 director sshd: check pass; user unknown
Feb  9 21:17:01 director sshd: authentication failure; (uid=0) -> support for sshd service
Feb  9 21:17:09 director sshd: check pass; user unknown
Feb  9 21:17:09 director cli[2181]: <-cli.notice> support@::ffff:10.150.1.189: CLI launched
Feb  9 21:17:33 director cli[2181]: <-cli.notice> support@::ffff:10.150.1.189: Processing command: 1297286253669829:en

In this example the user support logs in from 10.150.1.189 and then enters enable mode (the en command). The "check pass; user unknown" and "authentication failure" lines are normal for a remotely authenticated user: they are written by the local password check, which has no local account for the user, before the RADIUS or TACACS+ module accepts the login. The "CLI launched" line is the confirmation that the login succeeded; if an "authentication failure" line is never followed by a "CLI launched" line for that user, the remote server rejected the login.

The following lines are not errors and can be ignored:

Feb 4 13:48:31 director su: PAM unable to dlopen(/dir/usr/lib/pam/pam_radius.so)
Feb 4 13:48:31 director su: PAM [dlerror: /dir/usr/lib/libradius.so: undefined symbol: MD5Init]
Feb 4 13:48:31 director su: PAM adding faulty module: /dir/usr/lib/pam/pam_radius.so
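The triage described in this section (find the "CLI launched" line, treat an "authentication failure" that is never followed by a launch for the same user as a real rejection, skip the faulty-module PAM lines) can be run over a saved copy of /var/log/messages. The following Python script is an added example and is not part of this article or of Director. Its sample input is constructed: the lines quoted above plus one attempt at 21:20:05 that is never followed by "CLI launched". The 30-second grace window and the year 2011 (syslog timestamps carry no year) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample of /var/log/messages lines: the lines quoted in this article
# plus one attempt at 21:20:05 that is never followed by "CLI launched" (a real reject).
SAMPLE_LINES = [
    "Feb  9 21:17:01 director sshd: check pass; user unknown",
    "Feb  9 21:17:01 director sshd: authentication failure; (uid=0) -> support for sshd service",
    "Feb  9 21:17:09 director sshd: check pass; user unknown",
    "Feb  9 21:17:09 director cli[2181]: <-cli.notice> support@::ffff:10.150.1.189: CLI launched",
    "Feb  9 21:17:33 director cli[2181]: <-cli.notice> support@::ffff:10.150.1.189: Processing command: 1297286253669829:en",
    "Feb  4 13:48:31 director su: PAM unable to dlopen(/dir/usr/lib/pam/pam_radius.so)",
    "Feb  4 13:48:31 director su: PAM [dlerror: /dir/usr/lib/libradius.so: undefined symbol: MD5Init]",
    "Feb  4 13:48:31 director su: PAM adding faulty module: /dir/usr/lib/pam/pam_radius.so",
    "Feb  9 21:20:05 director sshd: check pass; user unknown",
    "Feb  9 21:20:05 director sshd: authentication failure; (uid=0) -> support for sshd service",
]

# syslog line: "<Mon dd HH:MM:SS> <host> <prog>[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILURE_RE = re.compile(r"authentication failure; \(uid=\d+\) -> (?P<user>\S+) for (?P<svc>\S+) service")
LAUNCH_RE = re.compile(r"<-cli\.notice> (?P<user>[^@\s]+)@(?:::ffff:)?(?P<ip>[\d.]+): CLI launched")
# The faulty-module PAM messages the article says to ignore.
BENIGN_PAM = ("PAM unable to dlopen(", "PAM [dlerror:", "PAM adding faulty module:")


def parse_ts(ts, year):
    """Syslog timestamps carry no year, so the caller supplies one (assumed 2011 below)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def triage(lines, grace_seconds=30, year=2011):
    """Return (logins, failures, ignored):
    logins   = [(user, source_ip)] for every "CLI launched" line,
    failures = [(iso_timestamp, user)] for every "authentication failure" that is NOT
               followed by a CLI launch for the same user within grace_seconds, so the
               local-check failure that precedes a successful remote login is not reported,
    ignored  = number of benign PAM lines skipped."""
    events, ignored = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith(BENIGN_PAM):
            ignored += 1
            continue
        ts = parse_ts(m.group("ts"), year)
        fail = FAILURE_RE.search(msg)
        launch = LAUNCH_RE.search(msg)
        if fail:
            events.append(("failure", ts, fail.group("user"), None))
        elif launch:
            events.append(("launch", ts, launch.group("user"), launch.group("ip")))

    logins = [(user, ip) for kind, _, user, ip in events if kind == "launch"]
    failures = []
    for kind, ts, user, _ in events:
        if kind != "failure":
            continue
        cleared = any(k == "launch" and u == user and 0 <= (t - ts).total_seconds() <= grace_seconds
                      for k, t, u, _ in events)
        if not cleared:
            failures.append((ts.isoformat(), user))
    return logins, failures, ignored


if __name__ == "__main__":
    import sys
    # Pass a saved copy of /var/log/messages as the first argument; otherwise use the sample.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LINES
    logins, failures, ignored = triage(lines)
    print("successful logins:", logins)
    print("unexplained rejections:", failures)
    print("benign PAM lines skipped:", ignored)
```

On the sample, the 21:17:01 failure is cleared by the launch eight seconds later, the 21:20:05 failure is reported, and the three PAM lines are counted as skipped. A single launch clears every earlier failure for that user inside the window, which is adequate for triage but not for counting attempts.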

Prevent an "auth reject" on subsequent login attempts

For some RADIUS and TACACS+ servers, you can issue the following commands to prevent an "auth reject" on the second or third login attempt.

director (config)# no ssh server auth allowpassword 

director (config)# no ssh server auth permittemptypassword

Perform a packet capture

Take a packet capture (PCAP) of the interaction. A successful interaction consists of two packets, an Access-Request from Director and an Access-Accept from the server, as shown in the following example (taken using Wireshark's Summary (text) feature):

877 744.929808 10.78.51.105 10.9.31.100 RADIUS Access-Request(1) (id=145, l=71)

335 328.758563 10.9.31.100 10.78.51.105 RADIUS Access-Accept(2) (id=211, l=51)

10.78.51.105 is the IP address of the Director appliance and 10.9.31.100 is the IP address of the Cisco ACS server. When you match a reply to its request in your own capture, use the RADIUS identifier: the Access-Accept carries the same id as the Access-Request it answers (the two lines above were taken from different captures, which is why their ids and frame numbers differ). If Director sends Access-Requests and the server never answers, check that Director's IP address is configured as a client on the server, because a RADIUS server silently discards requests from clients it does not know; if the server answers with Access-Reject, check the shared secret and the user's credentials.
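The two-packet exchange above, and the shared-secret mismatch listed under "Permission denied" earlier in this article, can be reproduced offline. The following Python script is an added example, not code from this article, from Director or from Cisco ACS: it builds an Access-Request with the User-Password hiding and the Response Authenticator defined in RFC 2865, runs it through a minimal in-process server, and shows what the client sees when the secrets match, when the password is wrong, and when the secrets differ. The user name, password, secrets and the fixed Request Authenticator are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
# Constructed user database for the in-process server.
USERS = {b"support": b"s3cret"}


def attr(attr_type, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    """Decode a run of TLV attributes into {type: value}."""
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2:
            break
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def xor_blocks(data, secret, request_auth, chain_on_cipher):
    """RFC 2865 section 5.2 User-Password hiding. Each 16-byte block is XORed with
    MD5(secret || previous block); for the first block the 'previous block' is the
    Request Authenticator. Hiding chains on the cipher output, recovery on the cipher
    input, so one routine serves both directions."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if chain_on_cipher else data[i:i + 16]
    return out


def hide_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    return xor_blocks(padded, secret, request_auth, chain_on_cipher=True)


def recover_password(hidden, secret, request_auth):
    return xor_blocks(hidden, secret, request_auth, chain_on_cipher=False).rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth=None):
    """What the NAS (Director) sends: code 1, id, length, 16 random bytes, attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username) + attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Server reply. The Response Authenticator binds the reply to the request and to the
    shared secret: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def server_handle(request, secret, users):
    """Minimal server: recover the password under its own secret and accept only if it
    matches the stored one. A request hidden under a different secret decodes to garbage."""
    attrs = parse_attrs(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = recover_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    ok = hmac.compare_digest(users.get(user, b""), password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def verify_response(request, response, secret):
    """Client-side check: the id must match the outstanding request, the length field must
    match, and the Response Authenticator must verify under the client's copy of the secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def simulate(client_secret, server_secret, password=b"s3cret"):
    """One Access-Request/response exchange; returns (response code, client accepts reply?).
    A fixed Request Authenticator keeps the run reproducible; real clients use os.urandom."""
    request = build_access_request(145, b"support", password, client_secret, bytes(range(16)))
    response = server_handle(request, server_secret, USERS)
    return response[0], verify_response(request, response, client_secret)


if __name__ == "__main__":
    print("matching secrets, good password:", simulate(b"shared-secret", b"shared-secret"))
    print("matching secrets, bad password: ", simulate(b"shared-secret", b"shared-secret", b"wrong"))
    print("mismatched secrets:             ", simulate(b"shared-secret", b"other-secret"))
```

The three runs give (2, True), (3, True) and (3, False): with a secret mismatch the server cannot recover the password and rejects, and the client cannot verify the reply either, so in a capture a mismatch looks like an Access-Reject whose Response Authenticator does not verify under Director's secret, whereas a plain bad password is an Access-Reject that does verify.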
 

Verify your privilege level

You might be able to authenticate, but once logged in find that your access is not as expected. Issue the following CLI command to check your privilege level:

director  # show privilege  

Note: In SGME 5.4.2.5, the Configure Device tab is unavailable but the Add Device tab is available. This is not a privileges issue. To fix the problem, upgrade to 5.5.1.2 or later.


Additional Resources

Refer to the following resources for more information:

  • Set up authentication on Cisco ACS: FAQ2878
  • Determine which RADIUS and TACACS server vendors Director officially supports: FAQ1125
  • Details of a specific solution for the Cisco IAS implementation of TACACS:  KB4160
  • Set up RADIUS using freeware software:  FAQ337
  • Other CLI commands: KB4178 
