Troubleshoot issues with RADIUS or TACACS authentication to Director

Article ID: 167028

Products

Director

Issue/Introduction

You cannot authenticate to Director using RADIUS or TACACS.

Resolution

Perform the following steps to troubleshoot RADIUS or TACACS+ authentication issues.

Fix "Permission denied" error when logging in through SSH terminal

[email protected]'s password:
Permission denied (publickey,password,keyboard-interactive).

This issue could occur due to one of the following reasons.

  • The password you entered is incorrect. Verify the password and try to log in again.
  • The shared secret configured on the authentication server and on your Director appliance do not match.
  • Director's IP address is not configured as a client on the authentication server.

Look for authentication errors in /var/log/messages

You can tail /var/log/messages while you attempt to authenticate to display any authentication errors as they occur.

In the SSH terminal, issue the following CLI commands:

director (config) # shell

tail -f /var/log/messages

While the messages screen is running, attempt to authenticate.

A successful authentication will look like the following:

Feb  9 21:17:01 director sshd: check pass; user unknown
Feb  9 21:17:01 director sshd: authentication failure; (uid=0) -> support for sshd service
Feb  9 21:17:09 director sshd: check pass; user unknown
Feb  9 21:17:09 director cli[2181]: <-cli.notice> [email protected]::ffff:10.150.1.189: CLI launched
Feb  9 21:17:33 director cli[2181]: <-cli.notice> [email protected]::ffff:10.150.1.189: Processing command: 1297286253669829:en

In the previous example, the user successfully logs in, enters enable mode, and then enters configuration mode.

The following lines are not errors and can be ignored:

Feb 4 13:48:31 director su: PAM unable to dlopen(/dir/usr/lib/pam/pam_radius.so)

Feb 4 13:48:31 director su: PAM [dlerror: /dir/usr/lib/libradius.so: undefined symbol: MD5Init]

Feb 4 13:48:31 director su: PAM adding faulty module: /dir/usr/lib/pam/pam_radius.so
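To make the log review above repeatable, the following added script (not part of the original article or of the Director product) classifies lines of /var/log/messages captured during a login test. It treats the three PAM dlopen lines as ignorable noise and, as the success sample shows, does not report a rejected login just because a local "authentication failure" line appears, only when no "CLI launched" line follows it. The sample lines, user name and client address are constructed placeholders modelled on the article's excerpts.

```python
import re
from collections import Counter

# Constructed sample modelled on the article's excerpts (user and client IP are placeholders).
SAMPLE_LINES = [
    "Feb  4 13:48:31 director su: PAM unable to dlopen(/dir/usr/lib/pam/pam_radius.so)",
    "Feb  4 13:48:31 director su: PAM [dlerror: /dir/usr/lib/libradius.so: undefined symbol: MD5Init]",
    "Feb  4 13:48:31 director su: PAM adding faulty module: /dir/usr/lib/pam/pam_radius.so",
    "Feb  9 21:17:01 director sshd: check pass; user unknown",
    "Feb  9 21:17:01 director sshd: authentication failure; (uid=0) -> support for sshd service",
    "Feb  9 21:17:09 director cli[2181]: <-cli.notice> support@::ffff:10.150.1.189: CLI launched",
]

# The three PAM messages the article says are not errors and can be ignored.
NOISE = re.compile(r"PAM (unable to dlopen\(|\[dlerror: |adding faulty module: )")
# A CLI session being launched for the user is the real sign of a successful login.
SUCCESS = re.compile(r"cli\[\d+\]: <-cli\.notice> (?P<user>[^@\s]+)@\S+: CLI launched")
# Local PAM failure line; it also appears on good RADIUS/TACACS+ logins.
FAILURE = re.compile(r"sshd: authentication failure; \(uid=\d+\) -> (?P<user>\S+) for sshd service")


def classify(line: str) -> str:
    """Label one log line as noise, success, auth_failure or other."""
    if NOISE.search(line):
        return "noise"
    if SUCCESS.search(line):
        return "success"
    if FAILURE.search(line):
        return "auth_failure"
    return "other"


def triage(lines):
    """Return (verdict, per-class counts) for a captured login attempt.

    The last login-related event decides: an auth_failure with no later
    'CLI launched' line is a real rejection; one followed by a launch is not."""
    counts = Counter(classify(line) for line in lines)
    verdict = "no login attempt seen"
    for line in lines:
        kind = classify(line)
        if kind == "auth_failure":
            verdict = "login rejected: check password, shared secret and client IP on the server"
        elif kind == "success":
            verdict = "login succeeded as " + SUCCESS.search(line).group("user")
    return verdict, dict(counts)


if __name__ == "__main__":
    print(*triage(SAMPLE_LINES))
```

To use it against a live capture, feed the script the lines written by `tail -f /var/log/messages` instead of SAMPLE_LINES.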

Prevent an "auth reject" on subsequent login attempts

For some RADIUS and TACACS+ servers, you can issue the following commands to prevent an "auth reject" on the second or third login attempt.

director (config)# no ssh server auth allowpassword 

director (config)# no ssh server auth permittemptypassword

Perform a packet capture 

Take a packet capture (PCAP) of the interaction. A successful interaction consists of two packets as shown in the following example (taken using Wireshark's Summary (text) feature):

877 744.929808 10.78.51.105 10.9.31.100 RADIUS Access-Request(1) (id=145, l=71)

335 328.758563 10.9.31.100 10.78.51.105 RADIUS Access-Accept(2) (id=211, l=51)
 
10.78.51.105 is the IP address of the Director appliance and 10.9.31.100 is the IP address of the Cisco ACS server.
 

Verify your privilege level

You might be able to authenticate, but once logged in find that your access is not as expected. Issue the following CLI command to check your privilege level:

director  # show privilege