Troubleshooting tips for the CISCO TACACS solution on the Bluecoat Director appliance?

Solution

Overview

While I can use TACACS to authenticate to the Director console through SSH, I cannot through the web user interface.

I cannot log in to Director using a TACACS server from Cisco running version 4.2.

 

Cause
Resolution

NOTE: To troubleshoot this issue, you'll need to log in to the command-line interface (CLI) via SSH. We recommend you use PuTTY to log in to Director. PuTTY can be downloaded here.

Troubleshooting steps:

1: Set up the /var/log/messages file to send live updates to your PuTTY SSH session.

  • director # config t
  • director # shell
  • director # tail -f /var/log/messages

2: Attempt to log in via the web UI to trigger the symptom of being unable to log in.

  • Here you can watch for any errors on the screen.

TIP: Between the client and Director, you are using the HTTP protocol, but between Director and the TACACS server you are using TCP and UDP.

3: Show the Director TACACS configuration:

  • Open another Putty session to the CLI.
  • director > en
  • director # config t
  • Show config
  • Press the space bar until you see the words TACACS.

TIP: Typing "TACACS-server ?" shows how you can change the TACACS configuration on Director.

Solution: In one case we noticed that the Cisco TACACS server was using RSA tokens for password protection. RSA tokens change the password every 60 seconds and are incompatible with the authentication style of Director. This resulted in us being able to log in to the command-line interface via SSH, but we were refused authentication via the web interface. Once we changed this to Windows Domain Authentication, the symptoms disappeared.

NOTE1: Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol, based on TCP/UDP, used to authenticate users to UNIX systems. For more information, see this wiki link: TACACS.

NOTE2: For a complete set of steps to set up this solution with the CISCO TACACS server, see 000013371.

Workaround
Additional Information
Bug Number
InQuira Doc Id: KB4160
Attachment
