Troubleshoot issues with RADIUS or TACACS authentication to Director



Solution

Overview

You cannot authenticate to Director using RADIUS or TACACS.

Resolution

Perform the following steps to troubleshoot RADIUS or TACACS+ authentication issues.

Fix "Permission denied" error when logging in through SSH terminal

support@10.78.55.35's password:
Permission denied (publickey,password,keyboard-interactive).

This issue could occur due to one of the following reasons.

  • The password you entered is incorrect. Verify the password and try to log in again.
  • The shared secret configured on the authentication server does not match the one configured on your Director appliance.*
  • The Director's IP address is not configured on the authentication server.*

Look for authentication errors in /var/log/messages

You can tail /var/log/messages while you attempt to authenticate so that authentication errors are displayed as they occur.

In the SSH terminal, issue the following CLI commands:

director (config) # shell

tail -f /var/log/messages

While the messages screen is running, attempt to authenticate.

A successful authentication will look like the following:

Feb  9 21:17:01 director sshd: check pass; user unknown
Feb  9 21:17:01 director sshd: authentication failure; (uid=0) -> support for sshd service
Feb  9 21:17:09 director sshd: check pass; user unknown
Feb  9 21:17:09 director cli[2181]: <-cli.notice> support@::ffff:10.150.1.189: CLI launched
Feb  9 21:17:33 director cli[2181]: <-cli.notice> support@::ffff:10.150.1.189: Processing command: 1297286253669829:en

In the previous example, the user successfully logs in, enters enable mode, and then enters configuration mode.

The following lines are not errors and can be ignored:

Feb 4 13:48:31 director su: PAM unable to dlopen(/dir/usr/lib/pam/pam_radius.so)
Feb 4 13:48:31 director su: PAM [dlerror: /dir/usr/lib/libradius.so: undefined symbol: MD5Init]
Feb 4 13:48:31 director su: PAM adding faulty module: /dir/usr/lib/pam/pam_radius.so
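When you tail the log during several attempts, it helps to separate the three kinds of lines described above automatically: the faulty-module PAM lines that can be ignored, the "CLI launched" line that shows a login actually went through, and "authentication failure" lines that were never followed by a CLI launch for that user. The following script is an added example written for this article, not a tool shipped with Director; the sample log text is constructed from the excerpts above (the "auditor" user is invented to show an unresolved failure), and the regular expressions assume the message formats shown on this page.

```python
import re
from collections import Counter

# Constructed sample modelled on the /var/log/messages excerpts above; not captured from a real appliance.
SAMPLE_LOG = """\
Feb  9 21:17:01 director sshd: check pass; user unknown
Feb  9 21:17:01 director sshd: authentication failure; (uid=0) -> support for sshd service
Feb  9 21:17:09 director sshd: check pass; user unknown
Feb  9 21:17:09 director cli[2181]: <-cli.notice> support@::ffff:10.150.1.189: CLI launched
Feb  4 13:48:31 director su: PAM unable to dlopen(/dir/usr/lib/pam/pam_radius.so)
Feb  4 13:48:31 director su: PAM [dlerror: /dir/usr/lib/libradius.so: undefined symbol: MD5Init]
Feb  4 13:48:31 director su: PAM adding faulty module: /dir/usr/lib/pam/pam_radius.so
Feb  9 21:30:02 director sshd: authentication failure; (uid=0) -> auditor for sshd service
"""

# Lines the article says can be ignored (faulty pam_radius module load messages).
IGNORABLE = (
    re.compile(r"PAM unable to dlopen\("),
    re.compile(r"PAM \[dlerror:"),
    re.compile(r"PAM adding faulty module:"),
)
# A CLI launch is the first positive sign that the login went through.
CLI_LAUNCHED = re.compile(
    r"cli\[\d+\]: <-cli\.notice> (?P<user>[^@\s]+)@(?P<src>\S+): CLI launched"
)
AUTH_FAILURE = re.compile(
    r"sshd: authentication failure;.*-> (?P<user>\S+) for sshd service"
)


def _strip_v4mapped(addr):
    # sshd logs IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d); keep the IPv4 part.
    return addr[len("::ffff:"):] if addr.startswith("::ffff:") else addr


def classify_line(line):
    """Return (kind, details): kind is 'noise', 'login', 'failure' or 'other'."""
    if any(p.search(line) for p in IGNORABLE):
        return "noise", None
    m = CLI_LAUNCHED.search(line)
    if m:
        return "login", {"user": m.group("user"), "src": _strip_v4mapped(m.group("src"))}
    m = AUTH_FAILURE.search(line)
    if m:
        return "failure", {"user": m.group("user")}
    return "other", None


def summarize(text):
    """Count line kinds, list successful logins, and return users whose
    'authentication failure' lines were never followed by a CLI launch."""
    counts = Counter()
    logins = []
    pending = {}  # user -> failures not yet followed by a login
    for line in text.splitlines():
        kind, details = classify_line(line)
        counts[kind] += 1
        if kind == "failure":
            pending[details["user"]] = pending.get(details["user"], 0) + 1
        elif kind == "login":
            logins.append(details)
            pending.pop(details["user"], None)
    return dict(counts), logins, sorted(pending)


if __name__ == "__main__":
    counts, logins, unresolved = summarize(SAMPLE_LOG)
    print("line kinds:", counts)
    print("logins:", logins)
    print("users with unresolved failures:", unresolved)
```

To use it against a live appliance, replace SAMPLE_LOG with the text you captured from tail -f /var/log/messages. Note that, as in the successful example above, an "authentication failure" line followed by "CLI launched" for the same user is treated as resolved; only failures with no later CLI launch are reported.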

Prevent an "auth reject" on subsequent login attempts

For some RADIUS and TACACS+ servers, you can issue the following commands to prevent an "auth reject" on the second or third login attempt.

director (config)# no ssh server auth allowpassword 

director (config)# no ssh server auth permittemptypassword

Perform a packet capture 

Take a packet capture (PCAP) of the interaction. A successful interaction consists of two packets as shown in the following example (taken using Wireshark's Summary (text) feature):

877 744.929808 10.78.51.105 10.9.31.100 RADIUS Access-Request(1) (id=145, l=71)
335 328.758563 10.9.31.100 10.78.51.105 RADIUS Access-Accept(2) (id=211, l=51)

10.78.51.105 is the IP address of the Director appliance and 10.9.31.100 is the IP address of the Cisco ACS server.
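The capture shows why a mismatched shared secret (one of the causes listed above) breaks authentication even though the request and reply both appear on the wire: the Access-Accept carries a Response Authenticator, which per RFC 2865 is MD5 over the response header, the Request Authenticator from the Access-Request, the response attributes, and the shared secret, so the Director can only validate the reply if both sides hold the same secret. The following script is an added example, not code from the article or from the Director product, that builds a minimal Access-Request, answers it the way a RADIUS server would, and checks the reply with the right and a wrong secret. The shared secret and Request Authenticator are constructed values; the identifier 145 and NAS address 10.78.51.105 are taken from the capture summary above; the User-Password attribute is omitted.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4   # standard RADIUS attribute types (RFC 2865)
HEADER = struct.Struct("!BBH")                # Code, Identifier, Length; 16-byte Authenticator follows

# Constructed values for the demonstration: a real NAS uses a random Request Authenticator,
# and the secret is whatever is configured on both Director and the RADIUS server.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))


def attribute(atype, value):
    """Encode one Type-Length-Value attribute (Length counts its own 2-byte header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse(packet):
    """Split a RADIUS packet into header fields, Authenticator and raw attribute bytes."""
    code, identifier, length = HEADER.unpack(packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS Length field")
    return {"code": code, "id": identifier, "length": length,
            "auth": packet[4:20], "attrs": packet[20:length]}


def build_access_request(identifier, request_auth, attrs):
    body = b"".join(attrs)
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body


def build_response(code, request, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    req = parse(request)
    body = b"".join(attrs)
    header = HEADER.pack(code, req["id"], 20 + len(body))
    resp_auth = hashlib.md5(header + req["auth"] + body + secret).digest()
    return header + resp_auth + body


def verify_response(request, response, secret):
    """Client side: trust a reply only if its Identifier matches the outstanding request
    and its Response Authenticator recomputes under our copy of the shared secret."""
    req, resp = parse(request), parse(response)
    if resp["id"] != req["id"]:
        return False
    header = HEADER.pack(resp["code"], resp["id"], resp["length"])
    expected = hashlib.md5(header + req["auth"] + resp["attrs"] + secret).digest()
    return hmac.compare_digest(expected, resp["auth"])


def demo():
    """Exchange for user 'support' from NAS 10.78.51.105 with Identifier 145 (as in the capture above)."""
    request = build_access_request(145, REQUEST_AUTH, [
        attribute(ATTR_USER_NAME, b"support"),
        attribute(ATTR_NAS_IP_ADDRESS, bytes([10, 78, 51, 105])),
    ])
    accept = build_response(ACCESS_ACCEPT, request, [], SHARED_SECRET)
    return {
        "same_secret": verify_response(request, accept, SHARED_SECRET),
        "wrong_secret": verify_response(request, accept, b"mistyped-secret"),
    }


if __name__ == "__main__":
    print(demo())  # {'same_secret': True, 'wrong_secret': False}
```

When only one of the two packets appears in your capture, or the reply is present but the client still reports an authentication failure, checking the Identifier and recomputing the Response Authenticator with the secret configured on the Director is the quickest way to tell a transport problem from a secret mismatch.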

Verify your privilege level

You might be able to authenticate but, once logged in, find that your access is not what you expected. Issue the following CLI command to check your privilege level:

director # show privilege

InQuira Doc Id: KB4295
First Published: 10/01/2014
Last Modified: 08/17/2016
Last Published: 08/17/2016
Product: Director-510
Topic: Configuration / WUI / CLI, Director Jobs
Article Number: 000014177
Summary: This article provides instructions for troubleshooting issues with RADIUS and TACACS authentication to the Director.