Possible compatibility issue with Cisco IOS 12.1 and/or Catalyst 2950 switches

JT

Jan 10, 2018, 11:44:53 AM
to Event-Driven Servers
I've been slowly but surely migrating all of the TACACS+ enabled devices in my network off of a Windows Server 2003 box (running Cisco ACS) to a tac_plus server. tac_plus has worked flawlessly for everything, except for a handful of Cisco Catalyst 2950 switches. Yes, I realize the easy option would be to throw the 2950s in the trash and replace them with something newer, but that isn't an option at the moment. Whenever I re-configure tacacs aaa on one of the 2950s to use the tac_plus server, it rejects all login attempts. If I change it back to the old Cisco ACS server, it will start working again.

Here are the switch specifics:

Cisco Catalyst c2950 switch with 24 10/100 BaseTX ports and 2 10/100/1000 BaseT ports
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA13, RELEASE SOFTWARE (fc2)
PID: WS-C2950T-24

The firmware on this specific 2950 is one release behind the final image for the platform (EA14), but the changelog for EA14 did not indicate that any tacacs+ code was changed.

Anyone have any ideas? Every other device (IOS/IOS XE/NX-OS/IOS XR) I've re-configured to use tac_plus works without issue.

Shin Sterneck

Jan 13, 2018, 5:26:44 AM
to Event-Driven Servers
Hi JT,

Can you share the configuration from the 2950's IOS side as well as the configuration for such a host on the tac_plus side?

regards,
Shin

James Templet

Jan 15, 2018, 10:39:19 AM
to event-driv...@googlegroups.com
Shin,

Thanks for the reply! I've pasted the requested information below and removed sensitive information.

Please let me know if there is anything I can do to help debug this issue.

[tac_plus.cfg]
#!/usr/local/sbin/tac_plus
id = spawnd {
        listen = { address = 0.0.0.0 port = 49 }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}

id = tac_plus {
        access log = /var/log/tac_plus/access/%Y/%m/access-%m-%d-%Y.txt
        accounting log = /var/log/tac_plus/accounting/%Y/%m/accounting-%m-%d-%Y.txt
        authentication log = /var/log/tac_plus/authentication/%Y/%m/authentication-%m-%d-%Y.txt

        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = [REMOVED]
                setenv LDAP_BASE = [REMOVED]
                setenv LDAP_SCOPE = sub
                setenv LDAP_FILTER = "(&(objectClass=user)(objectClass=person)(sAMAccountName=%s))"
                setenv LDAP_USER = [REMOVED]
                setenv LDAP_PASSWD = [REMOVED]
                setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
                setenv EXPAND_AD_GROUP_MEMBERSHIP = 0
                setenv AD_GROUP_PREFIX = "GG_TACACS"
                setenv REQUIRE_TACACS_GROUP_PREFIX = 1
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }

        login backend = mavis
        user backend = mavis
        pap backend = mavis

        host = world {
                address = 0.0.0.0/0
                key = [REMOVED]
        }

        group = _15 {
                default service = permit

                enable = login

                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }

        user = orionncm {
                login = clear [REMOVED]
                enable = login
                member = _15@world
        }
}

[Cisco 2950 tacacs+ / AAA config]
tacacs-server host [REMOVED] key 7 [REMOVED]
tacacs-server directed-request
ip tacacs source-interface Vlan2
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
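As an added diagnostic aid (not code from the thread or from tac_plus), the following Python decoder reads the fixed 12-byte TACACS+ packet header, so a capture of the 2950-to-tac_plus exchange on port 49 can be checked for the minor version, sequence number and flags the switch actually sends before the body is examined. The two sample packets are constructed for the example, not captured from the poster's network, and their bodies are opaque padding.

```python
import struct
from dataclasses import dataclass

# TACACS+ header (RFC 8907): version, type, seq_no, flags, session_id, length.
HEADER = struct.Struct("!BBBBII")
PACKET_TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}
FLAG_UNENCRYPTED = 0x01     # body sent in the clear; a key mismatch cannot be the cause then
FLAG_SINGLE_CONNECT = 0x04  # client asks to multiplex sessions over one TCP connection

@dataclass
class TacacsHeader:
    minor_version: int
    packet_type: str
    seq_no: int
    flags: int
    session_id: int
    body_length: int

def parse_header(packet: bytes) -> TacacsHeader:
    """Decode the 12-byte header and check it against the bytes that follow."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if version >> 4 != 0xC:
        raise ValueError(f"not TACACS+: major version {version >> 4:#x}")
    if ptype not in PACKET_TYPES:
        raise ValueError(f"unknown packet type {ptype}")
    if len(packet) - HEADER.size != length:
        raise ValueError(f"header says {length} body bytes, got {len(packet) - HEADER.size}")
    return TacacsHeader(version & 0x0F, PACKET_TYPES[ptype], seq_no, flags, session_id, length)

def describe(hdr: TacacsHeader) -> list[str]:
    """Header facts worth checking when an old client and a newer server disagree."""
    notes = []
    if hdr.flags & FLAG_UNENCRYPTED:
        notes.append("unencrypted body: the server must be configured to accept it")
    if hdr.flags & FLAG_SINGLE_CONNECT:
        notes.append("single-connect requested: the server may decline it")
    if hdr.minor_version == 0:
        notes.append("minor version 0 (default); version 1 is only used for PAP/CHAP/MS-CHAP")
    notes.append("sent by the server" if hdr.seq_no % 2 == 0 else "sent by the client")
    return notes

# Constructed sample: client AUTHEN START, minor version 0, 8 opaque body bytes.
SAMPLE_START = HEADER.pack(0xC0, 1, 1, 0x00, 0x1A2B3C4D, 8) + b"\x00" * 8
# Constructed sample: server REPLY with the unencrypted flag set, 6 opaque body bytes.
SAMPLE_REPLY = HEADER.pack(0xC0, 1, 2, FLAG_UNENCRYPTED, 0x1A2B3C4D, 6) + b"\x00" * 6

if __name__ == "__main__":
    for pkt in (SAMPLE_START, SAMPLE_REPLY):
        hdr = parse_header(pkt)
        print(hdr, *describe(hdr), sep="\n  ")
```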
