Tag Archives: terminal server

Tacacs authentication on Avocent ACS terminal server

Posted on by | Leave a reply

We have a combination of Cisco 2500 terminal server (oldies) and some Avocent ACS terminal servers. All our cisco kit authenticates against a tacacs server (tac_plus) and I want to include the Avocent in the same central user-management infrastructure.

The Avocent manual includes some commands to configure it to authenticate against different back-ends. The tacacs commands and options are all explained, but these commands did not give me a working setup. Below I outline the steps in a small how-to to setup Tacacs authentication on an Avocent terminal server.

  1. Login to the avocent as root
  2. enter the command line interface:

    [root@hostname root]# CLI

    - Thanks for using the CLI -

    This interface allows you to easily modify configurations to customize
    and define the functionality of your unit.

    Some basic and useful keys are:
    up/down arrow - navigates up/down in the command history
    tab (once/twice) - shows the next possible option(s)

    Other hints:
    Put quotes around strings that contain spaces.

    Please refer to the Reference Guide for other special keys and
    additional information on how to use this interface.

    Press TAB to see the list of available options.

    cli>

  3. Configure the ACS to use tacacs for physical ports:

    cli>config physicalports all access authtype TacacsPlusDownlocal

  4. Configure the ACS to use tacacs for authentication to the terminal server itself:

    cli>config security authentication authtype tacasdownlocal

  5. Configure the tacacs parameters:

    cli>config security authentication tacplusauthsvr1 10.x.x.x
    cli>config security authentication tacplussecret T@C@CSk3y

  6. Commit the config:

    cli>config runconfig

  7. Save the config to flash:

    cli>config savetoflashadf

With the setup described above I was not able to succesfully login to the Avocent with a valid tacacs user. The following entries was written in the tacacs log file:

Thu Jul 30 18:29:16 2009 [23176]: pap-login query for 'testuser' ssh from hostname.domain rejected
Thu Jul 30 18:29:16 2009 [23176]: login failure: testuser hostname.domain (10.x.x.x) ssh

The cause of the problem was that the Avocent uses ‘PAP’ authentication and this needs to be configured separately for the tacacs user. See the example below:


user = testuser {
default service = permit
name = "Test User"
login = cleartext "password"
pap = cleartext "password"
service = exec {
priv-lvl = 15
}
}

I encountered a problem  when logging in with a ‘restricted’ rancid user (see article). This user does not have the proper authorization, since this is only setup to backup Cisco configuration. In my setup this is not a problem, but be aware of this issue. The problem can be seen in the tacacs log file:


Thu Jul 30 18:47:12 2009 [1541]: authorization query for 'rancid' ssh from cltsp-ts01.ams-spa rejected