Can’t authenticate Cisco to HP iMC Tacacs

I love TACACS+.  I know there are those of you who prefer RADIUS, but there are a few reasons why I love TACACS+:

  1. It’s tried and true.  Stable
  2. It’s TCP not UDP (c’mon, you knew I’d use this…)
  3. It’s easiest to configure Group -> Command mapping

So, when HP iMC 5.1 came out with TAM (Tacacs Authentication Module), I just HAD to try it out!  So, I grabbed a lab switch, downloaded the trial version of TAM, and started hacking away.  It wasn’t long before I was stuck.  No matter what I did, I just couldn’t authenticate to iMC.  


  • I checked the host firewall.  TCP 49 should be open.
  • I made sure the device is listed in the “Device List” of iMC TAM Manager.
  • I made sure tam.exe is binding to the right IP Address, using “netstat -ban”.
  • I made sure I have created a device user, and that device user is assigned the right device user group, and that group has the permitting authorization profile.

I checked my firewall, used Wireshark, even threw in some AAA / Tacacs debug commands.  Still, nothing.

I still can’t log in.  In order to troubleshoot more, I needed to dig a little deeper.  Going to the log file for TAM (C:\Program Files\iMC\tam\log) I found the following entry:

% 2012-12-03 14:55:08 ; [WARNING (2)] ; [3872] ; TAM ; $SYS$ ; (NULL) ; (NULL) ; (NULL) ; Invalid Source IP or port number(from 192.168.1.253:49).

HP iMC apparently does not include ALL IP addresses of a device when matching. More than likely, iMC uses the numerically lowest IP address as its primary address to identify and collect on. That is the one address TAM expects to see as the source of the TACACS+ request; no other address is valid. So, even though my device in iMC has the address 10.10.10.1 (VLAN 10), TAM is denying it, because the request is coming from 192.168.1.253 (which is on VLAN 1).

How to fix it?  Manually tell the Cisco switch to source its TACACS+ traffic from the interface that carries the iMC-defined IP address:

ip tacacs source-interface vlan 10

Now, why is the Cisco using that IP address in the first place? Well, in my lab, the iMC server is on the same subnet as VLAN 1. So, logically, the switch sends the packet from the closest interface (the VLAN 1 SVI), and that is the source address TAM sees.
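The troubleshooting above boils down to three steps: find the "Invalid Source IP" warning in the TAM log, compare the rejected source address with the address iMC has registered for the device, and work out which switch interface should be named in `ip tacacs source-interface`. The script below is an added example that automates that check; it is not part of the original post or of HP iMC. The log line is constructed in the same `" ; "`-separated layout as the entry quoted above, and the device inventory (`IMC_DEVICE_IP`, `SWITCH_INTERFACES`) is a hypothetical lab table you would fill in from iMC's Device List and the switch's `show ip interface brief`.

```python
import ipaddress
import re

# Constructed TAM log lines in the same field layout as the entry quoted in the
# post (fields separated by " ; "); not copied from a real iMC installation.
TAM_LOG_LINES = [
    "% 2012-12-03 14:55:08 ; [WARNING (2)] ; [3872] ; TAM ; $SYS$ ; (NULL) ; (NULL) ; (NULL) ; "
    "Invalid Source IP or port number(from 192.168.1.253:49).",
    "% 2012-12-03 14:55:10 ; [INFO (4)] ; [3872] ; TAM ; $SYS$ ; (NULL) ; (NULL) ; (NULL) ; "
    "Some unrelated message.",
]

# Hypothetical inventory (constructed lab values): the single address iMC TAM
# has registered for the switch, and the switch's own SVI addresses.
IMC_DEVICE_IP = "10.10.10.1"
SWITCH_INTERFACES = {
    "vlan 1": "192.168.1.253/24",
    "vlan 10": "10.10.10.1/24",
}

TACACS_PORT = 49  # TCP port TAM listens on and expects the client to talk to

# Matches the trailing message field of the warning quoted in the post.
_INVALID_SRC = re.compile(
    r"Invalid Source IP or port number\(from (\d{1,3}(?:\.\d{1,3}){3}):(\d+)\)"
)


def parse_rejected_sources(lines):
    """Return (ip, port) for every 'Invalid Source IP or port number' warning."""
    found = []
    for line in lines:
        fields = [f.strip() for f in line.split(" ; ")]
        if len(fields) < 9:
            continue  # not a full TAM record; skip rather than guess
        match = _INVALID_SRC.search(fields[-1])
        if match:
            found.append((match.group(1), int(match.group(2))))
    return found


def interface_for_ip(ip, interfaces):
    """Name of the interface whose configured address equals ip, or None."""
    target = ipaddress.ip_address(ip)
    for name, cidr in interfaces.items():
        if ipaddress.ip_interface(cidr).ip == target:
            return name
    return None


def suggest_fix(lines, imc_ip, interfaces):
    """Diagnose each rejected source and build the IOS source-interface fix.

    A rejection is reported as a source-address mismatch when the rejected IP
    differs from the address iMC registered for the device; the fix names the
    interface that carries the iMC address. A bad port is reported separately.
    """
    results = []
    for src_ip, src_port in parse_rejected_sources(lines):
        entry = {"rejected_source": f"{src_ip}:{src_port}", "fix": None,
                 "sent_from": interface_for_ip(src_ip, interfaces),
                 "imc_expects": imc_ip}
        if src_port != TACACS_PORT:
            entry["problem"] = "port"
        elif src_ip != imc_ip:
            entry["problem"] = "source-ip"
            right_if = interface_for_ip(imc_ip, interfaces)
            if right_if:
                entry["fix"] = f"ip tacacs source-interface {right_if}"
        else:
            entry["problem"] = "unknown"  # address matches; look elsewhere
        results.append(entry)
    return results


if __name__ == "__main__":
    for r in suggest_fix(TAM_LOG_LINES, IMC_DEVICE_IP, SWITCH_INTERFACES):
        print(f"rejected {r['rejected_source']} (sent from {r['sent_from']}), "
              f"iMC expects {r['imc_expects']} -> {r['fix'] or 'no fix derived'}")
```

Run against the constructed log it reports that 192.168.1.253 came from `vlan 1`, that iMC expects 10.10.10.1, and proposes `ip tacacs source-interface vlan 10`, which is exactly the line applied above. The same logic applies to any device whose iMC-registered address is not the one closest to the server.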
