SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Tacacs access

    Posted 04-15-2015 20:06

    Hello,

     

    I have an issue trying to set up TACACS+ access on an SRX220H2 running 12.1X44-D20.3. I followed the general procedure but am facing an issue with the following error messages whenever I try to log in via TACACS+:

     

    %AUTH-5-SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user '

    %DAEMON-5-UI_TACPLUS_ERROR: TACACS+ failure: Could not bind on socket: Can't assign requested address

     

    I am accessing the device from zone A, but the TACACS+ server is in zone B. We are sourcing the TACACS+ requests from the IP on the interface in zone B, but we do not have any policy for intra-zone traffic. Do we need one?

    How does TACACS+ query for the user: does it use the interface the request is coming in on, or the interface the TACACS+ server is on?

     

    I need urgent help, thank you.

     

    LG




  • 2.  RE: Tacacs access

     
    Posted 04-15-2015 22:32

    HI,

     

    You need to create a policy that allows traffic from zone A to zone B to allow access to the TACACS+ server (if the server is in zone B).

    Why not source the TACACS+ request from the zone the TACACS+ server is in (zone B)?

     

    TACACS+ can be sourced from an interface (IP) you configure; see the example below:

     

    10.11.11.2 {
        secret "TOPSECRETHIDDENSECURITYKEY"; ## SECRET-DATA
        timeout 5;
        single-connection;
        source-address 10.11.12.4;
    }



  • 3.  RE: Tacacs access

    Posted 04-16-2015 06:57

    That is what I have; I am sourcing my TACACS+ with the interface, and it is working. Below is my snippet with the sanitized configuration:

     

    authentication-order [ tacplus password ];
    root-authentication {
        encrypted-password "$1$Wmasdfsak$oB78zC4.XpHi09hepuIL9."; ## SECRET-DATA
    }
    name-server {
        200.200.200.20;
        100.100.100.20;
    }
    tacplus-server {
        192.168.1.1 {
            port 49;
            secret "$9$LvB7b2aZUDjkfTlMasdsadasGDk.P5Qz3"; ## SECRET-DATA
        }
    }
    tacplus-options {
        no-cmd-attribute-value;
    }
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus {
                server {
                    192.168.1.1 {
                        port 49;
                        secret "$9$1ITErvLxN-dw4afdsafyrWLx7-wYgoJZU"; ## SECRET-DATA
                        source-address 10.10.10.1;
                    }
                }
            }
        }
    }

     

    user ADMIN {
        uid 2003;
        class super-user;
    }

     

    Route to the tacacs server:

    show route 192.168.1.1

    inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 27w0d 17:29:47
    > to 10.10.100.2 via ge-0/0/3.0

    vrfa.inet.0: 95 destinations, 97 routes (95 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    192.168.1.1 *[Static/5] 20w6d 11:34:05
    > to 10.10.10.2 via ge-0/0/2.0

     

    set routing-instances vrfa routing-options static route 192.168.1.0/24 next-hop 10.10.10.2

     

     

    Also, each time I try to connect using TACACS+, I am getting the following syslog message on the console:

     

    Message from syslogd@FWA at Apr 16 21:37:09.700 2015 ...
    FWA sshd[44946]: tac_send_authen: connect: timed out

     

     

    In the log messages:

     

    Apr 16 21:27:47.396 2015 FWA mgd[44936]: %DAEMON-5-UI_TACPLUS_ERROR: TACACS+ failure: Could not bind on socket: Can't assign requested address
    Apr 16 21:37:09.700 2015 FWA sshd[44946]: %AUTH-2: tac_send_authen: connect: timed out
    Apr 16 21:37:09.719 2015 FWA sshd: %AUTH-5-SSHD_LOGIN_FAILED: Login failed for user 'user1' from host '172.1.1.2'
    Apr 16 21:37:09.721 2015 FWA sshd[44946]: %AUTH-6: Failed password for user1 from 172.1.1.2 port 34554 ssh2
    Apr 16 21:37:13.906 2015 FWA sshd[44946]: %AUTH-2: tac_send_authen: connect: timed out
    Apr 16 21:37:13.912 2015 FWA sshd: %AUTH-5-SSHD_LOGIN_FAILED: Login failed for user 'user1' from host '172.1.1.2'
    Apr 16 21:37:13.917 2015 FWA sshd[44946]: %AUTH-6: Failed password for user1 from 172.1.1.2 port 34554 ssh2
    Apr 16 21:37:23.188 2015 FWA sshd[44946]: %AUTH-2: tac_send_authen: connect: timed out
    Apr 16 21:37:23.192 2015 FWA sshd: %AUTH-5-SSHD_LOGIN_FAILED: Login failed for user 'user1' from host '172.1.1.2'
    Apr 16 21:37:23.197 2015 FWA sshd[44946]: %AUTH-6: Failed password for user1 from 172.1.1.2 port 34554 ssh2
    Apr 16 21:37:38.514 2015 FWA sshd: %AUTH-5-SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user 'user1'
    Apr 16 21:37:38.520 2015 FWA sshd[44946]: %AUTH-6: Disconnecting: Too many password failures for user1 [preauth]
    Apr 16 21:37:38.537 2015 FWA inetd[1349]: %DAEMON-4: /usr/sbin/sshd[44946]: exited, status 255

     

     

    The route to the IP that I am coming from, to the switch:

    show route 172.1.1.2

    inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 27w0d 17:38:44
    > to 10.10.100.2 via ge-0/0/3.0

    vrfa.inet.0: 95 destinations, 97 routes (95 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    172.1.1.1/30 *[Static/5] 2w6d 09:58:38
    > to 10.10.200.2 via ge-0/0/0.0
    [OSPF/150] 2w4d 00:09:20, metric 0, tag 0
    > to 10.10.200.2 via ge-0/0/0.0

     

     

    gargolek
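Added example, not part of the thread: a small Python triage script for log lines like the ones in the post above. The sample log is constructed to mirror the posted excerpt (hostname FWA, user user1, client 172.1.1.2, timestamps copied from it). The point of the script is that the excerpt actually contains two different failure signatures, a one-off mgd bind error (the source address could not be bound, EADDRNOTAVAIL on the FreeBSD-based RE) and repeated sshd connect timeouts (TCP/49 never answered), and between them every login attempt is being checked against the local password database; separating those is what you want before deciding whether this is a source-address problem or a reachability problem.

```python
"""Triage Junos TACACS+ login failures from syslog.

Groups the messages an SRX emits when the TACACS+ server cannot be used,
so that "cannot bind the source address" is told apart from "TCP/49 never
connects", and counts the local password checks that happen meanwhile.
"""
import re
from collections import Counter

# Constructed sample, shaped like the excerpt posted in the thread.
SAMPLE_LOG = """\
Apr 16 21:27:47.396 2015 FWA mgd[44936]: %DAEMON-5-UI_TACPLUS_ERROR: TACACS+ failure: Could not bind on socket: Can't assign requested address
Apr 16 21:37:09.700 2015 FWA sshd[44946]: %AUTH-2: tac_send_authen: connect: timed out
Apr 16 21:37:09.719 2015 FWA sshd: %AUTH-5-SSHD_LOGIN_FAILED: Login failed for user 'user1' from host '172.1.1.2'
Apr 16 21:37:09.721 2015 FWA sshd[44946]: %AUTH-6: Failed password for user1 from 172.1.1.2 port 34554 ssh2
Apr 16 21:37:13.906 2015 FWA sshd[44946]: %AUTH-2: tac_send_authen: connect: timed out
Apr 16 21:37:13.912 2015 FWA sshd: %AUTH-5-SSHD_LOGIN_FAILED: Login failed for user 'user1' from host '172.1.1.2'
Apr 16 21:37:13.917 2015 FWA sshd[44946]: %AUTH-6: Failed password for user1 from 172.1.1.2 port 34554 ssh2
Apr 16 21:37:23.188 2015 FWA sshd[44946]: %AUTH-2: tac_send_authen: connect: timed out
Apr 16 21:37:23.192 2015 FWA sshd: %AUTH-5-SSHD_LOGIN_FAILED: Login failed for user 'user1' from host '172.1.1.2'
Apr 16 21:37:23.197 2015 FWA sshd[44946]: %AUTH-6: Failed password for user1 from 172.1.1.2 port 34554 ssh2
Apr 16 21:37:38.514 2015 FWA sshd: %AUTH-5-SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user 'user1'
Apr 16 21:37:38.520 2015 FWA sshd[44946]: %AUTH-6: Disconnecting: Too many password failures for user1 [preauth]
"""

# One pattern per signature; all taken from the message formats in the excerpt.
BIND_RE = re.compile(r"UI_TACPLUS_ERROR: .*Could not bind on socket: (?P<reason>.+)$")
CONNECT_RE = re.compile(r"tac_send_authen: connect: (?P<reason>.+)$")
LOGIN_FAIL_RE = re.compile(r"SSHD_LOGIN_FAILED: Login failed for user '(?P<user>[^']+)' from host '(?P<host>[^']+)'")
THRESHOLD_RE = re.compile(r"SSHD_LOGIN_ATTEMPTS_THRESHOLD: .*reached by user '(?P<user>[^']+)'")
LOCAL_PW_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<host>\S+) port")


def triage(lines):
    """Count the TACACS+ failure signatures and the logins they affected."""
    r = {
        "bind_errors": Counter(),       # reason -> count (source address not bindable)
        "connect_failures": Counter(),  # reason -> count (no TCP/49 reachability)
        "login_failures": Counter(),    # (user, host) -> count
        "local_password_checks": 0,     # fall-through to the local password database
        "lockouts": [],                 # users that hit the sshd attempt threshold
    }
    for line in lines:
        if m := BIND_RE.search(line):
            r["bind_errors"][m["reason"]] += 1
        elif m := CONNECT_RE.search(line):
            r["connect_failures"][m["reason"]] += 1
        elif m := LOGIN_FAIL_RE.search(line):
            r["login_failures"][(m["user"], m["host"])] += 1
        elif m := THRESHOLD_RE.search(line):
            r["lockouts"].append(m["user"])
        elif LOCAL_PW_RE.search(line):
            r["local_password_checks"] += 1
    return r


def diagnose(r):
    """Turn the counts into the checks an operator should run next."""
    hints = []
    for reason, n in r["bind_errors"].items():
        hints.append(f"bind() failed {n}x ({reason}): the configured source-address "
                     "is not an address the TACACS+ client can bind in the routing "
                     "instance it runs in; compare it with 'show interfaces terse' "
                     "and the tacplus-server / accounting source-address settings")
    for reason, n in r["connect_failures"].items():
        hints.append(f"connect() to TCP/49 failed {n}x ({reason}): check the route "
                     "to the server from inet.0 with 'show route <server> table "
                     "inet.0' and the return path to the source address")
    if r["local_password_checks"]:
        hints.append(f"{r['local_password_checks']} local password checks followed "
                     "the TACACS+ failures: logins are falling through to the local "
                     "database, so the local accounts are doing the authentication")
    if r["lockouts"]:
        hints.append("sshd attempt threshold reached for: "
                     + ", ".join(sorted(set(r["lockouts"]))))
    return hints


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG.splitlines())
    for key in ("bind_errors", "connect_failures", "login_failures"):
        print(f"{key}: {dict(summary[key])}")
    print(f"local_password_checks: {summary['local_password_checks']}")
    for hint in diagnose(summary):
        print(" -", hint)
```

Feed it `show log messages | match "tacplus|tac_send|SSHD_LOGIN"` output from the device, or the same lines from the syslog collector; a bind error without connect failures points at the source-address, connect failures without a bind error point at routing.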



  • 4.  RE: Tacacs access

     
    Posted 04-15-2015 23:20

    I am not sure if it's a policy issue. Can you ping the TACACS+ server from the SRX?



  • 5.  RE: Tacacs access

    Posted 04-16-2015 07:02

    I can only ping from the interface that the TACACS+ server is also residing on:

    show route 192.168.1.1

    inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 27w0d 17:44:56
    > to 10.10.100.2 via ge-0/0/3.0

    vrfa.inet.0: 95 destinations, 97 routes (95 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    192.168.1.0/24 *[Static/5] 20w6d 11:49:14
    > to 10.10.10.2 via ge-0/0/2.0

    ping 192.168.1.1
    PING 192.168.1.1 (192.168.1.1): 56 data bytes
    ^C
    --- 192.168.1.1 ping statistics ---
    4 packets transmitted, 0 packets received, 100% packet loss

    ping 192.168.1.1 source 10.10.10.1 routing-instance vrfa
    PING 192.168.1.1 (192.168.1.1): 56 data bytes
    64 bytes from 192.168.1.1: icmp_seq=0 ttl=59 time=21.479 ms
    64 bytes from 192.168.1.1: icmp_seq=1 ttl=59 time=21.403 ms
    64 bytes from 192.168.1.1: icmp_seq=2 ttl=59 time=19.847 ms
    64 bytes from 192.168.1.1: icmp_seq=3 ttl=59 time=19.432 ms
    ^C
    --- 192.168.1.1 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 19.432/20.540/21.479/0.913 ms

     

    Thanks,

     

     



  • 6.  RE: Tacacs access

     
    Posted 04-16-2015 07:45
    Try this

    set routing-options static route 192.168.1.1 next-table vrfa.inet.0
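Putting replies 2 and 6 together, here is an added example configuration; it is not from any of the posts. The server address, the instance name vrfa, the interface and the source address are taken from the thread; the zone name zone-a and the secret placeholder are assumed. Two things the posted config and logs show that are worth stating plainly: the tacplus-server stanza has no source-address while the accounting stanza does, so authentication and accounting are not sourced the same way; and the ping test in reply 5 only succeeds with routing-instance vrfa, which is why the SRX's own TACACS+ session, looked up in inet.0 by default, needs the next-table route. Until that is fixed, every login made while the server times out is being checked against the local password database (the Failed password line after each timeout), so the local accounts are the ones really authenticating users.

```junos
## Added example, not from the original posts. Assumes: TACACS+ server
## 192.168.1.1 is reachable only inside routing instance vrfa via 10.10.10.2,
## 10.10.10.1 is the SRX address on ge-0/0/2.0 in vrfa, and SSH clients
## arrive in a security zone called zone-a (name assumed).

## 1. Source authentication and accounting from the same local address, so
##    bind() uses an address that exists on the box and the server sees one
##    consistent client address.
set system tacplus-server 192.168.1.1 port 49
set system tacplus-server 192.168.1.1 secret "<shared-secret>"
set system tacplus-server 192.168.1.1 timeout 5
set system tacplus-server 192.168.1.1 single-connection
set system tacplus-server 192.168.1.1 source-address 10.10.10.1
set system accounting destination tacplus server 192.168.1.1 source-address 10.10.10.1

## 2. The SRX's own TACACS+ session is routed from inet.0, which only holds
##    the 0.0.0.0/0 default; hand that lookup to the instance that knows the
##    server (the fix suggested in reply 6).
set routing-options static route 192.168.1.1/32 next-table vrfa.inet.0

## 3. Let the SSH session itself reach the RE from the client's zone. The
##    SRX's outbound TACACS+ traffic is self-originated and is not evaluated
##    against zone-to-zone security policies.
set security zones security-zone zone-a host-inbound-traffic system-services ssh
```

After committing, `ping 192.168.1.1 source 10.10.10.1` should now succeed without the `routing-instance vrfa` argument, `show route 192.168.1.1 table inet.0` should show the next-table route, and a fresh login should produce no `tac_send_authen` or `UI_TACPLUS_ERROR` lines in `show log messages`.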