I am integrating CA PAM with a TACACS+ server. All configuration shows correct, as the TACACS+ events show that authentication from the CA PAM user is successful, but on the other hand CA PAM shows the server is not available and login fails.
Has anybody faced such issues? Any pointers?
If it is an AD account which is mapped with TACACS+ for authentication and authorization, I think you can do it.
1) Define an application with application type as Cisco
2) In Accounts, define an account and select the application created in step 1. Under Account type select TACACS+,
Select Connect As: This account
Access Privilege As: This account.
This works for me. Let me know if this helps for you as well.
Thanks a lot for your response, but currently what I am trying to achieve is to authenticate the PAM user with TACACS+ at their login time.
Do let me know if you have such scenarios or can assist on the same.
Thanks again, mate, for all the assistance.
What version of PAM are you testing this on?
I do see the same behavior on PAM 2.5:
Wed May 11 23:34:45 2016 : authorization query for 'jonathanm' Virtual00 from 10.130.73.92 accepted
Details—User jonathanm cannot be authorized. Make sure the server is available. TACACS+
Message 18002: Bad User ID (jonathanm) or Password.
I am using PAM 2.5 and it's the same error I am facing.
I will keep you posted if there is any progress on the same, and likewise if you hit any door please share the same.
I would suggest a couple of things:
1. Log in to the Cisco router and run a show run to make sure the TACACS+ server is selected
2. Log in to the TACACS+ ACS server user interface to look into the user you are trying to manage and see its properties
3. Retry the login procedure, but outside CA PAM. What PAM is doing when managing a TACACS+ account is basically hitting Enter whenever it receives the prompt from the Cisco router, and that triggers a "Change your password" prompt. See if, when you do this manually for that user by SSHing to the Cisco router, you are able to hit Enter and change the password. If you get an error there, don't go further: if you can't do it directly from outside PAM, PAM won't be able to do it either
4. If 3 works, then if you have a user local to TACACS+ (one which is not AD integrated), try that one. If that one works, then the problem will be with the communication with AD
5. If 3 or 4 are unclear or still do not work, repeat the procedure and get the catalina log. That one will tell you exactly what PAM is doing
Ultimately, if you can't sort it out, please open a case with CA Support. We will be happy to assist :-)
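Added example, not code from the thread or from CA: while checking the server side (steps 2 and 5 above) it helps to tally what the TACACS+ server log says about the PAM appliance's own requests, so that "server not available" on the PAM side can be compared with what the server actually accepted. The parser below matches the log line format quoted earlier in the thread; only the first sample line is from the thread, the others are constructed, and treating the word before "query for" as the request kind is an assumption.

```python
import re
from collections import defaultdict

# Pattern assumed from the one server log line quoted in the thread:
# "Wed May 11 23:34:45 2016 : authorization query for 'jonathanm' Virtual00 from 10.130.73.92 accepted"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : "
    r"(?P<kind>\w+) query for '(?P<user>[^']+)' (?P<port>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<result>accepted|rejected)$"
)

def parse_line(line):
    """Return the fields of one server log line, or None when the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, pam_ip):
    """Count accepted/rejected queries per (user, kind); requests not from the PAM address are counted separately."""
    counts = defaultdict(lambda: {"accepted": 0, "rejected": 0, "other_src": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated log noise
        key = (ev["user"], ev["kind"])
        if ev["src"] != pam_ip:
            counts[key]["other_src"] += 1
        else:
            counts[key][ev["result"]] += 1
    return dict(counts)

def accepted_from_pam(summary, user):
    """Kinds of request the server accepted for `user` when they came from the PAM appliance."""
    return sorted(kind for (u, kind), c in summary.items() if u == user and c["accepted"] > 0)

# Constructed sample log: line 1 is quoted from the thread, the rest are made up for illustration.
SAMPLE_LOG = [
    "Wed May 11 23:34:45 2016 : authorization query for 'jonathanm' Virtual00 from 10.130.73.92 accepted",
    "Wed May 11 23:34:44 2016 : login query for 'jonathanm' Virtual00 from 10.130.73.92 accepted",
    "Wed May 11 23:36:02 2016 : login query for 'jonathanm' Virtual00 from 10.130.73.92 rejected",
    "Wed May 11 23:37:10 2016 : authorization query for 'opsadmin' tty1 from 192.0.2.10 accepted",
    "this line is unrelated noise and is skipped",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG, "10.130.73.92")
    for (user, kind), c in sorted(summary.items()):
        print(f"{user:10} {kind:14} {c}")
    print("accepted from PAM for jonathanm:", accepted_from_pam(summary, "jonathanm"))
```

If the server shows the PAM address being accepted for a user while PAM itself reports the server as unavailable, the failure is on the PAM side of the exchange, which is where the catalina log from step 5 comes in.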
Did you resolve your problem? I use CA PAM version 2.6 and I saw the same issue as you.
Hi Moiz. TACACS is like LDAP and RADIUS in that you have to add a group to CA PAM. Did you create a TACACS group in CA PAM after adding TACACS on the 3rd party page?