topic Re: AAA problem in Network Access Control

AAA problem

Amira Saad — Mon, 11 Mar 2019 03:27:09 GMT

I have aaa server can be used to authenticate my router and switches but suddenly when i tried to login to some of my routers using ACS Accounts i got this message "% 1 is not an open connection" but when i remove the authentication using the ACS , i can login locally smothly without any problem

AAA problem

Subeh Sharma — Tue, 21 May 2013 17:00:21 GMT

Hi Amira,

can you paste the activity you perform when you get this message. Also, when you get this message does the authentication is successful or not?

Regards,

Subeh

AAA problem

Jatin Katyal — Wed, 22 May 2013 00:17:44 GMT

From the problem description, it seems you are facing this issue only when we have AAA configured.

When you attempt to connect and receive an error message "% 1 is not an open connection". Do you also see any corresponding hits on ACS as well?

Can you turn on the debugs when you have this problem and send it over for my analysis.

(Guess you are using tacacs in case not then use radius)

debug tacacs

debug aaa authen

debug aaa autho

from the router/switch, please provide;

show users

show line

In case we need to delete any session on the line.

clear tcp line vty

Do provide show run and show version from the device.

Jatin Katyal

- Do rate helpful posts -

Re: AAA problem

Amira Saad — Wed, 22 May 2013 06:16:19 GMT

HI Subeh

I just try to type the username and pass of my ACS account and this error messgae appear when i type the username and pass and it can not log me in to the router although i tried by my ACS account using the console and i can log in to the router

Re: AAA problem

Amira Saad — Wed, 22 May 2013 06:52:30 GMT

Hi Jatin

Yes i found hits in my ACS administration log

and when i type WHO , i found only my line VTY which i make debug from it through it and attached my debug when authenticate using AAA account

Re: AAA problem

Jatin Katyal — Wed, 22 May 2013 08:28:13 GMT

Why we are looking at tacacs administration logs? We need to check tacacs authentication logs i.e failed attempts in case we have ACS 4.x or tacacs authentication in case we have acs 5.x

From debugs I can see authentication and authorization successful.

TPLUS: Received authen response status PASS (2)

AAA/AUTHOR/EXEC(00000043): Authorization successful

I requested show run in my last post. can you please attach the same if not then please provide the below listed outputs:

show run | in aaa

show run | in tacacs

show run | beg line

Jatin Katyal

- Do rate helpful posts -

Re: AAA problem

Amira Saad — Wed, 22 May 2013 08:39:39 GMT

yes i saw that the authentication is done good but my status was after cuting of power to all my data center and i was able to use my aaa account before this incident smoothly , attached the requested show

Re: AAA problem

Jatin Katyal — Wed, 22 May 2013 09:22:30 GMT

The configuration looks fine. I see the vty lines are configured for line password and privilege but aaa commands shows you have local method in place.

did you try to clear the tcp session?

can you run turn on the debugs ( we don't need debug aaa accounting)

debug tacacs

debug aaa authentication

debug aaa authorization

run the below listed command with tacacs username and password.

test aaa group tacacs+ leg

Jatin Katyal

- Do rate helpful posts -

Re: AAA problem

Amira Saad — Wed, 22 May 2013 09:58:50 GMT

when i tried to clear TCP line vty , i got the following :

*May 22 10:12:19.463: AAA/AUTHOR: auth_need : user= 'blombank' ruser= 'HQ_VocieGW1'rem_addr= '10.30.28.1' priv= 15 list= '' AUTHOR-TYPE= 'command'

*May 22 10:12:19.463: TPLUS: Queuing AAA Accounting request 50 for processing

*May 22 10:12:19.463: TPLUS: processing accounting request id 50

*May 22 10:12:19.463: TPLUS: Sending AV task_id=297

*May 22 10:12:19.467: TPLUS: Sending AV timezone=UTC

*May 22 10:12:19.467: TPLUS: Sending AV service=shell

*May 22 10:12:19.467: TPLUS: Sending AV priv-lvl=15

*May 22 10:12:19.467: TPLUS: Sending AV cmd=clear tcp line vty 0

*May 22 10:12:19.467: TPLUS: Accounting request created for 50(blombank)

*May 22 10:12:19.467: TPLUS: using previously set server 10.7.11.112 from group tacacs+

*May 22 10:12:19.467: TPLUS(00000032)/0/NB_WAIT/78472D48: Started 5 sec timeout

*May 22 10:12:19.467: TPLUS(00000032)/0/NB_WAIT: socket event 2

*May 22 10:12:19.467: TPLUS(00000032)/0/NB_WAIT: wrote entire 126 bytes request

*May 22 10:12:19.467: TPLUS(00000032)/0/READ: socket event 1

*May 22 10:12:19.467: TPLUS(00000032)/0/READ: Would block while reading

*May 22 10:12:19.551: TPLUS(00000032)/0/READ: socket event 1

*May 22 10:12:19.551: TPLUS(00000032)/0/READ: read entire 12 header bytes (expect 5 bytes data)

*May 22 10:12:19.551: TPLUS(00000032)/0/READ: socket event 1

[confirm]

*May 22 10:12:19.551: TPLUS(00000032)/0/READ: read entire 17 bytes response

*May 22 10:12:19.551: TPLUS(00000032)/0/78472D48: Processing the reply packet

*May 22 10:12:19.551: TPLUS: Received accounting response with status PASS

[confirm]

%Clear TCP failed: line 706 doesn't exist or doesn't have TCP

and attached the debug output

AAA problem

Jatin Katyal — Wed, 22 May 2013 10:15:33 GMT

the attached debugs were not captured correctly. I don't see the authentication and authorization debugs for a test.

What did you see on the router, when you ran the test command?

Jatin Katyal

- Do rate helpful posts -

Re: AAA problem

Amira Saad — Wed, 22 May 2013 10:24:28 GMT

the test command can not be applied on router

NOTE : some of other router which authenticate using ACS account is working but others not

kindly find attached

Re: AAA problem

Jatin Katyal — Wed, 22 May 2013 10:33:12 GMT

Could you please check ACS user/group setup and see if there is some auto-command configured?

Jatin Katyal

- Do rate helpful posts -

Re: AAA problem

Amira Saad — Wed, 22 May 2013 10:50:41 GMT

kindly note some other routers , i can login using ACS account

Re: AAA problem

Amira Saad — Wed, 22 May 2013 12:38:04 GMT

thank you jatin

thank you very much

really when i removed the auto command check box all is ok now with me

Re: AAA problem

Jatin Katyal — Wed, 22 May 2013 12:42:18 GMT

Hi Amira,

Yes, I see this coming in your tacacs authorization Response and I am not sure why we are pushing this value in autocmd. Also mark this thread resolved so that other's can take benefit out of it, in case they are facing the same issue.

have a blessed day.

Jatin Katyal

- Do rate helpful posts -