Hi,
I am getting aaa/authen status = error messages when I am debugging the aaa authentication.
TACACS is very much reachable, with no request timeouts.
Sometimes it authenticates with TACACS. Many times it authenticates with local.
The enable password is always authenticating with local.
I am not finding any failure log in ACS.
AAA server is Cisco Secure ACS 1121 - 5.2 Version
AAA client is a Cisco 2950 switch.
Can anyone help?
If you can send your 2950 aaa config, it might help, but I'm guessing you need something like the following to make the switch check TACACS (ACS) first, then look local when going into priv exec:
aaa authentication enable default group tacacs+ local
Just a guess, since I've never seen that error, but if you can show your aaa config it would help eliminate that as a problem.
--Chris
Hi Chris,
Thanks for your reply. This is my switch config.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
tacacs-server host 10.1.7.150
tacacs-server key tatasky
line vty 0 4
transport preferred telnet
login authentication default
Your aaa authentication config looks right to me. As I'm sure you know, according to your config, if the ACS is available, then your switch should never look locally for authentication. (If ACS can't find a valid account, it will send back a deny message, and the switch will not allow access, regardless of whether the user account is present locally.) So I'm kinda stuck there.
Any chance you could run 'debug aaa authentication', log in and enable, then paste the (sanitized) log results? Otherwise, there should be log entries that say something like:
May 23 15:45:11.888 ZULU: TAC+: (-000000000): received author response status = PASS_ADD
May 23 15:45:11.999 ZULU: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
The first one indicates successful communication with the ACS, and the second verifies that TELNET logins map to the default method (aaa authentication login default group tacacs+ local)
49w4d: TAC+: send AUTHEN/START packet ver=192 id=2520983360
49w4d: AAA/AUTHEN (2520983360): status = ERROR
49w4d: AAA/AUTHEN/START (2520983360): Method=LOCAL
This is the error log when I am debugging.
Reachability of the AAA server is 10000/10000 ping requests.
The AAA client is added already.
As per the debugs, it seems like authentication is hitting the local database.
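The two replies above turn on one IOS method-list rule: a method that returns ERROR (server unreachable, no usable response) makes the switch move to the next method in the list, while FAIL (an explicit deny from ACS) ends the list with access refused. The poster's trace shows exactly the first case: TACACS+ is tried, the method reports "status = ERROR", and the next method, LOCAL, takes over. Below is an added example (not code from this thread or from Cisco) that parses debug output of the shape pasted above, groups lines by AAA session id, and flags the sessions where a login was decided by the local database only because TACACS+ errored, which is the event a practitioner would want to alert on, since it means the central policy was bypassed. The sample lines are constructed: the first session reproduces the poster's trace, the other two are invented to show a healthy TACACS+ pass and an explicit TACACS+ deny. The assumption that a PASS or FAIL line follows each decision, and the status names PASS and FAIL, are taken from standard IOS AAA debug output; the session ids 1111111111 and 2222222222 are made up.

```python
import re
from collections import defaultdict

# Constructed sample debug output, modelled on the lines pasted in the thread.
# Session 2520983360 reproduces the poster's trace (TACACS+ ERROR, then LOCAL);
# sessions 1111111111 and 2222222222 are invented to show a clean TACACS+ pass
# and an explicit TACACS+ deny, which must NOT fall back to local.
SAMPLE_DEBUG = """\
49w4d: TAC+: send AUTHEN/START packet ver=192 id=2520983360
49w4d: AAA/AUTHEN (2520983360): status = ERROR
49w4d: AAA/AUTHEN/START (2520983360): Method=LOCAL
49w4d: AAA/AUTHEN (2520983360): status = PASS
49w4d: TAC+: send AUTHEN/START packet ver=192 id=1111111111
49w4d: AAA/AUTHEN (1111111111): status = PASS
49w4d: TAC+: send AUTHEN/START packet ver=192 id=2222222222
49w4d: AAA/AUTHEN (2222222222): status = FAIL
"""

# A TAC+ AUTHEN/START send means the TACACS+ method was tried for that session id.
TACACS_START = re.compile(r"TAC\+: send AUTHEN/START packet .*\bid=(\d+)")
# Result of the method currently in use (PASS / FAIL / ERROR).
STATUS = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
# The method list moving on to another method, e.g. Method=LOCAL.
METHOD = re.compile(r"AAA/AUTHEN/START \((\d+)\): Method=(\w+)")


def parse_sessions(text):
    """Group debug lines by AAA session id into an ordered list of events."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = TACACS_START.search(line)
        if m:
            sessions[m.group(1)].append(("method", "TACACS+"))
            continue
        m = METHOD.search(line)
        if m:
            sessions[m.group(1)].append(("method", m.group(2)))
            continue
        m = STATUS.search(line)
        if m:
            sessions[m.group(1)].append(("status", m.group(2)))
    return sessions


def classify(events):
    """Return (final_method, final_status, fell_back_to_local).

    IOS method-list semantics: ERROR from a method means "try the next method",
    FAIL is a definitive deny and stops the list. So LOCAL being selected right
    after TACACS+ reported ERROR is the server-error fallback seen in the thread.
    """
    current = None
    final_status = None
    fallback = False
    for kind, value in events:
        if kind == "method":
            if current == "TACACS+" and final_status == "ERROR" and value == "LOCAL":
                fallback = True
            current = value
        else:
            final_status = value
    return current, final_status, fallback


def fallback_sessions(text):
    """Session ids whose login was decided locally after TACACS+ returned ERROR."""
    return sorted(sid for sid, ev in parse_sessions(text).items() if classify(ev)[2])


if __name__ == "__main__":
    for sid, ev in parse_sessions(SAMPLE_DEBUG).items():
        print(sid, classify(ev))
    print("fallback to local:", fallback_sessions(SAMPLE_DEBUG))
```

Run against the poster's real debug output, the flagged sessions are the ones to correlate with the ACS logs: a session that the switch decided locally will have no failure record on ACS at all, which matches the "I am not finding any failure log in ACS" observation, because ACS never produced an answer that the switch accepted.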
Did you try telnet from the device?
telnet
Also add this command if it is not configured already:
ip tacacs source-interface
In case it doesn't work, run:
debug aaa authen
debug tacacs
Let me know how it goes.
Regards,
Jatin