

AAA/AUTHEN (2520983360): status = ERROR


I am getting aaa/authen status = error messages when I am debugging the aaa authentication.

TACACS is very much reachable with no request timeout.

Sometimes it's authenticating with TACACS. Many times it's authenticating with local.

For the enable password, it's always authenticating with local.

I am not finding any failure log in ACS.

AAA server is Cisco Secure ACS 1121 - 5.2 Version

AAA Client is Cisco 2950 Switch.

Can anyone help?


If you can send your 2950 aaa config, it might help, but I'm guessing you need something like the following to make the switch check TACACS (ACS) first, then look local when going into priv exec:

     aaa authentication enable default group tacacs+ local

Just a guess, since I've never seen that error, but if you can show your aaa config it would help eliminate that as a problem.


Hi Chris,

Thanks for your reply. This is my switch config.

     aaa new-model
     aaa authentication login default group tacacs+ local
     aaa authentication enable default group tacacs+ enable
     tacacs-server host
     tacacs-server key tatasky
     line vty 0 4
      transport preferred telnet
      login authentication default

Your aaa authentication config looks right to me.  As I'm sure you know, according to your config, if the ACS is available, then your switch should never look locally for authentication.  (If ACS can't find a valid account, it will send back a deny message, and the switch will not allow access, regardless if the user account is present locally)  So I'm kinda stuck there.

Any chance you could 'debug aaa authentication,' login and enable, then paste the (sanitized) log results?  Otherwise, there should be log entries that say something like:

     May 23 15:45:11.888 ZULU: TAC+: (-000000000): received author response status = PASS_ADD

     May 23 15:45:11.999 ZULU: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'

The first one indicates successful communication with the ACS, and the second verifies that TELNET logins map to the default method (aaa authentication login default group tacacs+ local)

     49w4d: TAC+: send AUTHEN/START packet ver=192 id=2520983360
     49w4d: AAA/AUTHEN (2520983360): status = ERROR
     49w4d: AAA/AUTHEN/START (2520983360): Method=LOCAL

This is the error log when I am debugging.

Reachability of the AAA server is 10000/10000 ping requests.

The AAA client is added already.

As per the debugs, it seems like authentication is hitting the local database.

Did you try this from the device:

     telnet 49

Also add this command if not configured already:

     ip tacacs source-interface

In case it doesn't work, then run:

     debug aaa authen
     debug tacacs

Let me know how it goes.
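
Added example (not written by any poster in this thread): a small Python parser for the `debug aaa authentication` / `debug tacacs` output discussed above. It groups lines by AAA session id and flags sessions where a TACACS+ START was sent, the status came back ERROR, and the switch moved on to Method=LOCAL. The PASS and FAIL sample lines and the label names are constructed for illustration.

```python
import re

# Regexes mirror the three debug line shapes quoted in this thread.
PATTERNS = [
    ("tac_start", re.compile(r"TAC\+: send AUTHEN/START packet ver=\d+ id=(\d+)")),
    ("status", re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")),
    ("method", re.compile(r"AAA/AUTHEN/START \((\d+)\): Method=(\S+)")),
]

def parse(lines):
    """Return {session_id: [(kind, value), ...]} preserving log order."""
    sessions = {}
    for line in lines:
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                value = m.group(2) if rx.groups > 1 else None
                sessions.setdefault(m.group(1), []).append((kind, value))
                break
    return sessions

def classify(events):
    """Label one session by how its authentication was decided."""
    chain = [("tac_start", None), ("status", "ERROR"), ("method", "LOCAL")]
    pos = 0
    for ev in events:
        if ev == chain[pos]:
            pos += 1
            if pos == len(chain):
                return "FALLBACK_LOCAL"  # no usable server answer; next method ran
    if ("tac_start", None) in events and ("status", "PASS") in events:
        return "TACACS_PASS"
    if ("tac_start", None) in events and ("status", "FAIL") in events:
        return "TACACS_FAIL"  # explicit reject from the server, no fallback
    return "UNDETERMINED"

def classify_sessions(lines):
    return {sid: classify(ev) for sid, ev in parse(lines).items()}

# First three lines are the debug output from the thread; the rest are constructed.
SAMPLE = [
    "49w4d: TAC+: send AUTHEN/START packet ver=192 id=2520983360",
    "49w4d: AAA/AUTHEN (2520983360): status = ERROR",
    "49w4d: AAA/AUTHEN/START (2520983360): Method=LOCAL",
    "49w4d: TAC+: send AUTHEN/START packet ver=192 id=1111111111",
    "49w4d: AAA/AUTHEN (1111111111): status = PASS",
    "49w4d: TAC+: send AUTHEN/START packet ver=192 id=2222222222",
    "49w4d: AAA/AUTHEN (2222222222): status = FAIL",
]
```

Counting FALLBACK_LOCAL sessions over a captured debug buffer shows how often logins are being decided by the local database instead of ACS, which is also why no failure appears in the ACS logs for those attempts.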


