05-23-2012 06:58 AM - edited 03-10-2019 07:06 PM
Hi,
I am getting "aaa/authen status = error" messages when I am debugging AAA authentication.
TACACS is very much reachable, with no request timeouts.
Sometimes it authenticates with TACACS. Many times it authenticates with local.
The enable password always authenticates with local.
I am not finding any failure log in ACS.
AAA server is Cisco Secure ACS 1121 - 5.2 version
AAA client is Cisco 2950 switch.
Can anyone help?
05-23-2012 07:12 AM
If you can send your 2950 aaa config, it might help, but I'm guessing you need something like the following to make the switch check TACACS (ACS) first, then look local when going into priv exec:
aaa authentication enable default group tacacs+ local
Just a guess, since I've never seen that error, but if you can show your aaa config it would help eliminate that as a problem.
--Chris
05-23-2012 07:25 AM
Hi Chris,
Thanks for your reply. This is my switch config.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
tacacs-server host 10.1.7.150
tacacs-server key tatasky
line vty 0 4
transport preferred telnet
login authentication default
05-23-2012 08:51 AM
Your aaa authentication config looks right to me. As I'm sure you know, according to your config, if the ACS is available, then your switch should never look locally for authentication. (If ACS can't find a valid account, it will send back a deny message, and the switch will not allow access, regardless of whether the user account is present locally.) So I'm kinda stuck there.
Any chance you could 'debug aaa authentication', login and enable, then paste the (sanitized) log results? Otherwise, there should be log entries that say something like:
May 23 15:45:11.888 ZULU: TAC+: (-000000000): received author response status = PASS_ADD
May 23 15:45:11.999 ZULU: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
The first one indicates successful communication with the ACS, and the second verifies that TELNET logins map to the default method (aaa authentication login default group tacacs+ local)
05-23-2012 09:31 AM
49w4d: TAC+: send AUTHEN/START packet ver=192 id=2520983360
49w4d: AAA/AUTHEN (2520983360): status = ERROR
49w4d: AAA/AUTHEN/START (2520983360): Method=LOCAL
This is the error log when I am debugging.
Reachability of the AAA server is 10000/10000 ping requests.
AAA client is added already.
05-23-2012 10:55 AM
As per the debugs, it seems like authentication is hitting the local database.
Did you try from the device:
telnet
Also add this command if not configured already:
ip tacacs source-interface
In case it doesn't work, then run
debug aaa authen
debug tacacs
let me know how it goes.
Regards,
Jatin
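Added example (not from any of the posters): a small parser over the debug lines quoted in this thread that groups them by AAA session id and flags the pattern shown above, a TACACS+ request that ends with status = ERROR followed by Method=LOCAL. In IOS AAA, ERROR means the method could not return an answer (unlike FAIL, which is a rejection), so the switch moves on to the next method in the list; that silent fallback is what a defender wants to detect, because a login completed against the local database leaves no record on ACS. The sample input is constructed from the lines in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: the debug lines quoted in this thread. The timestamp
# prefix differs between uptime ('49w4d:') and datetime formats, so the
# parser matches on the message body only.
SAMPLE_DEBUG = """\
49w4d: TAC+: send AUTHEN/START packet ver=192 id=2520983360
49w4d: AAA/AUTHEN (2520983360): status = ERROR
49w4d: AAA/AUTHEN/START (2520983360): Method=LOCAL
May 23 15:45:11.888 ZULU: TAC+: (-000000000): received author response status = PASS_ADD
May 23 15:45:11.999 ZULU: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
"""

TACACS_SEND_RE = re.compile(r"TAC\+: send AUTHEN/START packet ver=\d+ id=(\d+)")
STATUS_RE = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
METHOD_RE = re.compile(r"AAA/AUTHEN/START \((\d+)\): Method=(\w+)")


def classify_sessions(debug_text):
    """Group 'debug aaa authentication' / 'debug tacacs' output by session id
    and return {session_id: verdict}. The verdict we care about is
    'tacacs_error_local_fallback': the TACACS+ method returned ERROR and the
    switch then picked LOCAL, which is exactly the posted debug."""
    sessions = defaultdict(dict)
    for line in debug_text.splitlines():
        if m := TACACS_SEND_RE.search(line):
            sessions[m.group(1)]["tacacs_sent"] = True
        elif m := STATUS_RE.search(line):
            sessions[m.group(1)].setdefault("statuses", []).append(m.group(2))
        elif m := METHOD_RE.search(line):
            sessions[m.group(1)].setdefault("methods", []).append(m.group(2))

    verdicts = {}
    for sid, info in sessions.items():
        statuses = info.get("statuses", [])
        methods = info.get("methods", [])
        if "ERROR" in statuses and "LOCAL" in methods:
            verdicts[sid] = "tacacs_error_local_fallback"  # centralized AAA bypassed
        elif "ERROR" in statuses:
            verdicts[sid] = "tacacs_error"  # errored, no further method seen yet
        elif "PASS" in statuses or "FAIL" in statuses:
            verdicts[sid] = "tacacs_answered"  # server gave a real verdict
        else:
            verdicts[sid] = "incomplete"
    return verdicts


if __name__ == "__main__":
    for sid, verdict in classify_sessions(SAMPLE_DEBUG).items():
        print(sid, verdict)
```

Feed it the output of 'debug aaa authentication' plus 'debug tacacs' captured from the switch; any session reported as tacacs_error_local_fallback is a login that ACS never saw, which is consistent with the empty ACS failure log described in the first post.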