12-04-2011 11:23 AM - edited 03-10-2019 06:36 PM
Guys,
I hope someone can help me here in troubleshooting AAA issue. I have copied configuration and debug below. The router keeps using local username/password even though ACS servers are reachable and working. From debugs it seems it keeps using 'default' method list ignoring TACACS config. Any help will be appreciated
Config
**********************************
aaa new-model
!
username admin privilege 15 secret 5 xxxxxxxxxx.
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization reverse-access default group tacacs+ local
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
aaa session-id common
!
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 0006140E54xxxxxxxxxx
!
ip tacacs source-interface Vlan200
***************************
Debugs
002344: Dec 5 01:36:03.087 ICT: AAA/BIND(00000022): Bind i/f
002345: Dec 5 01:36:03.087 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
002346: Dec 5 01:36:11.080 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
core01#
002347: Dec 5 01:36:59.404 ICT: AAA: parse name=tty0 idb type=-1 tty=-1
002348: Dec 5 01:36:59.404 ICT: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
002349: Dec 5 01:36:59.404 ICT: AAA/MEMORY: create_user (0x6526934) user='admin' ruser='core01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
002350: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port='tty0' list='' service=CMD
002351: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'
002352: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV service=shell
002353: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd=configure
002354: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=terminal
002355: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=<cr>
002356: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): found list "default"
002357: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)
002358: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): user=admin
002359: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV service=shell
002360: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd=configure
002361: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=terminal
002362: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=<cr>
Enter configuration commands, one per line. End with CNTL/Z.
core01(config)#
002363: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR
002364: Dec 5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL
002365: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD
002366: Dec 5 01:37:04.261 ICT: AAA/MEMORY: free_user (0x6526934) user='admin' ruser='core01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15
core01(config)#
Solved! Go to Solution.
12-05-2011 02:20 PM
Are the tacacs+ servers reachable using the source vlan 200. Also in the tacacs+ server can you check if the IP address for this device is correctly configured and also please check the pwd on both the server and this device match.
As rick suggested sh tacacs would be good as well. That would show failures and successes
HTH
Kishore
12-05-2011 01:49 PM
These debugs would seem to be generated by a user who is already logged in and has entered the command conf t. What we need to see are debug output of when a user is attempting to login to the router/switch.
It would also be helpful if you would post the output of show tacacs
HTH
Rick
12-05-2011 02:20 PM
Are the tacacs+ servers reachable using the source vlan 200. Also in the tacacs+ server can you check if the IP address for this device is correctly configured and also please check the pwd on both the server and this device match.
As rick suggested sh tacacs would be good as well. That would show failures and successes
HTH
Kishore
12-11-2011 12:56 AM
It was as TACACS issue as replication was not working. Thanks for your replies
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide