Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9470
Views
0
Helpful
3
Replies

AAA authentication not working and 'default' method list

Go to solution
a.pawar
Level 1
Level 1

‎12-04-2011 11:23 AM - edited ‎03-10-2019 06:36 PM

Guys,

I hope someone can help me here in troubleshooting AAA issue. I have copied configuration and debug below. The router keeps using local username/password even though ACS servers are reachable and working. From debugs it seems it keeps using 'default' method list ignoring TACACS config. Any help will be appreciated

Config

**********************************

aaa new-model

!

username admin privilege 15 secret 5 xxxxxxxxxx.

!

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization console

aaa authorization exec default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa authorization reverse-access default group tacacs+ local

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

!

aaa session-id common

!

tacacs-server host x.x.x.x

tacacs-server host x.x.x.x

tacacs-server host x.x.x.x

tacacs-server host x.x.x.x

tacacs-server directed-request

tacacs-server key 7 0006140E54xxxxxxxxxx

!

ip tacacs source-interface Vlan200

***************************

Debugs

002344: Dec  5 01:36:03.087 ICT: AAA/BIND(00000022): Bind i/f

002345: Dec  5 01:36:03.087 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'

002346: Dec  5 01:36:11.080 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'

core01#

002347: Dec  5 01:36:59.404 ICT: AAA: parse name=tty0 idb type=-1 tty=-1

002348: Dec  5 01:36:59.404 ICT: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0

002349: Dec  5 01:36:59.404 ICT: AAA/MEMORY: create_user (0x6526934) user='admin' ruser='core01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)

002350: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port='tty0' list='' service=CMD

002351: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'

002352: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV service=shell

002353: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd=configure

002354: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=terminal

002355: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=<cr>

002356: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): found list "default"

002357: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)

002358: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): user=admin

002359: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV service=shell

002360: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd=configure

002361: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=terminal

002362: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=<cr>

Enter configuration commands, one per line.  End with CNTL/Z.

core01(config)#

002363: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR

002364: Dec  5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL

002365: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD

002366: Dec  5 01:37:04.261 ICT: AAA/MEMORY: free_user (0x6526934) user='admin' ruser='core01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15

core01(config)#

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Kishore Chennupati
Level 7
Level 7

‎12-05-2011 02:20 PM

Are the tacacs+ servers reachable using the source vlan 200. Also in the tacacs+ server can you check if the IP address for this device is correctly configured and also please check the pwd on both the server and this device match.

As rick suggested sh tacacs would be good as well. That would show failures and successes

HTH

Kishore

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎12-05-2011 01:49 PM

These debugs would seem to be generated by a user who is already logged in and has entered the command conf t. What we need to see are debug output of when a user is attempting to login to the router/switch.

It would also be helpful if you would post the output of show tacacs

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
Kishore Chennupati
Level 7
Level 7

‎12-05-2011 02:20 PM

Are the tacacs+ servers reachable using the source vlan 200. Also in the tacacs+ server can you check if the IP address for this device is correctly configured and also please check the pwd on both the server and this device match.

As rick suggested sh tacacs would be good as well. That would show failures and successes

HTH

Kishore

0 Helpful

Go to solution
a.pawar
Level 1
Level 1
In response to Kishore Chennupati

‎12-11-2011 12:56 AM

It was as TACACS issue as replication was not working. Thanks for your replies

0 Helpful
Customers Also Viewed These Support Documents