
AAA backup enable mode and Debugging does not work

msara
Level 1

Hi guys, I have Cisco ACS 3.0 running and I have a configuration like below:

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
enable secret xxxxx

The problems I have are 2:

1) If I stop the TACACS+ service, normally it should switch to the local router enable secret password mode, so I get prompted for a password when I telnet, but when I key it in, it says authentication failed and immediately disconnects without even giving a few more retries.

2) When I enable all debugging for AAA, none of them appear even when I'm connected to the console and terminal monitoring is always enabled. The AAA authentication and authorization work, but I'm surprised why debug aaa is not working.

2 Replies

msara
Level 1

This is what I use; I add enable at the end, but the enable password that I set locally on the router does not work.

SunwayCCNA(config)#aaa authentication login default group tacacs+ ?
  enable      Use enable password for authentication.
  group       Use Server-group
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.

SunwayCCNA(config)#aaa authentication login default group tacacs+

Richard Burts
Hall of Fame

I think that trying to use the enable secret as the password for login to user mode is not good practice. I suggest that you instead use the configuration of aaa authentication login default group tacacs+ line. This will attempt to authenticate with the configured tacacs server and if there is no response from the server it will use the console password or vty password - depending on where you are attempting to login.

If you post the results of the command show tacacs it might help understand what is going on.

I am not sure why the debugging messages are not showing up, but the most common explanation is that the way the severity levels have been set up for logging may prevent the debugging messages from displaying. If you can post the first screen of output from the show log command it might help to determine how these are set.

HTH

Rick
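The configuration Rick describes, written out as an added example (not posted by anyone in this thread): the login method list with the line-password fallback, the line passwords it relies on, and the logging levels that decide whether debug output ever reaches the console. The server address 192.0.2.10 and all keys/passwords are placeholders.

```cisco
! Added example, not from the thread. 192.0.2.10 and the secrets are placeholders.
aaa new-model
tacacs-server host 192.0.2.10 key TACACS-KEY-PLACEHOLDER
!
! As posted: fall back to the enable secret for user-mode login.
! aaa authentication login default group tacacs+ enable
!
! As suggested: fall back to the console/vty line password. The next method
! is tried only when no TACACS+ server responds (ERROR); an explicit REJECT
! from the server is final and does not fall through to the line password.
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
!
! The "line" method needs a password on each line it can fall back to.
line con 0
 password CONSOLE-PLACEHOLDER
line vty 0 4
 password VTY-PLACEHOLDER
!
! debug output is severity 7 (debugging). If console/monitor logging has been
! capped at a lower severity, "debug aaa ..." runs but nothing is displayed.
logging buffered 16384 debugging
logging console debugging
logging monitor debugging
!
! Checks from exec mode, then reproduce a login with the server stopped:
!   terminal monitor
!   debug aaa authentication
!   show logging    (first lines: console/monitor/buffer severity levels)
!   show tacacs     (per-server connection and request counters)
```

Because the fallback only triggers on no response, a server that is reachable but rejecting the user will still produce "authentication failed" rather than a line-password prompt; show tacacs distinguishes the two cases.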