AAA issue - No authoritative response from any server.

gavin han
Level 1

Hi,

I'm having an issue with the TACACS server (ACS 4.2). I did the following test from the router:

Router1#test aaa group tacacs+ cisco cisco legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.

I can ping the ACS server from this router though.

Please advise what could be the issue and how do I resolve it.

Thanks...

2 Accepted Solutions

manoj k jadhav
Level 1

Well, I also had the same issue, and it points to the following:

1. Your TACACS+ server is not reachable, so check for connectivity issues.

2. If you can ping the TACACS+ server, then one thing to check is the command

"tacacs-server host 10.0.0.1 key cisco", which is to be given on the router (the client of the TACACS+ server).

3. Check the key configured on ACS for TACACS and the one configured in the above command; in this case the key is "cisco".

4. This could be silly, but I made that mistake in adding the TACACS+ server in ACS, which will actually be doing authentication, authorization and accounting. This is a really crucial step to look for, because I had not configured this and I got that error.

5. Finally, don't forget to add the client, i.e. the router, to the ACS server. And one more thing: spell tacacs+ properly, because even if you type tacas+ the router accepts it, but while doing authentication this error appears:

%AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*


The first thing you have to validate is that you have a ping to the ACS, then validate that the requests reach the ACS. If the requests do not reach the ACS, you should put the following line (ip tacacs source-interface XXX/XXX) and you can test it using the command (test aaa group tacacs+ user password legacy). You should get the following:

Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.


7 Replies

iilyinas
Level 3

Hi,

Check your router config, the AAA part. Most probably you mistyped the TACACS+ server address or something like that...

Cheers, Iron

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hi,

The config looks good to me. I also verified the config of this router against another router (for which TACACS works fine); their configs are the same, no difference.

Hi Gavin,

Could you capture the following debugs while you try to authenticate:

1. debug aaa authentication

2. debug tacacs

Also do you see any hits on the ACS server when you try to authenticate?

Please try this sample config.

Here is a sample configuration:

router(config)# enable password XXXXXXX

router(config)# username admin privilege 15 password xxxxx

router(config)# aaa new-model (Enables AAA configuration commands on the router)

router(config)# tacacs-server host XXXXXXX (IP address of the ACS server)

router(config)# tacacs-server key XXXXXX (This is the same shared secret key which we defined on the ACS for this IOS device)

router(config)# aaa authentication login default group tacacs+ local

Authenticate telnet users on TACACS+; if TACACS+ is down, authenticate users with the locally configured telnet username and password on the router.

router(config)# aaa authentication enable default group tacacs+ enable

Authenticate the enable password on TACACS+; if TACACS+ is down, authenticate the enable password with the locally configured enable password on the router.

router(config)# aaa accounting exec default start-stop group tacacs+ (Account for all users who telnet in, based on start and stop of the session, on TACACS+)

router(config)# line vty 0 4 (Change to the vty line configuration)

router(config-line)# login authentication default (Enables TACACS authentication for the vty lines)

thanks,

Vinay

Thanks & Regards
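The fallback that the sample config above relies on ("group tacacs+ local", "group tacacs+ enable") only happens when the TACACS+ group gives no answer at all, which is what "No authoritative response from any server" reports; an explicit reject from a reachable ACS ends the method list without ever consulting the local database. The following is an added example, not code from this thread or from Cisco, that models that rule with stand-in methods; the ACS user database, the local username and the reachability flag are constructed inputs.

```python
# Added example, not from this thread or from Cisco: a small model of how an IOS
# method list such as "aaa authentication login default group tacacs+ local"
# walks its methods. A method answers PASS, FAIL or ERROR. IOS moves to the next
# method only on ERROR (no usable answer, the "No authoritative response" case);
# a PASS or FAIL ends the list. The TACACS+ server and local database below are
# constructed stand-ins, not a real TACACS+ client.
from enum import Enum


class Outcome(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    ERROR = "ERROR"


def tacacs_group(reachable, users):
    """Stand-in for 'group tacacs+': ERROR when no server answers, else PASS/FAIL."""
    def method(user, password):
        if not reachable:
            return Outcome.ERROR
        return Outcome.PASS if users.get(user) == password else Outcome.FAIL
    return method


def local_database(users):
    """Stand-in for the 'local' method: checks 'username ... password' entries."""
    def method(user, password):
        return Outcome.PASS if users.get(user) == password else Outcome.FAIL
    return method


def run_method_list(methods, user, password):
    """Apply methods in order; return the final outcome and a trace of (name, outcome)."""
    trace = []
    for name, method in methods:
        outcome = method(user, password)
        trace.append((name, outcome))
        if outcome is not Outcome.ERROR:
            return outcome, trace
    return Outcome.ERROR, trace


# Constructed sample data: ACS knows 'admin'/'acs-secret'; the router's local
# database has 'admin'/'local-secret' as the emergency fallback.
ACS_USERS = {"admin": "acs-secret"}
LOCAL_USERS = {"admin": "local-secret"}


def login_list(tacacs_reachable):
    """Build 'aaa authentication login default group tacacs+ local'."""
    return [("group tacacs+", tacacs_group(tacacs_reachable, ACS_USERS)),
            ("local", local_database(LOCAL_USERS))]


def scenarios():
    up, down = login_list(True), login_list(False)
    return {
        # Server down: TACACS+ returns ERROR, so the local password is consulted.
        "server_down_local_pw": run_method_list(down, "admin", "local-secret"),
        # Server up and the user gives the ACS password.
        "server_up_acs_pw": run_method_list(up, "admin", "acs-secret"),
        # Server up but the user tries the local password: ACS answers FAIL and
        # the list stops; 'local' is never consulted.
        "server_up_local_pw": run_method_list(up, "admin", "local-secret"),
    }


if __name__ == "__main__":
    for name, (outcome, trace) in scenarios().items():
        print(f"{name}: {outcome.value} via {[(n, o.value) for n, o in trace]}")
```

The third scenario is the one worth remembering when reading the test output: a reachable ACS that rejects the credentials is a FAIL, not an error, so the local username never becomes a back door while the server is up.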

You named your server group tacacs+? Just do a show run | in aaa and verify.

This message was edited by: cadetalain

Don't forget to rate helpful posts.

saqib zafar
Level 1

Hey man, I was having this same problem, first for my RADIUS server, then for my TACACS+ server.

I solved it. Please go and check, in the network configuration of your ACS admin page, in your AAA Client, what IP you have given for your required client router.

IMAGINE you have routers R1 and R2 connected via FastEthernet/serial connectivity or via an ISP technology, and your ACS server is on your R1.

In your ACS admin page you make an entry for client R1 with the IP address which is given on your R1 interface which connects your ACS server machine to your R1 (e.g. ACS IP address 10.10.10.10 and gateway 10.10.10.1, and this machine is connected with your f1/0; this shows you have entered IP address 10.10.10.1 on your f1/0, so this port connects your ACS server to R1). This will solve this NO AUTHORITATIVE RESPONSE problem on just your R1; now R2 will have the same problem.

R1 is connected via a fast/serial port to R2 (R1 11.0.0.1, R2 11.0.0.2). Then in your ACS add an entry for R2 with the IP address 11.0.0.2, because this port connects your R2 with R1. Or, if you are using a GRE tunnel between R1 and R2 (R1 11.0.0.1, R2 11.0.0.2, and the tunnel R1 to R2 IPs as tunnel R1 port 12.0.0.1, tunnel R2 port 12.0.0.2), then do not enter the IP given on your physical port; enter the IP address given on your tunnel interface which connects your R1 to R2,

meaning 12.0.0.2. I did this little bit on only my ACS server page and it solved my problem. I hope you are having the same. If yes, then tell us; if no, then also tell us, maybe someone else can help you.

Regards,

Saqib.
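The replies in this thread all come down to consistency checks between the router and the ACS: the server group name the method lists reference must exist (the "tacas+" typo), every tacacs-server host needs a shared key that matches the ACS entry, and the ACS AAA-client entry must carry the address the router actually sources its requests from, which is why "ip tacacs source-interface" and the tunnel-versus-physical address question matter. The following is an added example, not code from this thread, Cisco or ACS, that runs those checks over a running-config text. The running-config, the interface table and the ACS client table are constructed samples, and the parse only understands the handful of lines the thread discusses.

```python
# Added example, not from this thread or from Cisco/ACS: a lint pass over an IOS
# running-config that flags the mistakes the replies in this thread point at:
# a method list naming a server group that does not exist (the "tacas+" typo),
# a tacacs-server host with no shared key, no "ip tacacs source-interface", and
# an ACS AAA-client entry whose address or key does not match what the router
# will actually send from. The config, interface table and ACS client table are
# constructed samples.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed: ACS "Network Configuration" AAA clients, address -> shared key.
ACS_CLIENTS = {"10.10.10.1": "cisco"}

# Constructed: interface -> address, as "show ip interface brief" would list.
INTERFACES = {
    "FastEthernet1/0": "10.10.10.1",
    "Serial0/0": "11.0.0.1",
    "Loopback0": "192.0.2.1",
}

# Constructed: a config with two of the mistakes discussed in the thread
# (misspelled group name, source interface unknown to ACS).
BROKEN_CONFIG = """\
aaa new-model
tacacs-server host 10.10.10.10
tacacs-server key cisco
aaa authentication login default group tacas+ local
aaa authentication enable default group tacacs+ enable
ip tacacs source-interface Loopback0
"""

# Constructed: the same config with the mistakes fixed.
FIXED_CONFIG = """\
aaa new-model
tacacs-server host 10.10.10.10 key cisco
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
ip tacacs source-interface FastEthernet1/0
"""


@dataclass
class AaaConfig:
    hosts: Dict[str, Optional[str]] = field(default_factory=dict)  # server -> per-host key
    global_key: Optional[str] = None
    source_interface: Optional[str] = None
    # "tacacs+" and "radius" are the built-in group names; "aaa group server" adds more.
    groups_defined: Set[str] = field(default_factory=lambda: {"tacacs+", "radius"})
    groups_used: Set[str] = field(default_factory=set)


def parse_aaa(config: str) -> AaaConfig:
    """Pull the TACACS+-relevant lines out of a running-config."""
    cfg = AaaConfig()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"tacacs-server host (\S+)(?: key (\S+))?$", line):
            cfg.hosts[m.group(1)] = m.group(2)
        elif m := re.match(r"tacacs-server key (\S+)$", line):
            cfg.global_key = m.group(1)
        elif m := re.match(r"ip tacacs source-interface (\S+)$", line):
            cfg.source_interface = m.group(1)
        elif m := re.match(r"aaa group server (?:tacacs\+|radius) (\S+)$", line):
            cfg.groups_defined.add(m.group(1))
        elif line.startswith("aaa "):
            # Method lists: every "group NAME" token names a server group.
            cfg.groups_used.update(re.findall(r"\bgroup (\S+)", line))
    return cfg


def lint(cfg: AaaConfig, interfaces: Dict[str, str], acs_clients: Dict[str, str]) -> List[str]:
    """One finding per mismatch that would leave the router without an authoritative answer."""
    findings = []
    for group in sorted(cfg.groups_used - cfg.groups_defined):
        findings.append(f"method list references undefined server group '{group}'")
    if not cfg.hosts:
        findings.append("no tacacs-server host configured")
    src_ip = None
    if cfg.source_interface is None:
        findings.append("no ip tacacs source-interface; the source address follows the routing table")
    else:
        src_ip = interfaces.get(cfg.source_interface)
        if src_ip is None:
            findings.append(f"source interface {cfg.source_interface} has no IP address")
    for host, host_key in cfg.hosts.items():
        key = host_key or cfg.global_key  # per-host key wins over the global one
        if key is None:
            findings.append(f"no shared key configured for server {host}")
        if src_ip is None:
            continue
        acs_key = acs_clients.get(src_ip)
        if acs_key is None:
            findings.append(f"ACS has no AAA client entry for source address {src_ip}")
        elif key is not None and acs_key != key:
            findings.append(f"shared key for client {src_ip} differs between router and ACS")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(parse_aaa(text), INTERFACES, ACS_CLIENTS))
```

On a real box the ACS client table would be copied from the ACS admin page and the interface table from "show ip interface brief"; when no source interface is configured the script can only warn, because the address the router picks then depends on the route to the ACS, which is exactly the R1/R2 and tunnel situation Saqib describes.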
