11-02-2010 07:06 AM - edited 03-10-2019 05:32 PM
Hi,
I'm having an issue with the TACACS server (ACS 4.2); I did the following test from the router:
Router1#test aaa group tacacs+ cisco cisco legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.
I can ping the ACS server from this router though.
Please advise what the issue could be and how I resolve it.
Thanks...
11-17-2012 10:59 AM
Well, I also had the same issue, and the issue points out that:
1. Your TACACS+ server is not reachable, so check the connectivity issues.
2. If you can ping the TACACS+ server, then one thing to check is the command
"tacacs-server host 10.0.0.1 key cisco", which is to be given on the router (the client of the TACACS+ server).
3. Check the key configured on ACS for TACACS and the one configured in the above command; in this case the key is "cisco".
4. This could be silly, but I did make that mistake: add the TACACS+ server in ACS which will actually be doing authentication, authorization and accounting. This is a really crucial step to look for, because I did not configure this and I got that error.
5. Finally, don't forget to add the client, i.e. the router, to the ACS server. And one more thing: spell tacacs+ properly, because even if you type tacas+ the router accepts it, but while doing authentication this error appears:
%AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*
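As an added check that is not code from any post in this thread: a small Python lint over a router's running config that flags the causes listed above, including the "tacas+" misspelling that trips the BADSERVERTYPEERROR and a missing shared key. The sample config is constructed for the example.

```python
import re

# Constructed sample config (not from the thread): the server group in the
# login method list is misspelled "tacas+", which IOS accepts at config time.
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 10.0.0.1 key cisco
aaa authentication login default group tacas+ local
aaa authentication enable default group tacacs+ enable
"""

# Server-group names that exist without an explicit "aaa group server" block.
BUILTIN_GROUPS = {"tacacs+", "radius"}


def check_aaa_config(config):
    """Return findings for common causes of
    'No authoritative response from any server'."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: AAA is not enabled")
    # Legacy per-host server definitions, optionally carrying their own key.
    hosts = [l for l in lines if re.match(r"tacacs-server host \S+", l)]
    if not hosts:
        findings.append("no tacacs-server host configured")
    has_key = any(re.search(r"\bkey\b", l) for l in hosts) or any(
        l.startswith("tacacs-server key") for l in lines)
    if hosts and not has_key:
        findings.append("no shared key configured (must match the key on ACS)")
    # Named groups defined with "aaa group server tacacs+ NAME".
    named = {m.group(1) for l in lines
             if (m := re.match(r"aaa group server tacacs\+ (\S+)", l))}
    for l in lines:
        if l.startswith("aaa authentication"):
            for group in re.findall(r"group (\S+)", l):
                if group not in BUILTIN_GROUPS and group not in named:
                    findings.append(f"unknown server group '{group}' in: {l}")
    # ACS identifies the client by source IP, so pin the egress interface.
    if not any(l.startswith("ip tacacs source-interface") for l in lines):
        findings.append("ip tacacs source-interface not set: ACS client entry "
                        "must match the interface IP the request leaves from")
    return findings


if __name__ == "__main__":
    for finding in check_aaa_config(SAMPLE_CONFIG):
        print("-", finding)
```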
08-05-2023 07:55 AM
The first thing you have to validate is that you have a ping to the ACS; then validate that the requests reach the ACS. If the requests do not reach the ACS, you should put the following line (ip tacacs source-interface XXX/XXX), and you can test it using the command (test aaa group tacacs+ user password legacy). You should get the following:
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
11-02-2010 07:16 AM
Hi,
Check your router config, the AAA part. Most probably you mistyped the TACACS+ server address or something like that...
Cheers, Iron
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
11-02-2010 07:44 AM
Hi,
The config looks good to me. I also compared the config of this router with another router (for which TACACS works fine); their configs are the same, no difference.
11-02-2010 07:56 AM
Hi Gavin,
Could you capture the following debugs while you try to authenticate:
1. debug aaa authentication
2. debug tacacs
Also do you see any hits on the ACS server when you try to authenticate?
Please try this sample configuration:
router(config)# enable password XXXXXXX
router(config)# username admin privilege 15 password xxxxx
router(config)# aaa new-model (Enables AAA configuration commands on the router)
router(config)# tacacs-server host XXXXXXX (IP address of the ACS server)
router(config)# tacacs-server key XXXXXX (This is the same shared secret key which we defined on the ACS for this IOS device)
router(config)# aaa authentication login default group tacacs+ local
Authenticate telnet users on TACACS+; if TACACS+ is down, authenticate users with the locally configured telnet username/password on the router.
router(config)# aaa authentication enable default group tacacs+ enable
Authenticate the enable password on TACACS+; if TACACS+ is down, authenticate the enable password with the locally configured enable password on the router.
router(config)# aaa accounting exec default start-stop group tacacs+ (Account for all users who are telneting, based on start and stop of the session, on TACACS+)
router(config)# line vty 0 4 (Change to the vty lines)
router(config-line)# login authentication default (Enables TACACS authentication for the vty lines)
thanks,
Vinay
11-03-2010 02:52 AM
You named your server group tacacs+? Just do a show run | in aaa and verify.
This message was edited by: cadetalain
10-07-2012 04:06 PM
Hey man, I was having this same problem, first for my RADIUS server, then for my TACACS+ server.
I solved it. Please go and check, in the network configuration of your ACS admin page, in your AAA Client, what IP you have given for your required client router.
Imagine you have routers R1 and R2 connected via FastEthernet/serial connectivity or via an ISP technology, and your ACS server is on your R1.
In your ACS admin page you make an entry for client R1 with the IP address which is given on your R1 interface that connects your ACS server machine to your R1 (e.g. ACS IP address 10.10.10.10 and gateway 10.10.10.1, and this machine is connected to your f1/0; this means you have entered IP address 10.10.10.1 on your f1/0, so this port connects your ACS server to R1). This will solve this NO AUTHORITATIVE RESPONSE problem on just your R1; now R2 will have the same problem.
R1 is connected via a fast/serial port to R2 (R1 11.0.0.1, R2 11.0.0.2). Then in your ACS add an entry for R2 with the IP address 11.0.0.2, because this port connects your R2 with R1. Or, if you are using a GRE tunnel between R1 and R2 (R1 11.0.0.1, R2 11.0.0.2, and the tunnel from R1 to R2 with tunnel R1 port 12.0.0.1 and tunnel R2 port 12.0.0.2), then do not enter the IP given on your physical port; enter the IP address given on your tunnel interface which connects your R1 to R2,
meaning 12.0.0.2. I did this little bit only on my ACS server page and it solved my problem. I hope you are having the same. If yes, then tell us; if no, then also tell us, maybe someone else can help you.
Regards,
Saqib.