09-26-2013 12:44 PM - edited 03-10-2019 08:56 PM
Telnet has been working forever on our 6500 switches and today it stopped. We use TACACS. Here's the message we receive when trying to log in:
% Authorization failed.
Here's the TACACS config and AAA:
aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
tacacs-server host 192.168.100.253
tacacs-server timeout 10
tacacs-server directed-request
tacacs-server key 7 ..................................
Other switches are still authenticating properly using the same TACACS.
What could have happened to it? We received a lot of messages saying it could not reach 192.168.100.254 from the management VLAN, but the TACACS server is actually 254. Can you help please? Tried to create a local username but that didn't work either as a temporary fix.
Thanks.
09-26-2013 12:52 PM
Please help me with:
show run | begin line vty
debug tacacs
debug aaa authen
debug aaa author
do you see any hits on the ACS under reports and activities?
~BR
Jatin Katyal
**Do rate helpful posts**
09-26-2013 01:30 PM
Thanks for your help. What option do I select under reports and activity? I will get you the debug info in a second.
09-26-2013 01:58 PM
line vty 0 4
exec-timeout 60 0
password 7 ......................
line vty 5 15
exec-timeout 60 0
password 7 ..........................
!
.Sep 26 16:54:33.538 EDT: TPLUS: Queuing AAA Accounting request 5531 for processing
.Sep 26 16:54:33.538 EDT: TPLUS: processing accounting request id 5531
.Sep 26 16:54:33.538 EDT: TPLUS: Sending AV task_id=7744
.Sep 26 16:54:33.538 EDT: TPLUS: Sending AV timezone=EDT
.Sep 26 16:54:33.538 EDT: TPLUS: Sending AV service=shell
.Sep 26 16:54:33.538 EDT: TPLUS: Sending AV start_time=1380228873
.Sep 26 16:54:33.538 EDT: TPLUS: Sending AV priv-lvl=15
.Sep 26 16:54:33.538 EDT: TPLUS: Sending AV cmd=debug aaa authentication
.Sep 26 16:54:33.538 EDT: TPLUS: Accounting request created for 5531(ssaab)
.Sep 26 16:54:33.538 EDT: TPLUS: using previously set server 192.168.100.253 from group tacacs+
.Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/NB_WAIT/52AC5CD4: Started 10 sec timeout
.Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/NB_WAIT: socket event 2
.Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/NB_WAIT: wrote entire 143 bytes request
.Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/READ: socket event 1
.Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/READ: Would block while reading
.Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/READ: socket event 1
.Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/READ: read entire 12 header bytes (expect 5 bytes data)
.Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/READ: socket event 1
.Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/READ: read entire 17 bytes response
.Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/52AC5CD4: Processing the reply packet
.Sep 26 16:54:33.546 EDT: TPLUS: Received accounting response with status PASS
.Sep 26 16:54:42.450 EDT: TPLUS: Queuing AAA Accounting request 5531 for processing
.Sep 26 16:54:42.450 EDT: TPLUS: processing accounting request id 5531
.Sep 26 16:54:42.450 EDT: TPLUS: Sending AV task_id=7745
.Sep 26 16:54:42.450 EDT: TPLUS: Sending AV timezone=EDT
.Sep 26 16:54:42.450 EDT: TPLUS: Sending AV service=shell
.Sep 26 16:54:42.450 EDT: TPLUS: Sending AV start_time=1380228882
.Sep 26 16:54:42.450 EDT: TPLUS: Sending AV priv-lvl=15
.Sep 26 16:54:42.450 EDT: TPLUS: Sending AV cmd=debug aaa authorization
.Sep 26 16:54:42.450 EDT: TPLUS: Accounting request created for 5531(ssaab)
.Sep 26 16:54:42.450 EDT: TPLUS: using previously set server 192.168.100.253 from group tacacs+
.Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/NB_WAIT/52AC5CD4: Started 10 sec timeout
.Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/NB_WAIT: socket event 2
.Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/NB_WAIT: wrote entire 142 bytes request
.Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/READ: socket event 1
.Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/READ: Would block while reading
.Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/READ: socket event 1
.Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/READ: read entire 12 header bytes (expect 5 bytes data)
.Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/READ: socket event 1
.Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/READ: read entire 17 bytes response
.Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/52AC5CD4: Processing the reply packet
.Sep 26 16:54:42.458 EDT: TPLUS: Received accounting response with status PASS
.Sep 26 16:55:02.830 EDT: AAA/BIND(0000159F): Bind i/f
.Sep 26 16:55:02.830 EDT: AAA/AUTHEN/LOGIN (0000159F): Pick method list 'default'
.Sep 26 16:55:02.830 EDT: TPLUS: Queuing AAA Authentication request 5535 for processing
.Sep 26 16:55:02.834 EDT: TPLUS: processing authentication start request id 5535
.Sep 26 16:55:02.834 EDT: TPLUS: Authentication start packet created for 5535(ssaab)
.Sep 26 16:55:02.834 EDT: TPLUS: Using server 192.168.100.253
.Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/NB_WAIT/528154D8: Started 10 sec timeout
.Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/NB_WAIT: socket event 2
.Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/NB_WAIT: wrote entire 42 bytes request
.Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/READ: socket event 1
.Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/READ: Would block while reading
.Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/READ: socket event 1
.Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/READ: read entire 12 header bytes (expect 16 bytes data)
.Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/READ: socket event 1
.Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/READ: read entire 28 bytes response
.Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/528154D8: Processing the reply packet
.Sep 26 16:55:02.838 EDT: TPLUS: Received authen response status GET_PASSWORD (8)
.Sep 26 16:55:06.407 EDT: TPLUS: Queuing AAA Authentication request 5535 for processing
.Sep 26 16:55:06.407 EDT: TPLUS: processing authentication continue request id 5535
.Sep 26 16:55:06.407 EDT: TPLUS: Authentication continue packet generated for 5535
.Sep 26 16:55:06.407 EDT: TPLUS(0000159F)/0/WRITE/52A57824: Started 10 sec timeout
.Sep 26 16:55:06.407 EDT: TPLUS(0000159F)/0/WRITE: wrote entire 25 bytes request
.Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/READ: socket event 1
.Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/READ: read entire 12 header bytes (expect 6 bytes data)
.Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/READ: socket event 1
.Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/READ: read entire 18 bytes response
.Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/52A57824: Processing the reply packet
.Sep 26 16:55:06.419 EDT: TPLUS: Received authen response status PASS (2)
.Sep 26 16:55:06.427 EDT: AAA/AUTHOR (0x159F): Pick method list 'default'
.Sep 26 16:55:06.427 EDT: TPLUS: Queuing AAA Authorization request 5535 for processing
.Sep 26 16:55:06.427 EDT: TPLUS: processing authorization request id 5535
.Sep 26 16:55:06.427 EDT: TPLUS: Protocol set to None .....Skipping
.Sep 26 16:55:06.427 EDT: TPLUS: Sending AV service=shell
.Sep 26 16:55:06.427 EDT: TPLUS: Sending AV cmd*
.Sep 26 16:55:06.427 EDT: TPLUS: Authorization request created for 5535(ssaab)
.Sep 26 16:55:06.427 EDT: TPLUS: using previously set server 192.168.100.253 from group tacacs+
.Sep 26 16:55:06.427 EDT: TPLUS(0000159F)/0/NB_WAIT/47A1ECA0: Started 10 sec timeout
.Sep 26 16:55:06.431 EDT: TPLUS(0000159F)/0/NB_WAIT: socket event 2
.Sep 26 16:55:06.431 EDT: TPLUS(0000159F)/0/NB_WAIT: wrote entire 61 bytes request
.Sep 26 16:55:06.431 EDT: TPLUS(0000159F)/0/READ: socket event 1
.Sep 26 16:55:06.431 EDT: TPLUS(0000159F)/0/READ: Would block while reading
.Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/READ: socket event 1
.Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/READ: read entire 12 header bytes (expect 6 bytes data)
.Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/READ: socket event 1
.Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/READ: read entire 18 bytes response
.Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/47A1ECA0: Processing the reply packet
.Sep 26 16:55:06.435 EDT: TPLUS: received authorization response for 5535: FAIL
.Sep 26 16:55:06.435 EDT: AAA/AUTHOR/EXEC(0000159F): Authorization FAILED
.Sep 26 16:55:14.751 EDT: TPLUS: Queuing AAA Accounting request 5531 for processing
.Sep 26 16:55:14.755 EDT: TPLUS: processing accounting request id 5531
.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV task_id=7746
.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV timezone=EDT
.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV service=shell
.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV start_time=1380228914
.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV priv-lvl=15
.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV cmd=show logging
.Sep 26 16:55:14.755 EDT: TPLUS: Accounting request created for 5531(ssaab)
.Sep 26 16:55:14.755 EDT: TPLUS: using previously set server 192.168.100.253 from group tacacs+
.Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/NB_WAIT/52A4402C: Started 10 sec timeout
.Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/NB_WAIT: socket event 2
.Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/NB_WAIT: wrote entire 131 bytes request
.Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/READ: socket event 1
.Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/READ: Would block while reading
.Sep 26 16:55:14.759 EDT: TPLUS(0000159B)/0/READ: socket event 1
.Sep 26 16:55:14.759 EDT: TPLUS(0000159B)/0/READ: read entire 12 header bytes (expect 5 bytes data)
.Sep 26 16:55:14.759 EDT: TPLUS(0000159B)/0/READ: socket event 1
.Sep 26 16:55:14.759 EDT: TPLUS(0000159B)/0/READ: read entire 17 bytes response
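As an added illustration, not part of the thread, here is a small Python parser for the TPLUS debug output above. It groups the lines by TACACS+ request id and reports, for each exchange, whether it failed at authentication (credentials rejected), never got an answer from the server, or, as in this post, passed authentication and was then denied at authorization. The function names and the wording of the findings are my own; the sample lines are a subset of the debug quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the TPLUS / AAA debug lines quoted in the
# post above (the authentication + authorization exchange for request 5535 and
# one accounting record for request 5531).
SAMPLE_DEBUG = """\
.Sep 26 16:55:02.834 EDT: TPLUS: Authentication start packet created for 5535(ssaab)
.Sep 26 16:55:02.834 EDT: TPLUS: Using server 192.168.100.253
.Sep 26 16:55:02.838 EDT: TPLUS: Received authen response status GET_PASSWORD (8)
.Sep 26 16:55:06.419 EDT: TPLUS: Received authen response status PASS (2)
.Sep 26 16:55:06.427 EDT: AAA/AUTHOR (0x159F): Pick method list 'default'
.Sep 26 16:55:06.427 EDT: TPLUS: Sending AV service=shell
.Sep 26 16:55:06.427 EDT: TPLUS: Sending AV cmd*
.Sep 26 16:55:06.427 EDT: TPLUS: Authorization request created for 5535(ssaab)
.Sep 26 16:55:06.427 EDT: TPLUS: using previously set server 192.168.100.253 from group tacacs+
.Sep 26 16:55:06.435 EDT: TPLUS: received authorization response for 5535: FAIL
.Sep 26 16:55:06.435 EDT: AAA/AUTHOR/EXEC(0000159F): Authorization FAILED
.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV service=shell
.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV cmd=show logging
.Sep 26 16:55:14.755 EDT: TPLUS: Accounting request created for 5531(ssaab)
.Sep 26 16:55:14.755 EDT: TPLUS: using previously set server 192.168.100.253 from group tacacs+
.Sep 26 16:55:14.759 EDT: TPLUS: Received accounting response with status PASS
"""

TS_RE = re.compile(r"^\.?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+ \w+): (?P<msg>.*)$")
CREATED_RE = re.compile(r"TPLUS: (?P<phase>Authentication|Authorization|Accounting) "
                        r"(?:start packet|request) created for (?P<rid>\d+)\((?P<user>[^)]+)\)")
AV_RE = re.compile(r"TPLUS: Sending AV (?P<av>.+)$")
SERVER_RE = re.compile(r"TPLUS: (?:Using|using previously set) server (?P<server>\S+)")
AUTHEN_RE = re.compile(r"TPLUS: Received authen response status (?P<status>\w+)")
AUTHOR_RE = re.compile(r"TPLUS: received authorization response for (?P<rid>\d+): (?P<status>\w+)")
ACCT_RE = re.compile(r"TPLUS: Received accounting response with status (?P<status>\w+)")


def new_session():
    return {"user": None, "server": None, "first_seen": None, "avs": {},
            "authentication": [], "authorization": [], "accounting": []}


def parse_tplus_debug(text):
    """Group TPLUS debug lines by TACACS+ request id.

    Most response lines carry no request id, so each one is attributed to the
    request most recently 'created' (that is how the debug output is ordered).
    AV pairs are logged *before* the 'request created' line, so they are buffered
    and attached once that line arrives.
    """
    sessions = defaultdict(new_session)
    pending_avs, current = [], None
    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (c := CREATED_RE.search(msg)):
            current = c.group("rid")
            s = sessions[current]
            s["user"] = c.group("user")
            if s["first_seen"] is None:
                s["first_seen"] = m.group("ts")
            s["avs"][c.group("phase").lower()] = pending_avs
            pending_avs = []
        elif (a := AV_RE.search(msg)):
            pending_avs.append(a.group("av"))
        elif current is None:
            continue
        elif (sv := SERVER_RE.search(msg)):
            sessions[current]["server"] = sv.group("server")
        elif (r := AUTHEN_RE.search(msg)):
            sessions[current]["authentication"].append(r.group("status"))
        elif (r := AUTHOR_RE.search(msg)):
            sessions[r.group("rid")]["authorization"].append(r.group("status"))
        elif (r := ACCT_RE.search(msg)):
            sessions[current]["accounting"].append(r.group("status"))
    return dict(sessions)


def diagnose(sessions):
    """One finding per request id, separating the cases an operator has to tell
    apart: credentials rejected, no server answer, or a server-side authorization
    policy denying the exec shell after a successful login."""
    findings = {}
    for rid, s in sessions.items():
        authn = s["authentication"][-1] if s["authentication"] else None
        authz = s["authorization"][-1] if s["authorization"] else None
        who = f"{s['user']} (request {rid})"
        if authn == "PASS" and authz == "FAIL":
            avs = " ".join(s["avs"].get("authorization", []))
            findings[rid] = (f"{who}: credentials accepted by {s['server']}, but the "
                             f"authorization request [{avs}] was denied by server policy; "
                             "check the user/group shell (exec) settings on the TACACS+ server")
        elif authn == "FAIL":
            findings[rid] = f"{who}: authentication rejected by {s['server']}"
        elif authn is None and authz is None and not s["accounting"]:
            findings[rid] = f"{who}: request created but no server response logged"
        else:
            findings[rid] = f"{who}: no failure in this exchange"
    return findings


if __name__ == "__main__":
    for text in diagnose(parse_tplus_debug(SAMPLE_DEBUG)).values():
        print(text)
```

Run against the full debug from the post, the script attributes the FAIL to request 5535 right after its authentication PASS, which is the same conclusion the replies below reach: the server is reachable and the password is fine, so the problem is what the server returns for service=shell cmd*.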
09-26-2013 02:49 PM
So this is what we are getting, but I also see you're not using exec authorization:
.Sep 26 16:55:06.435 EDT: TPLUS: received authorization response for 5535: FAIL
.Sep 26 16:55:06.435 EDT: AAA/AUTHOR/EXEC(0000159F): Authorization FAILED
Can you paste show run | in single-connect?
~BR
Jatin Katyal
**Do rate helpful posts**
09-27-2013 06:13 AM
Nothing comes up when I do show run | in single-connect. Now this was working before. I don't know why it stopped.
09-27-2013 06:23 AM
This is the correct config from the 6509:
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
09-27-2013 10:23 AM
Last time you pasted the below listed config without the command in bold.
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
**aaa authorization exec default group tacacs+ if-authenticated**
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
On the TACACS server please make sure the privilege level is set to 15 for that user. What code of ACS server are you using?
~BR
Jatin Katyal
**Do rate helpful posts**
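Added example, not from the thread: a Python check that diffs the AAA lines of a config paste against the 6509 config quoted above as correct, plus a small simulation of how IOS walks a method list. The simulation shows why if-authenticated does not rescue the login here: the next method in the list is only consulted when the previous one returns an error (server unreachable or timed out), and an explicit FAIL from the group tacacs+ method ends the list with a deny. The function names are my own; the two config excerpts are the ones posted in this thread.

```python
# Constructed inputs, copied from the two config pastes in this thread: the first
# paste (which turned out to be from the wrong switch) and the 6509 config that
# Jatin marked as correct.
FIRST_PASTE = """\
aaa new-model
!
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
"""

BASELINE_6509 = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
"""


def aaa_lines(config_text):
    """Whitespace-normalised 'aaa ...' lines; '!' separators and blanks are dropped."""
    return [" ".join(line.split()) for line in config_text.splitlines()
            if line.strip().startswith("aaa ")]


def audit_aaa(config_text, baseline_text):
    """AAA lines the baseline has but the config lacks, and vice versa."""
    have, want = set(aaa_lines(config_text)), set(aaa_lines(baseline_text))
    return {"missing": sorted(want - have), "extra": sorted(have - want)}


def parse_method_list(line):
    """Split an 'aaa authentication|authorization <svc> [<lvl>] <list> <methods...>'
    line into (list_name, ordered methods), e.g. ('default', ['group tacacs+', 'if-authenticated'])."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "aaa" or tokens[1] not in ("authentication", "authorization"):
        raise ValueError(f"not a method-list line: {line!r}")
    rest = tokens[3:]
    if rest[0].isdigit():          # 'commands 15 ...' carries a privilege level
        rest = rest[1:]
    list_name, rest = rest[0], rest[1:]
    methods = []
    while rest:
        tok = rest.pop(0)
        methods.append(f"{tok} {rest.pop(0)}" if tok == "group" and rest else tok)
    return list_name, methods


def evaluate_method_list(methods, server_result, authenticated=True):
    """Simulate IOS method-list evaluation for an exec-authorization list.

    server_result is what every 'group ...' method returns: PASS, FAIL or ERROR.
    Standard IOS semantics: a method that answers PASS or FAIL is final; only an
    ERROR (no usable answer, e.g. server unreachable) moves on to the next method.
    Returns (decision, deciding_method).
    """
    for method in methods:
        if method.startswith("group "):
            if server_result == "PASS":
                return "permit", method
            if server_result == "FAIL":
                return "deny", method
            continue                               # ERROR: fall through to next method
        if method == "if-authenticated":
            return ("permit" if authenticated else "deny"), method
        if method == "none":
            return "permit", method
        raise NotImplementedError(f"method {method!r} (device-local data) is not modelled here")
    return "deny", "end-of-list"


if __name__ == "__main__":
    print(audit_aaa(FIRST_PASTE, BASELINE_6509))
    name, methods = parse_method_list("aaa authorization exec default group tacacs+ if-authenticated")
    for outcome in ("PASS", "FAIL", "ERROR"):
        print(name, methods, outcome, "->", evaluate_method_list(methods, outcome))
```

The FAIL/ERROR distinction is the practical takeaway for this thread: when the ACS was unreachable the switch would have fallen through to if-authenticated and let the user in, whereas a reachable ACS that answers FAIL for service=shell locks the user out regardless of the fallback method.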
09-27-2013 11:08 AM
Yes, I apologize, I was in the wrong switch. We are running ACS 3.3. Users are inheriting group settings and it's set to level 15.
09-27-2013 12:59 PM
Check ACS > reports and activities > failed attempts.
~BR
Jatin Katyal
**Do rate helpful posts**
09-27-2013 02:25 PM
09/26/2013,16:26:04,Author failed,ssaab,Net Enable,192.168.78.82,,Service denied,service=shell cmd*,tty1,192.168.100.2
09/26/2013,13:07:33,Author failed,ssaab,Net Enable,192.168.78.82,,Service denied,service=shell cmd*,tty1,192.168.100.4
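Added example, not the poster's: a small Python parser for the ACS failed-attempts records above. The column names are my assumption, based on the order of the eleven comma-separated fields in those two lines; the sample records are the two posted. Grouping by user and failure reason, and collecting the NAS IPs, makes it visible that the same user is denied the exec shell from two different switches, which points at the user/group settings on the ACS side rather than at one device.

```python
import csv
import io
from collections import defaultdict

# Assumed column order for the ACS 3.x "Failed Attempts" CSV report, matching the
# eleven fields of the two lines quoted above (names are this example's choice).
COLUMNS = ["date", "time", "message_type", "user", "group", "caller_id",
           "authen_failure_code", "author_failure_code", "author_data",
           "nas_port", "nas_ip"]

# Constructed sample: the two records posted in this thread.
SAMPLE_CSV = """\
09/26/2013,16:26:04,Author failed,ssaab,Net Enable,192.168.78.82,,Service denied,service=shell cmd*,tty1,192.168.100.2
09/26/2013,13:07:33,Author failed,ssaab,Net Enable,192.168.78.82,,Service denied,service=shell cmd*,tty1,192.168.100.4
"""


def parse_failed_attempts(text):
    """Parse the report into one dict per record, rejecting rows of the wrong width."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if not fields:
            continue
        if len(fields) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} fields, got {len(fields)}: {fields}")
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def summarize(rows):
    """Group failures by (user, ACS group, failure reason, authorization data) and
    collect the set of devices (NAS IPs) each combination was reported from."""
    out = defaultdict(set)
    for r in rows:
        reason = r["author_failure_code"] or r["authen_failure_code"]
        out[(r["user"], r["group"], reason, r["author_data"])].add(r["nas_ip"])
    return dict(out)


def exec_shell_denials(rows):
    """Records where ACS denied the exec shell itself (service=shell with cmd*),
    i.e. the user authenticated but shell/exec authorization is not permitted for
    that user or group on the server."""
    return [r for r in rows
            if r["message_type"] == "Author failed"
            and r["author_data"].startswith("service=shell cmd*")]


if __name__ == "__main__":
    records = parse_failed_attempts(SAMPLE_CSV)
    for key, devices in summarize(records).items():
        print(key, "seen from", sorted(devices))
    print(len(exec_shell_denials(records)), "exec-shell denials")
```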
09-30-2013 06:02 AM
Anymore thoughts on this Jatin?
09-30-2013 07:52 AM
Never mind, it worked by itself now.
09-30-2013 08:06 AM
Started working on its own...:)
Thanks for closing the discussion.
~BR
Jatin Katyal
**Do rate helpful posts**
09-30-2013 10:28 AM
Yes, it's crazy. I don't know why this happened.