cisco 9910 console error after tacacs+ configuration

I configured the 9910 ASR Router with TACACS+ configurations, but after the commit command, I got this error:

Command authorization failed - 'AAA API' detected the 'fatal' condition 'No method could process the authorisation request'
% Incomplete command.

After that, I tried to log in with the console, but the connection is not coming. Below you can see the TACACS+ configs applied in the device:

"tacacs-server host 10.18.106.233 port 49
key 7 ThyTeknik2019
tacacs-server host 10.18.106.233 single-connection

aaa group server tacacs+ ISE_TACACS_GROUP
server 10.154.5.233

 

aaa authentication login ISETACACS+ group ISE_TACACS_GROUP local
aaa authorization exec ISETACACS group ISE_TACACS_GROUP local
aaa authorization commands default group tacacs+

aaa accounting commands default start-stop group tacacs+
aaa accounting update newinfo"

 

How can I log in to the console? Please help me to fix this problem.

2 Replies

Jason Kunst
Cisco Employee


If you have other devices working fine with TACACS, I'd recommend you move to the appropriate platform team as well to get the best coverage.

Greg Gibbs
Cisco Employee

I'm not sure why your 'tacacs-server host' and 'aaa group server' configuration are using different IP addresses.

If you've completely locked yourself out of the console and vty lines, you might try blocking tcp/49 between the ASR and ISE or disabling the Device Admin service on the ISE PSNs (from the Deployment section; if possible in your environment) to see if the ASR will fall back to authentication/authorisation via the local database.

I'm not an ASR expert, but if the above fails, some other options might be:

  1. Reboot the ASR (if the Commit command did not save the AAA config to the startup-config)
  2. Seek assistance from Cisco TAC for recovering console access

AAA configuration can be dangerous if done incorrectly, so you might want to seek assistance from TAC for the correct commands and order-of-operations.

 

Cheers,

Greg
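Added example (not part of the thread and not a Cisco tool): a small pre-commit check that parses the AAA lines posted in the question and reports the server-group address that has no matching `tacacs-server host` entry, as pointed out in the reply above. It also flags authentication/authorization method lists that end without a `local` or `none` method, which is this example's own heuristic; the function name and finding labels are hypothetical.

```python
import re

# AAA lines as posted in the question (the key line is left out; it is not parsed).
POSTED = """\
tacacs-server host 10.18.106.233 port 49
tacacs-server host 10.18.106.233 single-connection
aaa group server tacacs+ ISE_TACACS_GROUP
server 10.154.5.233
aaa authentication login ISETACACS+ group ISE_TACACS_GROUP local
aaa authorization exec ISETACACS group ISE_TACACS_GROUP local
aaa authorization commands default group tacacs+
aaa accounting commands default start-stop group tacacs+
"""

def lint_aaa(config):
    """Return findings as tuples: (kind, where, detail)."""
    hosts, groups, method_lists, current = set(), {}, [], None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"tacacs-server host (\S+)", line):
            hosts.add(m.group(1))
        elif m := re.match(r"aaa group server tacacs\+ (\S+)", line):
            current = m.group(1)
            groups[current] = []
            continue  # stay inside this group block
        elif (m := re.match(r"server (\S+)", line)) and current:
            groups[current].append(m.group(1))
            continue
        elif m := re.match(r"aaa (authentication|authorization) (\S+ \S+) (.+)", line):
            method_lists.append((f"{m.group(1)} {m.group(2)}", m.group(3).split()))
        if line:
            current = None  # any other non-blank line ends the group block
    findings = []
    for name, servers in groups.items():
        for ip in servers:
            if ip not in hosts:  # the mismatch pointed out in the reply
                findings.append(("undefined-server", name, ip))
    for where, tokens in method_lists:
        # Methods are "group <name>", "local" or "none"; the token after "group" is a name.
        methods = [t for i, t in enumerate(tokens) if i == 0 or tokens[i - 1] != "group"]
        if not {"local", "none"} & set(methods):
            findings.append(("no-fallback", where, " ".join(tokens)))
    return findings

if __name__ == "__main__":
    for finding in lint_aaa(POSTED):
        print(finding)
```

Running the check against a candidate configuration before the commit, while a working session is still open, shows both findings without touching the device.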