01-30-2020 02:37 AM
I configured the 9910 ASR router with TACACS+ configurations, but after the commit command, I got this error:
Command authorization failed - 'AAA API' detected the 'fatal' condition 'No method could process the authorisation request'
% Incomplete command.
After that, I tried to log in via the console, but the connection is not coming up. Below you can see the TACACS+ configs applied on the device:
"tacacs-server host 10.18.106.233 port 49
key 7 ThyTeknik2019
tacacs-server host 10.18.106.233 single-connection
aaa group server tacacs+ ISE_TACACS_GROUP
server 10.154.5.233
aaa authentication login ISETACACS+ group ISE_TACACS_GROUP local
aaa authorization exec ISETACACS group ISE_TACACS_GROUP local
aaa authorization commands default group tacacs+
aaa accounting commands default start-stop group tacacs+
aaa accounting update newinfo"
How can I log in to the console? Please help me fix this problem.
01-30-2020 03:19 PM
@mustafabesirogluitu wrote:
I configured the 9910 ASR router with TACACS+ configurations, but after the commit command, I got this error:
Command authorization failed - 'AAA API' detected the 'fatal' condition 'No method could process the authorisation request'
% Incomplete command.
After that, I tried to log in via the console, but the connection is not coming up. Below you can see the TACACS+ configs applied on the device:
"tacacs-server host 10.18.106.233 port 49
key 7 ThyTeknik2019
tacacs-server host 10.18.106.233 single-connection
aaa group server tacacs+ ISE_TACACS_GROUP
server 10.154.5.233
aaa authentication login ISETACACS+ group ISE_TACACS_GROUP local
aaa authorization exec ISETACACS group ISE_TACACS_GROUP local
aaa authorization commands default group tacacs+
aaa accounting commands default start-stop group tacacs+
aaa accounting update newinfo"
How can I log in to the console? Please help me fix this problem.
If you have other devices working fine with TACACS, I'd recommend you move to the appropriate platform team as well to get best coverage.
01-30-2020 03:55 PM
I'm not sure why your 'tacacs-server host' and 'aaa group server' configuration are using different IP addresses.
If you've completely locked yourself out of the console and vty lines, you might try blocking tcp/49 between the ASR and ISE or disabling the Device Admin service on the ISE PSNs (from the Deployment section; if possible in your environment) to see if the ASR will fall back to authentication/authorisation via the local database.
I'm not an ASR expert, but if the above fails, some other options might be:
AAA configuration can be dangerous if done incorrectly, so you might want to seek assistance from TAC for the correct commands and order-of-operations.
Cheers,
Greg
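As an added example (not code from any poster in this thread or from Cisco), the following pre-commit check flags two things visible in the posted configuration: a server group member with no matching `tacacs-server host` line, and an authentication or authorization method list with no `local` or `none` method after the TACACS+ group. The function name `lint_aaa`, the finding labels and the simplified line grammar are assumptions made for this sketch; the sample reuses the thread's lines with the key line omitted.

```python
import re

# Constructed sample: AAA lines as posted in the thread, key line omitted.
SAMPLE_CONFIG = """\
tacacs-server host 10.18.106.233 port 49
tacacs-server host 10.18.106.233 single-connection
aaa group server tacacs+ ISE_TACACS_GROUP
 server 10.154.5.233
aaa authentication login ISETACACS+ group ISE_TACACS_GROUP local
aaa authorization exec ISETACACS group ISE_TACACS_GROUP local
aaa authorization commands default group tacacs+
aaa accounting commands default start-stop group tacacs+
"""

# Methods that do not depend on a reachable remote server.
FALLBACKS = {"local", "none"}


def lint_aaa(config: str) -> list[str]:
    """Return findings for lockout-prone AAA settings (hypothetical helper)."""
    hosts = set()          # addresses defined with 'tacacs-server host'
    group_servers = {}     # group name -> addresses listed under it
    findings = []
    current_group = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"tacacs-server host (\S+)", line):
            hosts.add(m.group(1))
        elif m := re.match(r"aaa group server tacacs\+ (\S+)", line):
            current_group = m.group(1)
            group_servers[current_group] = []
        elif current_group and (m := re.match(r"server (\S+)", line)):
            group_servers[current_group].append(m.group(1))
        elif m := re.match(r"aaa (authentication|authorization) (\S+) (\S+) (.+)", line):
            kind, service, name, methods = m.groups()
            # A list made only of remote groups has nothing to fall back on.
            if not FALLBACKS & set(methods.split()):
                findings.append(f"no-fallback: aaa {kind} {service} {name}")
    for group, servers in group_servers.items():
        for ip in servers:
            if ip not in hosts:
                findings.append(f"undefined-server: {group} -> {ip}")
    return findings


if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE_CONFIG):
        print(finding)
```

Running a check like this against the candidate configuration before `commit`, with a second session still logged in, shows both findings for the lines above.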