
Not able to login to router using ssh when TACACS server is down

raogva.noc
Level 1

When the TACACS server is not reachable, the router is not allowing the local password to log in using SSH. The router's SSH debug says authentication is successful, but the SSH client gets a "% Authorization failed" message and disconnects.

Kindly see the debug output and config below.

SSH server end:

Sep 1 13:25:10.161: SSH1: starting SSH control process
Sep 1 13:25:10.165: SSH1: sent protocol version id SSH-1.5-Cisco-1.25
Sep 1 13:25:10.241: SSH1: protocol version id is - SSH-1.5-Cisco-1.25
Sep 1 13:25:10.241: SSH1: SSH_SMSG_PUBLIC_KEY msg
Sep 1 13:25:10.397: SSH1: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03
Sep 1 13:25:10.397: SSH: RSA decrypt started
Sep 1 13:25:10.925: SSH: RSA decrypt finished
Sep 1 13:25:10.925: SSH: RSA decrypt started
Sep 1 13:25:11.165: SSH: RSA decrypt finished
Sep 1 13:25:11.197: SSH1: sending encryption confirmation
Sep 1 13:25:11.197: SSH1: keys exchanged and encryption on
Sep 1 13:25:11.269: SSH1: SSH_CMSG_USER message received
Sep 1 13:25:11.269: SSH1: authentication request for userid rao
Sep 1 13:25:16.297: SSH1: SSH_SMSG_FAILURE message sent
Sep 1 13:25:17.313: SSH1: SSH_CMSG_AUTH_PASSWORD message received
Sep 1 13:25:17.317: SSH1: authentication successful for rao
Sep 1 13:25:17.413: SSH1: requesting TTY
Sep 1 13:25:17.413: SSH1: setting TTY - requested: length 25, width 80; set: length 25, width 80
Sep 1 13:25:17.525: SSH1: SSH_CMSG_EXEC_SHELL message received
Sep 1 13:25:17.525: SSH1: starting shell for vty
Sep 1 13:25:25.033: SSH1: Session terminated normally

SSH Client end Log:

% Authorization failed.

[Connection to 10.255.15.2 closed by foreign host]

Config:

aaa authentication login default group tacacs+ line local
aaa authentication login NO_AUTH line
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization configuration default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
ip domain-name cbi.co.in
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 password xxxx
 transport input telnet ssh

Kindly reply with your views.

2 Replies

Richard Burts
Hall of Fame

I believe that the key to understanding your problem is to recognize the subtle difference between authentication and authorization. The authentication process appears that it does succeed but the authorization process has failed according to your error message:

% Authorization failed.

I see that most of your authorization commands include the parameter if-authenticated. But this command does not:

aaa authorization config-commands

I would suggest that you add the if-authenticated parameter to this command and see if it does not fix your problem.

HTH

Rick


You can't log in when there is no authentication method like TACACS, etc.

SSH needs a username. That is the reason.
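Both replies above point at the same two things: the session must end up with a username bound to it, and every AAA list that a login passes through (authentication, EXEC authorization, command authorization) needs a method that still answers when the whole TACACS+ group is unreachable. The configuration below is an added example written for this thread, not the poster's config and not a reply from either respondent. It assumes a local fallback account named "admin" with a placeholder secret, and it keeps only the AAA lists involved in an SSH login; the TACACS+ server definitions, the `aaa authorization configuration` and `config-commands` lines from the original post are left out because they do not decide whether the login itself succeeds.

```cisco
! Added example (not the poster's running configuration).
! Assumes a local emergency account "admin"; replace the placeholder secret.
username admin privilege 15 secret REPLACE_WITH_STRONG_SECRET
!
! Authentication: TACACS+ first, then the local user database.
! Methods are tried in order, and the next method is consulted only when
! the previous one returns an error (server unreachable), not a failure
! (wrong password). The original list "group tacacs+ line local" puts the
! VTY line password ahead of "local", so the local user database is never
! reached; here "line" is dropped so the fallback goes to a real username.
aaa authentication login default group tacacs+ local
!
! EXEC and command authorization: use the same fallback so a session that
! was authenticated locally is also authorized locally, instead of
! depending on a TACACS+ answer that will never arrive. With the "local"
! method, the privilege level from the username entry is what applies.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting only records events; an unreachable server does not block
! the login, so it can stay pointed at TACACS+ alone.
aaa accounting exec default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
! VTY lines: the line password is no longer an authentication method, so
! it is removed; SSH only is a hardening choice of this example, the
! original post allows telnet as well.
line vty 0 4
 transport input ssh
```

To check which list and which method actually answered a login, run `debug aaa authentication` and `debug aaa authorization` alongside `debug ip ssh` while the TACACS+ server is deliberately unreachable in a lab; the authorization debug shows whether the EXEC authorization request was answered by the server, by the fallback method, or by nothing at all, which is the distinction the first reply draws between a successful authentication and a failed authorization.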