06-11-2014 01:10 PM - edited 03-10-2019 09:47 PM
Hello
I have a VPN tunnel between an ASA5520 and a Cisco 891.
I had the 891 configured with the following:
aaa group server tacacs+ VTY
ip tacacs source-interface Loopback0
!
aaa group server tacacs+ TACACS-ACS
server 10.8.x.x
server 10.16.y.x
!
aaa authentication login CONSOLE none
aaa authentication login VTY group tacacs+ local
aaa authorization exec VTY group tacacs+ local
aaa authorization commands 0 VTY group tacacs+
aaa authorization commands 15 VTY group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting commands 15 CONSOLE start-stop group tacacs+
!
ip tacacs source-interface Loopback0
!
tacacs-server host 10.8.x.x key 7 yadayadayadayada
tacacs-server host 10.16.y.x key 7 yadayadayadayada
tacacs-server directed-request
!
line vty 0 4
access-class 1 in
authorization commands 15 VTY
authorization exec VTY
accounting commands 15 VTY
login authentication VTY
transport input ssh
line vty 5 15
access-class 1 in
authorization commands 15 VTY
authorization exec VTY
accounting commands 15 VTY
login authentication VTY
transport input ssh
I can no longer access the device remotely. I am sure it has to do with the ACS server, but I am not sure where to look.
Any help would be greatly appreciated.
Labels: AAA
Accepted Solutions
06-11-2014 07:17 PM
Hi,
When you say you cannot access the device remotely, are you not able to SSH to the device, or is there no reachability at all?
If SSH is the problem, do you get a login prompt? Any error message? Also, have you checked the ACS failed-attempt logs for any messages?
Regards
Najaf
06-12-2014 09:27 AM
Najaf
Thank you for the response.
I mean I have no remote management access. Traffic is passing.
This is a new site.
I get a login prompt.
My Active Directory credentials and my local username/password do not work.
Both worked prior to the ACS problems with bad sectors on the HD. The ACS was reconfigured.
This appears to be the only site that is having trouble.
06-12-2014 11:04 AM
Hi,
Do you see any failed authentication logs on ACS?
Where did you manage to get the aaa configuration? Are you using this as a standard template?
Could you try modifying the configuration as below?
config terminal
no aaa group server tacacs+ TACACS-ACS
aaa group server tacacs+ VTY
 server 10.8.x.x
 server 10.16.y.x
!
After this, verify that TACACS+ authentication is working with the command below (hope this command works on your device):
test aaa group VTY <username> <password> legacy
Regards
Najaf
06-12-2014 11:21 AM
I get the following message
Attempting authentication test to server-group tacacs+ using tacacs+
*Jun 12 18:19:15.245: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type *invalid_group_handle*
No authoritative response from any server.
06-12-2014 11:44 AM
Hi,
This is a configuration issue.
Have you added the loopback interface IP of the router to the AAA server as an AAA client?
Are the shared keys the same on both the router and the AAA server?
If both of the above are fine, then remove the entire AAA configuration and apply it fresh as below.
no aaa new-model
enable secret ***********
username admin privilege 15 secret *********
aaa new-model
aaa group server tacacs+ VTY
 server 10.8.x.x
 server 10.16.y.x
aaa authentication login VTY group tacacs+ local
! enable authentication only takes the default list
aaa authentication enable default group tacacs+ enable
! xxxxx is the plaintext key configured for this router on ACS; IOS stores it as type 7
tacacs-server host 10.8.x.x key 0 xxxxx
tacacs-server host 10.16.y.x key 0 xxxxx
line vty 0 4
 login authentication VTY
Hope that helps
Regards
Najaf
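Najaf's second question, whether the shared key matches on the router and on ACS, is one the protocol cannot answer in a readable way: TACACS+ (RFC 8907) sends a cleartext 12-byte header and a body XORed with an MD5 pseudo-pad derived from the session id, the shared key, the version and the sequence number, so a key mismatch shows up on the server as a body that does not parse rather than as an explicit error. The following is an added example, not from the thread or from Cisco, implementing that obfuscation for an ASCII-login START and the server's GETPASS reply; the session id, user name, port, remote address and keys are made up, and `exchange()` is a helper of this example, not an IOS or ACS feature.

```python
"""TACACS+ (RFC 8907) body obfuscation, client and server side. Added example,
not from the thread; keys, session id and identities below are made up."""
import hashlib
import struct

VERSION = 0xC0            # major 0xc, minor 0 (ASCII login)
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
ACTION_LOGIN = 0x01
AUTHEN_TYPE_ASCII = 0x01
SERVICE_LOGIN = 0x01
STATUS_GETPASS = 0x05
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate, truncate."""
    fixed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(fixed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad; applying it twice returns the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port="tty1", rem_addr="192.0.2.10"):
    """Client (the router) sends the first packet of an ASCII login, seq_no 1."""
    fields = [user.encode(), port.encode(), rem_addr.encode(), b""]  # user, port, rem_addr, data
    body = struct.pack("!8B", ACTION_LOGIN, 1, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                       *(len(f) for f in fields)) + b"".join(fields)
    header = HEADER.pack(VERSION, TYPE_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, 1)


def parse_authen_start(packet, key):
    """Server side. The header is cleartext, so session id and length are always
    readable; the body only makes sense when the server's key matches the client's."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:]
    if ptype != TYPE_AUTHEN or len(body) != length or length < 8:
        raise ValueError("malformed packet")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv, atype, service, ulen, plen, rlen, dlen = struct.unpack_from("!8B", body)
    if action != ACTION_LOGIN or 8 + ulen + plen + rlen + dlen != length:
        # A wrong shared secret yields a random-looking body; this consistency check
        # is what stands behind a server's "invalid shared secret" style log entry.
        raise ValueError("START body does not decode: shared secret mismatch?")
    off = 8
    user, off = body[off:off + ulen], off + ulen
    port, off = body[off:off + plen], off + plen
    rem = body[off:off + rlen]
    return {"session_id": session_id, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem.decode(), "priv_lvl": priv}


def build_authen_reply(session_id, key, status, server_msg=b""):
    """Server answers with seq_no 2; GETPASS asks the client for the password."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    header = HEADER.pack(VERSION, TYPE_AUTHEN, 2, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, 2)


def parse_authen_reply(packet, key):
    """Client side: de-obfuscate the REPLY and return (status, server_msg)."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = obfuscate(packet[HEADER.size:], session_id, key, version, seq_no)
    status, rflags, msg_len, data_len = struct.unpack_from("!BBHH", body)
    return status, body[6:6 + msg_len]


def exchange(client_key, server_key, session_id=0x1234ABCD, user="admin"):
    """Run START/REPLY between a client and a server holding the given keys (made-up
    session id). Returns the reply status the client sees, or 'secret-mismatch'
    when the server could not decode the START."""
    start = build_authen_start(session_id, client_key, user)
    try:
        parse_authen_start(start, server_key)
    except ValueError:
        return "secret-mismatch"
    reply = build_authen_reply(session_id, server_key, STATUS_GETPASS, b"Password: ")
    status, _msg = parse_authen_reply(reply, client_key)
    return status
```

The point to take from it when troubleshooting: a key mismatch never damages the header, so the device still appears as a known AAA client and the session id is logged, but every body is garbage to the other side; the device therefore sees no usable PASS or FAIL and the method list cannot fall through to `local` the way it would on an unreachable server.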
06-12-2014 12:01 PM
Najaf
What about these other commands on the line?
line vty 0 4
access-class 1 in
authorization commands 15 VTY
authorization exec VTY
accounting commands 15 VTY
login authentication VTY
transport input ssh
line vty 5 15
access-class 1 in
authorization commands 15 VTY
authorization exec VTY
accounting commands 15 VTY
login authentication VTY
transport input ssh
06-12-2014 06:26 PM
Hi,
I wanted you to try the minimum configuration first. Even without the other configuration, things should work.
Have you checked at the AAA server end to confirm that your router's IP address is added there and that the shared keys match?
Regards
Najaf
06-12-2014 01:40 PM
I wiped it out and reconfigured as you requested. Still no access.
06-12-2014 01:50 PM
I get the following messages when I configure line vty 0 4:
Cisco891(config-line)# authorization commands 15 VTY
AAA: Warning authorization list "VTY" is not defined for CMD priv
Cisco891(config-line)# authorization exec VTY
AAA: Warning authorization list "VTY" is not defined for EXEC
Cisco891(config-line)# accounting commands 15 VTY
AAA: Warning accounting list "VTY" is not defined for CMD priv 15
Cisco891(config-line)# login authentication VTY
AAA: Warning authentication list "VTY" is not defined for LOGIN.
Cisco891(config-line)#^Z
Cisco891#
*Jun 12 20:46:00.793: %SYS-5-CONFIG_I: Configured from console by console
What am I doing wrong?!?!?!?!?
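The warnings in the last post are the router checking, as each line sub-command is entered, that the named list it refers to has actually been defined. The same consistency check can be run offline before a snippet is pasted into a box. The code below is an added example, not from the thread or from Cisco; it parses two constructed snippets, the original post's AAA configuration (flagged for the empty VTY server group, the TACACS-ACS group that no method list refers to, and the command-authorization list with no fallback after the TACACS+ group, which denies every command while the server is unreachable) and the minimal rebuild with the line sub-commands re-applied (flagged for the undefined lists, matching the IOS warnings). Server addresses are kept as written in the thread; the finding texts and the function names are the example's own.

```python
"""Offline consistency check for a Cisco IOS AAA snippet. Added example, not from
the thread; the two configs at the bottom are constructed from the thread's snippets."""
import re

KINDS = r"authorization exec|authorization commands \d+|accounting commands \d+"
GROUP_RE = re.compile(r"^aaa group server (?:tacacs\+|radius) (\S+)$")
SERVER_RE = re.compile(r"^server(?:-private)? (\S+)")
LIST_RE = re.compile(r"^aaa (authentication login|" + KINDS + r") (\S+) (.+)$")
LINE_HDR_RE = re.compile(r"^line (con|vty|aux|tty)\b")
LINE_REF_RE = re.compile(r"^(login authentication|" + KINDS + r") (\S+)$")
FALLBACKS = {"local", "local-case", "enable", "line", "none", "if-authenticated"}
BUILTIN_GROUPS = {"tacacs+", "radius"}  # "group tacacs+" means every tacacs-server host


def parse_aaa(config_text):
    """Collect server groups, named method lists and line-level list references."""
    groups, lists, line_refs = {}, {}, []
    context = None  # ("group", name) | ("line", header) | None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] == "!" or line.split()[0] in ("aaa", "line"):
            context = None  # blank, comment or a new top-level command ends the block
        if m := GROUP_RE.match(line):
            groups[m.group(1)] = []
            context = ("group", m.group(1))
        elif LINE_HDR_RE.match(line):
            context = ("line", line)
        elif m := LIST_RE.match(line):
            kind, name, rest = m.groups()
            tokens = rest.split()
            if kind.startswith("accounting") and tokens[0] in ("start-stop", "stop-only", "none"):
                tokens = tokens[1:]  # the accounting record type is not a method
            lists[(kind, name)] = tokens
        elif context and context[0] == "group":
            if m := SERVER_RE.match(line):  # other sub-commands (ip tacacs ...) are ignored
                groups[context[1]].append(m.group(1))
        elif context and context[0] == "line" and (m := LINE_REF_RE.match(line)):
            # the line side says "login authentication X"; the definition says the reverse
            kind = m.group(1).replace("login authentication", "authentication login")
            line_refs.append((context[1], kind, m.group(2)))
    return groups, lists, line_refs


def lint_aaa(config_text):
    """Return findings; an empty list means the snippet is internally consistent."""
    groups, lists, line_refs = parse_aaa(config_text)
    findings, referenced = [], set()
    for (kind, name), tokens in lists.items():
        fallback, it = False, iter(tokens)
        for tok in it:
            if tok == "group":
                val = next(it, "")
                referenced.add(val)
                if val not in BUILTIN_GROUPS and not groups.get(val):
                    findings.append(f"{kind} {name}: server group {val} is undefined or empty")
            elif tok in FALLBACKS:
                fallback = True
        if not kind.startswith("accounting") and not fallback:
            findings.append(f"{kind} {name}: no fallback method after the server group")
    for gname, servers in groups.items():
        if not servers:
            findings.append(f"server group {gname} is empty")
        if gname not in referenced:
            findings.append(f"server group {gname} is defined but never referenced")
    for header, kind, name in line_refs:  # the check IOS does when the line is configured
        if (kind, name) not in lists:
            findings.append(f"{header}: list {name} is not defined for {kind}")
    return findings


ORIGINAL_CONFIG = """
aaa group server tacacs+ VTY
 ip tacacs source-interface Loopback0
!
aaa group server tacacs+ TACACS-ACS
 server 10.8.x.x
 server 10.16.y.x
!
aaa authentication login VTY group tacacs+ local
aaa authorization commands 15 VTY group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
line vty 0 4
 authorization commands 15 VTY
 accounting commands 15 VTY
 login authentication VTY
"""

MINIMAL_CONFIG = """
aaa group server tacacs+ VTY
 server 10.8.x.x
 server 10.16.y.x
aaa authentication login VTY group tacacs+ local
line vty 0 4
 authorization exec VTY
 accounting commands 15 VTY
 login authentication VTY
"""
```

`lint_aaa(ORIGINAL_CONFIG)` reports four findings and `lint_aaa(MINIMAL_CONFIG)` three; note that in both snippets the method lists use the built-in `group tacacs+` (every configured `tacacs-server host`), so the named VTY group is never actually consulted, which is why an empty VTY group by itself does not explain a lockout but an empty or mistyped group referenced by name would.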
