ssh after ACS server "locked up" and had to be reconfigured no longer works.

Steve Coady
Beginner

Hello

I have a VPN tunnel between an ASA5520 and a Cisco 891.

I had the 891 configured with the following:

aaa group server tacacs+ VTY
 ip tacacs source-interface Loopback0
!
aaa group server tacacs+ TACACS-ACS
 server 10.8.x.x
 server 10.16.y.x
!
aaa authentication login CONSOLE none
aaa authentication login VTY group tacacs+ local
aaa authorization exec VTY group tacacs+ local
aaa authorization commands 0 VTY group tacacs+
aaa authorization commands 15 VTY group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting commands 15 CONSOLE start-stop group tacacs+
!
ip tacacs source-interface Loopback0
!
tacacs-server host 10.8.x.x key 7 yadayadayadayada
tacacs-server host 10.16.y.x key 7 yadayadayadayada
tacacs-server directed-request
!
line vty 0 4
 access-class 1 in
 authorization commands 15 VTY
 authorization exec VTY
 accounting commands 15 VTY
 login authentication VTY
 transport input ssh
line vty 5 15
 access-class 1 in
 authorization commands 15 VTY
 authorization exec VTY
 accounting commands 15 VTY
 login authentication VTY
 transport input ssh
I can no longer access the device remotely. I am sure it has to do with the ACS server, but I am not sure where to look.

Any help would be greatly appreciated.
sMc
Accepted Solution

kcnajaf
Rising star

Hi,

When you say you cannot access the device remotely, are you not able to ssh to the device, or is there no reachability at all?

If ssh is the problem, do you get a login prompt? Any error message? Also, have you checked the ACS failed logs for any messages?

Regards

Najaf


9 Replies

Najaf
Thank you for the response.

I mean I have no remote management access. Traffic is passing.

This is a new site.

I get a login prompt.

My Active Directory credentials and my local username/password do not work.

Both worked prior to the ACS problems with bad sectors on the HD. The ACS was reconfigured.

This appears to be the only site that is having trouble.
sMc

Hi,

Do you see any failed authentication logs on ACS?

Where did you manage to get the aaa configuration? Are you using this as a standard template?

Could you try modifying the configuration as below?

config terminal
no aaa group server tacacs+ TACACS-ACS
aaa group server tacacs+ VTY
 server 10.8.x.x
 server 10.16.y.x
!

After this, verify whether TACACS authentication is working with the command below (I hope this command works on your device):

test aaa group tacacs VTY <username> <password> legacy

Regards

Najaf
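A small offline check for the server-group / method-list mismatch Najaf is pointing at, added here as an example and not part of the thread or of any Cisco tool. It parses the IOS AAA stanza quoted above (group names and masked addresses are assumed from the post) and reports server groups that a method list references but that have no servers, and groups that carry servers but no method list ever uses.

```python
import re
# Constructed sample: the poster's AAA stanza as quoted above (addresses and keys masked as in the post).
SAMPLE_CONFIG = """\
aaa group server tacacs+ VTY
 ip tacacs source-interface Loopback0
!
aaa group server tacacs+ TACACS-ACS
 server 10.8.x.x
 server 10.16.y.x
!
aaa authentication login VTY group tacacs+ local
aaa authorization exec VTY group tacacs+ local
tacacs-server host 10.8.x.x key 7 yadayadayadayada
tacacs-server host 10.16.y.x key 7 yadayadayadayada
"""

def parse_server_groups(config: str) -> dict:
    """Map group name -> servers; the built-in 'tacacs+' group comes from global tacacs-server host lines."""
    groups = {"tacacs+": []}
    current = None
    for line in config.splitlines():
        if m := re.match(r"aaa group server tacacs\+ (\S+)", line):
            current = m.group(1)
            groups.setdefault(current, [])
        elif line.startswith(" ") and current is not None:
            if m := re.match(r"\s+server(?:-private)? (\S+)", line):
                groups[current].append(m.group(1))
        else:
            current = None  # any other top-level line closes the stanza
            if m := re.match(r"tacacs-server host (\S+)", line):
                groups["tacacs+"].append(m.group(1))
    return groups

def audit_aaa(config: str) -> list:
    """Flag referenced groups that are undefined or empty, and defined groups no method list uses."""
    groups = parse_server_groups(config)
    refs = set()  # names used as 'group <name>' in any aaa method list
    for line in config.splitlines():
        if re.match(r"aaa (authentication|authorization|accounting) ", line):
            refs.update(re.findall(r"\bgroup (\S+)", line))
    findings = []
    for name in sorted(refs):
        if name not in groups:
            findings.append(f"undefined group {name} referenced by a method list")
        elif not groups[name]:
            findings.append(f"group {name} is referenced but has no servers")
    for name, servers in sorted(groups.items()):
        if name != "tacacs+" and name not in refs:
            findings.append(f"group {name} ({len(servers)} servers) is never referenced")
    return findings
```

Run against the sample it reports that TACACS-ACS holds the servers yet nothing references it, while VTY is both empty and unused; the method lists themselves only use the built-in tacacs+ group.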

I get the following message:

Attempting authentication test to server-group tacacs+ using tacacs+

*Jun 12 18:19:15.245: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type *invalid_group_handle*No authoritative response from any server.

sMc