2590 Views, 0 Helpful, 5 Replies
Beginner

AAA/AUTHEN (2520983360): status = ERROR

Hi,

I am getting aaa/authen status = error messages when I am debugging the aaa authentication.

TACACS is very much reachable with no request timeouts.

Sometimes it is authenticating with TACACS. Many times it is authenticating with local.

The enable password is always authenticating with local.

I am not finding any failure log in ACS.

AAA server is Cisco Secure ACS 1121 - 5.2 Version.

AAA client is a Cisco 2950 Switch.

Can anyone help?

5 REPLIES
Beginner

Re: AAA/AUTHEN (2520983360): status = ERROR

If you can send your 2950 aaa config, it might help, but I'm guessing you need something like the following to make the switch check TACACS (ACS) first, then look local when going into priv exec:

     aaa authentication enable default group tacacs+ local

Just a guess, since I've never seen that error, but if you can show your aaa config it would help eliminate that as a problem.

--Chris

Beginner

Re: AAA/AUTHEN (2520983360): status = ERROR

Hi Chris,

Thanks for your reply. This is my switch config.

     aaa new-model
     ! login (console/vty) goes to TACACS+ first; local users are consulted only if TACACS+ returns ERROR
     aaa authentication login default group tacacs+ local
     ! enable goes to TACACS+ first; the local enable password is consulted only if TACACS+ returns ERROR
     aaa authentication enable default group tacacs+ enable
     tacacs-server host 10.1.7.150
     tacacs-server key tatasky
     line vty 0 4
      transport preferred telnet
      login authentication default

Beginner

Re: AAA/AUTHEN (2520983360): status = ERROR

Your aaa authentication config looks right to me. As I'm sure you know, according to your config, if the ACS is available, then your switch should never look locally for authentication. (If ACS can't find a valid account, it will send back a deny message, and the switch will not allow access, regardless of whether the user account is present locally.) So I'm kinda stuck there.

Any chance you could 'debug aaa authentication', log in and enable, then paste the (sanitized) log results? Otherwise, there should be log entries that say something like:

     May 23 15:45:11.888 ZULU: TAC+: (-000000000): received author response status = PASS_ADD

     May 23 15:45:11.999 ZULU: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'

The first one indicates successful communication with the ACS, and the second verifies that TELNET logins map to the default method list (aaa authentication login default group tacacs+ local).

Beginner

Re: AAA/AUTHEN (2520983360): status = ERROR

     49w4d: TAC+: send AUTHEN/START packet ver=192 id=2520983360

     49w4d: AAA/AUTHEN (2520983360): status = ERROR

     49w4d: AAA/AUTHEN/START (2520983360): Method=LOCAL

This is the error log when I am debugging.

Reachability of the AAA server is 10000/10000 ping requests.

The AAA client is added already.
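The three debug lines above carry the whole story of one session: the switch sent a TACACS+ AUTHEN/START (ver=192 is 0xC0, TACACS+ major version 0xC, minor version 0), the AAA subsystem recorded status = ERROR for that session id, and it then moved on to Method=LOCAL. ERROR is what makes IOS fall through to the next method in `group tacacs+ local`; a FAIL from the server would stop the list and deny access. The following Python script is an added example, not code from the thread or from Cisco: it groups `debug aaa authentication` / `debug tacacs` lines by session id and labels each session as a TACACS+ pass, a TACACS+ rejection, or an ERROR with local fallback. The sample log is constructed: the first three lines mirror the ones posted, the other two sessions (ids 1177334482 and 3141592653) are made up to show the PASS and FAIL paths for comparison.

```python
import re
from collections import OrderedDict

# Constructed sample of "debug aaa authentication" / "debug tacacs" output.
# The first three lines mirror the thread; the remaining sessions are made up
# so the PASS and FAIL paths can be seen next to the ERROR path.
SAMPLE_DEBUG = """\
49w4d: TAC+: send AUTHEN/START packet ver=192 id=2520983360
49w4d: AAA/AUTHEN (2520983360): status = ERROR
49w4d: AAA/AUTHEN/START (2520983360): Method=LOCAL
49w4d: TAC+: send AUTHEN/START packet ver=192 id=1177334482
49w4d: AAA/AUTHEN (1177334482): status = GETPASS
49w4d: AAA/AUTHEN (1177334482): status = PASS
49w4d: TAC+: send AUTHEN/START packet ver=192 id=3141592653
49w4d: AAA/AUTHEN (3141592653): status = FAIL
"""

START_RE = re.compile(r"TAC\+: send AUTHEN/START packet ver=(\d+) id=(\d+)")
STATUS_RE = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
METHOD_RE = re.compile(r"AAA/AUTHEN/START \((\d+)\): Method=(\w+)")


def parse_sessions(debug_text):
    """Group debug lines by AAA session id (the id= value / the number in parentheses)."""
    sessions = OrderedDict()

    def session(sid):
        return sessions.setdefault(sid, {"version": None, "statuses": [], "methods": []})

    for line in debug_text.splitlines():
        m = START_RE.search(line)
        if m:
            ver = int(m.group(1))
            s = session(m.group(2))
            # ver=192 is 0xC0: TACACS+ major version 0xC, minor version 0
            s["version"] = (ver >> 4, ver & 0x0F)
            s["methods"].append("TACACS+")
            continue
        m = STATUS_RE.search(line)
        if m:
            session(m.group(1))["statuses"].append(m.group(2))
            continue
        m = METHOD_RE.search(line)
        if m:
            session(m.group(1))["methods"].append(m.group(2))
    return sessions


def verdict(session):
    """Classify one session.

    ERROR: the TACACS+ server could not be used (no usable reply), so IOS
    continues with the next method in the list, here LOCAL.
    FAIL: the server answered with a rejection; the method list stops.
    """
    statuses, methods = session["statuses"], session["methods"]
    if "ERROR" in statuses:
        if methods and methods[-1] == "LOCAL":
            return "tacacs-error-fallback-local"
        return "tacacs-error"
    if "FAIL" in statuses:
        return "tacacs-rejected"
    if "PASS" in statuses:
        return "tacacs-pass"
    return "incomplete"


def analyze(debug_text):
    """Map each session id in the debug text to its verdict."""
    return {sid: verdict(s) for sid, s in parse_sessions(debug_text).items()}


if __name__ == "__main__":
    for sid, v in analyze(SAMPLE_DEBUG).items():
        print(sid, v)
```

Run it over a real capture by replacing SAMPLE_DEBUG with the pasted debug output; any session labelled tacacs-error-fallback-local is a login that the local database decided, not ACS, which is the behaviour the original post describes.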

Cisco Employee

Re: AAA/AUTHEN (2520983360): status = ERROR

As per the debugs, it seems like authentication is hitting the local database.

Did you try from the device:

telnet 49

Also add this command if not configured already:

ip tacacs source-interface

In case it doesn't work, then run:

debug aaa authen

debug tacacs

Let me know how it goes.

Regards,

Jatin

~Jatin Katyal
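The two suggestions above test the two things a TACACS+ server needs before it can answer at all: a TCP connection on port 49, and a packet it can decode with the shared secret it has on file for the client's source address. TACACS+ obfuscates every packet body with an MD5 pseudo-pad derived from the session id, the shared secret, the version byte and the sequence number (RFC 8907). If the switch sends from an interface the server does not know as an AAA client, or with a secret that does not match, the server cannot decode the body and the switch sees an ERROR rather than a FAIL, which is exactly what lets `group tacacs+ local` fall through to local. The Python below is an added example, not the thread's, Cisco's or ACS's code: it encodes an AUTHEN START as a NAS would and decodes it as a server would, showing that the wrong secret yields an undecodable packet. The session id is the one from the debug; the secret, username, port and addresses are constructed for the example.

```python
import hashlib
import struct

# TACACS+ constants from RFC 8907; everything else here is an illustrative
# encoder/decoder written for this example.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01        # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 body obfuscation: chained MD5 over
    session_id || key || version || seq_no [|| previous digest], cut to body length."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def build_authen_start(session_id, key, user, port, rem_addr, priv_lvl=1):
    """Encode an AUTHEN START for an ASCII login, as the NAS (switch) does."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT  # 0xC0 == the ver=192 in the debug
    seq_no, flags = 1, 0
    u, p, r, data = user.encode(), port.encode(), rem_addr.encode(), b""
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(data)) + u + p + r + data
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    obfuscated = bytes(a ^ b for a, b in zip(body, pad))
    return HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + obfuscated


def parse_authen_start(packet, key):
    """Decode as the server does, with the secret it holds for the client's source IP.
    With the wrong secret the pad is wrong, so the length fields are garbage and the
    body fails validation: a decode ERROR, not an authentication FAIL."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TAC_PLUS_AUTHEN or length < 8 or len(packet) != HEADER.size + length:
        raise ValueError("not a well-formed authentication packet")
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    clear = bytes(a ^ b for a, b in zip(packet[HEADER.size:], pad))
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", clear[:8])
    if action != TAC_PLUS_AUTHEN_LOGIN or priv_lvl > 15 or 8 + ulen + plen + rlen + dlen != length:
        raise ValueError("body does not decode: shared secret mismatch?")
    off, fields = 8, []
    for n in (ulen, plen, rlen, dlen):
        fields.append(clear[off:off + n])
        off += n
    user, port, rem_addr, _data = fields
    return {"version": version, "session_id": session_id, "priv_lvl": priv_lvl,
            "user": user.decode(), "port": port.decode(), "rem_addr": rem_addr.decode()}


def decode_with(packet, key):
    """Return the decoded START, or None when the secret does not fit the packet."""
    try:
        return parse_authen_start(packet, key)
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    # Constructed values: only the session id comes from the thread's debug output.
    pkt = build_authen_start(2520983360, b"example-shared-secret", "admin", "tty1", "10.1.7.200")
    print("right secret:", decode_with(pkt, b"example-shared-secret"))
    print("wrong secret:", decode_with(pkt, b"some-other-secret"))
```

The server selects the secret by the source IP of the TCP connection, so `ip tacacs source-interface` matters for the same reason the key does: a request from an address that is not configured as an AAA client on the server cannot be decoded either. A `telnet <server> 49` from the switch only proves the TCP handshake, which the 10000/10000 pings already made likely; it says nothing about whether the bodies decode.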