09-26-2013 12:44 PM - edited 03-10-2019 08:56 PM
Telnet has been working forever on our 6500 switches and today it stopped. We use TACACS. Here's the message we receive when trying to log in:
% Authorization failed.
Here's the TACACS and AAA config:
aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common
tacacs-server host 192.168.100.253
tacacs-server timeout 10
tacacs-server directed-request
tacacs-server key 7 ..................................
Other switches are still authenticating properly using the same TACACS.
What could have happened to it? We received a lot of messages saying it could not reach 192.168.100.254 from the management VLAN, but the TACACS server is actually 254. Can you help please? I tried to create a local username, but that didn't work either as a temporary fix.
Thanks.
09-26-2013 12:52 PM
Please help me with:
show run | begin line vty
debug tacacs
debug aaa authen
debug aaa author
Do you see any hits on the ACS under reports and activities?
~BR
Jatin Katyal
**Do rate helpful posts**
09-26-2013 01:30 PM
Thanks for your help. What option do I select under reports and activity? I will get you the debug info in a second.
09-26-2013 01:58 PM
line vty 0 4
exec-timeout 60 0
password 7 ......................
line vty 5 15
exec-timeout 60 0
password 7 ..........................
!
.Sep 26 16:54:33.538 EDT: TPLUS: Queuing AAA Accounting request 5531 for processing
.Sep 26 16:54:33.538 EDT: TPLUS: processing accounting request id 5531
.Sep 26 16:54:33.538 EDT: TPLUS: Sending AV task_id=7744
.Sep 26 16:54:33.538 EDT: TPLUS: Sending AV timezone=EDT
.Sep 26 16:54:33.538 EDT: TPLUS: Sending AV service=shell
.Sep 26 16:54:33.538 EDT: TPLUS: Sending AV start_time=1380228873
.Sep 26 16:54:33.538 EDT: TPLUS: Sending AV priv-lvl=15
.Sep 26 16:54:33.538 EDT: TPLUS: Sending AV cmd=debug aaa authentication
.Sep 26 16:54:33.538 EDT: TPLUS: Accounting request created for 5531(ssaab)
.Sep 26 16:54:33.538 EDT: TPLUS: using previously set server 192.168.100.253 from group tacacs+
.Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/NB_WAIT/52AC5CD4: Started 10 sec timeout
.Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/NB_WAIT: socket event 2
.Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/NB_WAIT: wrote entire 143 bytes request
.Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/READ: socket event 1
.Sep 26 16:54:33.542 EDT: TPLUS(0000159B)/0/READ: Would block while reading
.Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/READ: socket event 1
.Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/READ: read entire 12 header bytes (expect 5 bytes data)
.Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/READ: socket event 1
.Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/READ: read entire 17 bytes response
.Sep 26 16:54:33.546 EDT: TPLUS(0000159B)/0/52AC5CD4: Processing the reply packet
.Sep 26 16:54:33.546 EDT: TPLUS: Received accounting response with status PASS
.Sep 26 16:54:42.450 EDT: TPLUS: Queuing AAA Accounting request 5531 for processing
.Sep 26 16:54:42.450 EDT: TPLUS: processing accounting request id 5531
.Sep 26 16:54:42.450 EDT: TPLUS: Sending AV task_id=7745
.Sep 26 16:54:42.450 EDT: TPLUS: Sending AV timezone=EDT
.Sep 26 16:54:42.450 EDT: TPLUS: Sending AV service=shell
.Sep 26 16:54:42.450 EDT: TPLUS: Sending AV start_time=1380228882
.Sep 26 16:54:42.450 EDT: TPLUS: Sending AV priv-lvl=15
.Sep 26 16:54:42.450 EDT: TPLUS: Sending AV cmd=debug aaa authorization
.Sep 26 16:54:42.450 EDT: TPLUS: Accounting request created for 5531(ssaab)
.Sep 26 16:54:42.450 EDT: TPLUS: using previously set server 192.168.100.253 from group tacacs+
.Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/NB_WAIT/52AC5CD4: Started 10 sec timeout
.Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/NB_WAIT: socket event 2
.Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/NB_WAIT: wrote entire 142 bytes request
.Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/READ: socket event 1
.Sep 26 16:54:42.454 EDT: TPLUS(0000159B)/0/READ: Would block while reading
.Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/READ: socket event 1
.Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/READ: read entire 12 header bytes (expect 5 bytes data)
.Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/READ: socket event 1
.Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/READ: read entire 17 bytes response
.Sep 26 16:54:42.458 EDT: TPLUS(0000159B)/0/52AC5CD4: Processing the reply packet
.Sep 26 16:54:42.458 EDT: TPLUS: Received accounting response with status PASS
.Sep 26 16:55:02.830 EDT: AAA/BIND(0000159F): Bind i/f
.Sep 26 16:55:02.830 EDT: AAA/AUTHEN/LOGIN (0000159F): Pick method list 'default'
.Sep 26 16:55:02.830 EDT: TPLUS: Queuing AAA Authentication request 5535 for processing
.Sep 26 16:55:02.834 EDT: TPLUS: processing authentication start request id 5535
.Sep 26 16:55:02.834 EDT: TPLUS: Authentication start packet created for 5535(ssaab)
.Sep 26 16:55:02.834 EDT: TPLUS: Using server 192.168.100.253
.Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/NB_WAIT/528154D8: Started 10 sec timeout
.Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/NB_WAIT: socket event 2
.Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/NB_WAIT: wrote entire 42 bytes request
.Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/READ: socket event 1
.Sep 26 16:55:02.834 EDT: TPLUS(0000159F)/0/READ: Would block while reading
.Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/READ: socket event 1
.Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/READ: read entire 12 header bytes (expect 16 bytes data)
.Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/READ: socket event 1
.Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/READ: read entire 28 bytes response
.Sep 26 16:55:02.838 EDT: TPLUS(0000159F)/0/528154D8: Processing the reply packet
.Sep 26 16:55:02.838 EDT: TPLUS: Received authen response status GET_PASSWORD (8)
.Sep 26 16:55:06.407 EDT: TPLUS: Queuing AAA Authentication request 5535 for processing
.Sep 26 16:55:06.407 EDT: TPLUS: processing authentication continue request id 5535
.Sep 26 16:55:06.407 EDT: TPLUS: Authentication continue packet generated for 5535
.Sep 26 16:55:06.407 EDT: TPLUS(0000159F)/0/WRITE/52A57824: Started 10 sec timeout
.Sep 26 16:55:06.407 EDT: TPLUS(0000159F)/0/WRITE: wrote entire 25 bytes request
.Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/READ: socket event 1
.Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/READ: read entire 12 header bytes (expect 6 bytes data)
.Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/READ: socket event 1
.Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/READ: read entire 18 bytes response
.Sep 26 16:55:06.419 EDT: TPLUS(0000159F)/0/52A57824: Processing the reply packet
.Sep 26 16:55:06.419 EDT: TPLUS: Received authen response status PASS (2)
.Sep 26 16:55:06.427 EDT: AAA/AUTHOR (0x159F): Pick method list 'default'
.Sep 26 16:55:06.427 EDT: TPLUS: Queuing AAA Authorization request 5535 for processing
.Sep 26 16:55:06.427 EDT: TPLUS: processing authorization request id 5535
.Sep 26 16:55:06.427 EDT: TPLUS: Protocol set to None .....Skipping
.Sep 26 16:55:06.427 EDT: TPLUS: Sending AV service=shell
.Sep 26 16:55:06.427 EDT: TPLUS: Sending AV cmd*
.Sep 26 16:55:06.427 EDT: TPLUS: Authorization request created for 5535(ssaab)
.Sep 26 16:55:06.427 EDT: TPLUS: using previously set server 192.168.100.253 from group tacacs+
.Sep 26 16:55:06.427 EDT: TPLUS(0000159F)/0/NB_WAIT/47A1ECA0: Started 10 sec timeout
.Sep 26 16:55:06.431 EDT: TPLUS(0000159F)/0/NB_WAIT: socket event 2
.Sep 26 16:55:06.431 EDT: TPLUS(0000159F)/0/NB_WAIT: wrote entire 61 bytes request
.Sep 26 16:55:06.431 EDT: TPLUS(0000159F)/0/READ: socket event 1
.Sep 26 16:55:06.431 EDT: TPLUS(0000159F)/0/READ: Would block while reading
.Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/READ: socket event 1
.Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/READ: read entire 12 header bytes (expect 6 bytes data)
.Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/READ: socket event 1
.Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/READ: read entire 18 bytes response
.Sep 26 16:55:06.435 EDT: TPLUS(0000159F)/0/47A1ECA0: Processing the reply packet
.Sep 26 16:55:06.435 EDT: TPLUS: received authorization response for 5535: FAIL
.Sep 26 16:55:06.435 EDT: AAA/AUTHOR/EXEC(0000159F): Authorization FAILED
.Sep 26 16:55:14.751 EDT: TPLUS: Queuing AAA Accounting request 5531 for processing
.Sep 26 16:55:14.755 EDT: TPLUS: processing accounting request id 5531
.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV task_id=7746
.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV timezone=EDT
.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV service=shell
.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV start_time=1380228914
.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV priv-lvl=15
.Sep 26 16:55:14.755 EDT: TPLUS: Sending AV cmd=show logging
.Sep 26 16:55:14.755 EDT: TPLUS: Accounting request created for 5531(ssaab)
.Sep 26 16:55:14.755 EDT: TPLUS: using previously set server 192.168.100.253 from group tacacs+
.Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/NB_WAIT/52A4402C: Started 10 sec timeout
.Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/NB_WAIT: socket event 2
.Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/NB_WAIT: wrote entire 131 bytes request
.Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/READ: socket event 1
.Sep 26 16:55:14.755 EDT: TPLUS(0000159B)/0/READ: Would block while reading
.Sep 26 16:55:14.759 EDT: TPLUS(0000159B)/0/READ: socket event 1
.Sep 26 16:55:14.759 EDT: TPLUS(0000159B)/0/READ: read entire 12 header bytes (expect 5 bytes data)
.Sep 26 16:55:14.759 EDT: TPLUS(0000159B)/0/READ: socket event 1
.Sep 26 16:55:14.759 EDT: TPLUS(0000159B)/0/READ: read entire 17 bytes response
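As an added example (not from the thread), a small Python parser that groups the TPLUS debug lines above by request id and flags logins where authentication returned PASS but exec authorization returned FAIL, which is exactly what request 5535 shows. The sample lines are copied from the post; the dictionary layout and function names are my own.

```python
import re

# Constructed sample: the decisive TPLUS debug lines from this thread for login request 5535.
SAMPLE_DEBUG = """\
.Sep 26 16:55:02.834 EDT: TPLUS: processing authentication start request id 5535
.Sep 26 16:55:02.834 EDT: TPLUS: Authentication start packet created for 5535(ssaab)
.Sep 26 16:55:02.838 EDT: TPLUS: Received authen response status GET_PASSWORD (8)
.Sep 26 16:55:06.419 EDT: TPLUS: Received authen response status PASS (2)
.Sep 26 16:55:06.427 EDT: TPLUS: processing authorization request id 5535
.Sep 26 16:55:06.427 EDT: TPLUS: Sending AV service=shell
.Sep 26 16:55:06.427 EDT: TPLUS: Sending AV cmd*
.Sep 26 16:55:06.435 EDT: TPLUS: received authorization response for 5535: FAIL
.Sep 26 16:55:06.435 EDT: AAA/AUTHOR/EXEC(0000159F): Authorization FAILED
"""

# The request id shows up on "request id N", "created for N(user)" and "response for N"
# lines; the status lines that follow belong to that request.
REQ_ID = re.compile(r"(?:request id|created for|response for) (\d+)(?:\((\w+)\))?")
AUTHEN = re.compile(r"Received authen response status (\w+)")
AUTHOR = re.compile(r"received authorization response for \d+: (\w+)")
AV = re.compile(r"Sending AV (\S+)")

def summarize_tplus(text):
    """Group TPLUS debug lines by request id and record each AAA outcome."""
    sessions, current = {}, None
    for line in text.splitlines():
        if (m := REQ_ID.search(line)):
            current = m.group(1)
            s = sessions.setdefault(current, {"user": None, "authen": [], "author": None, "avs": []})
            if m.group(2):
                s["user"] = m.group(2)
        if current is None:
            continue  # lines before any request id cannot be attributed
        s = sessions[current]
        if (m := AUTHEN.search(line)):
            s["authen"].append(m.group(1))
        elif (m := AUTHOR.search(line)):
            s["author"] = m.group(1)
        elif (m := AV.search(line)):
            s["avs"].append(m.group(1))  # e.g. service=shell cmd*, as ACS reports it
    return sessions

def exec_authz_failures(sessions):
    """Request ids that authenticated (PASS) but whose exec authorization came back FAIL."""
    return sorted(r for r, s in sessions.items() if "PASS" in s["authen"] and s["author"] == "FAIL")

if __name__ == "__main__":
    found = summarize_tplus(SAMPLE_DEBUG)
    print({rid: found[rid] for rid in exec_authz_failures(found)})
```

Run against a full `debug tacacs` capture, this separates "the server never answered" (no authen status at all) from "the server answered and denied the shell service", which is the distinction the ACS failed-attempts report later confirms.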
09-26-2013 02:49 PM
So this is what we are getting, but I also see you're not using exec authorization:
.Sep 26 16:55:06.435 EDT: TPLUS: received authorization response for 5535: FAIL
.Sep 26 16:55:06.435 EDT: AAA/AUTHOR/EXEC(0000159F): Authorization FAILED
Can you paste the output of show run | in single-connect?
~BR
Jatin Katyal
**Do rate helpful posts**
09-27-2013 06:13 AM
Nothing comes up when I do show run | in single-connect. Now, this was working before. I don't know why it stopped.
09-27-2013 06:23 AM
This is the correct config from the 6509:
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
09-27-2013 10:23 AM
Last time you pasted the config listed below without the command in bold:
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
**aaa authorization exec default group tacacs+ if-authenticated**
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
On the TACACS server, please make sure the privilege level is set to 15 for that user. What code of ACS server are you using?
~BR
Jatin Katyal
**Do rate helpful posts**
09-27-2013 11:08 AM
Yes, I apologize, I was in the wrong switch. We are running ACS 3.3. Users are inheriting group settings and it's set to level 15.
09-27-2013 12:59 PM
Check ACS > reports and activities > failed attempts.
~BR
Jatin Katyal
**Do rate helpful posts**
09-27-2013 02:25 PM
09/26/2013,16:26:04,Author failed,ssaab,Net Enable,192.168.78.82,,Service denied,service=shell cmd*,tty1,192.168.100.2
09/26/2013,13:07:33,Author failed,ssaab,Net Enable,192.168.78.82,,Service denied,service=shell cmd*,tty1,192.168.100.4
09-30-2013 06:02 AM
Any more thoughts on this, Jatin?
09-30-2013 07:52 AM
Never mind, it worked by itself now.
09-30-2013 08:06 AM
Started working on its own...:)
Thanks for closing the discussion.
~BR
Jatin Katyal
**Do rate helpful posts**
09-30-2013 10:28 AM
Yes, it's crazy. I don't know why this happened.