AAA error message

Unanswered Question
Feb 22nd, 2008

Hi,

Whenever I use the command "aaa authentication enable default group tacacs+ enable" on my switch & I try to put the enable password I get the error "% Error in authentication.".

Any clue..?

Rgds.,

Sack

lamav Fri, 02/22/2008 - 05:04

Yes. Your device is using the aaa authentication mechanism that you just configured on the device, as it's supposed to do.

You probably logged in with the local username and/or password log-on credentials that have always existed prior to aaa deployment, and then you proceeded to configure TACACS authentication. Now, the device is rightly using the directives for verifying identity (authentication) that are set out in the aaa configuration -- and your log on credentials don't match, of course.

Typically, you should first configure your ACS server and then configure each node. When configuring each node, enter all the aaa commands and enable passwords, etc., but WAIT to enter the tacacs key for last. This way you will not lock yourself out of the device.

HTH

Victor

Richard Burts Fri, 02/22/2008 - 07:50

The suggestions made by Victor are certainly valid and might address the issue described by Sack. But I wonder if it is not really a different issue. I am thinking about this statement in the original post:

"I try to put the enable password"

I have the impression that Sack is attempting to get into enable mode by entering the enable password. But he has now configured so that AAA will authenticate enable by TACACS. In that case he needs to enter his own TACACS password rather than the enable password. (and this presumes that the userID has been defined in TACACS to have enable privileges) Perhaps Sack can clarify which issue he is facing?

HTH

Rick
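
Added example, not part of any post in this thread: a small Python check that reads an IOS config and reports which password the enable prompt will expect, covering both Victor's ordering advice and Rick's point about the TACACS password. The sample config, the function name audit_enable_auth and the rule that TACACS+ counts as live only once both host and key are present (modelled on Victor's advice) are assumptions; only the legacy tacacs-server syntax is handled.

```python
import re

# Constructed sample config (not from the thread); host and hash are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
tacacs-server host 192.0.2.10
enable secret 5 <hash-placeholder>
"""

def audit_enable_auth(config: str) -> dict:
    """Report how enable-mode authentication is set up in this config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    methods = []
    for l in lines:
        m = re.match(r"aaa authentication enable default\s+(.+)$", l)
        if m:  # split the method list, keeping "group <name>" as one method
            methods = re.findall(r"group \S+|\S+", m.group(1))
    has_host = any(re.match(r"tacacs-server host \S+", l) for l in lines)
    # The key may be global or given on the host line.
    has_key = any(re.match(r"tacacs-server\b.*\bkey \S+", l) for l in lines)
    has_enable = any(re.match(r"enable (secret|password) ", l) for l in lines)

    tacacs_first = methods[:1] == ["group tacacs+"]
    # Assumption modelled on the thread: TACACS+ is live once host AND key exist.
    tacacs_live = tacacs_first and has_host and has_key
    warnings = []
    if tacacs_first and not tacacs_live:
        warnings.append("TACACS+ is first but host or key is missing")
    if "enable" in methods and not has_enable:
        warnings.append("'enable' fallback listed but no enable secret set")
    if tacacs_first and len(methods) == 1:
        warnings.append("no fallback method if the server is unreachable")

    if tacacs_live:
        expects = "tacacs"   # user's own TACACS+ password, not the enable secret
    elif "enable" in methods or not methods:
        expects = "enable"   # local enable secret/password
    else:
        expects = "unknown"
    return {"methods": methods, "prompt_expects": expects, "warnings": warnings}

if __name__ == "__main__":
    print(audit_enable_auth(SAMPLE_CONFIG))
    print(audit_enable_auth(SAMPLE_CONFIG + "tacacs-server key EXAMPLE-KEY\n"))
```

Running it before and after the key line is added shows the point at which the enable prompt stops accepting the local enable secret.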

lamav Fri, 02/22/2008 - 09:26

Hey Rick:

You said exactly what I was suggesting...lol..

You said: "But he has now configured so that AAA will authenticate enable by TACACS. In that case he needs to enter his own TACACS password rather than the enable password. "

I said: "Yes. Your device is using the aaa authentication mechanism that you just configured on the device, as it's supposed to do...Now, the device is rightly using the directives for verifying identity (authentication) that are set out in the aaa configuration -- and your log on credentials don't match, of course."

:-)

Victor
