AAA error message

Unanswered Question
Feb 22nd, 2008

Hi,


Whenever I use the command "aaa authentication enable default group tacacs+ enable" on my switch & I try to put the enable password I get the error "% Error in authentication.".


Any clue..?


Rgds.,

Sack

lamav Fri, 02/22/2008 - 05:04

Yes. Your device is using the aaa authentication mechanism that you just configured on the device, as it's supposed to do.


You probably logged in with the local username and/or password log-on credentials that have always existed prior to aaa deployment, and then you proceeded to configure TACACS authentication. Now, the device is rightly using the directives for verifying identity (authentication) that are set out in the aaa configuration -- and your log on credentials don't match, of course.


Typically, you should first configure your ACS server and then configure each node. When configuring each node, enter all the aaa commands and enable passwords, etc, but WAIT to enter the tacacs key for last. This way you will not lock yourself out of the device.


HTH


Victor

Richard Burts Fri, 02/22/2008 - 07:50

The suggestions made by Victor are certainly valid and might address the issue described by Sack. But I wonder if it is not really a different issue. I am thinking about this statement in the original post:

I try to put the enable password

I have the impression that Sack is attempting to get into enable mode by entering the enable password. But he has now configured so that AAA will authenticate enable by TACACS. In that case he needs to enter his own TACACS password rather than the enable password. (and this presumes that the userID has been defined in TACACS to have enable privileges) Perhaps Sack can clarify which issue he is facing?


HTH


Rick
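
An added example, not part of the original thread: a simplified Python model of how the method list in "aaa authentication enable default group tacacs+ enable" is evaluated. It assumes the standard IOS behaviour that a later method is tried only when the earlier one returns an error (server unreachable), not when it rejects the password; the user name, passwords and function names are constructed for illustration.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method answered: credentials accepted
    FAIL = "fail"    # method answered: credentials rejected
    ERROR = "error"  # method could not answer (server unreachable)

def tacacs_method(server_up, tacacs_users, user):
    """Model of 'group tacacs+': checks the user's own TACACS password."""
    def check(password):
        if not server_up:
            return Result.ERROR
        ok = tacacs_users.get(user) == password
        return Result.PASS if ok else Result.FAIL
    return check

def local_enable_method(enable_password):
    """Model of the trailing 'enable' keyword: the local enable password."""
    def check(password):
        return Result.PASS if password == enable_password else Result.FAIL
    return check

def authenticate_enable(methods, password):
    """Walk the list in order; only ERROR falls through to the next method."""
    for name, check in methods:
        result = check(password)
        if result is not Result.ERROR:
            return name, result
    return None, Result.FAIL

# Constructed sample data, not taken from the thread.
TACACS_USERS = {"sack": "tacacs-pw"}
LOCAL_ENABLE = "enable-pw"

def run(server_up, typed_password):
    """Evaluate 'group tacacs+ enable' for the constructed user 'sack'."""
    methods = [
        ("group tacacs+", tacacs_method(server_up, TACACS_USERS, "sack")),
        ("enable", local_enable_method(LOCAL_ENABLE)),
    ]
    return authenticate_enable(methods, typed_password)

if __name__ == "__main__":
    cases = [(True, "enable-pw"), (True, "tacacs-pw"), (False, "enable-pw")]
    for server_up, pw in cases:
        print(server_up, pw, run(server_up, pw))
```

With the server reachable, typing the enable password is rejected by the TACACS method and the local "enable" method is never consulted; the local password is only checked when TACACS cannot answer at all.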

lamav Fri, 02/22/2008 - 09:26

hey Rick:


You said exactly what I was suggesting...lol..


You said: "But he has now configured so that AAA will authenticate enable by TACACS. In that case he needs to enter his own TACACS password rather than the enable password. "


I said: "Yes. Your device is using the aaa authentication mechanism that you just configured on the device, as it's supposed to do...Now, the device is rightly using the directives for verifying identity (authentication) that are set out in the aaa configuration -- and your log on credentials don't match, of course."


:-)


Victor
