Error in authentication

Unanswered Question
Dec 14th, 2008


I have configured more than 40 Cisco routers (2811 & 1841) with the following aaa commands:

aaa new-model

aaa authentication login default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

ip tacacs source-interface fastethernet 0/0
tacacs-server host x.x.x.x key key123
tacacs-server directed-request

I tried all of them (remote access) and everything works fine.

I was surprised that on two of them (Cisco 2811 & Cisco 1841) I faced an error "error in authentication" when I try to type enable in user mode. By the way, I can access them with username & password.

I tried to change the IP address from the ACS server (AAA clients) for these two sites in order to access using enable secret but failed.

I'm using SSH.

Please help.

mike_guy29 Sun, 12/14/2008 - 07:59


Where is the authentication for the enable password meant to take place? Locally or using Tacacs? It may be worthwhile adding in the command

"aaa authentication enable default group tacacs+ local" or change it slightly depending where you want it to carry out the authentication.

Hope that helps

a.hajhamad Sun, 12/14/2008 - 12:41


The enable secret is local.

the mentioned command is already added but with enable secret when ACS is not reachable.

Richard Burts Sun, 12/14/2008 - 17:53


Mike suggests that you use this command:

aaa authentication enable default group tacacs+ local

and you respond that:

the mentioned command is already added

The aaa authentication enable is not included in your original post. Either your response to Mike is incorrect or your original post is significantly incomplete. In either case it makes it difficult to understand your issue and to give you good advice. Can you clarify exactly what is in your config and what the problem is?



a.hajhamad Mon, 12/15/2008 - 00:41


I replied to him that the mentioned command already exists but with enable secret not locally.

I just want to know if anyone has experienced this problem and how we can access the device remotely (if exists).

Anyway, thanks.

a.hajhamad Mon, 12/15/2008 - 23:05

Solved, the enable secret command is not applied, I don't know how it is removed!
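
An added example, not part of any post in this thread: a small audit that flags saved router configs where AAA is on but privileged-mode authentication depends on an enable secret that is not there, which is the condition reported as the cause above. The function names, finding labels and sample configs are hypothetical, and the check assumes that IOS falls back to the local enable secret when no "aaa authentication enable" list is configured.

```python
import re

# Constructed sample: the AAA lines from the original post, with no enable secret.
BROKEN = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
ip tacacs source-interface fastethernet 0/0
tacacs-server host x.x.x.x key key123
"""
# Constructed sample: same router with an enable method list and a placeholder secret.
FIXED = BROKEN + """\
aaa authentication enable default group tacacs+ enable
enable secret 5 <placeholder-hash>
"""

def audit_enable_auth(config):
    """Return findings about privileged-mode (enable) authentication for one config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    if "aaa new-model" not in lines:
        return []  # AAA is off, so these checks do not apply
    # re.match anchors at the start, so "no enable secret" is not counted.
    has_secret = any(re.match(r"enable (secret|password)\s", l) for l in lines)
    methods = None
    for l in lines:
        m = re.match(r"aaa authentication enable default\s+(.+)", l)
        if m:
            methods = m.group(1).split()
    findings = []
    if methods is None:
        # Assumption: with no enable list, IOS checks the local enable secret.
        methods = ["enable"]
        findings.append("no-enable-method-list")
    if "enable" in methods and not has_secret:
        findings.append("enable-method-without-secret")
    return findings

def audit_fleet(configs):
    """Map hostname -> findings, keeping only routers that have findings."""
    results = {host: audit_enable_auth(cfg) for host, cfg in configs.items()}
    return {host: f for host, f in results.items() if f}

if __name__ == "__main__":
    fleet = {"site-a-2811": BROKEN, "site-b-1841": FIXED}  # constructed hostnames
    for host, findings in audit_fleet(fleet).items():
        print(host, ", ".join(findings))
```
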


