AAA Misconfig

Unanswered Question
Mar 10th, 2009

Hello All

aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable

were the lines that I had to enter, but I missed the second line. The router asks me for a user name and password, but it does not accept my user name and password (the console, telnet and enable passwords are also locally defined and have been tried; not working).

Any idea how to get into the router?

(Besides restarting, remotely)



John Blakley Tue, 03/10/2009 - 07:31

Did you configure a tacacs server? If not, it should roll over to the line password on the vty. Although you should have gone under your vty line and added "login authentication default" for it to check your AAA lines. (It may just have a password on the line.)

If you configured your tacacs server and the server is responding, it won't roll over to the next authentication method. You'll need to configure your login information on the tacacs server. I don't use tacacs, but if it's anything like radius, you'll have to tell the tacacs server the client address (the router address), and you'll need your username and password listed in tacacs, or have tacacs authenticate to something else: ldap, AD, etc.

I would just reload and start from scratch; it may be the easiest thing to do.



Giuseppe Larosa Tue, 03/10/2009 - 08:08

Hello Ersin,

When testing AAA, the following suggestions:

never save the config before the end of the test

have a primary session that you never close

test by opening a new telnet session to the same device

I would use a named AAA method; the default method is applied automatically to line vty:


aaa authentication login AAAlogin group tacacs+ line

so then you can add only to line vty

line vty 0 4

login authentication AAAlogin

in this way you don't lose the console

You need to break IP connectivity with the TACACS server, if possible without losing IP connectivity to the device. I was able to recover in some cases using this method (a /32 static route to null0 for the IP address of the router, on the next device towards the TACACS server, to block the return traffic from TACACS).


You can contact the TACACS+ server administrator and apply for a valid account (username and password), which you need to test the solution after all.

Hope to help
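As an added example, not code from the original thread or either reply: the locked-out layout the question describes (all three lines bound to the default list, which IOS applies to every line that has no named list, console included) next to the safer layout Giuseppe suggests, with the TACACS+ server definition John mentions. The server address 192.0.2.10, the shared key, the usernames, passwords and secrets, and the list names AAAlogin and CONSOLE are assumptions; the classic `tacacs-server host` form matches the 2009 vintage of the thread (newer IOS prefers `tacacs server NAME` blocks).

```cisco
! Added example (not from the thread). Addresses, keys, names and passwords
! are placeholders chosen for illustration.

! --- What locks you out: the "default" login list is bound to every line,
! --- console included, and "line" is only consulted when no TACACS+ server
! --- answers. A reachable server that rejects the login does NOT fall through.
! aaa new-model
! aaa authentication login default group tacacs+ line
! aaa authentication enable default group tacacs+ enable

! --- Safer layout for testing ---
aaa new-model
!
! TACACS+ server definition (assumed address and key). Without a defined,
! reachable server the next method in each list is used instead.
tacacs-server host 192.0.2.10
tacacs-server key ExampleKey
!
! Local material so the "local" and "enable" fallbacks have something to check.
username admin privilege 15 secret ExamplePass
enable secret ExampleEnable
!
! Named list for remote access only: TACACS+, then the line password,
! then the local user database.
aaa authentication login AAAlogin group tacacs+ line local
!
! Named list for the console that never depends on the network.
aaa authentication login CONSOLE local
!
! Enable authentication: TACACS+, then the local enable secret.
aaa authentication enable default group tacacs+ enable
!
line con 0
 login authentication CONSOLE
!
line vty 0 4
 password ExampleLinePass
 login authentication AAAlogin
!
! Test procedure from the thread, as comments:
! 1. keep your current (primary) session open and do not "write memory" yet
! 2. open a second telnet session and log in with the TACACS+ account
! 3. only after that second login succeeds, save the configuration
```

Because the console is bound to its own list that uses only the local database, a wrong TACACS+ key, a missing client entry on the server, or an unreachable server can still lock you out of telnet but never out of the console, which is exactly the point Giuseppe makes about not losing it.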


