Device not able to log into AAA server

Unanswered Question
Sep 15th, 2010

I have a router with AAA commands that is not able to log into the AAA server. The router is configured in the AAA server, but it falls back to local credentials.

Vinay Sharma Wed, 09/22/2010 - 06:01

Hi Russnash,

As per the logs I can see that the authorization is successful and it is pushing the AV pair for priv 15.

.Sep 15 14:06:58 CDT: AAA/AUTHOR/EXEC(00000022): processing AV cmd=
.Sep 15 14:06:58 CDT: AAA/AUTHOR/EXEC(00000022): processing AV priv-lvl=15
.Sep 15 14:06:58 CDT: AAA/AUTHOR/EXEC(00000022): Authorization successful
.Sep 15 14:07:14 CDT: AAA/ACCT/19(00000022): Pick method list 'default'

.Sep 15 14:05:44 CDT: AAA/AUTHOR/EXEC(00000021): Authorization successful

From the debugs we have the TACACS protocol configured for authentication. Since we don't have full debugs, please configure this sample configuration and test the authentication:

Here is a sample configuration:

router(config)# enable password XXXXXXX
router(config)# username admin privilege 15 password xxxxx
router(config)# aaa new-model (Enables AAA configuration commands on the router)
router(config)# tacacs-server host XXXXXXX (IP address of the ACS server)
router(config)# tacacs-server key XXXXXX (This is the same shared secret key which we defined on the ACS for this IOS device)
router(config)# aaa authentication login default group tacacs+ local

Authenticate telnet users on TACACS+; if TACACS+ is down, authenticate users with the locally configured telnet username and password on the router.

router(config)# aaa authentication enable default group tacacs+ enable

Authenticate the enable password on TACACS+; if TACACS+ is down, authenticate the enable password with the locally configured enable password on the router.

router(config)# aaa accounting exec default start-stop group tacacs+ (Accounts for all users who telnet in, based on the start and stop of the session, on TACACS+)

router(config)# line vty 0 4 (Change to the vty lines)
router(config-line)# login authentication default (Enables TACACS+ authentication for the vty lines)

thanks,

Vinay
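One way to audit a router's running-config for the conditions that make logins skip TACACS+ and land on local credentials, as discussed in this thread. This is an added example, not code from the thread or from Cisco; the sample config, its address and its secret are constructed placeholders.

```python
import re

# Constructed sample running-config excerpt mirroring the thread's AAA setup;
# the address and the secret are placeholders, not values from the original post.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
tacacs-server host 192.0.2.10
tacacs-server key PLACEHOLDER_SHARED_SECRET
username admin privilege 15 secret PLACEHOLDER
line vty 0 4
 login authentication default
"""

def audit_aaa_config(config_text):
    """Return findings that explain why a router would fall back to local credentials."""
    lines = [ln.rstrip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: AAA method lists are not applied")
    hosts = [ln for ln in lines if ln.startswith("tacacs-server host ")]
    if not hosts:
        findings.append("no tacacs-server host: each login errors to the next method")
    # The shared secret may be global or attached to an individual host entry.
    has_key = any(ln.startswith("tacacs-server key ") for ln in lines) \
        or any(" key " in h for h in hosts)
    if not has_key:
        findings.append("no tacacs-server key: server replies fail, next method is used")
    login = next((ln for ln in lines
                  if ln.startswith("aaa authentication login default ")), None)
    if login is None:
        findings.append("no 'aaa authentication login default' list defined")
    else:
        methods = login.split()[4:]  # tokens after 'aaa authentication login default'
        if "tacacs+" not in methods:
            findings.append("login list never consults TACACS+")
        elif "local" in methods and methods.index("local") < methods.index("tacacs+"):
            findings.append("local listed before group tacacs+: local database tried first")
    # A vty block that names a login list must reference one that actually exists.
    named = {ln.split()[3] for ln in lines if ln.startswith("aaa authentication login ")}
    in_vty = False
    for ln in lines:
        if ln.startswith("line "):
            in_vty = ln.startswith("line vty")
        elif in_vty:
            m = re.match(r"\s*login authentication (\S+)", ln)
            if m and m.group(1) not in named:
                findings.append(f"vty references undefined login list '{m.group(1)}'")
    return findings
```

Run `audit_aaa_config(SAMPLE_CONFIG)` against a pasted `show running-config`; an empty list means the TACACS+-first ordering from the thread is in place.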
