AAA/AUTHEN (2520983360): status = ERROR

Unanswered Question
May 23rd, 2012

Hi,

I am getting AAA/AUTHEN status = ERROR messages when I am debugging the AAA authentication.

TACACS is very much reachable, with no request timeouts.

Sometimes it's authenticating with TACACS. Many times it's authenticating with local.

The enable password is always authenticating with local.

I am not finding any failure log in ACS.

AAA server is Cisco Secure ACS 1121, version 5.2.

AAA client is a Cisco 2950 switch.

Can anyone help?

spindoctor64@gm... Wed, 05/23/2012 - 07:12

If you can send your 2950 aaa config, it might help, but I'm guessing you need something like the following to make the switch check TACACS (ACS) first, then look local when going into priv exec:

     aaa authentication enable default group tacacs+ local

Just a guess, since I've never seen that error, but if you can show your aaa config it would help eliminate that as a problem.

--Chris

lenins.akm Wed, 05/23/2012 - 07:25

Hi Chris,

Thanks for your reply. This is my switch config.

     aaa new-model
     aaa authentication login default group tacacs+ local
     aaa authentication enable default group tacacs+ enable
     tacacs-server host 10.1.7.150
     tacacs-server key tatasky
     line vty 0 4
      transport preferred telnet
      login authentication default

spindoctor64@gm... Wed, 05/23/2012 - 08:51

Your aaa authentication config looks right to me.  As I'm sure you know, according to your config, if the ACS is available, then your switch should never look locally for authentication.  (If ACS can't find a valid account, it will send back a deny message, and the switch will not allow access, regardless of whether the user account is present locally.)  So I'm kinda stuck there.

Any chance you could 'debug aaa authentication', login and enable, then paste the (sanitized) log results?  Otherwise, there should be log entries that say something like:

     May 23 15:45:11.888 ZULU: TAC+: (-000000000): received author response status = PASS_ADD

     May 23 15:45:11.999 ZULU: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'

The first one indicates successful communication with the ACS, and the second verifies that TELNET logins map to the default method (aaa authentication login default group tacacs+ local).

lenins.akm Wed, 05/23/2012 - 09:31

     49w4d: TAC+: send AUTHEN/START packet ver=192 id=2520983360
     49w4d: AAA/AUTHEN (2520983360): status = ERROR
     49w4d: AAA/AUTHEN/START (2520983360): Method=LOCAL

This is the error log when I am debugging.

Reachability of the AAA server is 10000/10000 ping requests.

AAA client is added already.
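The three debug lines above show the mechanism behind "sometimes TACACS, sometimes local": in IOS, `status = FAIL` means the TACACS+ server answered and rejected the login (the method list stops there), while `status = ERROR` means the TACACS+ method produced no answer at all (server unreachable, shared key mismatch, malformed reply), so the method list moves on to the next entry, here `local`. The following script is an added example, not code from the thread or from Cisco: it parses `debug aaa authentication` output, groups events by session id, and flags every session that fell back to a non-TACACS method. The first three sample lines are the ones quoted in the thread; the remaining session ids and their FAIL/PASS outcomes are constructed to exercise the other branches.

```python
import re
from collections import defaultdict

# Constructed sample of IOS "debug aaa authentication" output. The first three
# lines are from the thread; the sessions 1111111111 and 2222222222 are invented
# to show a server-side deny and a server-side pass for comparison.
SAMPLE_DEBUG = """\
49w4d: TAC+: send AUTHEN/START packet ver=192 id=2520983360
49w4d: AAA/AUTHEN (2520983360): status = ERROR
49w4d: AAA/AUTHEN/START (2520983360): Method=LOCAL
49w4d: TAC+: send AUTHEN/START packet ver=192 id=1111111111
49w4d: AAA/AUTHEN (1111111111): status = FAIL
49w4d: TAC+: send AUTHEN/START packet ver=192 id=2222222222
49w4d: AAA/AUTHEN (2222222222): status = PASS
"""

# "AAA/AUTHEN (<session>): status = <STATUS>" -> outcome of the current method
STATUS_RE = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
# "AAA/AUTHEN/START (<session>): Method=<METHOD>" -> the method list moved on
METHOD_RE = re.compile(r"AAA/AUTHEN/START \((\d+)\): Method=(\w+)")


def parse_sessions(text):
    """Group status and method events by AAA session id, in the order seen."""
    sessions = defaultdict(lambda: {"statuses": [], "methods": []})
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            sessions[m.group(1)]["statuses"].append(m.group(2))
            continue
        m = METHOD_RE.search(line)
        if m:
            sessions[m.group(1)]["methods"].append(m.group(2))
    return dict(sessions)


def classify(session):
    """Label one session by what the TACACS+ method did and whether AAA moved on."""
    statuses, methods = session["statuses"], session["methods"]
    if "PASS" in statuses:
        return "tacacs-pass"
    if "FAIL" in statuses:
        # The server answered and denied: IOS does not try the next method.
        return "tacacs-deny"
    if "ERROR" in statuses:
        # No usable answer from the server: IOS tries the next method in the
        # list, which the Method= line names (LOCAL for the thread's config).
        if methods:
            return "fallback-to-" + methods[-1].lower()
        return "error-no-fallback"
    return "unknown"


def summarize(text):
    """Map each session id in a debug capture to its classification."""
    return {sid: classify(s) for sid, s in parse_sessions(text).items()}


def fallback_sessions(text):
    """Session ids where the TACACS+ method errored and AAA fell back."""
    return sorted(sid for sid, label in summarize(text).items()
                  if label.startswith("fallback-to-"))


if __name__ == "__main__":
    for sid, label in summarize(SAMPLE_DEBUG).items():
        print(sid, label)
    print("fallback sessions:", fallback_sessions(SAMPLE_DEBUG))
```

Running this over the thread's own three lines yields `fallback-to-local` for session 2520983360, which is the condition to alarm on from a defender's view: every such session is a login that the central server never evaluated and that the ACS log will therefore not show. A count of these sessions over a day, split by switch, is a cheap way to spot a key mismatch or a missing AAA client entry long before someone notices that local credentials are quietly in use.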

Jatin Katyal Wed, 05/23/2012 - 10:55

As per the debugs, it seems like authentication is hitting the local database.

Did you try from the device:

     telnet 49

Also add this command if not configured already:

     ip tacacs source-interface

In case it doesn't work, then run:

     debug aaa authen
     debug tacacs

Let me know how it goes.

Regards,

Jatin

Posted May 23, 2012 at 6:58 AM