Cisco Support Community
New Member

AAA authentication error

Hi,

I am getting an AAA authorization error message. The debug output and the config applied to the router are below. I am receiving a successful GETPASS from the TACACS server and then immediately an authorization failure. The config is definitely okay as it works on hundreds of other routers.

I have also specified Loopback0 as the TACACS source interface.

Any ideas?

Regards

Mary

O2_TopUp#debug aaa authentication
AAA Authentication debugging is on
O2_TopUp#debug aaa author
O2_TopUp#debug aaa authorization
AAA Authorization debugging is on
O2_TopUp#term mon
O2_TopUp#
.May 23 10:21:13.543 utc: AAA: parse name=tty67 idb type=-1 tty=-1
.May 23 10:21:13.543 utc: AAA: name=tty67 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=67 channel=0
.May 23 10:21:13.543 utc: AAA/AUTHEN: create_user (0x8138BDDC) user='' ruser='' port='tty67' rem_addr='19.46.191.39' authen_type=ASCII service=LOGIN priv=1
.May 23 10:21:13.547 utc: AAA/AUTHEN/START (1430196173): port='tty67' list='' action=LOGIN service=LOGIN
.May 23 10:21:13.547 utc: AAA/AUTHEN/START (1430196173): using "default" list
.May 23 10:21:13.547 utc: AAA/AUTHEN/START (1430196173): Method=TACACS+
.May 23 10:21:13.547 utc: TAC+: send AUTHEN/START packet ver=192 id=1430196173
.May 23 10:21:13.788 utc: TAC+: ver=192 id=1430196173 received AUTHEN status = GETUSER
.May 23 10:21:13.788 utc: AAA/AUTHEN (1430196173): status = GETUSER
.May 23 10:21:17.129 utc: AAA/AUTHEN/CONT (1430196173): continue_login (user='(undef)')
.May 23 10:21:17.129 utc: AAA/AUTHEN (1430196173): status = GETUSER
.May 23 10:21:17.129 utc: AAA/AUTHEN (1430196173): Method=TACACS+
.May 23 10:21:17.129 utc: TAC+: send AUTHEN/CONT packet id=1430196173
.May 23 10:21:17.330 utc: TAC+: ver=192 id=1430196173 received AUTHEN status = GETPASS
.May 23 10:21:17.330 utc: AAA/AUTHEN (1430196173): status = GETPASS
.May 23 10:21:19.457 utc: AAA/AUTHEN/CONT (1430196173): continue_login (user='790100508')
.May 23 10:21:19.457 utc: AAA/AUTHEN (1430196173): status = GETPASS
.May 23 10:21:19.457 utc: AAA/AUTHEN (1430196173): Method=TACACS+
.May 23 10:21:19.457 utc: TAC+: send AUTHEN/CONT packet id=1430196173
.May 23 10:21:21.961 utc: TAC+: ver=192 id=1430196173 received AUTHEN status = PASS
.May 23 10:21:21.961 utc: AAA/AUTHEN (1430196173): status = PASS
.May 23 10:21:21.961 utc: AAA/AUTHOR/EXEC (3081907712): Port='tty67' list='' service=EXEC
.May 23 10:21:21.965 utc: AAA/AUTHOR/EXEC: (3081907712) user='790100508'
.May 23 10:21:21.965 utc: AAA/AUTHOR/EXEC: (3081907712) send AV service=shell
.May 23 10:21:21.965 utc: AAA/AUTHOR/EXEC: (3081907712) send AV cmd*
.May 23 10:21:21.965 utc: AAA/AUTHOR/EXEC (3081907712) found list "default"
.May 23 10:21:21.965 utc: AAA/AUTHOR/EXEC: (3081907712) Method=TACACS+
.May 23 10:21:21.965 utc: AAA/AUTHOR/TAC+: (3081907712): user=790100508
.May 23 10:21:21.965 utc: AAA/AUTHOR/TAC+: (3081907712): send AV service=shell
.May 23 10:21:21.965 utc: AAA/AUTHOR/TAC+: (3081907712): send AV cmd*
.May 23 10:21:22.222 utc: TAC+: (3081907712): received author response status = FAIL
.May 23 10:21:22.226 utc: AAA/AUTHOR/EXEC: Authorization FAILED
.May 23 10:21:24.229 utc: AAA/AUTHEN: free_user (0x8138BDDC) user='790100508' ruser='' port='tty67' rem_addr='19.46.191.39' authen_type=ASCII service=LOGIN priv=1

aaa new-model
aaa authentication login default tacacs+ line
aaa authentication login no_tacacs line
aaa authentication login vtymethod tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa authorization exec default tacacs+ none
aaa accounting update newinfo
aaa accounting exec default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+
aaa accounting connection default start-stop tacacs+
!
tacacs-server host 19.46.240.76
tacacs-server host 19.46.240.75
tacacs-server timeout 15
tacacs-server key boi3579
!
line vty 0 4
exec-timeout 15 0
timeout login response 15
password xxx
!

2 REPLIES
Cisco Employee

Re: AAA authentication error

What is the privilege level given to the user defined in the TACACS server?

If you are using ACS as the TACACS server, make sure the following are selected for the user/group:

Shell

Privilege level = 15

~Rohit

Hall of Fame Super Gold

Re: AAA authentication error

Mary

The debug output seems pretty straightforward:

- go to TACACS for authentication

- get prompts for userID and then for password

- send userID and password to TACACS

- authentication is successful

- send authorization request to TACACS

- TACACS denied the authorization

If we want to be even more sure about this, it would be nice to have the output of debug tacacs authentication and debug tacacs authorization in addition to the debug aaa output that you have posted.

I do not believe that there is a problem with configuration on the router. There may be an issue with this userID or there may be something unique about this router. Perhaps it is an issue with the setup of the user in TACACS. Does this same userID authenticate and authorize on other routers? If this userID does not authenticate and authorize on other routers then there is something about the way that this particular userID is set up in TACACS. If this userID does authorize on other routers then there must be something unique about this router. Is it perhaps in a different network device group and this user is not granted access to this network device group?

HTH

Rick
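Rick's reading of the debug output (authentication passes, then the authorization request for service=shell comes back FAIL) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the IOS debug aaa lines quoted above, correlates the AUTHEN and AUTHOR transactions by port (their transaction ids differ), and reports whether the login failed at authentication, at authorization, or not at all. The regexes assume the exact field layout shown in the post.

```python
import re
from collections import defaultdict

# Status lines copied from the debug output in the post above (subset that matters).
SAMPLE_DEBUG = """\
.May 23 10:21:13.547 utc: AAA/AUTHEN/START (1430196173): port='tty67' list='' action=LOGIN service=LOGIN
.May 23 10:21:13.788 utc: AAA/AUTHEN (1430196173): status = GETUSER
.May 23 10:21:17.330 utc: AAA/AUTHEN (1430196173): status = GETPASS
.May 23 10:21:19.457 utc: AAA/AUTHEN/CONT (1430196173): continue_login (user='790100508')
.May 23 10:21:21.961 utc: AAA/AUTHEN (1430196173): status = PASS
.May 23 10:21:21.961 utc: AAA/AUTHOR/EXEC (3081907712): Port='tty67' list='' service=EXEC
.May 23 10:21:22.222 utc: TAC+: (3081907712): received author response status = FAIL
"""

AUTHEN_START = re.compile(r"AAA/AUTHEN/START \((\d+)\): port='([^']*)'")
AUTHEN_USER = re.compile(r"AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='([^']*)'\)")
AUTHEN_STATUS = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
AUTHOR_START = re.compile(r"AAA/AUTHOR/EXEC \((\d+)\): Port='([^']*)'")
AUTHOR_RESULT = re.compile(r"TAC\+: \((\d+)\): received author response status = (\w+)")

def classify(session):
    """Turn the final AUTHEN status and the AUTHOR reply into a one-line diagnosis."""
    authen = session["authen"][-1] if session["authen"] else None
    if authen != "PASS":
        return f"authentication did not pass (last status {authen})"
    if session["author"] == "FAIL":
        # FAIL is a decision by the server, so the 'none' fallback in
        # 'aaa authorization exec default tacacs+ none' is never consulted.
        return "password accepted, exec authorization denied by the TACACS+ server"
    if session["author"] == "ERROR":
        return "no usable authorization reply; the next method in the list is tried"
    return "login and exec authorization succeeded"

def summarize(debug_text):
    """Correlate AUTHEN and AUTHOR transactions per port and classify each one."""
    port_of = {}  # transaction id -> port name
    sessions = defaultdict(lambda: {"user": None, "authen": [], "author": None})
    for line in debug_text.splitlines():
        if (m := AUTHEN_START.search(line)) or (m := AUTHOR_START.search(line)):
            port_of[m[1]] = m[2]
        elif (m := AUTHEN_USER.search(line)) and m[2] != "(undef)":
            sessions[port_of.get(m[1], m[1])]["user"] = m[2]
        elif m := AUTHEN_STATUS.search(line):
            sessions[port_of.get(m[1], m[1])]["authen"].append(m[2])
        elif m := AUTHOR_RESULT.search(line):
            sessions[port_of.get(m[1], m[1])]["author"] = m[2]
    for session in sessions.values():
        session["verdict"] = classify(session)
    return dict(sessions)
```

Run against the posted output it reports user 790100508 on tty67 as authenticated but denied exec authorization, which is exactly why changing the router's method list will not help and the user/group shell setup on the server is the place to look.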
