Cisco Support Community
New Member

AAA config problem in C4510R

Hi,

I'm configuring AAA for a 4510 switch. All other routers and switches (29xx) are working properly with the AAA server. However, for the 4510 there is a problem in the authentication negotiation with the AAA server. Below are the AAA config and debug output.

aaa new-model

aaa authentication login SWAAA group tacacs+ line

aaa authorization exec SWAAA group tacacs+ local

aaa session-id common

tacacs-server host x.x.y.y key 7 110A0A00151C0E18

086431: 8w3d: AAA: parse name=tty2 idb type=-1 tty=-1

086432: 8w3d: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0

086433: 8w3d: AAA/MEMORY: create_user (0x18558BD8) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='x.x.8.3' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)

086434: 8w3d: AAA/AUTHEN/START (3464589231): port='tty2' list='SWAAA' action=LOGIN service=LOGIN

086435: 8w3d: AAA/AUTHEN/START (3464589231): found list SWAAA

086436: 8w3d: AAA/AUTHEN/START (3464589231): Method=tacacs+ (tacacs+)

086437: 8w3d: TAC+: send AUTHEN/START packet ver=192 id=3464589231

086438: 8w3d: TAC+: Using default tacacs server-group "tacacs+" list.

086439: 8w3d: TAC+: Opening TCP/IP to x.x.y.y/49 timeout=5

086440: 8w3d: TAC+: Opened TCP/IP handle 0x18753920 to x.x.y.y/49

086441: 8w3d: TAC+: x.x.y.y(3464589231) AUTHEN/START/LOGIN/ASCII queued

086442: 8w3d: TAC+: (3464589231) AUTHEN/START/LOGIN/ASCII processed

086443: 8w3d: TAC+: received bad AUTHEN packet: type = 0, expected 1

086444: 8w3d: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).

086445: 8w3d: TAC+: Closing TCP/IP 0x18753920 connection to x.x.y.y/49

086446: 8w3d: TAC+: Using default tacacs server-group "tacacs+" list.

086447: 8w3d: AAA/AUTHEN (3464589231): status = ERROR

086448: 8w3d: AAA/AUTHEN/START (3464589231): Method=LINE

086449: 8w3d: AAA/AUTHEN (3464589231): status = GETPASS

086450: 8w3d: AAA/AUTHEN/CONT (3464589231): continue_login (user='(undef)')

086451: 8w3d: AAA/AUTHEN (3464589231): status = GETPASS

086452: 8w3d: AAA/AUTHEN/CONT (3464589231): Method=LINE

086453: 8w3d: AAA/AUTHEN (3464589231): status = PASS

086454: 8w3d: AAA/MEMORY: dup_user (0x18753770) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr=x.x.y.y authen_type=ASCII service=ENABLE priv=15 source='AAA dup enable'

086455: 8w3d: AAA/AUTHEN/START (453338276): port='tty2' list='' action=LOGIN service=ENABLE

086456: 8w3d: AAA/AUTHEN/START (453338276): non-console enable - default to enable password

086457: 8w3d: AAA/AUTHEN/START (453338276): Method=ENABLE

086458: 8w3d: AAA/AUTHEN (453338276): status = GETPASS

086459: 8w3d: AAA/AUTHEN/CONT (453338276): continue_login (user='(undef)')

086460: 8w3d: AAA/AUTHEN (453338276): status = GETPASS

086461: 8w3d: AAA/AUTHEN/CONT (453338276): Method=ENABLE

086462: 8w3d: AAA/AUTHEN (453338276): status = PASS

086463: 8w3d: AAA/MEMORY: free_user (0x18753770) user='NULL' ruser='NULL' port='tty2' rem_addr=x.x.y.y authen_type=ASCII service=ENABLE priv=15

Thanks,

Sourav

2 REPLIES
Gold

Re: AAA config problem in C4510R

Could you try entering the keys on ACS and on the switch again? It looks like the keys are not matching. Sometimes, even though the keys are entered correctly on ACS, re-entering the keys is needed.

M.

Re: AAA config problem in C4510R

086444: 8w3d: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).

The switch could be using a different shared secret key from what is configured in AAA (for the AAA client), due to extra characters or a completely wrong key.

Check the failed authentication log (reason/solution) in the AAA server for a mismatched key:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007dee6.html

*Look for mismatch key at the end of the page

HTH

AK
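
Added example (not part of any post in this thread): a sketch of the TACACS+ body obfuscation defined in RFC 8907 section 4.5, showing why a shared key that differs by even one extra character leaves the receiver unable to parse the server's reply, the situation the `(check keys)` hint in the debug output points at. The session id and version are taken from the debug lines above; the keys, the sequence number and the reply body are constructed for illustration.

```python
import hashlib
import struct

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 sec. 4.5: chained MD5 over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()  # MD5_n includes MD5_n-1
        pad += block
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice with the same key undoes it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

# Status codes an authentication REPLY may carry (RFC 8907 sec. 5.2).
VALID_STATUS = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x21}

def parse_authen_reply(body):
    """Return (status, server_msg), or None if the body is not self-consistent."""
    if len(body) < 6:
        return None
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in VALID_STATUS or 6 + msg_len + data_len != len(body):
        return None
    return status, body[6:6 + msg_len]

SESSION_ID = 3464589231  # id=3464589231 in the debug output
VERSION = 192            # ver=192 (0xC0) in the debug output
SEQ_NO = 2               # assumption: the server's first reply in the session

def demo(server_key, device_key):
    """Server obfuscates a constructed GETUSER reply; device decodes with its key."""
    msg = b"Username: "
    body = struct.pack("!BBHH", 0x04, 0, len(msg), 0) + msg
    wire = obfuscate(body, SESSION_ID, server_key, VERSION, SEQ_NO)
    plain = obfuscate(wire, SESSION_ID, device_key, VERSION, SEQ_NO)
    return parse_authen_reply(plain)

if __name__ == "__main__":
    print(demo(b"s3cret", b"s3cret"))   # matching (constructed) keys
    print(demo(b"s3cret", b"s3cret "))  # trailing space on the device side
```

The second call models the "extra characters" case mentioned in the reply above: the keys look identical in a GUI or a pasted config, but the pad differs in every byte, so the decoded length fields no longer add up.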
