Cisco Support Community

Device not able to log into AAA server

I have a router with AAA commands that is not able to log into the AAA server. The router is configured in the AAA server, but fails back to local credentials.


Re: Device not able to log into AAA server

Hi Russnash,

As per the logs I can see that the authorization is successful and it is pushing the AV pair for priv 15.

.Sep 15 14:06:58 CDT: AAA/AUTHOR/EXEC(00000022): processing AV cmd=
.Sep 15 14:06:58 CDT: AAA/AUTHOR/EXEC(00000022): processing AV priv-lvl=15
.Sep 15 14:06:58 CDT: AAA/AUTHOR/EXEC(00000022): Authorization successful
.Sep 15 14:07:14 CDT: AAA/ACCT/19(00000022): Pick method list 'default'

.Sep 15 14:05:44 CDT: AAA/AUTHOR/EXEC(00000021): Authorization successful

From the debugs we have the TACACS+ protocol configured for authentication. Since we don't have full debugs, please configure this sample configuration and test the authentication.

Here is a sample configuration:

router(config)# enable password XXXXXXX
router(config)# username admin privilege 15 password xxxxx
router(config)# aaa new-model (Enables AAA configuration commands on the router)
router(config)# tacacs-server host XXXXXXX (IP address of the ACS server)
router(config)# tacacs-server key XXXXXX (This is the same shared secret key which we defined on the ACS for this IOS device)
router(config)# aaa authentication login default group tacacs+ local

Authenticate telnet users on TACACS+; if TACACS+ is down, authenticate users with the locally configured telnet username and password on the router.

router(config)# aaa authentication enable default group tacacs+ enable

Authenticate the enable password on TACACS+; if TACACS+ is down, authenticate the enable password with the locally configured enable password on the router.

router(config)# aaa accounting exec default start-stop group tacacs+ (Account for all the users who are telnetting, based on start and stop of the session, on TACACS+)

router(config)# line vty 0 4 (Change to the vty lines)
router(config-line)# login authentication default (Enables TACACS+ authentication for the vty lines)



Thanks & Regards
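
To see what a capture like the one quoted in the reply does and does not show, this added example (not part of the original thread) groups IOS AAA debug lines by session ID and reports which sessions contain no AAA/AUTHEN lines at all, which is the gap behind "we don't have full debugs". The sample lines are copied from the reply; the function names `summarize` and `missing_authen` are this example's own.

```python
import re
from collections import defaultdict

# Lines copied from the debug output quoted in the reply above.
SAMPLE = """\
.Sep 15 14:06:58 CDT: AAA/AUTHOR/EXEC(00000022): processing AV cmd=
.Sep 15 14:06:58 CDT: AAA/AUTHOR/EXEC(00000022): processing AV priv-lvl=15
.Sep 15 14:06:58 CDT: AAA/AUTHOR/EXEC(00000022): Authorization successful
.Sep 15 14:07:14 CDT: AAA/ACCT/19(00000022): Pick method list 'default'
.Sep 15 14:05:44 CDT: AAA/AUTHOR/EXEC(00000021): Authorization successful
"""

# Optional '.' or '*' clock marker, timestamp, AAA/<component>(<session id>): <message>
LINE_RE = re.compile(
    r"^[.*]?(?P<ts>\w{3}\s+\d+\s+[\d:.]+(?:\s+\w+)?):\s+"
    r"AAA/(?P<comp>[\w/]+)\s*\((?P<sid>[0-9A-Fa-f]{8})\):\s*(?P<msg>.*)$"
)

def summarize(text):
    """Group AAA debug lines by session id and collect what each session shows."""
    sessions = defaultdict(lambda: {"av": {}, "author": None, "acct_list": None, "stages": []})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an AAA debug line
        s = sessions[m["sid"]]
        comp, msg = m["comp"], m["msg"]
        stage = comp.split("/")[0]  # AUTHEN, AUTHOR or ACCT
        if stage not in s["stages"]:
            s["stages"].append(stage)
        if msg.startswith("processing AV "):
            key, _, value = msg[len("processing AV "):].partition("=")
            s["av"][key] = value  # attribute-value pair returned by the server
        elif comp.startswith("AUTHOR") and msg.startswith("Authorization "):
            s["author"] = msg[len("Authorization "):]  # e.g. "successful"
        elif comp.startswith("ACCT") and msg.startswith("Pick method list"):
            s["acct_list"] = msg.split("'")[1]
    return dict(sessions)

def missing_authen(sessions):
    """Session ids with no AAA/AUTHEN lines: the capture cannot show which login method ran."""
    return sorted(sid for sid, s in sessions.items() if "AUTHEN" not in s["stages"])

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for sid, s in sorted(result.items()):
        print(sid, s)
    print("no authentication debug for:", missing_authen(result))
```

On the quoted lines both sessions show successful authorization but neither includes authentication debug, so the capture alone cannot confirm whether the login was served by TACACS+ or by the local fallback.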