Cisco Support Community
The privilege mode (enable mode) authentication on the TACACS+ server fails on the router and the "% Error in authentication" error message appears

 

Introduction:

This document discusses an issue faced by a user.

 

Different modes available in the router:

In Cisco IOS, every command mode gives the user a set of related commands.

The Cisco CLI has two modes:

  • User mode
  • Privileged mode

 

To provide security, the two EXEC modes are used as two levels of access.

 

EXEC user-mode commands allow you to:

  • Connect to remote devices
  • Run basic tests
  • View system information
  • Make temporary changes to terminal settings

 

To access privileged mode, the user has to pass a credential check. Privileged mode includes the user-mode commands as well as its own commands:

  • Operating parameters can be set.
  • The user can examine the router's status in detail.
  • Testing and debugging can be performed on router operation.
  • Access to global and other configuration modes is allowed.

 

 

Global configuration mode follows privileged mode. The source of configuration commands can be specified from here:

  • Terminal
  • Memory
  • The network

Global configuration mode enables the user to perform complex configuration.

 

Setup mode: When the router is new and does not contain any configuration file, it goes directly to setup mode. The user is presented with a prompted dialog, known as the system configuration dialog, in which the user provides the initial configuration manually.

 

ROM monitor mode: When the router cannot find a valid operating system image, or if an interrupt is issued during the boot sequence, the user enters ROM monitor mode. ROM monitor mode enables the user to reboot the device or perform diagnostic tests.

 

Core issue

This issue is due to the presence of Cisco bug ID CSCsh76038.

This issue typically occurs when the aaa authentication enable default group tacacs+ command or the aaa authentication enable default group command that points towards a TACACS+ server group is configured.

When an attempt is made to log into enable mode, this error appears:

Router>en
Password:
% Error in authentication.

The debugs show that the router uses "$enab15$" as the username for enable authentication, even though this username does not exist on the server or the router.

Mar 2 09:20:26.684 EST: AAA/AUTHEN/START (2173693602): Method=tacacs+ (tacacs+)
Mar 2 09:20:26.684 EST: TAC+: Authenticating using $enab15$
Mar 2 09:20:26.684 EST: TAC+: send AUTHEN/START packet ver=192 id=-2121273694
Mar 2 09:20:26.684 EST: TAC+: Using default tacacs server-group "tacacs+" list.

The TACACS+ server logs this message:

$enab15$ "External DB user invalid or bad password"

The affected Cisco IOS software releases are listed in the affected versions list.

 

Resolution

The workaround for this issue is to configure a user named "$enab{x}$" on the TACACS+ server, where {x} is the desired privilege level, for example "$enab15$" for regular enable mode. The password for this user is the enable password.
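The following check is an added example, not part of this document or of Cisco's tooling: given router debug output of the kind quoted above and the set of usernames defined on the TACACS+ server, it reports which "$enab{x}$" workaround accounts the router is trying to use that are still missing. The debug lines it parses are constructed after the output shown in this document.

```python
import re

# Constructed sample debug output, modelled on the router debugs quoted in this
# document; the second "Authenticating using" line (privilege level 7) is added
# to show that the check handles more than one enable level.
SAMPLE_DEBUG = """\
Mar 2 09:20:26.684 EST: AAA/AUTHEN/START (2173693602): Method=tacacs+ (tacacs+)
Mar 2 09:20:26.684 EST: TAC+: Authenticating using $enab15$
Mar 2 09:20:26.684 EST: TAC+: send AUTHEN/START packet ver=192 id=-2121273694
Mar 2 09:20:26.684 EST: TAC+: Using default tacacs server-group "tacacs+" list.
Mar 2 09:21:02.110 EST: TAC+: Authenticating using $enab7$
"""

# Matches the username the affected IOS sends for enable authentication:
# "$enab" followed by the privilege level (0-15) and a closing "$".
ENAB_RE = re.compile(r"TAC\+: Authenticating using (\$enab(\d{1,2})\$)")


def workaround_user(level: int) -> str:
    """Return the TACACS+ username the workaround requires for a privilege level."""
    if not 0 <= level <= 15:
        raise ValueError(f"privilege level out of range: {level}")
    return f"$enab{level}$"


def enable_usernames_seen(debug_text: str) -> list[str]:
    """Usernames of the form $enab{x}$ found in router debug output, in order of
    first appearance, without duplicates."""
    seen: list[str] = []
    for line in debug_text.splitlines():
        m = ENAB_RE.search(line)
        if m and int(m.group(2)) <= 15 and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def missing_workaround_users(debug_text: str, tacacs_users: set[str]) -> list[str]:
    """Return the $enab{x}$ accounts the router is trying to use that are not yet
    defined on the TACACS+ server, i.e. the ones whose enable attempts will fail
    with "% Error in authentication" until the workaround or the IOS upgrade is
    applied. `tacacs_users` is the set of usernames configured on the server."""
    return [u for u in enable_usernames_seen(debug_text) if u not in tacacs_users]


if __name__ == "__main__":
    # Constructed server user list: $enab15$ already exists, $enab7$ does not.
    configured = {"admin", "netops", workaround_user(15)}
    print(enable_usernames_seen(SAMPLE_DEBUG))                 # ['$enab15$', '$enab7$']
    print(missing_workaround_users(SAMPLE_DEBUG, configured))  # ['$enab7$']
```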

In order to completely resolve this issue, upgrade the routers to any of these Cisco IOS software releases:

  • Cisco IOS Software Release 12.4(13.8)
  • Cisco IOS Software Release 12.4(13a)
  • Cisco IOS Software Release 12.4(13.8)T

Refer to Cisco Downloads in order to download the suggested Cisco IOS software releases.

 

Problem Type

Troubleshoot software feature

 

Product Family

Cisco Secure access control server

Routers

Error

%Error in authentication.

 

Cisco IOS Software Version

12.4

 

Cisco Secure Access Control Server (ACS)

Cisco Secure ACS for Windows

Cisco Secure ACS for Unix

Features & Tasks

TACACS+

 

VPN, PIX and Router Debugs

EST: TAC+: Authenticating using $enab15$
