
Troubleshoot configuration issues related to accessing AAA server for authentication purposes

Exam: Cisco 642-832 - Troubleshooting and Maintaining Cisco IP Networks (TSHOOT v1.0)

AAA authentication enables user authentication on the device from an external authentication server (AAA server). AAA configuration also allows for a fallback mechanism to the local device database in case the AAA server is unavailable.

Some of the most common problems faced while troubleshooting AAA authentication and their possible fixes are discussed below:

  1. If AAA authentication does not work, the first thing to check is whether the AAA server is receiving the authentication request. If the server logs cannot be obtained, running the command "debug aaa authentication" while attempting to authenticate on the router can provide useful logs. If the AAA server logs show that the request is being received, check the "Shared Key" defined on the device. This key must match the key defined on the AAA server. If a TACACS server is being used, the command "tacacs-server host [IP-ADDRESS] key [SHARED-KEY]" is used to define the key.
  2. If the "debug aaa authentication" and "debug [tacacs|radius] authentication" commands show that the authentication request is leaving the router but the AAA server never receives it, check whether an intermediate device has the authentication ports allowed.
  3. AAA servers identify the device by its IP address. For a device with many interfaces, the authentication request is sent from the address of the interface that has the active route in the routing table. This means that if the routing changes, the device identification can change, which can cause authentication problems. Therefore, it's recommended to create a loopback interface on the device and send the authentication request via the loopback interface. This can be done using the "ip tacacs|radius source-interface [INTERFACE-NAME]" command.
  4. If the logs do not indicate that authentication requests are being sent, ensure that you have configured authentication via AAA. For AAA authentication, it's better to define server groups and then call those groups under your line configuration using the "login authentication [GROUP-NAME]" command:

    aaa authentication login GROUP1 group tacacs+ local
    line vty 0 4
    login authentication GROUP1

  5. One of the most common problems is forgetting to use the AAA server for "enable" authentication using the command "aaa authentication enable default group tacacs+ enable". This command tells the router to use the TACACS server as primary authentication and, if it fails, fall back to the local enable secret/password.
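
The checklist above can be run against a saved configuration before anyone is locked out. The script below is an added example, not part of the original page: the function name `audit_aaa`, the sample configuration, the address 192.0.2.10 and the key are all constructed for illustration, and it assumes the configuration is available as plain text with line blocks indented by one space.

```python
import re

# Constructed sample config (not from the page). It deliberately omits the
# source-interface and enable-authentication lines; address/key are placeholders.
SAMPLE_CONFIG = """\
tacacs-server host 192.0.2.10 key ExampleSharedKey
aaa authentication login GROUP1 group tacacs+ local
aaa authentication login NOFALLBACK group tacacs+
line con 0
 login authentication NOFALLBACK
line vty 0 4
 login authentication GROUP1
line vty 5 15
 login authentication GROUP2
"""

# Global commands the list above says must be present: (pattern, finding).
REQUIRED = [
    (r"tacacs-server host \S+ key \S+", "no tacacs-server host/key line"),
    (r"ip (tacacs|radius) source-interface \S+", "no AAA source-interface"),
    (r"aaa authentication enable default group \S+", "enable not sent to AAA"),
]

def audit_aaa(config):
    """Return a list of findings for the AAA pitfalls described above."""
    lines = config.splitlines()
    findings = [msg for pat, msg in REQUIRED
                if not any(re.match(pat, l.strip()) for l in lines)]
    # Named login method lists: name -> methods in the order they are tried.
    lists = {m.group(1): m.group(2).split() for m in
             (re.match(r"aaa authentication login (\S+) (.+)", l.strip())
              for l in lines) if m}
    # Walk each "line ..." block and record the method list applied to it.
    applied, current = {}, None
    for l in lines:
        if l.startswith("line "):
            current = l.strip()
        elif not l.startswith(" "):
            current = None  # back at global configuration level
        m = re.match(r"login authentication (\S+)", l.strip())
        if current and m:
            applied[current] = m.group(1)
    for line, name in applied.items():
        if name not in lists:
            findings.append(f"{line}: method list {name} is not defined")
        elif "local" not in lists[name]:
            findings.append(f"{line}: method list {name} has no local fallback")
    return findings
```

Calling `audit_aaa(SAMPLE_CONFIG)` reports the missing source-interface and enable lines, the undefined list GROUP2 on "line vty 5 15", and the console list that has no local fallback.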