OcNOS-DC : Troubleshooting Guide : TACACS+ and AAA
TACACS+ and AAA
This chapter contains steps to resolve TACACS+ and AAA issues.
 
Symptom/Cause
Solution
Server Not Reachable case verification via /var/log/messages or system logs
Make sure the TACACS+ server is running.
Try login via ssh / telnet, if login fails check the following via console:
show system log |include PAM-tacplus
PAM-tacplus : Connection failed srv 0: Transport endpoint is not connected.
The above message confirms that the TACACS+ server is not reachable or not running.
Server Not Reachable case verification Via Enabling the AAA error-enable functionality
Execute the command aaa authentication login error-enable vrf management
Try login via telnet /ssh.
It will display Remote TACACS servers unreachable and will fail to login.
In-correct TACACS+ Username or Password.
Try login via ssh / telnet. if login fails check the following via console:
show system log | include pam status
pam_sm_authenticate: exit with pam status: 7
The above messages confirms that the authentication is failed.
In-correct TACACS+ key
Try login via ssh / telnet. if login fails check the following via console
show system log | include tac_authen_read
tac_authen_read: inconsistent reply body, incorrect key?
The above messages confirms that incorrect key.
User account locked
By default, a user account is locked when a user gives an incorrect password 4 times. Once a user account is locked, by default the lock is cleared after 1200 secs (20 minutes).
The Alert Operlog below appears when a user is locked.
“OcNOS : HOSTP : ALERT : [USER_MGMT_ACCOUNT_LOCKED_1]: Threshold for unsuccessful authentication attempts exceeded by user 'test'. User account will be unlocked after '1200' seconds.”
 
You can configure the maximum fail attempts and unlock timeout using these commands:
aaa local authentication attempts max-fail <1-25>
(The default maximum fail authentication attempts is 4)
aaa local authentication unlock-timeout <1-3600>
(The default unlock timeout for a locked user is 1200 seconds)
 
To manually clear the lock of a user, give this command:
clear aaa local user lockout username USERNAME
 
Possible causes of a user getting locked:
Incorrect password given more than the max-fail attempts.
When copying show running-config output manually and pasting to a file, make sure the username command is in a single line. If there is an embedded newline character in the password, the login fails.
Note: Configure the aaa authentication login default vrf management group tacacs+ local or aaa authentication login default fallback error local vrf management to fall back to local user authentication if a TACACS+ server is not reachable.
The same user can be present locally and in TACACS+ server, but the password can be different.
If a TACACS+ server is not reachable then, use the locally configured password to login.