OcNOS-SP : Troubleshooting Guide : TACACS+ and AAA
TACACS+ and AAA
This chapter contains steps to resolve TACACS+ and AAA issues.
 
Symptom/Cause: Server not reachable, verified via /var/log/messages or the system log
Solution:
Make sure the TACACS+ server is running.
Try to log in via ssh or telnet. If the login fails, check the following via the console:
show system log | include PAM-tacplus
PAM-tacplus : Connection failed srv 0: Transport endpoint is not connected.
The above message confirms that the TACACS+ server is not reachable or not running.

Symptom/Cause: Server not reachable, verified by enabling the AAA error-enable functionality
Solution:
Execute the command aaa authentication login error-enable vrf management
Try to log in via telnet or ssh.
The login fails and the message Remote TACACS servers unreachable is displayed.

Symptom/Cause: Incorrect TACACS+ username or password
Solution:
Try to log in via ssh or telnet. If the login fails, check the following via the console:
show system log | include pam status
pam_sm_authenticate: exit with pam status: 7
The above message confirms that authentication failed.

Symptom/Cause: Incorrect TACACS+ key
Solution:
Try to log in via ssh or telnet. If the login fails, check the following via the console:
show system log | include tac_authen_read
tac_authen_read: inconsistent reply body, incorrect key?
The above message confirms that the key is incorrect.

Symptom/Cause: User account locked
Solution:
By default, a user account is locked after a user gives an incorrect password 4 times. Once a user account is locked, by default the lock is cleared after 1200 seconds (20 minutes).
The Alert Operlog below appears when a user is locked:
"OcNOS : HOSTP : ALERT : [USER_MGMT_ACCOUNT_LOCKED_1]: Threshold for unsuccessful authentication attempts exceeded by user 'test'. User account will be unlocked after '1200' seconds."

You can configure the maximum number of failed attempts and the unlock timeout with these commands:
aaa local authentication attempts max-fail <1-25>
(The default maximum number of failed authentication attempts is 4.)
aaa local authentication unlock-timeout <1-3600>
(The default unlock timeout for a locked user is 1200 seconds.)

To manually clear the lock on a user, give this command:
clear aaa local user lockout username USERNAME

Possible causes of a user getting locked:
Incorrect password given more than the max-fail number of times.
When copying show running-config output manually and pasting it into a file, make sure the username command is on a single line. If there is an embedded newline character in the password, the login fails.
Note: Configure aaa authentication login default vrf management group tacacs+ local or aaa authentication login default fallback error local vrf management to fall back to local user authentication if a TACACS+ server is not reachable.
The same user can be present both locally and on the TACACS+ server, but with a different password.
If a TACACS+ server is not reachable, use the locally configured password to log in.
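The triage this chapter walks through, written up as an added Python example (it is not part of the OcNOS guide or product): it scans captured show system log output for the four log signatures quoted above and maps each one to the probable cause and the check or fix the chapter recommends. The sample log is constructed; the timestamps, process names and the unrelated first line are assumptions, only the message texts come from this chapter.

```python
"""Classify OcNOS TACACS+/AAA login failures from captured 'show system log' output.

Added example, not OcNOS code. The log signatures are the ones quoted in the
TACACS+ and AAA troubleshooting chapter; everything else is assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    cause: str
    evidence: str
    action: str
    user: Optional[str] = None
    unlock_seconds: Optional[int] = None


# Each entry: (cause, regex for the log line, recommended check/fix).
# Order is the match priority when a line could match more than one pattern.
SIGNATURES = [
    ("TACACS+ server not reachable or not running",
     re.compile(r"PAM-tacplus\s*:\s*Connection failed srv \d+: .*"),
     "Confirm the TACACS+ server is up and reachable over the management VRF; "
     "enable 'aaa authentication login error-enable vrf management' to see the "
     "unreachable message at login, and configure fallback to local users."),
    ("incorrect TACACS+ username or password",
     # pam status 7 is PAM_AUTH_ERR in Linux-PAM (authentication failure)
     re.compile(r"pam_sm_authenticate: exit with pam status: 7\b"),
     "Verify the user's credentials on the TACACS+ server."),
    ("incorrect TACACS+ shared key",
     re.compile(r"tac_authen_read: inconsistent reply body, incorrect key\?"),
     "Compare the key configured on the switch with the key on the TACACS+ server."),
    ("local user account locked",
     re.compile(r"USER_MGMT_ACCOUNT_LOCKED_1\]: .*by user '(?P<user>[^']+)'\. "
                r"User account will be unlocked after '(?P<secs>\d+)' seconds"),
     "Wait for the unlock timeout or run "
     "'clear aaa local user lockout username <user>'."),
]


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if it matches no known signature."""
    for cause, pattern, action in SIGNATURES:
        match = pattern.search(line)
        if not match:
            continue
        groups = match.groupdict()
        user = groups.get("user")
        secs = groups.get("secs")
        return Finding(
            cause=cause,
            evidence=line.strip(),
            # Fill the username into the clear-lockout command when the log gives it.
            action=action.replace("<user>", user) if user else action,
            user=user,
            unlock_seconds=int(secs) if secs else None,
        )
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan multi-line 'show system log' output and return one Finding per matching line."""
    return [f for f in (classify_line(ln) for ln in log_text.splitlines()) if f]


# Constructed sample output; the message texts are the ones this chapter documents,
# the timestamps, process names and the first (unrelated) line are made up.
SAMPLE_LOG = """\
Jan 01 10:00:01 OcNOS sshd[1201]: Accepted password for admin from 192.0.2.10 port 51000 ssh2
Jan 01 10:05:12 OcNOS sshd[1210]: PAM-tacplus : Connection failed srv 0: Transport endpoint is not connected.
Jan 01 10:07:40 OcNOS sshd[1222]: pam_sm_authenticate: exit with pam status: 7
Jan 01 10:09:03 OcNOS sshd[1230]: tac_authen_read: inconsistent reply body, incorrect key?
Jan 01 10:12:55 OcNOS : HOSTP : ALERT : [USER_MGMT_ACCOUNT_LOCKED_1]: Threshold for unsuccessful authentication attempts exceeded by user 'test'. User account will be unlocked after '1200' seconds.
"""


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"cause:    {finding.cause}")
        print(f"evidence: {finding.evidence}")
        print(f"action:   {finding.action}\n")
```

Paste the real show system log output into SAMPLE_LOG (or read it from a file) and the script lists every matching line with its cause; a login failure with no findings at all usually means the filter keywords from this chapter should be checked first.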