| Symptom/Cause | Solution |
|---|---|
| TACACS+ server not reachable (verify via /var/log/messages or the system log) | Make sure the TACACS+ server is running. Try to log in via SSH or Telnet; if the login fails, check from the console with `show system log \| include PAM-tacplus`. The message `PAM-tacplus : Connection failed srv 0: Transport endpoint is not connected.` confirms that the TACACS+ server is not reachable or not running. |
| TACACS+ server not reachable (verify by enabling the AAA error-enable function) | Run `aaa authentication login error-enable vrf management`, then try to log in via SSH or Telnet. The login fails and the prompt displays `Remote TACACS servers unreachable`. Because this message is shown at the login prompt before any authentication, it reveals the AAA server state to anyone who tries to log in; leave it enabled only while troubleshooting. |
| Incorrect TACACS+ username or password | Try to log in via SSH or Telnet; if the login fails, check from the console with `show system log \| include pam status`. The message `pam_sm_authenticate: exit with pam status: 7` confirms that authentication failed (status 7 is PAM_AUTH_ERR in Linux-PAM). |
| Incorrect TACACS+ shared key | Try to log in via SSH or Telnet; if the login fails, check from the console with `show system log \| include tac_authen_read`. The message `tac_authen_read: inconsistent reply body, incorrect key?` confirms that the shared key configured on the switch does not match the key on the TACACS+ server. |
| Local user account locked | By default, a local user account is locked after 4 incorrect passwords, and the lock clears automatically after 1200 seconds (20 minutes). When a user is locked, this Alert operlog appears: `OcNOS : HOSTP : ALERT : [USER_MGMT_ACCOUNT_LOCKED_1]: Threshold for unsuccessful authentication attempts exceeded by user 'test'. User account will be unlocked after '1200' seconds.` Configure the threshold and the timeout with `aaa local authentication attempts max-fail <1-25>` (default 4) and `aaa local authentication unlock-timeout <1-3600>` (default 1200 seconds). To clear a lock manually, run `clear aaa local user lockout username USERNAME`. Possible causes of a lockout: (1) an incorrect password entered more than max-fail times; (2) a `username` command that was split across lines when `show running-config` output was copied manually into a file, so the password contains an embedded newline and every login with it fails. |
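As an added example (not part of the original documentation and not OcNOS code), the following Python script applies the four log signatures from the table above to `show system log` output and maps each hit to the next troubleshooting step. The log lines embedded in it are constructed for illustration; the timestamp/hostname/severity prefix is an assumption about the log layout, and the matching relies only on the message texts quoted in the table.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Message texts are the ones quoted in the troubleshooting table above; the
# surrounding timestamp/host prefix used in SAMPLE_LOG is an assumption.
SIGNATURES = [
    ("server_unreachable",
     re.compile(r"PAM-tacplus\s*:\s*Connection failed srv (?P<srv>\d+): "
                r"Transport endpoint is not connected")),
    ("pam_status",
     re.compile(r"pam_sm_authenticate: exit with pam status: (?P<status>\d+)")),
    ("bad_shared_key",
     re.compile(r"tac_authen_read: inconsistent reply body, incorrect key\?")),
    ("account_locked",
     re.compile(r"\[USER_MGMT_ACCOUNT_LOCKED_1\]:.*?by user '(?P<user>[^']+)'\. "
                r"User account will be unlocked after '(?P<secs>\d+)' seconds")),
]

# Next step per cause, following the table; the lockout command is the one the table gives.
NEXT_STEP = {
    "server_unreachable": "TACACS+ server down or unreachable: check the server process and that "
                          "the switch reaches it from the VRF the TACACS+ client uses.",
    "bad_credentials": "Authentication rejected (PAM_AUTH_ERR): verify the username/password "
                       "on the TACACS+ server.",
    "bad_shared_key": "Reply body inconsistent: make the shared key on the switch identical "
                      "to the server's key.",
    "account_locked": "Local account locked: wait for the unlock timeout or run "
                      "'clear aaa local user lockout username <name>'.",
    "pam_error": "PAM returned a non-zero status other than 7: inspect the log around this line.",
}


@dataclass
class Finding:
    cause: str
    line: str
    user: Optional[str] = None
    unlock_after_s: Optional[int] = None
    server_index: Optional[int] = None

    @property
    def next_step(self) -> str:
        return NEXT_STEP[self.cause]


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for a recognised TACACS+/PAM failure line, else None."""
    for cause, pattern in SIGNATURES:
        m = pattern.search(line)
        if not m:
            continue
        text = line.rstrip()
        if cause == "pam_status":
            status = int(m.group("status"))
            if status == 0:  # PAM_SUCCESS is not a failure
                return None
            # 7 is PAM_AUTH_ERR in Linux-PAM; anything else is reported generically
            return Finding("bad_credentials" if status == 7 else "pam_error", text)
        if cause == "account_locked":
            return Finding(cause, text, user=m.group("user"),
                           unlock_after_s=int(m.group("secs")))
        if cause == "server_unreachable":
            return Finding(cause, text, server_index=int(m.group("srv")))
        return Finding(cause, text)
    return None


def diagnose(log_text: str) -> List[Finding]:
    """Classify every line of 'show system log' output, keeping only recognised failures."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        f = classify_line(line)
        if f is not None:
            findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per cause so the dominant failure mode stands out."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.cause] = counts.get(f.cause, 0) + 1
    return counts


# Constructed sample in the style of 'show system log' output (prefix format is an assumption).
SAMPLE_LOG = """\
2024 Jan 10 10:01:02 OcNOS : HOSTP : INFO : sshd[2310]: Accepted password for admin
2024 Jan 10 10:02:15 OcNOS : HOSTP : ERR : PAM-tacplus : Connection failed srv 0: Transport endpoint is not connected.
2024 Jan 10 10:03:40 OcNOS : HOSTP : ERR : pam_sm_authenticate: exit with pam status: 7
2024 Jan 10 10:04:05 OcNOS : HOSTP : ERR : tac_authen_read: inconsistent reply body, incorrect key?
2024 Jan 10 10:05:30 OcNOS : HOSTP : ALERT : [USER_MGMT_ACCOUNT_LOCKED_1]: Threshold for unsuccessful authentication attempts exceeded by user 'test'. User account will be unlocked after '1200' seconds.
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(f"{finding.cause:<18} {finding.next_step}")
```

Paste the output of `show system log` into `diagnose()` (or pipe it through the script) to get one finding per recognised failure line, with the lockout entry also carrying the affected user and the remaining unlock time.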
| Symptom/Cause | Solution |
|---|---|
| Console authentication is configured to use the TACACS+ server, but the server is reachable only through the management (MGMT) VRF, so console logins fail. Console login runs in the default VRF while the TACACS+ server sits in the MGMT VRF, so the TACACS+ client in the default VRF cannot reach the server. | Make the TACACS+ server reachable from the default VRF: (1) use the default loopback interface (or any other interface in the default VRF) as the TACACS+ source interface; (2) add a static route in the default VRF to the TACACS+ server, which leaks the route toward the MGMT VRF; (3) add a static route in the MGMT VRF back to the loopback interface in the default VRF, the return-path leak; (4) add a static route on the TACACS+ server itself so it can reach the loopback address in the default VRF. |