OcNOS-SP : Troubleshooting Guide : TACACS+ and AAA
TACACS+ and AAA
This chapter contains steps to resolve TACACS+ and AAA issues.
 
Symptom/Cause
Solution
Symptom/Cause: Server not reachable, verified via /var/log/messages or the system log
Solution:
Make sure the TACACS+ server is running.
Try to log in via ssh / telnet. If the login fails, check the following via the console:
show system log | include PAM-tacplus
PAM-tacplus : Connection failed srv 0: Transport endpoint is not connected.
The above message confirms that the TACACS+ server is not reachable or not running.
Symptom/Cause: Server not reachable, verified by enabling the AAA error-enable functionality
Solution:
Execute the command aaa authentication login error-enable vrf management
Try to log in via telnet / ssh.
The login fails and the message Remote TACACS servers unreachable is displayed.
Symptom/Cause: Incorrect TACACS+ username or password
Solution:
Try to log in via ssh / telnet. If the login fails, check the following via the console:
show system log | include pam status
pam_sm_authenticate: exit with pam status: 7
The above message confirms that authentication failed.
Symptom/Cause: Incorrect TACACS+ key
Solution:
Try to log in via ssh / telnet. If the login fails, check the following via the console:
show system log | include tac_authen_read
tac_authen_read: inconsistent reply body, incorrect key?
The above message confirms that the TACACS+ key configured on the device does not match the server's key.
Symptom/Cause: User account locked
Solution:
By default, a user account is locked when a user gives an incorrect password 4 times. Once a user account is locked, by default the lock is cleared after 1200 seconds (20 minutes).
The alert below appears in the operational log when a user account is locked.
“OcNOS : HOSTP : ALERT : [USER_MGMT_ACCOUNT_LOCKED_1]: Threshold for unsuccessful authentication attempts exceeded by user 'test'. User account will be unlocked after '1200' seconds.”
 
You can configure the maximum fail attempts and unlock timeout using these commands:
aaa local authentication attempts max-fail <1-25>
(The default maximum fail authentication attempts is 4)
aaa local authentication unlock-timeout <1-3600>
(The default unlock timeout for a locked user is 1200 seconds)
 
To manually clear the lock of a user, give this command:
clear aaa local user lockout username USERNAME
 
Possible causes of a user getting locked:
Incorrect password given more than the max-fail attempts.
When copying show running-config output manually and pasting to a file, make sure the username command is in a single line. If there is an embedded newline character in the password, the login fails.
Note: Configure the aaa authentication login default vrf management group tacacs+ local or aaa authentication login default fallback error local vrf management to fall back to local user authentication if a TACACS+ server is not reachable.
The same user can exist both locally and on the TACACS+ server, with different passwords.
If the TACACS+ server is not reachable, log in with the locally configured password.
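The rows above each identify a failure by one system log message. As an added example (not part of this guide or of OcNOS), the following Python script runs that same triage over a constructed sample of show system log output, classifying each line and extracting the locked user and unlock timer from the USER_MGMT_ACCOUNT_LOCKED alert; the function names and the sample log are assumptions.

```python
import re
from collections import Counter

# Constructed sample of "show system log" output, modelled on the messages quoted
# in this guide; it is not a capture from a real device.
SAMPLE_LOG = """\
PAM-tacplus : Connection failed srv 0: Transport endpoint is not connected.
pam_sm_authenticate: exit with pam status: 7
tac_authen_read: inconsistent reply body, incorrect key?
OcNOS : HOSTP : ALERT : [USER_MGMT_ACCOUNT_LOCKED_1]: Threshold for unsuccessful authentication attempts exceeded by user 'test'. User account will be unlocked after '1200' seconds.
pam_sm_authenticate: exit with pam status: 7
"""

# Each pattern maps one message from this guide to its diagnosis. Order matters
# only in that the first match wins. pam status 7 is PAM_AUTH_ERR in Linux-PAM.
PATTERNS = [
    (re.compile(r"PAM-tacplus : Connection failed"), "server-unreachable"),
    (re.compile(r"tac_authen_read: inconsistent reply body"), "wrong-shared-key"),
    (re.compile(r"pam_sm_authenticate: exit with pam status: 7"), "auth-failed"),
    (re.compile(r"\[USER_MGMT_ACCOUNT_LOCKED_\d+\].*user '([^']+)'.*after '(\d+)' seconds"),
     "account-locked"),
]


def classify_line(line):
    """Return (diagnosis, details) for one log line, or None if it is not a TACACS+/AAA message."""
    for pattern, diagnosis in PATTERNS:
        match = pattern.search(line)
        if match:
            details = {}
            if diagnosis == "account-locked":
                details = {"user": match.group(1), "unlock_after": int(match.group(2))}
            return diagnosis, details
    return None


def summarize(log_text):
    """Count each diagnosis and collect locked users with their unlock timers in seconds."""
    counts = Counter()
    locked = {}
    for line in log_text.splitlines():
        result = classify_line(line)
        if result is None:
            continue
        diagnosis, details = result
        counts[diagnosis] += 1
        if diagnosis == "account-locked":
            locked[details["user"]] = details["unlock_after"]
    return counts, locked


if __name__ == "__main__":
    counts, locked = summarize(SAMPLE_LOG)
    print(dict(counts), locked)
```

A repeated auth-failed entry for one user followed by an account-locked alert is the pattern behind the lockout described above; a server-unreachable entry instead points at the fallback configuration in the Note.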
AAA console authentication via Management VRF
 
Symptom/Cause
Solution
Symptom/Cause: Enabling console authentication via the TACACS server and having the TACACS server reachable only through the Management (MGMT) VRF leads to login failures. This occurs because console login operates in the default VRF, while the TACACS server resides in the MGMT VRF. As a result, the TACACS client in the default VRF cannot establish communication with the server in the MGMT VRF.
Solution: To establish reachability of the TACACS server from the default VRF, follow these steps:
 
Utilize the default loopback interface as the source interface for TACACS. You can also select any other interface within the Default VRF.
 
Introduce a static route in the Default VRF to reach the TACACS server. This step facilitates route leaking.
 
Implement a static route in the MGMT VRF to access the loopback interface in the Default VRF. This is another instance of route leaking.
 
Configure a static route in the TACACS server, enabling it to reach the loopback interface within the Default VRF.
Example:
Upon implementing the configurations provided below, console authentication now takes place via the TACACS server (10.12.159.141), which is accessible through the MGMT VRF.
OcNOS#sh running-config aaa
aaa authentication login console group tacacs+
 
OcNOS#sh running-config tacacs+
feature tacacs+
tacacs-server login host 10.12.159.141 seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
 
OcNOS#sh running-config interface lo
!
interface lo
ip address 127.0.0.1/8
ip address 1.1.1.1/24 secondary
ipv6 address ::1/128
!
 
OcNOS#sh running-config ip route
!
ip route 10.12.159.141/32 eth0
ip route vrf management 1.1.1.1/32 lo global
!
 
OcNOS#show ip interface eth0 brief
'*' - address is assigned by dhcp client
 
Interface   IP-Address       Admin-Status   Link-Status
eth0        *10.12.159.117   up             up
 
Route to be Added in TACACS Server:
ip route add 1.1.1.1/32 via 10.12.159.117