Troubleshooting guide

(DRAFT LABEL) FINAL DRAFT - CISCO CONFIDENTIAL 2/13/02
ATM and Layer 3 Switch Router Troubleshooting Guide
OL-1969-01
Appendix Troubleshooting TACACS+ and Recovering Passwords
Troubleshooting TACACS+ Problems
Users Cannot Connect Using TACACS+
Symptom: Users cannot log in using TACACS+. Either users cannot get the Username prompt or they
get the prompt but authentication or authorization fails.
Table B-5 outlines possible problems and describes solutions.
Table B-5 TACACS+: Users Cannot Log in Using TACACS+

Possible Problem: Switch router missing minimum configuration
Solution:
1. Use the show running-config privileged EXEC command to view the local
switch router configuration. Look for the following commands:
    aaa new-model
    aaa authentication login default tacacs+ enable
    [...]
    tacacs-server host name
    tacacs-server key key
where name is the IP address or DNS host name of the TACACS+ server and
key is the authentication and encryption key.
2. If any of these commands is missing, add it to the configuration. If
there is no key configured on the TACACS+ daemon, the tacacs-server key
command is not necessary.

Possible Problem: aaa authorization command is present
Solution:
1. Use the show running-config privileged EXEC command to view the local
switch router configuration. Look for an aaa authorization exec tacacs+
global configuration command entry.
2. If the command is present, remove it from the configuration by using the
no version of the command.

Possible Problem: PPP not functioning correctly
Solution:
If PPP is not functioning properly, problems will occur when using TACACS+.
Use the debug ppp negotiation privileged EXEC command to see if both sides
are communicating.
For information on configuring PPP, refer to the
Cisco IOS Dial Solutions Configuration Guide: Terminal Services and
Cisco IOS Dial Solutions Command Reference publications.

Possible Problem: PAP is misconfigured
Solution:
1. Use the show running-config privileged EXEC command to make sure your
configuration includes the following global configuration command:
    aaa authentication ppp default if-needed tacacs+
2. If the command is not present, add it to the configuration.
3. In addition, check the configuration of the async interface being used.
The interface must have the following commands configured:
    encapsulation ppp
    ppp authentication pap
4. If these commands are not present, add them to the interface
configuration.
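
The checks in Table B-5 can be run offline against a saved copy of the show running-config output. The script below is an added example, not part of the original guide or of any Cisco tool. The function names, the interface name Async1 and the sample configuration are assumptions constructed for illustration, and the interface checks apply only when PPP with PAP is in use.

```python
# Constructed sample running-config for illustration (not from a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+ enable
aaa authorization exec tacacs+
interface Async1
 encapsulation ppp
!
tacacs-server host 192.0.2.10
"""
# Commands Table B-5 says to look for (prefix match; trailing space = takes an argument).
GLOBAL_CHECKS = (
    "aaa new-model", "aaa authentication login default tacacs+ enable",
    "tacacs-server host ", "tacacs-server key ",
    "aaa authentication ppp default if-needed tacacs+",
)
INTERFACE_CHECKS = ("encapsulation ppp", "ppp authentication pap")

def parse(config):
    """Return (global_lines, {interface_name: [sub-commands]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            interfaces[current].append(line)  # indented: interface sub-command
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def audit(config, async_interface, daemon_has_key=True):
    """Findings against Table B-5; the key is not required if the daemon has none."""
    global_lines, interfaces = parse(config)
    findings = []
    checks = [c for c in GLOBAL_CHECKS if daemon_has_key or c != "tacacs-server key "]
    for check in checks:
        if not any(g.startswith(check) for g in global_lines):
            findings.append(f"missing global: {check.strip()}")
    if any(g.startswith("aaa authorization exec tacacs+") for g in global_lines):
        findings.append("present: aaa authorization exec tacacs+")
    for cmd in INTERFACE_CHECKS:
        if not any(s.startswith(cmd) for s in interfaces.get(async_interface, [])):
            findings.append(f"missing on {async_interface}: {cmd}")
    return findings
```

Calling audit(SAMPLE_CONFIG, "Async1") returns one finding per row of the table that applies; pass daemon_has_key=False when the TACACS+ daemon has no key configured.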