Troubleshooting TACACS+ and XTACACS
TACACS+: Users Cannot Log In Using TACACS+
Symptom: Users cannot log in using TACACS+. Either users cannot get the “Username” prompt or
they get the prompt but authentication or authorization fails.
Table 24-5 outlines the problems that might cause this symptom and describes solutions to those
problems.
Table 24-5 TACACS+: Users Cannot Log In Using TACACS+

Possible Problem: Router missing minimum configuration

Solution:

Step 1 Use the show running-config privileged exec command to view the local router configuration. Look for the following commands:

    aaa new-model
    aaa authentication login default tacacs+ enable
    [...]
    tacacs-server host name
    tacacs-server key key

where name is the IP address or DNS hostname of the TACACS+ server and key is the authentication and encryption key.

Step 2 If any of these commands is missing, add the missing commands to the configuration. If there is no key configured on the TACACS+ daemon, the tacacs-server key command is not necessary.

Possible Problem: aaa authorization command present

Solution:

Step 1 Use the show running-config privileged exec command to view the local router configuration. Look for an aaa authorization exec tacacs+ global configuration command entry.

Step 2 If the command is present, remove it from the configuration using the no version of the command.

Possible Problem: PPP not functioning correctly

Solution:

If PPP is not functioning properly, problems will occur when using TACACS+. Use the debug ppp negotiation privileged exec command to see whether both sides are communicating.

Caution: Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

For information on configuring PPP, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and Configuration Fundamentals Command Reference.

Possible Problem: PAP is misconfigured

Solution:

Step 1 Use the show running-config privileged exec command to make sure your configuration includes the following global configuration command:

    aaa authentication ppp default if-needed tacacs+

Step 2 If the command is not present, add it to the configuration.

Step 3 In addition, check the configuration of the async interface being used. Use the show running-config privileged exec command. The interface must have the following commands configured:

    encapsulation ppp
    ppp authentication pap

Step 4 If these commands are not present, add them to the interface configuration.
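The configuration checks in Table 24-5 (minimum TACACS+ commands, the aaa authorization exec tacacs+ entry that must be removed, and the PAP-over-PPP commands on the async interface) can be run automatically against saved show running-config output. The following Python script is an added example written for this page; it is not part of the Cisco guide. It parses a constructed sample configuration (not taken from any real router) and reports each condition from the table. Assumptions: the input is the plain text of show running-config, the async interfaces to check are those whose name begins with "Async", the key_on_daemon flag states whether the TACACS+ daemon has a key configured, and the check for the PPP/debug row is not automated since it needs live debug output.

```python
import re

# Constructed sample "show running-config" excerpt (not from a real device).
# It deliberately lacks "tacacs-server key", still carries
# "aaa authorization exec tacacs+", and leaves Async2 without PAP.
SAMPLE_CONFIG = """\
version 12.0
hostname edge-router
!
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication ppp default if-needed tacacs+
aaa authorization exec tacacs+
!
tacacs-server host 192.0.2.10
!
interface Async1
 encapsulation ppp
 ppp authentication pap
!
interface Async2
 encapsulation ppp
!
end
"""

# Row 1 of Table 24-5: minimum global TACACS+ configuration.
MIN_TACACS = [
    (r"^aaa new-model$", "aaa new-model"),
    (r"^aaa authentication login default tacacs\+ enable$",
     "aaa authentication login default tacacs+ enable"),
    (r"^tacacs-server host \S+", "tacacs-server host <name>"),
    (r"^tacacs-server key \S+", "tacacs-server key <key>"),
]
# Row 2: this entry must NOT be present.
FORBIDDEN_AUTHZ = r"^aaa authorization exec tacacs\+"
# Row 4: PAP over PPP, global command plus per-interface commands.
PPP_GLOBAL = (r"^aaa authentication ppp default if-needed tacacs\+$",
              "aaa authentication ppp default if-needed tacacs+")
ASYNC_REQUIRED = [
    (r"^encapsulation ppp$", "encapsulation ppp"),
    (r"^ppp authentication pap$", "ppp authentication pap"),
]


def parse_config(text):
    """Split running-config text into global lines and per-interface lines.

    An "interface X" line opens a block; indented lines belong to it and a
    "!" separator or the next non-indented line closes it.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith(" "):
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        current = None
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit_config(text, key_on_daemon=True):
    """Return a list of findings, one per Table 24-5 condition that fails."""
    findings = []
    global_lines, interfaces = parse_config(text)

    def present(pattern, lines):
        return any(re.match(pattern, ln) for ln in lines)

    for pattern, human in MIN_TACACS:
        # Table 24-5, row 1, step 2: the key is optional when the daemon has none.
        if human.startswith("tacacs-server key") and not key_on_daemon:
            continue
        if not present(pattern, global_lines):
            findings.append(f"missing global command: {human}")

    if present(FORBIDDEN_AUTHZ, global_lines):
        findings.append("remove 'aaa authorization exec tacacs+' "
                        "(use the no form of the command)")

    if not present(PPP_GLOBAL[0], global_lines):
        findings.append(f"missing global command: {PPP_GLOBAL[1]}")

    # Assumption: async interfaces are those named Async<n>.
    for name, lines in interfaces.items():
        if not name.lower().startswith("async"):
            continue
        for pattern, human in ASYNC_REQUIRED:
            if not present(pattern, lines):
                findings.append(f"interface {name}: missing {human}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Feed the script real show running-config output (saved to a file and read into a string) and pass key_on_daemon=False only when the TACACS+ daemon genuinely has no key; the "[...]" in the table means the guide lists only the commands that matter for this symptom, so a clean audit does not by itself prove the rest of the AAA configuration is complete.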