
Cisco 3.3 User Manual

Page 650


Appendix A Troubleshooting

Cisco IOS Issues

A-6

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Condition: Under EXEC Commands, Cisco IOS commands are not being denied when checked.

Recovery Action: Examine the Cisco IOS configuration at the AAA client. If it is not already present, add the following Cisco IOS command to the AAA client configuration:

aaa authorization command <0-15> default group TACACS+

The correct syntax for the arguments in the text box is permit argument or deny argument.

Condition: Administrator has been locked out of the AAA client because of an incorrect configuration set up in the AAA client.

Recovery Action: If you have a fallback method configured on your AAA client, disable connectivity to the AAA server and log in using local/line username and password.

Try to connect directly to the AAA client at the console port. If that is not successful, consult your AAA client documentation or see the Password Recovery Procedures page on Cisco.com for information regarding your particular AAA client.

Condition: IETF RADIUS attributes not supported in Cisco IOS 12.0.5.T

Recovery Action: Cisco incorporated RADIUS (IETF) attributes in Cisco IOS Release 11.1. However, there are a few attributes that are not yet supported or that require a later version of the Cisco IOS software. For more information, see the RADIUS Attributes page on Cisco.com.

Condition: Unable to enter Enable Mode after doing aaa authentication enable default tacacs+. Getting error message “Error in authentication on the router.”

Recovery Action: Check the failed attempts log in the ACS. If the log reads “CS password invalid,” it may be that the user has no enable password set up. Set the TACACS+ Enable Password within the Advanced TACACS+ Settings section.

If you do not see the Advanced TACACS+ Settings section among the user setup options, go to Interface Configuration > Advanced Configuration Options > Advanced TACACS+ Features and select that option to have the TACACS+ settings appear in the user settings. Then select Max privilege for any AAA Client (this will typically be 15) and enter the TACACS+ Enable Password that you want the user to have for enable.
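As an added example (not part of the Cisco guide), the Python script below audits a saved running-config for two conditions from the table above: privilege levels with no aaa authorization commands line, and AAA method lists that name only a server group and so leave no fallback login if the AAA server is unreachable or misconfigured. The sample configuration is constructed, and the function names and the default levels checked (1 and 15) are assumptions.

```python
import re

# Constructed sample running-config excerpt; not taken from the guide.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default tacacs+
aaa authorization exec default group tacacs+
aaa authorization commands 15 default group tacacs+ local
"""

AAA_LINE = re.compile(
    r"^aaa (authentication|authorization) (\S+)(?: (\d+))? (\S+) (.+)$")

def parse_methods(text):
    """Split a method list into (server_methods, fallback_methods)."""
    servers, fallbacks = [], []
    tokens = iter(text.lower().split())
    for tok in tokens:
        if tok == "group":                       # "group tacacs+"
            servers.append(next(tokens, "unknown"))
        elif tok in ("tacacs+", "radius"):       # older syntax without "group"
            servers.append(tok)
        else:                                    # local, line, enable, ...
            fallbacks.append(tok)
    return servers, fallbacks

def audit_aaa(config, levels=(1, 15)):
    """Return (levels lacking command authorization, lists without fallback).

    The default levels are an assumption; pass the levels you actually use.
    """
    authorized, no_fallback = set(), []
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if not m:
            continue
        kind, service, level, list_name, methods = m.groups()
        servers, fallbacks = parse_methods(methods)
        if kind == "authorization" and service in ("command", "commands") and level:
            authorized.add(int(level))
        if servers and not fallbacks:
            no_fallback.append(f"{kind} {service} {list_name}")
    return [lv for lv in levels if lv not in authorized], no_fallback

if __name__ == "__main__":
    missing, no_fallback = audit_aaa(SAMPLE_CONFIG)
    print("privilege levels without command authorization:", missing)
    print("method lists with no fallback (lockout risk):", no_fallback)
```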