AAA mystery.

Hi Experts,

R2#sh run | sec aaa
aaa new-model
aaa authentication login default local
aaa authorization exec default if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common

I have configured R2 to authorize any user who has authenticated successfully.

But when I try to access from a remote router R1, the connection is not working as expected.

Trying ... Open

User Access Verification

Username: krishna

% Error in authentication.

Why is it not taking the user to enable mode, since he has authenticated successfully?

Debug from R2:

*Mar  1 19:34:22.915: AAA/BIND(0000001A): Bind i/f
*Mar  1 19:34:27.899: AAA/AUTHOR (0000001A): Method=If-authen for method list id=00000000.Skip author
*Mar  1 19:34:29.155: AAA: parse name=tty227 idb type=-1 tty=-1
*Mar  1 19:34:29.155: AAA: name=tty227 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=227 channel=0
*Mar  1 19:34:29.159: AAA/MEMORY: create_user (0x654212E0) user='krishna' ruser='NULL' ds0=0 port='tty227' rem_addr='' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar  1 19:34:29.159: AAA/MEMORY: free_user (0x654212E0) user='krishna' ruser='NULL' port='tty227' rem_addr='' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)




  • Hi Krishna,

    The "if-authenticated" method list allows us to execute the commands even if the TACACS+ server is not reachable. I think your authentication is not successful because of not having an enable password.


  • Krishna


    Exec => prompt, which you have, so it is "working"; however, you get priv 1 if either the line is set to priv 1 or the user is set to priv 1.


    If you want level 15 without prompt then you need to configure the user as a level 15 user and then it will bypass this.




    Add the command

    aaa authentication enable default enable

    enable secret yadiyada


    To get straight to # prompt like mentioned earlier either

    line vty 0 4

    privilege level 15


    username test privilege 15 secret test (Doesn't work with my 3700 GNS3 - still privilege 1)
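
An added example, not part of the thread: a small Python parser for the AAA debug lines R2 printed above. It separates the exec-authorization decision (skipped by if-authenticated) from the request that follows, which is an ENABLE service request at priv 15, the step the first reply points to. The names `parse` and `diagnose` are this example's own.

```python
import re

# Debug output copied from R2 in the thread above.
SAMPLE = """\
*Mar  1 19:34:22.915: AAA/BIND(0000001A): Bind i/f
*Mar  1 19:34:27.899: AAA/AUTHOR (0000001A): Method=If-authen for method list id=00000000.Skip author
*Mar  1 19:34:29.155: AAA: parse name=tty227 idb type=-1 tty=-1
*Mar  1 19:34:29.155: AAA: name=tty227 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=227 channel=0
*Mar  1 19:34:29.159: AAA/MEMORY: create_user (0x654212E0) user='krishna' ruser='NULL' ds0=0 port='tty227' rem_addr='' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar  1 19:34:29.159: AAA/MEMORY: free_user (0x654212E0) user='krishna' ruser='NULL' port='tty227' rem_addr='' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
"""

# timestamp, facility (AAA or AAA/XXX), optional (session id), message
LINE = re.compile(r"^\*?(\w{3}\s+\d+ [\d:.]+): (AAA(?:/\w+)?)\s*(?:\((\w+)\))?: (.*)$")
# key=value where the value is 'quoted' (possibly empty) or a bare token
KV = re.compile(r"(\w+)=(?:'([^']*)'|([\w-]*))")

def parse(text):
    """Turn AAA debug lines into dicts with timestamp, facility, session and fields."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an AAA debug line
        ts, facility, session, msg = m.groups()
        fields = {x.group(1): x.group(2) if x.group(2) is not None else x.group(3)
                  for x in KV.finditer(msg)}
        events.append({"ts": ts, "facility": facility, "session": session,
                       "msg": msg, "fields": fields})
    return events

def diagnose(events):
    """Report whether exec authorization was skipped and list enable requests."""
    result = {"exec_author_skipped": False, "enable_requests": []}
    for ev in events:
        f = ev["fields"]
        if ev["facility"] == "AAA/AUTHOR" and "Skip author" in ev["msg"]:
            result["exec_author_skipped"] = f.get("Method") == "If-authen"
        elif ev["msg"].startswith("create_user") and f.get("service") == "ENABLE":
            result["enable_requests"].append((f["user"], int(f["priv"]), f["port"]))
    return result

if __name__ == "__main__":
    print(diagnose(parse(SAMPLE)))
```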
