OmniSecu.com Logo  
omnisecu.com free mcse ccna rhce linux java learning
omnisecu.com free mcse ccna rhce linux java learning
          Sharefacebook twitter google+ google bookmark yahoo bookmark delicious digg linkedin pinterest reddit stumbleupon evernote diigo blinklist blogmarks livejournal email feed

Tutorials

Troubleshooting AAA using Debug Commands and test command

External Resources

AAA Debug Commands

AAA debug commands are very useful in detecting the problems related with AAA Client/Server interaction. Following table lists important AAA debug commands.

AAA Debug Command Description
debug aaa authentication Debug TACACS+ and RADIUS client/server interaction related with AAA Authentication.
debug aaa authorization Debug TACACS+ and RADIUS client/server interaction related with Authorization.
debug aaa accounting Debug TACACS+ and RADIUS client/server interaction related with Accounting.
debug aaa per-user Debug AAA information on a per-user basis.
debug tacacs Debug TACACS+ interaction between the AAA client and the AAA server.
debug radius Debug RADIUS interaction between the AAA client and the AAA server.

Following output shows typical debug output after enabling debug for AAA Authentication and Authorization using "debug aaa authentication" and "debug aaa authorization" commands.

  *Jan 18 19:58:18.019: AAA/BIND(00000009): Bind i/f
*Jan 18 19:58:18.019: AAA/AUTHEN/LOGIN (00000009): Pick method list 'default'
OmniSecuR1#
*Jan 18 19:58:24.231: AAA/AUTHOR (0x9): Pick method list 'default'
*Jan 18 19:58:24.455: AAA/AUTHOR/EXEC(00000009): processing AV cmd=
*Jan 18 19:58:24.455: AAA/AUTHOR/EXEC(00000009): processing AV priv-lvl=9
*Jan 18 19:58:24.455: AAA/AUTHOR/EXEC(00000009): Authorization successful
OmniSecuR1#
*Jan 18 19:58:30.203: AAA: parse name=tty2 idb type=-1 tty=-1
*Jan 18 19:58:30.203: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
*Jan 18 19:58:30.203: AAA/MEMORY: create_user (0x678D366C) 
user='jajish' ruser='OmniSecuR1' ds0=0 port='tty2' rem_addr='192.168.10.100' authen_type=ASCII 
service=NONE priv=9 initial_task_id='0', vrf= (id=0)
*Jan 18 19:58:30.203: tty2 AAA/AUTHOR/CMD(2580968612): Port='tty2' list='' service=CMD
*Jan 18 19:58:30.203: AAA/AUTHOR/CMD: tty2(2580968612) user='jajish'
*Jan 18 19:58:30.203: tty2 AAA/AUTHOR/CMD(2580968612): send AV service=shell
*Jan 18 19:58:30.203: tty2 AAA/AUTHOR/CMD(2580968612): send AV cmd=configure
*Jan 18 19:58:30.203: tty2 AAA/AUTHOR/CMD(2580968612): send AV cmd-arg=terminal
*Jan 18 19:58:30.203: tty2 AAA/AUTHOR/CMD(2580968612): send AV cmd-arg=
*Jan 18 19:58:30.203: tty2 AAA/AUTHOR/CMD(2580968612): found list "default"
*Jan 18 19:58:30.203: tty2 AAA/AUTHOR/CMD(2580968612): Method=tacacs+ (tacacs+)
OmniSecuR1#
*Jan 18 19:58:30.203: AAA/AUTHOR/TAC+: (2580968612): user=jajish
*Jan 18 19:58:30.203: AAA/AUTHOR/TAC+: (2580968612): send AV service=shell
*Jan 18 19:58:30.203: AAA/AUTHOR/TAC+: (2580968612): send AV cmd=configure
*Jan 18 19:58:30.203: AAA/AUTHOR/TAC+: (2580968612): send AV cmd-arg=terminal
*Jan 18 19:58:30.203: AAA/AUTHOR/TAC+: (2580968612): send AV cmd-arg=
*Jan 18 19:58:30.463: TAC+: (-1713998684): received author response status = PASS_ADD
*Jan 18 19:58:30.467: AAA/AUTHOR (2580968612): Post authorization status = PASS_ADD
*Jan 18 19:58:30.467: AAA/MEMORY: free_user (0x678D366C) user='jajish' ruser='OmniSecuR1' 
port='tty2' rem_addr='192.168.10.100' authen_type=ASCII service=NONE priv=9 vrf= (id=0)
OmniSecuR1#
*Jan 18 19:58:40.499: AAA: parse name=tty2 idb type=-1 tty=-1
*Jan 18 19:58:40.499: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
*Jan 18 19:58:40.499: AAA/MEMORY: create_user (0x678D366C) user='jajish' ruser='OmniSecuR1' 
ds0=0 port='tty2' rem_addr='192.168.10.100' authen_type=ASCII service=NONE 
priv=9 initial_task_id='0', vrf= (id=0)
*Jan 18 19:58:40.499: tty2 AAA/AUTHOR/CMD(2643128500): Port='tty2' list='' service=CMD
*Jan 18 19:58:40.499: AAA/AUTHOR/CMD: tty2(2643128500) user='jajish'
*Jan 18 19:58:40.499: tty2 AAA/AUTHOR/CMD(2643128500): send AV service=shell
*Jan 18 19:58:40.499: tty2 AAA/AUTHOR/CMD(2643128500): send AV cmd=interface
*Jan 18 19:58:40.499: tty2 AAA/AUTHOR/CMD(2643128500): send AV cmd-arg=GigabitEthernet
*Jan 18 19:58:40.499: tty2 AAA/AUTHOR/CMD(2643128500): send AV cmd-arg=0/0
*Jan 18 19:58:40.499: tty2 AAA/AUTHOR/CMD(2643128500): send AV cmd-arg=
*Jan 18 19:58:40.499: tty2 AAA/AUTHOR/CMD(2643128500): found list "defaul
OmniSecuR1#t"
*Jan 18 19:58:40.499: tty2 AAA/AUTHOR/CMD(2643128500): Method=tacacs+ (tacacs+)
*Jan 18 19:58:40.499: AAA/AUTHOR/TAC+: (2643128500): user=jajish
*Jan 18 19:58:40.499: AAA/AUTHOR/TAC+: (2643128500): send AV service=shell
*Jan 18 19:58:40.499: AAA/AUTHOR/TAC+: (2643128500): send AV cmd=interface
*Jan 18 19:58:40.499: AAA/AUTHOR/TAC+: (2643128500): send AV cmd-arg=GigabitEthernet
*Jan 18 19:58:40.503: AAA/AUTHOR/TAC+: (2643128500): send AV cmd-arg=0/0
*Jan 18 19:58:40.503: AAA/AUTHOR/TAC+: (2643128500): send AV cmd-arg=
*Jan 18 19:58:40.763: TAC+: (-1651838796): received author response status = PASS_ADD
*Jan 18 19:58:40.767: AAA/AUTHOR (2643128500): Post authorization status = PASS_ADD
*Jan 18 19:58:40.767: AAA/MEMORY: free_user (0x678D366C) user='jajish' ruser='OmniSecuR1' 
port='tty2' rem_addr='192.168.10.100' authen_type=ASCII service=NONE priv=9 vrf= (id=0)
OmniSecuR1#
*Jan 18 19:58:49.703: AAA: parse name=tty2 idb type=-1 tty=-1
*Jan 18 19:58:49.703: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
*Jan 18 19:58:49.703: AAA/MEMORY: create_user (0x678D366C) user='jajish' ruser='OmniSecuR1'
ds0=0 port='tty2' rem_addr='192.168.10.100' authen_type=ASCII service=NONE 
priv=9 initial_task_id='0', vrf= (id=0)
*Jan 18 19:58:49.703: tty2 AAA/AUTHOR/CMD(4070300996): Port='tty2' list='' service=CMD
*Jan 18 19:58:49.703: AAA/AUTHOR/CMD: tty2(4070300996) user='jajish'
*Jan 18 19:58:49.703: tty2 AAA/AUTHOR/CMD(4070300996): send AV service=shell
*Jan 18 19:58:49.703: tty2 AAA/AUTHOR/CMD(4070300996): send AV cmd=router
OmniSecuR1#
*Jan 18 19:58:49.703: tty2 AAA/AUTHOR/CMD(4070300996): send AV cmd-arg=rip
*Jan 18 19:58:49.703: tty2 AAA/AUTHOR/CMD(4070300996): send AV cmd-arg=
*Jan 18 19:58:49.703: tty2 AAA/AUTHOR/CMD(4070300996): found list "default"
*Jan 18 19:58:49.703: tty2 AAA/AUTHOR/CMD(4070300996): Method=tacacs+ (tacacs+)
*Jan 18 19:58:49.703: AAA/AUTHOR/TAC+: (4070300996): user=jajish
*Jan 18 19:58:49.703: AAA/AUTHOR/TAC+: (4070300996): send AV service=shell
*Jan 18 19:58:49.703: AAA/AUTHOR/TAC+: (4070300996): send AV cmd=router
*Jan 18 19:58:49.703: AAA/AUTHOR/TAC+: (4070300996): send AV cmd-arg=rip
*Jan 18 19:58:49.703: AAA/AUTHOR/TAC+: (4070300996): send AV cmd-arg=
OmniSecuR1#
*Jan 18 19:58:49.975: TAC+: (-224666300): received author response status = FAIL
*Jan 18 19:58:49.979: AAA/AUTHOR (4070300996): Post authorization status = FAIL
*Jan 18 19:58:49.983: AAA/MEMORY: free_user (0x678D366C) user='jajish' ruser='OmniSecuR1' 
port='tty2' rem_addr='192.168.10.100' authen_type=ASCII service=NONE priv=9 vrf= (id=0)

Cisco IOS CLI "test" Command

Another commandline tool which is useful in testing AAA authentication is Cisco IOS CLI "test" command.

The "test" command can be used as shown as below to test AAA authentications.

OmniSecuR1#test aaa group tacacs+ jajish OmniSecu123 legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated. 

 

 

              Jajish Thomason Google+
Related Topics
comments powered by Disqus


eXTReMe Tracker DMCA.com