
Troubleshooting AAA using Debug Commands and test command

AAA Debug Commands

AAA debug commands are very useful for detecting problems in the interaction between the AAA client and the AAA server. The following table lists the important AAA debug commands.

| AAA Debug Command | Description |
|---|---|
| debug aaa authentication | Debug TACACS+ and RADIUS client/server interaction related to AAA Authentication. |
| debug aaa authorization | Debug TACACS+ and RADIUS client/server interaction related to Authorization. |
| debug aaa accounting | Debug TACACS+ and RADIUS client/server interaction related to Accounting. |
| debug aaa per-user | Debug AAA information on a per-user basis. |
| debug tacacs | Debug TACACS+ interaction between the AAA client and the AAA server. |
| debug radius | Debug RADIUS interaction between the AAA client and the AAA server. |

The following is typical debug output after enabling debugging for AAA Authentication and Authorization with the "debug aaa authentication" and "debug aaa authorization" commands.

*Jan 18 19:58:18.019: AAA/BIND(00000009): Bind i/f
*Jan 18 19:58:18.019: AAA/AUTHEN/LOGIN (00000009): Pick method list 'default'
OmniSecuR1#
*Jan 18 19:58:24.231: AAA/AUTHOR (0x9): Pick method list 'default'
*Jan 18 19:58:24.455: AAA/AUTHOR/EXEC(00000009): processing AV cmd=
*Jan 18 19:58:24.455: AAA/AUTHOR/EXEC(00000009): processing AV priv-lvl=9
*Jan 18 19:58:24.455: AAA/AUTHOR/EXEC(00000009): Authorization successful
OmniSecuR1#
*Jan 18 19:58:30.203: AAA: parse name=tty2 idb type=-1 tty=-1
*Jan 18 19:58:30.203: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
*Jan 18 19:58:30.203: AAA/MEMORY: create_user (0x678D366C) 
user='jajish' ruser='OmniSecuR1' ds0=0 port='tty2' rem_addr='192.168.10.100' authen_type=ASCII 
service=NONE priv=9 initial_task_id='0', vrf= (id=0)
*Jan 18 19:58:30.203: tty2 AAA/AUTHOR/CMD(2580968612): Port='tty2' list='' service=CMD
*Jan 18 19:58:30.203: AAA/AUTHOR/CMD: tty2(2580968612) user='jajish'
*Jan 18 19:58:30.203: tty2 AAA/AUTHOR/CMD(2580968612): send AV service=shell
*Jan 18 19:58:30.203: tty2 AAA/AUTHOR/CMD(2580968612): send AV cmd=configure
*Jan 18 19:58:30.203: tty2 AAA/AUTHOR/CMD(2580968612): send AV cmd-arg=terminal
*Jan 18 19:58:30.203: tty2 AAA/AUTHOR/CMD(2580968612): send AV cmd-arg=<cr>
*Jan 18 19:58:30.203: tty2 AAA/AUTHOR/CMD(2580968612): found list "default"
*Jan 18 19:58:30.203: tty2 AAA/AUTHOR/CMD(2580968612): Method=tacacs+ (tacacs+)
OmniSecuR1#
*Jan 18 19:58:30.203: AAA/AUTHOR/TAC+: (2580968612): user=jajish
*Jan 18 19:58:30.203: AAA/AUTHOR/TAC+: (2580968612): send AV service=shell
*Jan 18 19:58:30.203: AAA/AUTHOR/TAC+: (2580968612): send AV cmd=configure
*Jan 18 19:58:30.203: AAA/AUTHOR/TAC+: (2580968612): send AV cmd-arg=terminal
*Jan 18 19:58:30.203: AAA/AUTHOR/TAC+: (2580968612): send AV cmd-arg=<cr>
*Jan 18 19:58:30.463: TAC+: (-1713998684): received author response status = PASS_ADD
*Jan 18 19:58:30.467: AAA/AUTHOR (2580968612): Post authorization status = PASS_ADD
*Jan 18 19:58:30.467: AAA/MEMORY: free_user (0x678D366C) user='jajish' ruser='OmniSecuR1' 
port='tty2' rem_addr='192.168.10.100' authen_type=ASCII service=NONE priv=9 vrf= (id=0)
OmniSecuR1#
*Jan 18 19:58:40.499: AAA: parse name=tty2 idb type=-1 tty=-1
*Jan 18 19:58:40.499: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
*Jan 18 19:58:40.499: AAA/MEMORY: create_user (0x678D366C) user='jajish' ruser='OmniSecuR1' 
ds0=0 port='tty2' rem_addr='192.168.10.100' authen_type=ASCII service=NONE 
priv=9 initial_task_id='0', vrf= (id=0)
*Jan 18 19:58:40.499: tty2 AAA/AUTHOR/CMD(2643128500): Port='tty2' list='' service=CMD
*Jan 18 19:58:40.499: AAA/AUTHOR/CMD: tty2(2643128500) user='jajish'
*Jan 18 19:58:40.499: tty2 AAA/AUTHOR/CMD(2643128500): send AV service=shell
*Jan 18 19:58:40.499: tty2 AAA/AUTHOR/CMD(2643128500): send AV cmd=interface
*Jan 18 19:58:40.499: tty2 AAA/AUTHOR/CMD(2643128500): send AV cmd-arg=GigabitEthernet
*Jan 18 19:58:40.499: tty2 AAA/AUTHOR/CMD(2643128500): send AV cmd-arg=0/0
*Jan 18 19:58:40.499: tty2 AAA/AUTHOR/CMD(2643128500): send AV cmd-arg=<cr>
*Jan 18 19:58:40.499: tty2 AAA/AUTHOR/CMD(2643128500): found list "defaul
OmniSecuR1#t"
*Jan 18 19:58:40.499: tty2 AAA/AUTHOR/CMD(2643128500): Method=tacacs+ (tacacs+)
*Jan 18 19:58:40.499: AAA/AUTHOR/TAC+: (2643128500): user=jajish
*Jan 18 19:58:40.499: AAA/AUTHOR/TAC+: (2643128500): send AV service=shell
*Jan 18 19:58:40.499: AAA/AUTHOR/TAC+: (2643128500): send AV cmd=interface
*Jan 18 19:58:40.499: AAA/AUTHOR/TAC+: (2643128500): send AV cmd-arg=GigabitEthernet
*Jan 18 19:58:40.503: AAA/AUTHOR/TAC+: (2643128500): send AV cmd-arg=0/0
*Jan 18 19:58:40.503: AAA/AUTHOR/TAC+: (2643128500): send AV cmd-arg=<cr>
*Jan 18 19:58:40.763: TAC+: (-1651838796): received author response status = PASS_ADD
*Jan 18 19:58:40.767: AAA/AUTHOR (2643128500): Post authorization status = PASS_ADD
*Jan 18 19:58:40.767: AAA/MEMORY: free_user (0x678D366C) user='jajish' ruser='OmniSecuR1' 
port='tty2' rem_addr='192.168.10.100' authen_type=ASCII service=NONE priv=9 vrf= (id=0)
OmniSecuR1#
*Jan 18 19:58:49.703: AAA: parse name=tty2 idb type=-1 tty=-1
*Jan 18 19:58:49.703: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
*Jan 18 19:58:49.703: AAA/MEMORY: create_user (0x678D366C) user='jajish' ruser='OmniSecuR1'
ds0=0 port='tty2' rem_addr='192.168.10.100' authen_type=ASCII service=NONE 
priv=9 initial_task_id='0', vrf= (id=0)
*Jan 18 19:58:49.703: tty2 AAA/AUTHOR/CMD(4070300996): Port='tty2' list='' service=CMD
*Jan 18 19:58:49.703: AAA/AUTHOR/CMD: tty2(4070300996) user='jajish'
*Jan 18 19:58:49.703: tty2 AAA/AUTHOR/CMD(4070300996): send AV service=shell
*Jan 18 19:58:49.703: tty2 AAA/AUTHOR/CMD(4070300996): send AV cmd=router
OmniSecuR1#
*Jan 18 19:58:49.703: tty2 AAA/AUTHOR/CMD(4070300996): send AV cmd-arg=rip
*Jan 18 19:58:49.703: tty2 AAA/AUTHOR/CMD(4070300996): send AV cmd-arg=<cr>
*Jan 18 19:58:49.703: tty2 AAA/AUTHOR/CMD(4070300996): found list "default"
*Jan 18 19:58:49.703: tty2 AAA/AUTHOR/CMD(4070300996): Method=tacacs+ (tacacs+)
*Jan 18 19:58:49.703: AAA/AUTHOR/TAC+: (4070300996): user=jajish
*Jan 18 19:58:49.703: AAA/AUTHOR/TAC+: (4070300996): send AV service=shell
*Jan 18 19:58:49.703: AAA/AUTHOR/TAC+: (4070300996): send AV cmd=router
*Jan 18 19:58:49.703: AAA/AUTHOR/TAC+: (4070300996): send AV cmd-arg=rip
*Jan 18 19:58:49.703: AAA/AUTHOR/TAC+: (4070300996): send AV cmd-arg=<cr>
OmniSecuR1#
*Jan 18 19:58:49.975: TAC+: (-224666300): received author response status = FAIL
*Jan 18 19:58:49.979: AAA/AUTHOR (4070300996): Post authorization status = FAIL
*Jan 18 19:58:49.983: AAA/MEMORY: free_user (0x678D366C) user='jajish' ruser='OmniSecuR1' 
port='tty2' rem_addr='192.168.10.100' authen_type=ASCII service=NONE priv=9 vrf= (id=0)
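
An added example (not part of the original tutorial): a small Python parser for the command-authorization lines above that rebuilds each command from its cmd/cmd-arg AV pairs and attaches the server's verdict to it. It relies on an observation from the values in this output, treated here as an assumption: the id on the TAC+ response line is the request id printed as a signed 32-bit number.

```python
import re

# Lines copied from the debug output above, trimmed to two requests.
SAMPLE = """\
*Jan 18 19:58:30.203: AAA/AUTHOR/CMD: tty2(2580968612) user='jajish'
*Jan 18 19:58:30.203: tty2 AAA/AUTHOR/CMD(2580968612): send AV cmd=configure
*Jan 18 19:58:30.203: tty2 AAA/AUTHOR/CMD(2580968612): send AV cmd-arg=terminal
*Jan 18 19:58:30.203: tty2 AAA/AUTHOR/CMD(2580968612): send AV cmd-arg=<cr>
*Jan 18 19:58:30.463: TAC+: (-1713998684): received author response status = PASS_ADD
*Jan 18 19:58:49.703: AAA/AUTHOR/CMD: tty2(4070300996) user='jajish'
*Jan 18 19:58:49.703: tty2 AAA/AUTHOR/CMD(4070300996): send AV cmd=router
OmniSecuR1#
*Jan 18 19:58:49.703: tty2 AAA/AUTHOR/CMD(4070300996): send AV cmd-arg=rip
*Jan 18 19:58:49.703: tty2 AAA/AUTHOR/CMD(4070300996): send AV cmd-arg=<cr>
*Jan 18 19:58:49.975: TAC+: (-224666300): received author response status = FAIL
"""

USER = re.compile(r"AAA/AUTHOR/CMD: \S+\((\d+)\) user='([^']*)'")
AV = re.compile(r"AAA/AUTHOR/CMD\((\d+)\): send AV (?:cmd|cmd-arg)=(.*)")
STATUS = re.compile(r"\((-?\d+)\): (?:received author response"
                    r"|Post authorization) status = (\w+)")

def summarize(text):
    """Group command-authorization debug lines by request id."""
    reqs = {}
    def req(raw_id):
        # Assumption: the TAC+ line shows the id as a signed 32-bit value, so
        # mask it; -1713998684 and 2580968612 then land on the same request.
        sid = int(raw_id) & 0xFFFFFFFF
        return reqs.setdefault(sid, {"id": sid, "user": None, "words": [], "status": None})
    for line in text.splitlines():   # interleaved prompt lines match nothing
        line = line.rstrip()
        if m := USER.search(line):
            req(m[1])["user"] = m[2]
        elif m := AV.search(line):
            if m[2] != "<cr>":       # <cr> only marks the end of the command
                req(m[1])["words"].append(m[2])
        elif m := STATUS.search(line):
            req(m[1])["status"] = m[2]
    return [{"id": r["id"], "user": r["user"], "command": " ".join(r["words"]),
             "status": r["status"]} for r in reqs.values()]

def denied(text):
    """Commands the TACACS+ server refused (status FAIL)."""
    return [r for r in summarize(text) if r["status"] == "FAIL"]

if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(r["status"], r["user"], r["command"])
```

Run against the full capture, it reports "configure terminal" and "interface GigabitEthernet 0/0" as PASS_ADD and "router rip" as FAIL for user jajish.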

Cisco IOS CLI "test" Command

Another command-line tool that is useful for testing AAA authentication is the Cisco IOS CLI "test" command.

The "test" command can be used as shown below to test AAA authentication. Note that the user's password is entered in clear text as a command argument.

OmniSecuR1#test aaa group tacacs+ jajish OmniSecu123 legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated. 

 

 
