Troubleshooting and verifying TACACS+ can be rather complex because it’s used so often with other features, such as PPP. Remember to use the troubleshooting commands associated with any protocols or technologies working with TACACS+.
Two show commands are useful for verifying AAA:

show running-config    Verifies that the TACACS+ configuration on the NAS (server addresses, key, and AAA method lists) is what you intended.
show tacacs            Displays per-server TACACS+ statistics (connection opens and closes, failed connect attempts, timeouts, packets sent and received), which show whether the NAS can actually reach the AAA server.
Cisco IOS debug command output provides a valuable source of information and feedback concerning state transitions and functions within the AAA environment. In addition to debug command output gathered directly from devices running Cisco IOS, the Cisco AAA server can be configured to collect operational diagnostics. Use the following debug commands to capture AAA-related transitions and functions.
debug condition username username    Restricts debugging output to the sessions of one user (conditional debugging), so the AAA and PPP debugs below are not swamped by other users' traffic.
debug aaa authentication             Displays authentication events and the TACACS+ client/server interaction behind them.
debug aaa authorization              Displays authorization events and the TACACS+ client/server interaction behind them.
debug aaa accounting                 Displays accounting events and the TACACS+ client/server interaction behind them.
debug tacacs                         Displays the TACACS+ exchange between the IOS client and the AAA server: connection opens and closes, packets sent and received, and the status carried in each server response.
debug ppp negotiation                Shows whether a client completes PPP negotiation.
debug ppp authentication             Shows whether a client passes PPP authentication.
debug ppp error                      Displays protocol errors and error statistics from PPP connection negotiation and operation.

Debug output is CPU-intensive. On a busy NAS, scope it with debug condition before enabling the aaa or ppp debugs, and turn it off (undebug all) when you are done.
Chapter 4 looked at the various commands to implement AAA features on the NAS. This chapter reviews the basic commands that allow the AAA client running on a NAS to locate and communicate with the Cisco Secure ACS RADIUS server.
To define one or more RADIUS servers, use the radius-server host global configuration command. Use the no form of this command to delete the specified RADIUS host. The syntax is
Rtr1(config)#radius-server host {hostname | ip-address} [auth-port port-number]
    [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
    [alias {hostname | ip-address}]
Rtr1(config)#no radius-server host {hostname | ip-address} [auth-port port-number]
    [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
hostname             DNS name of the RADIUS server.
ip-address           IP address of the RADIUS server.
auth-port            (Optional) Specifies the UDP destination port for authentication requests.
port-number          (Optional) Port number for authentication requests. A value of 0 means this host is not used for authentication.
acct-port            (Optional) Specifies the UDP destination port for accounting requests.
port-number          (Optional) Port number for accounting requests. A value of 0 means this host is not used for accounting.
timeout seconds      (Optional) How long the NAS waits for a reply from this server before retransmitting; overrides the global radius-server timeout value for this host.
retransmit retries   (Optional) How many times a request is retransmitted to this server before the NAS gives up on it; overrides the global radius-server retransmit value for this host.
key string           (Optional) Per-host authentication and encryption key, overriding the global radius-server key for this server. Spaces in the key are significant, so the key must be the last item on the line.
alias                (Optional) An additional hostname or IP address that refers to the same server.
Use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order they’re specified.
The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication.
Rtr1(config)#aaa new-model
Rtr1(config)#radius-server host host1.domain.com
The next example defines port 12 as the destination port for authentication requests and port 16 as the destination port for accounting requests on the RADIUS host at 192.168.1.4. Because entering a second line for a host resets the port numbers that line does not repeat, specify the host and configure both the accounting and authentication ports on a single line.
Rtr1(config)#aaa new-model
Rtr1(config)#radius-server host 192.168.1.4 auth-port 12 acct-port 16
To use separate servers for accounting and authentication, set the port for the function a server should not perform to 0. The following example specifies that RADIUS server 192.168.1.4 be used for accounting but not for authentication, and RADIUS server host1 be used for authentication but not for accounting:
Rtr1(config)#aaa new-model
Rtr1(config)#radius-server host 192.168.1.4 auth-port 0
Rtr1(config)#radius-server host host1.domain.com acct-port 0
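The two rules in play here, hosts are tried in configured order and a port value of 0 removes a host from that function, are easy to get wrong when a configuration is edited piecemeal. The following parser is an added example, not code from the page or from Cisco: it reads radius-server host lines, models the zero-port rule, the ordering rule and the caveat that a second line for the same host does not merge with the first, and reports which servers would be tried for authentication and for accounting. The port defaults (1645/1646) are assumed as the IOS defaults; the two-line configuration is constructed to show the mistake, and keeping a replaced host in its original position is an assumption of the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Legacy Cisco IOS RADIUS port defaults, assumed here; the text does not state them.
DEFAULT_AUTH_PORT = 1645
DEFAULT_ACCT_PORT = 1646


@dataclass
class RadiusHost:
    host: str
    auth_port: int = DEFAULT_AUTH_PORT
    acct_port: int = DEFAULT_ACCT_PORT
    key: Optional[str] = None   # per-host key, if one was given on the line

    def used_for_auth(self) -> bool:
        return self.auth_port != 0

    def used_for_acct(self) -> bool:
        return self.acct_port != 0


def parse_radius_server_host(line: str) -> RadiusHost:
    """Parse one 'radius-server host ...' line; a leading 'Rtr1(config)#' prompt is allowed."""
    text = line.split("#", 1)[-1].strip()
    tokens = text.split()
    if tokens[:2] != ["radius-server", "host"] or len(tokens) < 3:
        raise ValueError("not a radius-server host line: %r" % line)
    entry = RadiusHost(host=tokens[2])
    i = 3
    while i < len(tokens):
        kw = tokens[i]
        if kw == "auth-port":
            entry.auth_port = int(tokens[i + 1])
            i += 2
        elif kw == "acct-port":
            entry.acct_port = int(tokens[i + 1])
            i += 2
        elif kw in ("timeout", "retransmit", "alias"):
            i += 2          # accepted but not modelled in this example
        elif kw == "key":
            # The key runs to the end of the line, so inner spaces survive
            # (trailing spaces do not, because of split(); a real NAS keeps them).
            entry.key = " ".join(tokens[i + 1:])
            break
        else:
            raise ValueError("unknown keyword %r in %r" % (kw, line))
    return entry


def parse_config(config_text: str) -> List[RadiusHost]:
    """Collect radius-server host entries in configured order.

    Models the caveat from the text: a second line for the same host does not
    merge with the first, it replaces it, so any port not repeated falls back
    to its default. Keeping the entry's original position is an assumption.
    """
    hosts: List[RadiusHost] = []
    for line in config_text.splitlines():
        if "radius-server host" not in line:
            continue
        entry = parse_radius_server_host(line)
        for idx, existing in enumerate(hosts):
            if existing.host == entry.host:
                hosts[idx] = entry
                break
        else:
            hosts.append(entry)
    return hosts


def servers_for(hosts: List[RadiusHost], service: str):
    """(host, port) pairs the NAS would try for 'auth' or 'acct', in configured
    order; hosts whose port for that function is 0 are skipped."""
    if service == "auth":
        return [(h.host, h.auth_port) for h in hosts if h.used_for_auth()]
    if service == "acct":
        return [(h.host, h.acct_port) for h in hosts if h.used_for_acct()]
    raise ValueError("service must be 'auth' or 'acct'")


# The split-role configuration from the text, prompts included.
SPLIT_ROLE_CONFIG = """\
Rtr1(config)#aaa new-model
Rtr1(config)#radius-server host 192.168.1.4 auth-port 0
Rtr1(config)#radius-server host host1.domain.com acct-port 0
"""

# Constructed counter-example: ports for one host entered on two lines.
TWO_LINE_CONFIG = """\
Rtr1(config)#radius-server host 192.168.1.4 auth-port 12
Rtr1(config)#radius-server host 192.168.1.4 acct-port 16
"""

if __name__ == "__main__":
    hosts = parse_config(SPLIT_ROLE_CONFIG)
    print("auth:", servers_for(hosts, "auth"))   # host1.domain.com only
    print("acct:", servers_for(hosts, "acct"))   # 192.168.1.4 only
    print("two-line mistake, auth:", servers_for(parse_config(TWO_LINE_CONFIG), "auth"))
```

Feed it the radius-server lines from show running-config before and after a change: if a server you expect to handle authentication disappears from the auth list, or comes back on the default port after you set a custom one, the configuration was entered on more than one line.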
The authentication and encryption key must be set using the radius-server key global configuration command. Use the no form of this command to disable the key.
Rtr1(config)#radius-server key key
Rtr1(config)#no radius-server key [key]
key    A character string that must match the key configured on the RADIUS daemon. Leading spaces are ignored, but spaces within and at the end of the key are significant. Don't enclose the key in quotation marks unless they're part of the key. The key is stored in the running configuration, so treat configuration backups and show running-config output as sensitive.
The following example shows an AAA RADIUS implementation with the authentication and encryption key set to seattle19:
Rtr1(config)#aaa new-model
Rtr1(config)#radius-server host 192.168.1.4
Rtr1(config)#radius-server key seattle19
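Why the key has to match on both ends is clearer once you see what it is used for: the NAS hides the User-Password attribute with it (RFC 2865 section 5.2, an MD5-based stream) and the server unhides it with its own copy. The following is an added example, not code from the page or from Cisco; it implements that hiding, uses the key seattle19 from the example above, and shows what a server configured with a wrong key (seattle91, a constructed typo) recovers. The password and the fixed Request Authenticator are constructed for reproducibility.

```python
import hashlib


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is null-padded to a multiple of 16 octets, then each block is
    XORed with MD5(secret + previous ciphertext block); the first block uses
    the Request Authenticator in place of a previous block.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out = b""
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block
    # Strip the RFC padding (a password that itself ends in NUL would lose it too).
    return out.rstrip(b"\x00")


def demo_key_mismatch():
    """Hide a password with the NAS key, then recover it with the right and a wrong server key."""
    nas_key = b"seattle19"          # the key from the configuration example above
    wrong_key = b"seattle91"        # constructed typo, standing in for a mismatched server key
    password = b"hunter2!"          # constructed test password
    # A real NAS generates 16 random octets per request (os.urandom(16) would do);
    # a fixed value is used here so the output is reproducible.
    request_authenticator = bytes(range(16))
    hidden = hide_password(nas_key, request_authenticator, password)
    with_right_key = reveal_password(nas_key, request_authenticator, hidden)
    with_wrong_key = reveal_password(wrong_key, request_authenticator, hidden)
    return with_right_key, with_wrong_key


if __name__ == "__main__":
    good, bad = demo_key_mismatch()
    print("server with matching key sees:", good)
    print("server with wrong key sees:   ", bad)
```

The practical consequence: a key mismatch does not produce a "bad key" error. The server decodes garbage and answers Access-Reject, and the Response Authenticator in any reply it sends is computed over the same secret, so the NAS discards replies it cannot verify. From the NAS the symptom looks like rejected logins or server timeouts, which is why the key is the first thing to compare when every user fails against a server that show commands say is reachable.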