
Appendix A      Troubleshooting
Cisco IOS Issues
A-6
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Condition: Under EXEC Commands, Cisco IOS commands are not being denied when checked.
Recovery Action: Examine the Cisco IOS configuration at the AAA client. If it is not already present, add the following Cisco IOS command to the AAA client configuration:

    aaa authorization command <0-15> default group TACACS+

The correct syntax for the arguments in the text box is permit argument or deny argument.

Condition: Administrator has been locked out of the AAA client because of an incorrect configuration set up in the AAA client.
Recovery Action: If you have a fallback method configured on your AAA client, disable connectivity to the AAA server and log in using local/line username and password.
Try to connect directly to the AAA client at the console port. If that is not successful, consult your AAA client documentation or see the Password Recovery Procedures page on Cisco.com for information regarding your particular AAA client.

Condition: IETF RADIUS attributes not supported in Cisco IOS 12.0.5.T
Recovery Action: Cisco incorporated RADIUS (IETF) attributes in Cisco IOS Release 11.1. However, there are a few attributes that are not yet supported or that require a later version of the Cisco IOS software. For more information, see the RADIUS Attributes page on Cisco.com.

Condition: Unable to enter Enable Mode after doing aaa authentication enable default tacacs+. Getting error message “Error in authentication on the router.”
Recovery Action: Check the failed attempts log in the ACS. If the log reads “CS password invalid,” it may be that the user has no enable password set up. Set the TACACS+ Enable Password within the Advanced TACACS+ Settings section.
If you do not see the Advanced TACACS+ Settings section among the user setup options, go to Interface Configuration > Advanced Configuration Options > Advanced TACACS+ Features and select that option to have the TACACS+ settings appear in the user settings. Then select Max privilege for any AAA Client (this will typically be 15) and enter the TACACS+ Enable Password that you want the user to have for enable.
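
The first two conditions above (commands not being denied, and an administrator locked out of the AAA client) can be checked ahead of time by auditing the AAA client's default method lists. The following is an added example, not part of the guide or of Cisco's software: the function names, the `levels` parameter, and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample AAA client configuration (not taken from the guide).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
"""

# Matches default method lists; accepts the abbreviated "command" keyword too.
AAA_LINE = re.compile(
    r"^aaa\s+(authentication|authorization)\s+(login|enable|exec|commands?)"
    r"(?:\s+(\d+))?\s+default\s+(.+)$", re.IGNORECASE)

def parse_aaa(config):
    """Map (service, kind, level) -> ordered list of methods."""
    lists = {}
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if not m:
            continue
        service, kind, level, methods = (g.lower() if g else g for g in m.groups())
        kind = "commands" if kind.startswith("command") else kind
        # "group tacacs+" names one method, so drop the "group" keyword.
        names = [t for t in methods.split() if t != "group"]
        lists[(service, kind, int(level) if level else None)] = names
    return lists

def audit(config, levels=(15,)):
    """Return findings for the first two conditions in the table."""
    lists = parse_aaa(config)
    findings = []
    for lvl in levels:
        if "tacacs+" not in lists.get(("authorization", "commands", lvl), []):
            findings.append(f"level {lvl}: commands are not sent to TACACS+ for authorization")
    for (service, kind, level), names in lists.items():
        if names == ["tacacs+"]:
            where = f"{service} {kind}" + (f" {level}" if level is not None else "")
            findings.append(f"{where}: no fallback method if the AAA server is unreachable")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, levels=(1, 15)):
        print(finding)
```

On the constructed sample, the audit reports that privilege level 1 commands bypass TACACS+ authorization and that the login method list has no fallback.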