Troubleshoot issues with RADIUS or TACACS authentication to Director
You cannot authenticate to Director using RADIUS or TACACS.
Perform the following steps to troubleshoot RADIUS or TACACS+ authentication issues.
Fix "Permission denied" error when logging in through SSH terminal
This issue could occur due to one of the following reasons.
* See the Additional Resources section for links to instructions on configuring the authentication server.
Look for authentication errors in /var/log messages
You can tail /var/log messages while you attempt to authenticate to display errors in authentication.
In the SSH terminal, issue the following CLI commands:
While the messages screen is running, attempt to authenticate.
A successful authentication will look like the following:
In the previous example, the user successfully logs in, enters enable mode, and then enters configuration mode.
The following lines are not errors and can be ignored:
Prevent an "auth reject" on subsequent login attempts
For some RADIUS and TACACS+ servers, you can issue the following commands to prevent an "auth reject" on the second or third login attempt.
Perform a packet capture
Take a packet capture (PCAP) of the interaction. A successful interaction consists of two packets as shown in the following example (taken using Wireshark's Summary (text) feature):
10.78.51.105 is the IP address of the Director appliance and 10.9.31.100 is the IP address of the Cisco ACS server.
Verify your privilege level
You might be able to authenticate, but once logged in find that your access is not as expected. Issue the following CLI command to check your privilege level:
Note: In SGME 184.108.40.206, the Configure Device tab is unavailable but the Add Device tab is available. This is not a privileges issue. To fix the problem, upgrade to 220.127.116.11 or later.
Refer to the following resources for more information:
Rate this Page
Please take a moment to complete this form to help us better serve you.