Diagnostic Commands and Tools
The show and debug commands are very important for troubleshooting AAA issues on the router.
show Commands
The show commands for AAA on the router are mainly used to view whether a user authentication succeeded or failed, and to check the status of the NAS-to-AAA-server connection. The following are some of the important show commands that can be used together with the debug commands described in the following sections.
show aaa servers: Displays information about the number of packets sent to and received from AAA servers. This command was first introduced in IOS version 12.2(6)T and integrated in IOS version 12.3(7)T.
show tacacs: Displays statistics for a TACACS+ server. This command was first introduced in IOS version 11.2.
show radius statistics: Displays the RADIUS statistics for accounting and authentication packets. This command was first introduced in IOS version 12.1(3)T.
show users [all]: Displays information about the active lines on the router. This command was first introduced in IOS version 10.0.
show aaa user {all | unique_id}: Displays attributes related to the AAA session of a single user or of all users. This command was first introduced in IOS version 12.2(4)T.
debug Commands
Using AAA debug commands is by far the most useful and easiest way to isolate a problem pertaining to AAA. There are specific commands for specific issues; for instance, if you run into problems with authentication, you can run the basic authentication debug command to see the authentication-related messages.
The following three commands are extensively used to isolate issues with AAA:
debug aaa authentication: Mainly used for troubleshooting AAA authentication problems.
debug aaa authorization: Used to view the success or failure of authorization messages.
debug aaa accounting: Used to see the debug messages related to accounting issues.
Example 9-1 shows sample output of the AAA debug commands.
Example 9-1. Sample debug Output of AAA Commands
Router#debug aaa authentication
Router#debug aaa authorization
Router#debug aaa accounting
Oct 17 02:45:30.110: AAA/BIND(0000002D): Bind i/f
Oct 17 02:45:30.114: AAA/ACCT/EVENT/(0000002D): CALL START
Oct 17 02:45:30.114: Getting session id for NET(0000002D) : db=821C0394
Oct 17 02:45:30.114: AAA/ACCT(00000000): add node, session 16
Oct 17 02:45:30.114: AAA/ACCT/NET(0000002D): add, count 1
Oct 17 02:45:30.114: Getting session id for NONE(0000002D) : db=821C0394
Oct 17 02:45:30.114: AAA/AUTHEN/LOGIN (0000002D): Pick method list 'default'
Oct 17 02:45:36.274: AAA/AUTHOR (0000002D): Method list id=0 not configured. Skip author
Router#
To see the communication details between the NAS and the AAA server for either TACACS+ or RADIUS, run debug tacacs or debug radius, which shows the debug information pertaining to that protocol.
Example 9-2 shows sample output of the TACACS+ debug messages.
Example 9-2. Sample Debug Output of tacacs+ Commands
Router#debug tacacs+
Oct 17 02:48:43.238: TPLUS: Queuing AAA Authentication request 46 for processing
Oct 17 02:48:43.238: TPLUS: processing authentication start request id 46
Oct 17 02:48:43.238: TPLUS: Authentication start packet created for 46()
Oct 17 02:48:43.242: TPLUS: Using server 171.69.89.217
Oct 17 02:48:43.242: TPLUS(0000002E)/0/NB_WAIT/8226E298: Started 5 sec timeout
Oct 17 02:48:43.246: TPLUS(0000002E)/0/NB_WAIT: socket event 2
Oct 17 02:48:43.246: TPLUS(0000002E)/0/NB_WAIT: wrote entire 37 bytes request
Oct 17 02:48:43.246: TPLUS(0000002E)/0/READ: socket event 1
Oct 17 02:48:43.250: TPLUS(0000002E)/0/READ: Would block while reading
Oct 17 02:48:43.650: TPLUS(0000002E)/0/READ: socket event 1
Oct 17 02:48:43.654: TPLUS(0000002E)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Oct 17 02:48:43.654: TPLUS(0000002E)/0/READ: socket event 1
Oct 17 02:48:43.654: TPLUS(0000002E)/0/READ: read entire 28 bytes response
Oct 17 02:48:43.654: TPLUS(0000002E)/0/8226E298: Processing the reply packet
Oct 17 02:48:43.654: TPLUS: Received authen response status GET_USER (7)
Oct 17 02:48:45.538: TPLUS: Queuing AAA Authentication request 46 for processing
Oct 17 02:48:45.538: TPLUS: processing authentication continue request id 46
Oct 17 02:48:45.542: TPLUS: Authentication continue packet generated for 46
Oct 17 02:48:45.542: TPLUS(0000002E)/0/WRITE/821C0790: Started 5 sec timeout
Oct 17 02:48:45.542: TPLUS(0000002E)/0/WRITE: wrote entire 22 bytes request
Oct 17 02:48:45.966: TPLUS(0000002E)/0/READ: socket event 1
Oct 17 02:48:45.966: TPLUS(0000002E)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Oct 17 02:48:45.966: TPLUS(0000002E)/0/READ: socket event 1
Oct 17 02:48:45.970: TPLUS(0000002E)/0/READ: read entire 28 bytes response
Oct 17 02:48:45.970: TPLUS(0000002E)/0/821C0790: Processing the reply packet
Oct 17 02:48:45.970: TPLUS: Received authen response status GET_PASSWORD (8)
Oct 17 02:48:49.526: TPLUS: Queuing AAA Authentication request 46 for processing
Oct 17 02:48:49.530: TPLUS: processing authentication continue request id 46
Oct 17 02:48:49.530: TPLUS: Authentication continue packet generated for 46
Oct 17 02:48:49.530: TPLUS(0000002E)/0/WRITE/821C0790: Started 5 sec timeout
Oct 17 02:48:49.530: TPLUS(0000002E)/0/WRITE: wrote entire 25 bytes request
Oct 17 02:48:50.010: TPLUS(0000002E)/0/READ: socket event 1
Oct 17 02:48:50.010: TPLUS(0000002E)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Oct 17 02:48:50.010: TPLUS(0000002E)/0/READ: socket event 1
Oct 17 02:48:50.010: TPLUS(0000002E)/0/READ: read entire 18 bytes response
Oct 17 02:48:50.010: TPLUS(0000002E)/0/821C0790: Processing the reply packet
Oct 17 02:48:50.010: TPLUS: Received authen response status PASS (2)
Router#
Note
When AAA debug is running in conjunction with TACACS+ or RADIUS debug, separate the output by looking for the TPLUS, AAA, and RADIUS prefixes on each line. This helps you understand which part of the exchange you are having problems with.
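The separation the note describes can be automated when a large debug capture is pasted off the console. The following Python script is an added example, not code from the original book: it buckets each line by its AAA, TPLUS or RADIUS prefix, collects the eight-hex-digit session ids so the AAA and TPLUS lines of one login can be correlated, and extracts the sequence of TACACS+ authen response statuses (GET_USER, GET_PASSWORD, PASS) whose last entry is the outcome. The sample input is constructed from the lines in Examples 9-1 and 9-2; the RADIUS line is an assumed example of the debug radius format and is not from the page.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the AAA and TPLUS lines in Examples
# 9-1 and 9-2. The RADIUS line is an assumed example of the debug radius
# format, not taken from the original page.
SAMPLE_DEBUG = """\
Oct 17 02:45:30.110: AAA/BIND(0000002D): Bind i/f
Oct 17 02:45:30.114: AAA/AUTHEN/LOGIN (0000002D): Pick method list 'default'
Oct 17 02:48:43.242: TPLUS: Using server 171.69.89.217
Oct 17 02:48:43.242: TPLUS(0000002E)/0/NB_WAIT/8226E298: Started 5 sec timeout
Oct 17 02:48:43.654: TPLUS: Received authen response status GET_USER (7)
Oct 17 02:48:45.970: TPLUS: Received authen response status GET_PASSWORD (8)
Oct 17 02:48:50.010: TPLUS: Received authen response status PASS (2)
Oct 17 02:48:51.002: RADIUS: Received from id 21645/5 10.0.0.5:1812, Access-Reject, len 20
"""

TS_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+: ")
SUBSYS_RE = re.compile(r"^(AAA|TPLUS|RADIUS)\b")
SESSION_RE = re.compile(r"\(([0-9A-F]{8})\)")           # e.g. (0000002D)
STATUS_RE = re.compile(r"authen response status ([A-Z_]+) \((\d+)\)")


def split_by_subsystem(text):
    """Bucket each debug line under AAA, TPLUS, RADIUS or OTHER."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        body = TS_RE.sub("", line, count=1)  # drop the timestamp prefix
        m = SUBSYS_RE.match(body)
        buckets[m.group(1) if m else "OTHER"].append(line)
    return dict(buckets)


def session_ids(lines):
    """Distinct 8-hex-digit session ids found in the given lines."""
    return sorted({m.group(1) for line in lines for m in SESSION_RE.finditer(line)})


def tacacs_authen_status(lines):
    """Ordered authen response statuses from TPLUS lines; the last is the outcome."""
    return [m.group(1) for line in lines for m in STATUS_RE.finditer(line)]


def summarize(text):
    buckets = split_by_subsystem(text)
    return {
        "counts": {k: len(v) for k, v in buckets.items()},
        "sessions": {k: session_ids(v) for k, v in buckets.items()},
        "tacacs_authen": tacacs_authen_status(buckets.get("TPLUS", [])),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DEBUG).items():
        print(key, value)
```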
Troubleshooting PPP authentication issues requires running the debug ppp authentication and debug ppp negotiation commands, which provide details on PPP-related items. The command debug condition user username sets conditional debugging for a specific user and generates only the debug output related to that user. This command is helpful for troubleshooting in an enterprise environment.