Troubleshooting Authentication

If you encounter issues with your AAA authentication, you can use the debug aaa authentication
command to display the communication between the Cisco Security Appliance and the AAA
server. This command lets you determine the method of authentication and verify successful
communication between the Security Appliance and the AAA server. Example 18-12 shows
a login that causes the Security Appliance to initiate a connection to the AAA server at
17.16.1.2, requesting a login using TACACS+ and generating an eight-digit session ID. The
session ID distinguishes between multiple concurrent authentication requests.
Example 18-12 debug aaa authentication Command Output
PIX-Firewall# debug aaa authentication
10:15:01: AAA/AUTHEN: create-user user='' ruser='' port='tty19' rem-addr='172.16.1.2' authen-type=1 service=1 priv=1
10:15:01: AAA/AUTHEN/START (0): port='tty19' list='' action=LOGIN service=LOGIN
10:15:01: AAA/AUTHEN/START (0): using "default" list
10:15:01: AAA/AUTHEN/START (12345678): Method=TACACS+
10:15:01: TAC+ (12345678): received authen response status = GETUSER
10:15:02: AAA/AUTHEN (12345678): status = GETUSER
10:15:02: AAA/AUTHEN/CONT (12345678): continue-login
10:15:02: AAA/AUTHEN (12345678): status = GETUSER
10:15:02: AAA/AUTHEN (12345678): Method=TACACS+
10:15:02: TAC+: send AUTHEN/CONT packet
10:15:03: TAC+ (12345678): received authen response status = GETPASS
10:15:03: AAA/AUTHEN (12345678): status = GETPASS
10:15:03: AAA/AUTHEN/CONT (12345678): continue-login
10:15:03: AAA/AUTHEN (12345678): status = GETPASS
10:15:03: AAA/AUTHEN (12345678): Method=TACACS+
10:15:03: TAC+: send AUTHEN/CONT packet
10:15:03: TAC+ (12345678): received authen response status = PASS
10:15:03: AAA/AUTHEN (12345678): status = PASS
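
When several logins overlap, the debug lines interleave, and the session ID is the only way to follow one request. The following sketch is an added example, not part of the original text or any Cisco tool: it groups lines by session ID and reports each session's method, status sequence and whether it reached a final status. The sample log, the second session ID 87654321 and the set of final statuses are assumptions constructed for illustration.

```python
import re

# Only lines tagged with an eight-digit session ID are tracked; "(0)" lines
# and untagged "TAC+: send ..." lines carry no usable ID and are skipped.
LINE = re.compile(r"^(\d\d:\d\d:\d\d): ([A-Z+/]+) \((\d{8})\): (.*)$")
STATUS = re.compile(r"status = (\w+)$")
TERMINAL = {"PASS", "FAIL", "ERROR"}  # assumed set of final TACACS+ statuses

# Constructed sample in the format of Example 18-12: two interleaved sessions,
# the second (hypothetical ID 87654321) never gets past GETPASS.
SAMPLE = """\
10:15:01: AAA/AUTHEN/START (12345678): Method=TACACS+
10:15:01: AAA/AUTHEN/START (87654321): Method=TACACS+
10:15:01: TAC+ (12345678): received authen response status = GETUSER
10:15:02: AAA/AUTHEN (12345678): status = GETUSER
10:15:02: TAC+ (87654321): received authen response status = GETUSER
10:15:02: TAC+: send AUTHEN/CONT packet
10:15:03: TAC+ (12345678): received authen response status = GETPASS
10:15:03: TAC+ (87654321): received authen response status = GETPASS
10:15:03: TAC+ (12345678): received authen response status = PASS
10:15:03: AAA/AUTHEN (12345678): status = PASS
"""

def summarize(debug_text):
    """Group debug lines by session ID and return {session_id: summary}."""
    sessions = {}
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, _tag, sid, msg = m.groups()
        s = sessions.setdefault(
            sid, {"method": None, "states": [], "first": ts, "last": ts})
        s["last"] = ts
        if msg.startswith("Method="):
            s["method"] = msg.split("=", 1)[1]
        st = STATUS.search(msg)
        # Record a status only when it changes, so echoed lines collapse.
        if st and (not s["states"] or s["states"][-1] != st.group(1)):
            s["states"].append(st.group(1))
    for s in sessions.values():
        s["final"] = s["states"][-1] if s["states"] else None
        s["complete"] = s["final"] in TERMINAL
    return sessions

if __name__ == "__main__":
    for sid, s in summarize(SAMPLE).items():
        flag = "" if s["complete"] else "  <-- no final status"
        print(sid, s["method"], " -> ".join(s["states"]), flag)
```

A session that stops at GETUSER or GETPASS with no final status points at the exchange with the AAA server rather than at the credentials themselves.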