10

Whenever we boot or reboot a Cisco router or switch we have to wait a number of minutes before we can get a username prompt for login. We get a few fail messages:

Press RETURN to get started.
% Authentication failed

% Authentication failed

% Authentication failed

Press RETURN to get started.

After a few minutes the below error message comes up and we can then successfully get a username prompt to start the login process.

Aug  9 09:48:25.719: %AAA-3-DROPACCTFAIL: Accounting record dropped, send to server failed: system

Our default AAA config was created a long time ago so it may need some updating if it is the cause of our issues.

VRF devices:

!
aaa new-model
aaa group server tacacs+ tacacs1
 server-private <IP> key 7 <key>
 server-private <IP> key 7 <key>
 ip vrf forwarding <vrf-name>
 ip tacacs source-interface <interface>
aaa authentication login default group tacacs1 local
aaa authentication login no_tacacs enable
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication ppp default group tacacs1
aaa authorization exec default group tacacs1 local
aaa authorization network default group tacacs1 local
aaa accounting exec default start-stop group tacacs1
aaa accounting commands 1 default stop-only group tacacs1
aaa accounting commands 15 default start-stop group tacacs1
aaa accounting network default start-stop group tacacs1
aaa accounting network acct_methods start-stop group rad_acct
aaa accounting connection default start-stop group tacacs1
aaa accounting system default start-stop group tacacs1
aaa session-id common
!

Non-VRF devices:

!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs enable
aaa authentication ppp default group tacacs+
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ local
aaa authorization network default group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
!
tacacs-server host <ip>
tacacs-server host <ip>
tacacs-server directed-request
tacacs-server key 7 <key>
!
Adam Loveless
  • what kind of switches and routers? what ios versions? do all of them have management ports in a vrf? – Mike Pennington Aug 09 '13 at 15:33
  • We have just about every model of Catalyst switch and ISR made. We have a wide number of IOS versions in use as well. Happens on old 2900XL code to newer 15.0 code on 2921s. Not all devices have a management VRF and it happens on those devices as well. – Adam Loveless Aug 09 '13 at 16:47
  • thanks, the configs you posted only work inside a vrf... you need a different config for tacacs in the global routing table – Mike Pennington Aug 09 '13 at 16:58
  • We do have a different config template if no VRFs. I'll update my question with necessary information. – Adam Loveless Aug 09 '13 at 17:14

1 Answer

13

If your switch supports it (not all IOS versions do), the following command should fix this for you:

no aaa accounting system guarantee-first

Here is an article that goes into more depth: Would you mind waiting for 2-3 mins in a console?

And a bit from Cisco's documentation:

Establishing a Session with a Router if the AAA Server is Unreachable

The aaa accounting system guarantee-first command guarantees system accounting as the first record, which is the default condition. In some situations, users may be prevented from starting a session on the console or terminal connection until after the system reloads, which can take more than three minutes.

To establish a console or telnet session with the router if the AAA server is unreachable when the router reloads, use the no aaa accounting system guarantee-first command.

Peter
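To find which devices in a fleet are still exposed to this reload-time console delay, here is an added Python check (my example, not code from the question, the answer or Cisco) that reads an IOS config and flags system accounting sent to a TACACS+ group while guarantee-first is still at its default. The sample configs, the mgmt VRF name and the 192.0.2.10 host are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class AaaAudit:
    system_acct_groups: list      # server groups named on the 'aaa accounting system' line
    tacacs_groups: set            # group names that resolve to TACACS+ servers
    guarantee_first: bool = True  # IOS default; False only if explicitly disabled

    @property
    def at_risk(self) -> bool:
        # The lockout needs all three: system accounting enabled, sent to a
        # TACACS+ group, and guarantee-first left at its default. At reload the
        # first record then blocks the console until the send fails
        # (%AAA-3-DROPACCTFAIL) or the server answers.
        return self.guarantee_first and any(
            g in self.tacacs_groups for g in self.system_acct_groups)

def audit_aaa(config: str) -> AaaAudit:
    """Parse the AAA lines of a running-config; every other line is ignored."""
    result = AaaAudit([], {"tacacs+"})  # bare 'tacacs+' = all tacacs-server hosts
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"aaa group server tacacs\+ (\S+)$", line)
        if m:
            result.tacacs_groups.add(m.group(1))
        elif line == "no aaa accounting system guarantee-first":
            result.guarantee_first = False
        elif line.startswith("aaa accounting system "):
            # e.g. 'aaa accounting system default start-stop group tacacs1'
            result.system_acct_groups += re.findall(r"\bgroup (\S+)", line)
    return result

# Constructed sample: a cut-down copy of the VRF template from the question...
VRF_CONFIG = """\
aaa new-model
aaa group server tacacs+ tacacs1
 server-private 192.0.2.10 key 7 <key>
 ip vrf forwarding mgmt
aaa authentication login default group tacacs1 local
aaa accounting system default start-stop group tacacs1
"""
# ...the same template with the answer's fix applied...
FIXED_CONFIG = VRF_CONFIG + "no aaa accounting system guarantee-first\n"
# ...and a device whose system accounting only goes to RADIUS (not affected).
RADIUS_CONFIG = "aaa new-model\naaa accounting system default start-stop group radius\n"

if __name__ == "__main__":
    for name, cfg in [("vrf", VRF_CONFIG), ("fixed", FIXED_CONFIG), ("radius", RADIUS_CONFIG)]:
        print(f"{name}: console lockout at reload = {audit_aaa(cfg).at_risk}")
```

Feed it `show running-config` output from each device; a `True` result means the device still needs `no aaa accounting system guarantee-first` (where the IOS version supports it).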