There are several tools and commands available to troubleshoot issues pertaining to AAA on the PIX firewall and FWSM firewall. Among these tools and commands, show and debug commands are among the most useful. This section discusses in detail how to use these commands and tools efficiently.
show commands for AAA on PIX Firewall are used to determine the statistics of the AAA server and other AAA-related issues. This section discusses some show commands that are used often and provides information relevant to good troubleshooting.
Table 10-6 lists commands that are used to display the server statistics, and it lists the meanings of those commands.
Table 10-6. Command Syntax for Server Statistics

show aaa-server <groupname> host <hostname>
    Display server statistics for the indicated server.
show aaa-server <groupname>
    Display statistics for all servers in the indicated server group.
show aaa-server
    Display statistics for all aaa-servers across all groups.
show aaa-server protocol <radius| kerberos| tacacs+| ldap| nt_domain| rsa_ace>
    Display statistics for all aaa-servers of the identified protocols.
clear aaa-server statistics <groupname> host <hostname>
    Clear the statistics associated with the indicated server.
clear aaa-server statistics <groupname>
    Clear the statistics for all servers in the indicated server group.
clear aaa-server statistics
    Clear the statistics for all aaa-servers across all groups.
clear aaa-server statistics protocol <radius| kerberos| tacacs+| ldap| nt_domain| rsa_ace>
    Clear the statistics for all aaa-servers of the identified protocols.
Example 10-1 shows the server statistics.
Example 10-1. Displaying Server Statistics
PIX(config)# show aaa-server group1 host 192.168.1.5
Server Group:    group1
Server Protocol: RADIUS
Server Address:  192.168.1.5
Server port:     1645
Server status:   ACTIVE/FAILED. Last transaction (success) at 11:10:08 UTC Fri Aug 22
Average round trip time 4ms
Number of requests 20
Number of retransmissions 1
Number of accepts 16
Number of rejects 4
Number of challenges 5
Number of malformed responses 0
Number of bad authenticators 0
Number of pending requests 0
Number of timeouts 0
Number of unrecognized responses 0
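As an added example (not from the book), the Python below parses output in the format of Example 10-1 and maps the counters to the next thing a troubleshooter should check. The sample output is constructed, and the reading of each counter (for instance, bad authenticators pointing at a shared key mismatch) is the example's own, not a statement from the book.

```python
import re

# Constructed sample modelled on the Example 10-1 format (not a real capture).
SAMPLE_OUTPUT = """\
Server Address:  192.168.1.5
Server port:     1645
Server status:   ACTIVE. Last transaction (success) at 11:10:08 UTC Fri Aug 22
Number of requests 20
Number of retransmissions 1
Number of accepts 16
Number of rejects 4
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0
"""

def parse_aaa_server(text):
    """Parse 'show aaa-server <group> host <host>' output into a dict."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*Number of (.+?)\s+(\d+)\s*$", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"\s*Server (\w+):\s*(.*?)\s*$", line)
        if m:
            stats[m.group(1).lower()] = m.group(2)
    return stats

def assess(stats):
    """Map the counters to the next thing to check; an empty list means healthy."""
    findings = []
    if not stats.get("status", "").startswith("ACTIVE"):
        findings.append("server not ACTIVE: check reachability and the server port")
    if stats.get("bad authenticators", 0):
        findings.append("bad authenticators: shared key mismatch is the usual cause")
    if stats.get("malformed responses", 0) or stats.get("unrecognized responses", 0):
        findings.append("malformed/unrecognized responses: wrong port or a non-RADIUS service answering")
    if stats.get("timeouts", 0) or stats.get("retransmissions", 0):
        findings.append("timeouts/retransmissions: check the path and load to the server")
    requests, rejects = stats.get("requests", 0), stats.get("rejects", 0)
    if requests and rejects / requests > 0.5:
        findings.append("reject rate over 50%: credentials or server-side policy, not transport")
    return findings
```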
AAA debug commands are by far the most useful and easiest way to isolate a problem pertaining to AAA. There are specific commands for specific issues. For instance, if you have a problem with authentication, you have the option to run the debug only for the authentication-related messages. Following is a list of the debug commands available on PIX Firewall to diagnose issues pertaining to AAA.
debug radius: This command provides the RADIUS protocol communication information between the PIX firewall and the RADIUS server. The complete syntax of the command is as follows:
[no | show] debug radius <session|decode|all|user <username>>
debug tacacs: Just as with the RADIUS debug, this command shows the details of the TACACS+ protocol communication between the PIX firewall and the AAA server. The syntax of the command is as follows:
[no | show] debug tacacs <session|user <username>>
debug sdi | ntdomain | kerberos | ldap: Run this command to get the debug information pertaining to the SDI, NT domain, Kerberos, or Lightweight Directory Access Protocol (LDAP) server. It is useful when there is an issue with the communication between the PIX Firewall and one of these servers. Following is the syntax for running the debug for the different authentication servers:
[no|show] debug sdi|ntdomain|Kerberos|ldap <1-255>
debug aaa: This command is used to see the AAA interaction between the client and the PIX firewall. The syntax of the command is as follows:
[no|show] debug aaa <authentication|authorization|accounting|internal|vpn <1-255>>
All of the options except vpn support only one level (for example, debug aaa authentication, debug aaa authorization, and so on), so even if you define a level between 1 and 255, it will not make any difference. The debug aaa vpn command accepts levels 1-255. However, there are only five meaningful levels, which are described in Table 10-7.
Table 10-7. Different Levels That Can Be Used With the debug aaa vpn Command on a Firewall

Level 1: Shows error conditions. You should not see any output at this level under normal conditions.
Level 2: Shows warnings: infrequent but non-routine occurrences.
Level 3: High-level subsystem trace information.
Level 4: Same as level 3, but more verbose.
Level 5: Same as level 4, but more verbose.
Levels 6-255: Same as level 5.
PIX Firewall has extensive syslog capability. To troubleshoot any issue on the PIX firewall, you will find that syslog is an important piece that is almost always required. Syslog information can be sent to multiple locations: the console, the monitor (for Telnet), the buffer, or an external syslog server. To troubleshoot AAA issues specifically on the PIX firewall after turning the debug on, you must also turn on syslog at the debug level. Enabling it in this way captures the debug output into syslog. It is recommended to send the debug output to the buffer instead of the console or monitor (for Telnet). If the issue requires extensive syslog information, it is best to configure logging to an external syslog server. Example 10-2 shows how to turn on debug level syslog and send the output to the different storage areas, such as the external syslog server, the buffer, and so on.
Example 10-2. Configuration To Turn on debug Logging For Various Locations
PIX# configure terminal
! Turn on the timestamp for the logging
PIX(config)# logging timestamp
! The following command increases the logging queue to 8192 messages; 512 is the default
PIX(config)# logging queue 8192
! The following command turns on debug level logging for the buffer
PIX(config)# logging buffered debugging
! It is strongly recommended to turn off console logging on a busy firewall. You can turn
! off the console logging with the following command
PIX(config)# no logging console
! If you want to see the debug on the telnet or ssh screen instead of the buffer, turn the
! debug on for monitor with the following command. It is recommended to avoid running
! debug level logging for monitor
PIX(config)# logging monitor debugging
! The following configuration sends syslog in debug mode to 192.168.1.70
PIX(config)# logging host inside 192.168.1.70
PIX(config)# logging trap debugging
! Finally you must turn on logging with the following command
PIX(config)# logging enable
! To view the syslog messages, execute the following command
PIX(config)# show logging
PIX(config)#
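As an added example, not from the book, this Python checks a running-config fragment against the recommendations in Example 10-2 (logging enabled with timestamps, buffer and trap logging at debugging level with a syslog host, console logging off on a busy firewall, monitor not left at debugging level). The config text is constructed, deliberately leaves the console on and omits the syslog host, and the checker assumes levels appear as keywords, as they do in the example.

```python
# Constructed running-config fragment (not a real device): console logging is
# still on, monitor is at debugging level, and no syslog host is configured.
SAMPLE_CONFIG = """\
logging timestamp
logging queue 8192
logging buffered debugging
logging console debugging
logging monitor debugging
logging enable
"""

def logging_lines(config_text):
    """Return the set of 'logging ...' lines with whitespace normalised."""
    return {" ".join(l.split()) for l in config_text.splitlines()
            if l.strip().startswith("logging")}

def has_prefix(lines, prefix):
    return any(l.startswith(prefix) for l in lines)

# Each check returns True when the config follows the recommendation.
CHECKS = [
    ("logging enable is present",
     lambda c: "logging enable" in c),
    ("logging timestamp is present",
     lambda c: "logging timestamp" in c),
    ("buffer logs at debugging level",
     lambda c: "logging buffered debugging" in c),
    ("console logging is off (no 'logging console' line)",
     lambda c: not has_prefix(c, "logging console")),
    ("monitor is not left at debugging level",
     lambda c: "logging monitor debugging" not in c),
    ("syslog host configured with logging trap debugging",
     lambda c: has_prefix(c, "logging host ") and "logging trap debugging" in c),
]

def audit_logging(config_text):
    """Return the descriptions of the recommendations the config does not meet."""
    lines = logging_lines(config_text)
    return [desc for desc, ok in CHECKS if not ok(lines)]
```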
Other Useful Tools
Problems with AAA occur either on the firewall or on the AAA server itself. To troubleshoot problems on the AAA server side, you need to analyze the log on the AAA server itself. For example, if authentication is failing and PIX configuration is not at fault and you are unable to diagnose the issue with the debug commands and the syslog, you should analyze the log on the AAA server. If Cisco Secure ACS is used for AAA, analyze the package.cab file (refer to Chapter 13, "Troubleshooting Cisco Secure ACS on Windows") to find the cause of the problem.
If neither the firewall log nor the AAA server log provides the information required to get to the root cause of the problem, you can capture sniffer traces between the client and the firewall and between the firewall and the AAA server. Remember that TACACS+ encrypts the packet body with the shared key, so the trace between the firewall and the AAA server is readable in clear text only if no key is defined. If the RADIUS protocol is used, you can sniff and analyze the packets between the firewall and the RADIUS server without any problem.