Debug · Privileged EXEC

debug aaa authentication

Use this command to enable real-time debugging of AAA authentication events to troubleshoot login failures or misconfigurations.

Syntax · Privileged EXEC

debug aaa authentication

When to Use This Command

  • Diagnosing why a remote user cannot authenticate via RADIUS or TACACS+
  • Verifying the sequence of authentication methods (local, group, etc.) during login
  • Troubleshooting AAA server reachability or shared key mismatches
  • Monitoring authentication attempts during a security audit or change window

Command Examples

Basic AAA Authentication Debug Output

debug aaa authentication
AAA Authentication debugging is on
*Mar  1 00:05:23.123: AAA/BLINK(0): BLINK LOGIN: User=admin
*Mar  1 00:05:23.123: AAA/BLINK(0): BLINK LOGIN: authen_type=1 (ASCII)
*Mar  1 00:05:23.123: AAA/BLINK(0): BLINK LOGIN: source=10.0.0.1
*Mar  1 00:05:23.123: AAA/BLINK(0): BLINK LOGIN: service=1 (LOGIN)
*Mar  1 00:05:23.123: AAA/BLINK(0): BLINK LOGIN: priv=1
*Mar  1 00:05:23.123: AAA: parse name=tty0 idb type=-1 tty=-1
*Mar  1 00:05:23.123: AAA: name=tty0 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=0 channel=0
*Mar  1 00:05:23.123: AAA/MEMORY: create_user (0x123456) user='admin' rcmd='0' acct=0x0
*Mar  1 00:05:23.123: AAA: user authentication methods: local
*Mar  1 00:05:23.123: AAA: authen(1): status = GETPASS
*Mar  1 00:05:23.123: AAA: authen(1): status = PASS
*Mar  1 00:05:23.123: AAA: authen(1): status = PASS

Line 1: Debug enabled. Lines 2-6: BLINK LOGIN shows user 'admin' authenticating from source IP 10.0.0.1 with ASCII password. Lines 7-8: AAA parses the tty line. Line 9: AAA creates a user context. Line 10: Authentication method is 'local'. Lines 11-13: Status transitions from GETPASS (waiting for password) to PASS (success).

Debug with RADIUS Authentication Failure

debug aaa authentication
AAA Authentication debugging is on
*Mar  1 00:10:45.456: AAA/BLINK(0): BLINK LOGIN: User=jdoe
*Mar  1 00:10:45.456: AAA/BLINK(0): BLINK LOGIN: authen_type=1 (ASCII)
*Mar  1 00:10:45.456: AAA/BLINK(0): BLINK LOGIN: source=192.168.1.100
*Mar  1 00:10:45.456: AAA/BLINK(0): BLINK LOGIN: service=1 (LOGIN)
*Mar  1 00:10:45.456: AAA/BLINK(0): BLINK LOGIN: priv=1
*Mar  1 00:10:45.456: AAA: parse name=tty1 idb type=-1 tty=-1
*Mar  1 00:10:45.456: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=0 channel=0
*Mar  1 00:10:45.456: AAA/MEMORY: create_user (0x789012) user='jdoe' rcmd='0' acct=0x0
*Mar  1 00:10:45.456: AAA: user authentication methods: group radius local
*Mar  1 00:10:45.456: AAA: authen(1): status = GETPASS
*Mar  1 00:10:45.456: AAA: authen(1): status = GETPASS
*Mar  1 00:10:45.456: AAA: authen(1): status = FAIL
*Mar  1 00:10:45.456: AAA: authen(1): status = GETPASS
*Mar  1 00:10:45.456: AAA: authen(1): status = PASS

Line 10: Methods are 'group radius local' (RADIUS first, then local). Lines 11-13: After GETPASS, status becomes FAIL (RADIUS rejected or unreachable). Lines 14-15: AAA falls back to local method, GETPASS then PASS (local authentication succeeded).

Understanding the Output

The debug output shows each step of AAA authentication. 'BLINK LOGIN' lines indicate a login attempt with user, authentication type (1=ASCII, 2=CHAP, etc.), source IP, service (1=LOGIN, 2=PPP, etc.), and privilege level. 'AAA: parse name' identifies the line. 'AAA/MEMORY: create_user' creates a user context. 'AAA: user authentication methods' lists the configured methods in order (e.g., 'group radius local'). Status values: GETPASS (waiting for password), PASS (success), FAIL (failure). Multiple GETPASS/FAIL sequences indicate fallback to next method. A successful authentication ends with PASS. Watch for FAIL statuses to identify authentication failures; if all methods fail, the user is denied access.
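The reading above can be automated. The following parser is an added example written for this page, not Cisco code or any vendor tool: it walks a captured 'debug aaa authentication' transcript, pulls the user, source and method list from the BLINK LOGIN and 'user authentication methods' lines, and attributes each terminal status (PASS or FAIL) to the method being tried at that point, advancing to the next method after a failure so the fallback is visible. The sample transcripts are constructed from the shapes shown on this page; the ERROR status handled alongside FAIL is an assumption for a server that does not respond and does not appear in the page's output.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Line shapes interpreted on this page.
LOGIN_RE = re.compile(r"BLINK LOGIN: (\w+)=(\S+)")
METHODS_RE = re.compile(r"user authentication methods: (.+)$")
STATUS_RE = re.compile(r"authen\(\d+\): status = (\w+)")

# PASS/FAIL are on the page; ERROR (server unreachable) is an assumption.
TERMINAL = {"PASS", "FAIL", "ERROR"}


@dataclass
class LoginAttempt:
    user: Optional[str] = None
    source: Optional[str] = None
    service: Optional[str] = None
    priv: Optional[str] = None
    methods: List[str] = field(default_factory=list)
    # (method name, terminal status) in the order the methods were tried
    results: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def outcome(self) -> str:
        # A login ends in PASS if any method passed; otherwise the user is denied.
        return "PASS" if any(r == "PASS" for _, r in self.results) else "DENIED"

    @property
    def fell_back(self) -> bool:
        # More than one terminal status means AAA moved on to a later method.
        return len(self.results) > 1


def split_methods(spec: str) -> List[str]:
    """'group radius local' -> ['group radius', 'local']; 'group' binds the next token."""
    tokens = spec.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_debug(text: str) -> LoginAttempt:
    """Parse one login attempt from debug aaa authentication output."""
    attempt = LoginAttempt()
    method_idx = 0
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            key, value = m.groups()
            if key in ("User", "source", "service", "priv"):
                setattr(attempt, key.lower(), value)
            continue
        m = METHODS_RE.search(line)
        if m:
            attempt.methods = split_methods(m.group(1))
            continue
        m = STATUS_RE.search(line)
        if m and m.group(1) in TERMINAL:
            status = m.group(1)
            name = attempt.methods[method_idx] if method_idx < len(attempt.methods) else "?"
            attempt.results.append((name, status))
            if status != "PASS":
                method_idx += 1  # fallback: the next method in the list is tried
    return attempt


def summarize(attempt: LoginAttempt) -> str:
    steps = ", ".join(f"{m}={s}" for m, s in attempt.results)
    return f"user={attempt.user} source={attempt.source} [{steps}] -> {attempt.outcome}"


# Constructed sample: the RADIUS-failure shape from this page, not a capture from a real device.
SAMPLE_FALLBACK = """\
*Mar  1 00:10:45.456: AAA/BLINK(0): BLINK LOGIN: User=jdoe
*Mar  1 00:10:45.456: AAA/BLINK(0): BLINK LOGIN: authen_type=1 (ASCII)
*Mar  1 00:10:45.456: AAA/BLINK(0): BLINK LOGIN: source=192.168.1.100
*Mar  1 00:10:45.456: AAA/BLINK(0): BLINK LOGIN: service=1 (LOGIN)
*Mar  1 00:10:45.456: AAA/BLINK(0): BLINK LOGIN: priv=1
*Mar  1 00:10:45.456: AAA: user authentication methods: group radius local
*Mar  1 00:10:45.456: AAA: authen(1): status = GETPASS
*Mar  1 00:10:45.456: AAA: authen(1): status = GETPASS
*Mar  1 00:10:45.456: AAA: authen(1): status = FAIL
*Mar  1 00:10:45.456: AAA: authen(1): status = GETPASS
*Mar  1 00:10:45.456: AAA: authen(1): status = PASS
"""

# Constructed sample where every method fails, so the login is denied.
SAMPLE_DENIED = """\
*Mar  1 00:12:01.000: AAA/BLINK(0): BLINK LOGIN: User=mallory
*Mar  1 00:12:01.000: AAA/BLINK(0): BLINK LOGIN: source=203.0.113.9
*Mar  1 00:12:01.000: AAA: user authentication methods: group tacacs+ local
*Mar  1 00:12:01.000: AAA: authen(1): status = GETPASS
*Mar  1 00:12:01.000: AAA: authen(1): status = FAIL
*Mar  1 00:12:01.000: AAA: authen(1): status = GETPASS
*Mar  1 00:12:01.000: AAA: authen(1): status = FAIL
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FALLBACK, SAMPLE_DENIED):
        print(summarize(parse_debug(sample)))
```

Feed it a transcript saved with 'terminal monitor' active and it prints one line per attempt, which is a quick way to spot that a user got in through the local fallback rather than the RADIUS or TACACS+ server during a change window.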

CCNA Exam Tips

1. Remember that 'debug aaa authentication' can generate a lot of output; always use 'undebug all' or 'no debug aaa authentication' to disable it.

2. The exam may ask you to interpret debug output to determine which authentication method succeeded or failed.

3. Know that 'debug aaa authentication' does not show authorization or accounting details; use 'debug aaa authorization' and 'debug aaa accounting' for those.

4. Be aware that AAA debug commands are CPU-intensive and should only be used in a lab or during specific troubleshooting windows.

Common Mistakes

Leaving debug enabled after troubleshooting, which can cause high CPU usage and log flooding.

Confusing 'debug aaa authentication' with 'debug aaa authorization' — they show different phases.

Not using 'terminal monitor' when debugging over a remote session (SSH/Telnet), so output is not seen.
