topic aaa new-modelaaa in Network Access Control

local username does not work when management interface is down

dwsmithjr — Mon, 11 Mar 2019 06:39:32 GMT

On switches when the management interface is down (vlan1), we cannot login from the console using the local username and password. if the management interface is up but TACACS is not available, it works fine for a vty interface. If you connect to console and TACACS is available, the TACACS login for course works and local does not.

We need to be able to use the command "username xxx secret" and be able to login when connected to the console port when TACACS is not available or the management interface is down, using the local username and password.

Can you please post the AAA

Javier Henderson — Fri, 08 Apr 2016 17:30:49 GMT

Can you please post the AAA configuration on your switch?

Javier Henderson

Cisco Systems

aaa new-modelaaa

dwsmithjr — Fri, 08 Apr 2016 17:33:23 GMT

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo

username XXX secret XXXXXX

We will need more to go

Javier Henderson — Fri, 08 Apr 2016 17:40:08 GMT

We will need more to go further, for example, do you have VLAN 1 as the source for TACACS+ packets?

When I said the AAA configuration, I meant everything related to it.

Javier Henderson

Cisco Systems

Yes, Vlan1 is the TACACS

dwsmithjr — Fri, 08 Apr 2016 18:35:18 GMT

Yes, Vlan1 is the TACACS source interface. I'll gather the rest of the configuration information relating to TACACS. We are able to login with the local account when we connect remotely using a vty interface (SSH) and TACACS is not available. That works fine.

We cannot login using the console interface when the router is disconnected from the network, say when it is being initially configured, has been rebooted and the tech is trying to reconnect through the console port. So, the management interface or vlan is down.

Here is the scenario. A tech

dwsmithjr — Fri, 08 Apr 2016 18:38:08 GMT

Here is the scenario. A tech is configuring a switch to be deployed to a location using the console port. They add the configuration which includes "username XXX secret XXXXXXX. They then save the configuration and reboot the switch. The switch is not connected to any network at this point.

When the switch comes up, they attempt to login again through the console port and cannot authenticate. The login is denied.

Vlan1 is the management interface and the TACACS source interface.

Let me know if you need

dwsmithjr — Mon, 11 Apr 2016 11:59:07 GMT

Let me know if you need anything else.

aaa group server tacacs+ ACS53
server name XXX
server name XXX

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo

aaa session-id common

interface Vlan1
description <Serial number and Asset tag>
ip address <INSERT SWITCH IP ADDRESS> xxx.xxx.xxx.0
no ip redirects
no ip unreachables
no ip route-cache
no shut

ip tacacs source-interface Vlan1

tacacs-server timeout 20
tacacs server XXX
address ipv4 xx.xxx.xxx.xxx
key 7 xxxxxxxxxxxxxxxx
tacacs server XXX
address ipv4 xxx.xxx.xxx.xxx
key 7 xxxxxxxxxxxxxxxx
tacacs-server directed-request

We've resolved the issue. It

dwsmithjr — Mon, 11 Apr 2016 18:15:02 GMT

We've resolved the issue. It was a "user error" on the part of some of the people configuring the switches.