04-07-2021 12:33 PM
Hello all,
We have a fully deployed fabric, and all of our leaves have their console ports connected to a central Console Manager (please note, I'm referring to the console port, not the management port).
I can connect to the console port on the leaves just fine via the Console Manager, but at the console login prompt on the leaf, I'm not sure what credentials to use, and for the life of me I haven't been able to find anything on the internet that explains it.
Is there somewhere in ACI that you configure the console port settings for your leaves, or is it something that you set up locally on the leaf itself (maybe on a per-leaf-model basis), or?
Thanks!
04-07-2021 02:30 PM
Hi @vv0bbLeS,
Hopefully someone else can confirm this, but I believe that there is no use for the console port on a Nexus ACI switch. Out-of-band management (which is what a console port was traditionally used for) is now achieved via the 1Gbps Mgmt0 ethernet interface.
So what you get when you connect to the console is access to the underlying Unix/Linux operating system.
So I'm guessing the username is root and the password can (probably) only be obtained via a TAC call. And the TAC would want a pretty good reason for you needing it, and it would be via a token that would (probably) only last for 30 mins.
Now, I must add a caveat here - this is mostly conjecture, but I'm 50% confident that I'm at least 50% correct. I hope that has given me enough wiggle room to bow out gracefully if someone else comes along and completely contradicts me : )
12-07-2023 11:12 PM - edited 12-31-2023 09:13 PM
I'll acknowledge there's mostly no reason to log in to an ACI leaf/spine console port. Nearly always, the inband (SSH from APIC to TEP address) and out-of-band (SSH to mgmt0) are fine for standard and contingency access.
However, console is key in situations where these don't work:
The third I've used the most, especially the first time I bootstrapped a fabric and messed things up so bad that I had to wipe everything and start over (multiple times..... *sad face*). That second condition I've used occasionally with TAC calls about faults where it won't join the fabric, usually ending in RMA.
I've also used the console during system upgrades:
To answer @vv0bbLeS's original question: default login is admin, with no password, but as discovered the moment it joins a fabric it takes on the fabric credential profile.
04-07-2021 02:49 PM
The console login credentials would be the same as you'd use to log in via SSH (typically your admin user account). However you log in to your APIC, that's how you'd log in to your switch. The only other possible challenge you might have is if you are using multiple login realms (remote auth) and your switch can't reach the AAA server to authenticate you. Is "local" auth set as the default realm?
From your APIC CLI provide the output of:
moquery -c aaaConsoleAuth
I still highly recommend always connecting console ports - in the event the switch fails to boot, or goes into Loader prompt, you have a means to recover it. The mgmt interface requires the switch be fully booted to access, so having this console backdoor serves an important failsafe.
Robert
04-07-2021 02:57 PM - edited 04-07-2021 02:58 PM
@RedNectar and @Robert Burns thank you all for your responses!
Robert, please see below for the output of the moquery command given. And I did try my regular SSH credentials but it did not accept them. Perhaps I was doing something wrong - I will try it again. And yes the Console Port would be used in a scenario that the OOB management network is down and the switch is otherwise unreachable, and in such a scenario I would also want to assume that my AAA server is unreachable also (if AAA is unreachable, what credentials would I use for the leaf Console Port?). Thanks again!
    apic1# moquery -c aaaConsoleAuth
    Total Objects shown: 1

    # aaa.ConsoleAuth
    annotation    :
    childAction   :
    descr         :
    dn            : uni/userext/authrealm/consoleauth
    extMngdBy     :
    lcOwn         : local
    modTs         : 2017-02-06T04:10:45.507-05:00
    name          :
    nameAlias     :
    ownerKey      :
    ownerTag      :
    providerGroup :
    realm         : local
    rn            : consoleauth
    status        :
    uid           : 0
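Added example, not part of the original thread: a small Python parser for the `moquery -c aaaConsoleAuth` output posted above that reports whether the console realm is `local` or a remote realm, the case Robert describes where the switch must reach the AAA server to authenticate you. The `tacacs` sample and its provider group name are constructed for illustration.

```python
import re

# Output as posted in the thread (empty attributes omitted).
POSTED = """\
Total Objects shown: 1

# aaa.ConsoleAuth
dn            : uni/userext/authrealm/consoleauth
providerGroup :
realm         : local
"""

# Constructed sample, not from the thread: console realm set to TACACS+.
CONSTRUCTED_REMOTE = """\
# aaa.ConsoleAuth
dn            : uni/userext/authrealm/consoleauth
providerGroup : example-tacacs-group
realm         : tacacs
"""

def parse_moquery(text):
    """Return one dict per object: {'class': ..., attribute: value, ...}."""
    objects, current = [], None
    for line in text.splitlines():
        header = re.match(r"^#\s+(\S+)\s*$", line)
        if header:
            current = {"class": header.group(1)}
            objects.append(current)
            continue
        attr = re.match(r"^(\w+)\s*:\s?(.*)$", line)
        if attr and current is not None:
            current[attr.group(1)] = attr.group(2).strip()
    return objects

def console_auth_findings(text):
    """Flag console realms that depend on a reachable AAA server."""
    findings = []
    for obj in parse_moquery(text):
        if obj["class"] != "aaa.ConsoleAuth":
            continue
        realm = obj.get("realm", "")
        verdict = "local" if realm == "local" else "needs-aaa-server"
        findings.append((obj.get("dn"), realm, verdict))
    return findings

if __name__ == "__main__":
    for sample in (POSTED, CONSTRUCTED_REMOTE):
        print(console_auth_findings(sample))
```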
04-07-2021 03:13 PM
Have you tried accessing from multiple workstations? Sometimes win/Mac workstations play funny with keyboard strokes via console servers. Your config looks good. My suspicion is either your terminal window/app or your console server doing something with the keystrokes. Are you copying & pasting your credentials or entering them manually?
Try a different workstation or a different terminal app (Putty/SecureCRT) etc.
Also provide the output of:
moquery -c aaaLoginDomain
Just to confirm, this switch is successfully joined (discovered & active) in your fabric?
Robert
04-08-2021 08:58 AM
Robert, thanks. I was able to figure it out. I had to use the local admin username and password that we had set on the APIC. Learned something new!