15544 Views | 16 Helpful | 3 Replies

Can't enter enable mode after TACACS+ basic configuration - % Error in authentication

prabhatei7 (Level 1)


Hello,

I have recently tried to configure TACACS+ on one of my Cisco switches (WS-C3850-48T) through a remote login. After the configuration I logged out of the switch, and later, when I tried to log in again, it showed an enable password error. We have never set any enable password.

Below is the config that was done:

aaa new-model
tacacs-server host 10.xx.xx.xx
tacacs-server key XXXXXXX
aaa authentication login default group tacacs+ local
line vty 0 15
login authentication default

Now today, when I am trying to log in again, it's showing "% Error in authentication". Yesterday it was giving the enable password prompt, but today it's not even giving us a password prompt. We have switched off our TACACS+ server and are still not getting the enable password prompt. Our environment is set up in a way that no switch asks for an enable password.

Switch01>enable
% Error in authentication.

Now we just want to remove the above configuration. Please suggest how to resolve the above issue. And please let us know if there is any other solution apart from console login, and how to do it.

[Attachments: config.PNG, error in authentication.png]

Accepted Solution

The "error in authentication" issue is related to authorization not being configured. You configured aaa authentication but you also have to configure authorization so the switch knows what privilege level to put the user into. The command you need is the "aaa authorization exec" method list. You can point that to TACACS as well and just make sure your policy in ISE is returning an appropriate privilege level such as 15.
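The configuration below is an added example, not the poster's or Cisco's own text: it takes the commands from the original post and adds the "aaa authorization exec" method list that the accepted solution calls for. The server address 10.xx.xx.xx and key XXXXXXX are the placeholders from the post; the local user and enable secret at the end are assumed safety nets that the thread does not mention, so that the switch stays manageable if the TACACS+ server is unreachable.

```cisco
! Added example (not from the thread): TACACS+ login with exec authorization.
! 10.xx.xx.xx and XXXXXXX are the placeholders from the original post.
aaa new-model
!
tacacs-server host 10.xx.xx.xx
tacacs-server key XXXXXXX
!
! Login authentication: ask TACACS+ first, fall back to the local database
! only if no TACACS+ server answers.
aaa authentication login default group tacacs+ local
!
! Exec authorization (the missing piece): TACACS+ returns the privilege
! level for the authenticated user; again, local is only the fallback.
aaa authorization exec default group tacacs+ local
!
! Assumed safety nets, not stated in the thread: a local privilege-15 user
! and an enable secret for recovery when the TACACS+ server is switched off.
username admin privilege 15 secret LOCAL-PASSWORD-PLACEHOLDER
enable secret ENABLE-SECRET-PLACEHOLDER
!
line vty 0 15
 login authentication default
 authorization exec default
```

Two points worth checking before logging out of the session used to apply this. First, the "local" keyword in a method list is only consulted when the TACACS+ server is unreachable; a server that is up and rejects the user, or returns no privilege level, does not fall through to local, so the ISE shell profile must actually return priv-lvl 15 (or whatever level is intended) for the exec authorization to land the user in privileged mode. Second, keep the working session open and test a second login before saving, which is the same precaution the poster relied on by not writing the configuration to startup-config.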

3 Replies

andrewswanson (Level 7)

Hi

If you can't access the switch terminal and have SNMP enabled, you can try using "snmpset" to upload a new startup-config to the switch and then reload it.

Details are here:

https://www.ciscozine.com/send-cisco-commands-via-snmp/

I've used snmpset in the past to reload switches - the only catch was that the source IP used to send the command must be permitted in any SNMP ACL on the switch.

hth
Andy

Hi Andy,

Thank you for your swift response.

I just wanted to know whether I will be able to use the command without enable mode, because I'm not able to get into enable mode since I configured TACACS on it.

I don't know why it's not allowing me to enter enable mode and all passwords are failing.

I'm able to log in to the device, but when I'm trying to get into enable mode it's not accepting any password. I just wanted to reload it because I have not saved the configuration for TACACS+.

The switch is running fine and the only problem is enable mode.
