04-08-2016 10:24 AM - edited 03-10-2019 11:39 PM
On switches, when the management interface (Vlan1) is down, we cannot log in from the console using the local username and password. If the management interface is up but TACACS is not available, it works fine for a vty interface. If you connect to the console and TACACS is available, the TACACS login of course works and local does not.
We need to be able to use the command "username xxx secret" and be able to log in when connected to the console port when TACACS is not available or the management interface is down, using the local username and password.
04-08-2016 10:30 AM
Can you please post the AAA configuration on your switch?
Javier Henderson
Cisco Systems
04-08-2016 10:33 AM
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
username XXX secret XXXXXX
04-08-2016 10:40 AM
We will need more to go further; for example, do you have VLAN 1 as the source for TACACS+ packets?
When I said the AAA configuration, I meant everything related to it.
Javier Henderson
Cisco Systems
04-08-2016 11:35 AM
Yes, Vlan1 is the TACACS source interface. I'll gather the rest of the configuration information relating to TACACS. We are able to log in with the local account when we connect remotely using a vty interface (SSH) and TACACS is not available. That works fine.
We cannot log in using the console interface when the router is disconnected from the network, say when it is being initially configured, has been rebooted and the tech is trying to reconnect through the console port. So, the management interface or VLAN is down.
04-08-2016 11:38 AM
Here is the scenario. A tech is configuring a switch to be deployed to a location using the console port. They add the configuration, which includes "username XXX secret XXXXXXX". They then save the configuration and reboot the switch. The switch is not connected to any network at this point.
When the switch comes up, they attempt to log in again through the console port and cannot authenticate. The login is denied.
Vlan1 is the management interface and the TACACS source interface.
04-11-2016 04:59 AM
Let me know if you need anything else.
aaa group server tacacs+ ACS53
 server name XXX
 server name XXX
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa session-id common
interface Vlan1
 description <Serial number and Asset tag>
 ip address <INSERT SWITCH IP ADDRESS> xxx.xxx.xxx.0
 no ip redirects
 no ip unreachables
 no ip route-cache
 no shut
ip tacacs source-interface Vlan1
tacacs-server timeout 20
tacacs server XXX
 address ipv4 xx.xxx.xxx.xxx
 key 7 xxxxxxxxxxxxxxxx
tacacs server XXX
 address ipv4 xxx.xxx.xxx.xxx
 key 7 xxxxxxxxxxxxxxxx
tacacs-server directed-request
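The AAA configuration posted above, run through a small config audit. This is an added example written for this thread, not Cisco code and not something either poster provided: it parses the `aaa authentication login` method lists and the `line` blocks out of IOS-style running-config text and reports, per line type, which list applies and whether a local username would ever be consulted. The constructed THREAD_CONFIG mirrors the posted config with server names, addresses and secrets replaced by placeholders; the constructed CONSOLE_LOCAL_CONFIG adds a dedicated list (the name `CONSOLE` is an assumption) applied with `login authentication CONSOLE` under `line con 0`, which is the usual way to keep console access independent of TACACS+ reachability.

```python
"""Audit an IOS-style AAA configuration for local fallback on the console.

Added example for this thread, not Cisco code. It parses the
'aaa authentication login' method lists from running-config text, works
out which list each 'line' block (con/vty/aux) uses, and reports whether
a local username would ever be tried. Both configurations below are
constructed; server names, addresses and secrets are placeholders.
"""
from __future__ import annotations

import re

# Constructed from the posted config: the console has no explicit
# 'login authentication', so it inherits the default list.
THREAD_CONFIG = """\
aaa new-model
aaa group server tacacs+ ACS53
 server name TACACS-A
 server name TACACS-B
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
username XXX secret PLACEHOLDER
line con 0
line vty 0 4
 transport input ssh
"""

# Constructed variant: a console-only list (name 'CONSOLE' is an
# assumption) that never consults TACACS+, applied under line con 0.
CONSOLE_LOCAL_CONFIG = """\
aaa new-model
aaa group server tacacs+ ACS53
 server name TACACS-A
 server name TACACS-B
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable
username XXX secret PLACEHOLDER
line con 0
 login authentication CONSOLE
line vty 0 4
 transport input ssh
"""

LOGIN_LIST_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
LINE_BLOCK_RE = re.compile(r"^line (con|vty|aux) \d+(?: \d+)?$")
LINE_AUTH_RE = re.compile(r"^\s+login authentication (\S+)$")
LOCAL_USER_RE = re.compile(r"^username \S+ (?:secret|password) ", re.M)


def parse_method_lists(config: str) -> dict[str, list[str]]:
    """Map each login method-list name to its ordered methods.

    'group <name>' is a single method, so 'group tacacs+ local'
    becomes ['group tacacs+', 'local'].
    """
    lists: dict[str, list[str]] = {}
    for raw in config.splitlines():
        m = LOGIN_LIST_RE.match(raw.strip())
        if not m:
            continue
        name, rest = m.groups()
        tokens = rest.split()
        methods: list[str] = []
        i = 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append(f"group {tokens[i + 1]}")
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[name] = methods
    return lists


def parse_line_auth(config: str) -> dict[str, str]:
    """Map each line type (con/vty/aux) to the login list it uses.

    A line block without 'login authentication <name>' uses 'default'.
    """
    line_lists: dict[str, str] = {}
    current: str | None = None
    for raw in config.splitlines():
        if raw and not raw[0].isspace():
            # Top-level command: enter a 'line' block or leave the current one.
            m = LINE_BLOCK_RE.match(raw.strip())
            current = m.group(1) if m else None
            if current:
                line_lists.setdefault(current, "default")
        elif current:
            m = LINE_AUTH_RE.match(raw)
            if m:
                line_lists[current] = m.group(1)
    return line_lists


def audit_login_fallback(config: str) -> dict[str, dict]:
    """Per line type: its method list, whether TACACS+ is tried first,
    and whether a local username can ever be consulted.

    'local' only counts if a local username actually exists. The IOS
    semantics modelled here: a later method is tried only when the
    earlier one returns an error (no server reachable), not when a
    server answers and rejects the credentials.
    """
    lists = parse_method_lists(config)
    has_local_user = bool(LOCAL_USER_RE.search(config))
    report: dict[str, dict] = {}
    for line_type, list_name in parse_line_auth(config).items():
        methods = lists.get(list_name, [])
        report[line_type] = {
            "list": list_name,
            "methods": methods,
            "tacacs_first": bool(methods) and methods[0].startswith("group "),
            "local_fallback": "local" in methods and has_local_user,
        }
    return report


if __name__ == "__main__":
    for label, cfg in (("thread config", THREAD_CONFIG),
                       ("console-local config", CONSOLE_LOCAL_CONFIG)):
        print(f"== {label} ==")
        for line_type, info in audit_login_fallback(cfg).items():
            print(f"line {line_type}: list={info['list']} methods={info['methods']} "
                  f"local_fallback={info['local_fallback']}")
```

The point the check encodes is the one this thread turns on: with `group tacacs+ local`, the `local` method is reached only after every TACACS+ server in the group returns an error (unreachable or timed out), never when a server answers and rejects the credentials, so a console that falls back to the local account while the switch is off the network is the expected behaviour of the posted list. The script only reads configuration text; it does not connect to a device.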
04-11-2016 11:15 AM
We've resolved the issue. It was a "user error" on the part of some of the people configuring the switches.