local username does not work when management interface is down

dwsmithjr
Level 1

On switches, when the management interface (vlan1) is down, we cannot log in from the console using the local username and password. If the management interface is up but TACACS is not available, it works fine for a vty interface. If you connect to the console and TACACS is available, the TACACS login of course works and local does not.

We need to be able to use the command "username xxx secret" and be able to log in when connected to the console port when TACACS is not available or the management interface is down, using the local username and password.

7 Replies

Can you please post the AAA configuration on your switch?

Javier Henderson

Cisco Systems

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo

username XXX secret XXXXXX

We will need more to go further, for example, do you have VLAN 1 as the source for TACACS+ packets?

When I said the AAA configuration, I meant everything related to it.

Javier Henderson

Cisco Systems

Yes, Vlan1 is the TACACS source interface. I'll gather the rest of the configuration information relating to TACACS. We are able to log in with the local account when we connect remotely using a vty interface (SSH) and TACACS is not available. That works fine.

We cannot log in using the console interface when the router is disconnected from the network, say when it is being initially configured, has been rebooted and the tech is trying to reconnect through the console port. So, the management interface or vlan is down.

Here is the scenario. A tech is configuring a switch to be deployed to a location using the console port. They add the configuration, which includes "username XXX secret XXXXXXX". They then save the configuration and reboot the switch. The switch is not connected to any network at this point.

When the switch comes up, they attempt to log in again through the console port and cannot authenticate. The login is denied.

Vlan1 is the management interface and the TACACS source interface.

Let me know if you need anything else.

aaa group server tacacs+ ACS53
 server name XXX
 server name XXX

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo

aaa session-id common

interface Vlan1
 description <Serial number and Asset tag>
 ip address <INSERT SWITCH IP ADDRESS> xxx.xxx.xxx.0
 no ip redirects
 no ip unreachables
 no ip route-cache
 no shut

ip tacacs source-interface Vlan1

tacacs-server timeout 20
tacacs server XXX
 address ipv4 xx.xxx.xxx.xxx
 key 7 xxxxxxxxxxxxxxxx
tacacs server XXX
 address ipv4 xxx.xxx.xxx.xxx
 key 7 xxxxxxxxxxxxxxxx
tacacs-server directed-request
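The configuration posted above uses the single default login list for every line, so a console session on a switch with no network has to wait for TACACS+ to fail before the local database is consulted. The following is an added example, not the poster's configuration, of giving the console its own method list with local first while keeping TACACS+ first for remote sessions. It assumes IOS/IOS-XE with "aaa new-model"; the server group ACS53 is the one defined in the thread, and the list name CONSOLE, the user name "staging" and the secrets in angle brackets are placeholders chosen for this example.

```ios
! Added example, not the poster's configuration. Assumes IOS/IOS-XE.
! ACS53 is the thread's server group; CONSOLE and "staging" are illustrative.
aaa new-model
!
! Console: local first. A switch being staged on the bench, or one whose
! Vlan1 is down, can be reached from the console without waiting for
! TACACS+ to time out. Because "local" is the only method, a wrong local
! password is a FAIL that ends the list; TACACS+ is never consulted here.
aaa authentication login CONSOLE local
!
! Remote (vty) sessions: TACACS+ first. "local" is tried only when every
! server in the group returns ERROR (unreachable / timed out). A reject
! from a reachable server is a FAIL and does not fall through to local.
aaa authentication login default group ACS53 local
aaa authentication enable default group ACS53 enable
aaa authorization exec default group ACS53 if-authenticated
!
! Local credentials used when the servers cannot be reached. The "enable"
! fallback method checks "enable secret", so it must be set. "privilege 15"
! on the username only takes effect when exec authorization is done against
! the local database; on the console the user lands in user mode and uses
! "enable".
username staging privilege 15 secret <local-secret>
enable secret <enable-secret>
!
! Do NOT add "aaa authorization console": by default IOS does not apply
! exec authorization to the console line, which keeps the fallback usable.
!
line con 0
 login authentication CONSOLE
line vty 0 15
 login authentication default
 transport input ssh
```

With the thread's "tacacs-server timeout 20" and two servers, a vty login while both servers are unreachable tries each server in turn for the full timeout before "local" is reached; the console list above avoids that wait entirely. The trade-off is that console logins are not recorded by TACACS+ accounting, which is usually acceptable because physical access to the console is already the stronger control.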

We've resolved the issue. It was a "user error" on the part of some of the people configuring the switches.