04-07-2005 01:18 AM - edited 03-10-2019 02:05 PM
Hi there,
After going through some topics and trying everything I could find, I am relying on you all to help me further before I lose my mind. ;)
I have an Access Point for R&D and have configured several items for AAA, such as logging in through the telnet interface with your user account from AD, accounting being logged, etc. So far I am happy with it.
But, to have a backdoor into the device I need to be able to log on locally to the device using the console cable in case an ACS server is not present. And this is not working for me.
I have a local username and password on the device itself, which I can use to log in through the telnet option, and it brings me straight into enable mode. But using this account with the console brings me to priv level 1. When typing ENABLE I can specify the password that belongs to this local account, but it is not accepted. Instead I get:
Username: admin
Password:
AP-HOSTNAME>ena
Password:
% Error in authentication.
AP-HOSTNAME>
Pasted below you can find my current config regarding the login methods:
aaa authentication login default local group tac_admin group rad_admin
aaa authentication enable default group tacacs+ enable
aaa authorization exec default local group tac_admin group rad_admin
aaa accounting commands 15 default start-stop group tacacs+
I have tried to change this line
aaa authorization exec default local group tac_admin group rad_admin
into
aaa authorization exec default local group tac_admin group rad_admin if-authenticated
but it had no result...
Does anybody have any suggestions for me to try out?
04-07-2005 02:00 AM
Hi,
Try the following:
router(config)#aaa authentication login console local
router(config)#line con 0
router(config-line)#login authentication console
Rgds
Paddy
04-07-2005 03:57 AM
Hi,
Thanks for the answer. My config now looks like this...
aaa authentication login default local group tac_admin group rad_admin
aaa authentication login console local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default local group tac_admin group rad_admin
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
dot11 phone
dot11 location isocc
line con 0
login authentication console
line vty 5 15
When I try to log in with the console cable I get the following error message when I switch to ENABLE mode:
User Access Verification
Username: admin
Password:
AP-HOSTNAME>ena
Password:
% Error in authentication.
AP-HOSTNAME>
04-12-2005 09:54 AM
I am not clear from these posts whether there is an enable password (or enable secret) configured or not. And I am not clear what password you are entering when you attempt to go into enable mode from the console.
I believe the crux of the problem is that aaa is specifying tacacs for authentication of enable. If you do have it working that your telnet session goes directly into privilege mode then I do not think that you need to point at tacacs for enable. I would suggest changing this:
aaa authentication enable default group tacacs+ enable
into
aaa authentication enable default enable
This should allow you to authenticate into privilege mode from the console using the enable password (which should be configured if it is not already configured).
HTH
Rick
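The two behaviours the thread turns on are method-list fallback and console authorization. In IOS, a method list such as "group tacacs+ enable" only moves on to the next method when the previous one returns an error (server unreachable); a server that answers with a reject is final, so a reachable ACS with no enable password defined for the account yields "% Error in authentication." even though a local enable secret exists. Separately, exec authorization is not applied to the console line at all unless "aaa authorization console" is configured, which is why a privilege-15 local user drops straight into enable over telnet but lands at level 1 on the console. The following consolidated configuration is an added example for this thread, not the poster's config or Cisco's; the group names, the "admin" user and the bracketed secrets are placeholders.

```cisco
! Added example (not the poster's running config). Placeholders in <> must be replaced.
aaa new-model
!
! Console: local user database only, so the console keeps working when no
! ACS/TACACS+ server is reachable. Remote lines keep the AAA server first.
aaa authentication login console local
aaa authentication login default group tac_admin local
!
! Enable: ask TACACS+ first; the local enable secret is consulted ONLY when
! the server does not answer (error), never when the server answers "reject".
! If you want the console to rely purely on the local enable secret, use
!   aaa authentication enable default enable
! as Rick suggests, or define a console-specific list instead.
aaa authentication enable default group tacacs+ enable
!
! Apply exec authorization to the console too; without this line the console
! is exempt and a privilege-15 local user still lands at level 1.
aaa authorization console
aaa authorization exec default local group tac_admin if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
!
! Local credentials used when the AAA server is absent. Use "secret" (hashed)
! rather than "password" for both the user and the enable credential.
username admin privilege 15 secret <admin-secret>
enable secret <enable-secret>
!
line con 0
 login authentication console
```

After applying this from the console, log out and back in and run "show privilege"; with "aaa authorization console" in place and the local user at privilege 15, the console session should report level 15 without a separate "enable" step. If the enable step is still needed, "debug aaa authentication" (on a lab device, as here) shows which method in the list answered and whether it returned an error or a reject, which distinguishes "server unreachable" from "server refused".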
07-11-2006 07:18 PM
Sniff the packets coming into your AAA server. You will notice, when going through the console, AAA is authenticating with a username of 'enable'. So, you need to make an AAA account for user 'enable'. I ran into the same problem when going through the console port.