My console port asks for username/password when I need to get into the enable mode.

dtran
Level 1

Hello,

At the console port, I can access the first level of password with the local password.  However, as soon as I type enable, the switch asks me for a username/password.  As it turns out, the username/password that allows me into the switch in the enable mode is from my tacacs server.  So, I am assuming that this is an AAA configuration issue?  I would like the console port to be set up only to use the local password for both the first level and the enable password.  I don't want it to use tacacs whether it is connected or not connected to the network.

I tried to configure the command for local password on the console port but the switch won't let me:

O1S-3(config)#line con 0

O1S-3(config-line)#login local

                         ^

% Invalid input detected at '^' marker.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Here is the AAA configuration

O1S-3#sho run | in aaa
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login con-auth line none
aaa authentication login VTYLINE line
aaa authentication login NULL none
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ none
aaa session-id common

!

!

tacacs-server host 168.125.70.98
tacacs-server timeout 4
tacacs-server directed-request
tacacs-server key 7 000D1E16015A080E0224425A
radius-server source-ports 1645-1646
!

O1S-3#

************************************************************************************

Here is my console and vty configuration:

!
line con 0
 exec-timeout 0 0
 timeout login response 45
 password good2go
 login authentication con-auth
line vty 0 4
 session-timeout 5
 exec-timeout 0 0
 password good2go
line vty 5 15
 session-timeout 5
 exec-timeout 2 0
 password good2go
 login authentication NULL
!

************************************************************************

O1S-3#sho ver
Cisco IOS Software, C3750 Software (C3750-IPBASE-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 30-Aug-05 15:47 by yenanh

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(25r)SE1, RELEASE SOFTWARE (fc)

 O1S-3 uptime is 5 hours, 59 minutes
System returned to ROM by power-on
System restarted at 18:36:32 UTC Tue May 17 2016
System image file is "flash:c3750-ipbase-mz.122-25.SEB4/c3750-ipbase-mz.122-25.SEB4.bin"

cisco WS-C3750G-24PS (PowerPC405) processor (revision C0) with 118784K/12280K bytes of memory.


agapitca19
Level 1

Dtran,

Try removing the command login authentication con-auth in line con 0 then add the command login local.

***If you find the comment helpful, please rate and mark it correct. Thanks***

Thank you for your reply.  The problem is that when I tried to use the "login local" command, the switch won't let me and generated an error.  Please see below:

O1S-3#
O1S-3#config t
Enter configuration commands, one per line.  End with CNTL/Z.
O1S-3(config)#line con 0
O1S-3(config-line)#no login authentication con-auth
O1S-3(config-line)#login local 
                         ^
% Invalid input detected at '^' marker.

O1S-3(config-line)#login ?
  authentication  Authentication parameters.

O1S-3(config-line)#login authen ?
  WORD     Use an authentication list with this name.
  default  Use the default authentication list.

O1S-3(config-line)#login authen

Try the commands below. Since aaa new-model is enabled, it changes the way the vty lines and the console line require authentication, which is through aaa commands.

Add the command aaa authentication login CONSOLE local

Add the command login authentication CONSOLE in line console 0.

HTH

***If you find the comment helpful, please rate and mark it correct. Thanks***

Thank you for your help.  I configured the switch as you suggested and the problem remains.  When I tried to console in, it asks me for the username/password.  As it turns out, the username/password is to my tacacs server.  I would like for the console port to be logged in via the local password only.

Here is my AAA configuration on the switch:

O1S-3#sh run | b aaa
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login con-auth line none
aaa authentication login VTYLINE line
aaa authentication login NULL none
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ none
!
aaa session-id common

!
line con 0
 exec-timeout 0 0
 timeout login response 45
 password good2go
 login authentication CONSOLE

line vty 0 4
 session-timeout 5
 exec-timeout 0 0
 password good2go

When you said local password for the line console 0, do you mean the password you assigned in line con 0 or from local username and password?

Remove default method list:

delete aaa authentication login default group tacacs+ line

To use password assigned to line con 0:

delete aaa authentication login CONSOLE local

add aaa authentication login CONSOLE line

retain login authentication CONSOLE in line con 0

To use local username and password:

create local username and password on the switch

delete aaa authentication login CONSOLE line

add aaa authentication login CONSOLE local

retain login authentication CONSOLE in line con 0

You already have in your configuration the command aaa authentication login VTYLINE line, but it is not applied to the vty lines. Also, in your first post, the command aaa authentication login NULL none was applied to the vty lines, which I would suggest removing if it's still applied, and applying login authentication VTYLINE instead.

What I would normally do is create a method list for console and vty line authentication that will first use tacacs+ (whether against Active Directory or a local account on the tacacs server), then, when the tacacs server is down or cannot be reached, fall back to the local username & password set on the switch, and if that's not available either (which would be odd), then either the enable or line (vty and console) password set on the switch will be used.

HTH

***If you find the comment helpful, please rate and mark it correct. Thanks***
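The thread turns on which method list each line actually resolves to once aaa new-model is on: a line with no login authentication command uses the default list, and the enable prompt uses the aaa authentication enable default list. Below is an added audit script (not from this thread or from Cisco) that parses a trimmed copy of the configuration quoted above, resolves the effective login methods per line, and flags lines that are unauthenticated or that consult a remote server first; the config text is constructed from the posts, and the function names are my own.

```python
import re
# Constructed sample: the AAA and line configuration quoted in the thread, trimmed.
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ line
aaa authentication login con-auth line none
aaa authentication login NULL none
aaa authentication enable default group tacacs+ enable
line con 0
 password good2go
 login authentication con-auth
line vty 0 4
line vty 5 15
 password good2go
 login authentication NULL
"""

def parse_method_lists(config):
    """Map (kind, list name) -> methods, e.g. ('login', 'default') -> ('group:tacacs+', 'line')."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"aaa authentication (login|enable) (\S+) (.+)$", line)
        if m:  # 'group tacacs+' is kept as the single token 'group:tacacs+'
            lists[(m.group(1), m.group(2))] = tuple(m.group(3).replace("group ", "group:").split())
    return lists

def effective_login_methods(config):
    """Map each line block to the login methods it really uses: its named list, else 'default'."""
    lists, out, current = parse_method_lists(config), {}, None
    for line in config.splitlines():
        if line.startswith("line "):
            current = line[5:].strip()
            out[current] = lists.get(("login", "default"), ("undefined list: default",))
        elif current and line.startswith(" login authentication "):
            name = line.split()[-1]  # an unknown list is flagged, not resolved by guessing IOS fallback
            out[current] = lists.get(("login", name), ("undefined list: " + name,))
    return out

def audit(config):
    """Findings a reviewer wants: unauthenticated lines, remote-first lines, remote-first enable."""
    findings = []
    for name, methods in effective_login_methods(config).items():
        if methods[0] == "none":
            findings.append(f"{name}: login needs no authentication at all ({' '.join(methods)})")
        elif methods[0].startswith("group:"):
            findings.append(f"{name}: login asks {methods[0][6:]} first, then {' '.join(methods[1:]) or 'nothing'}")
    enable = parse_method_lists(config).get(("enable", "default"), ())
    if enable and enable[0].startswith("group:"):
        findings.append(f"enable: {enable[0][6:]} is consulted before the local enable password")
    return findings
```

Applying the last reply's fix (aaa authentication login CONSOLE local plus login authentication CONSOLE on line con 0) makes the console resolve to the single method local, while the enable finding remains until the aaa authentication enable default list is changed as well.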