
Unable to login to console

Dean Crook
Level 1

Hi, I've noticed a strange problem. I think it's quite recent, but I cannot highlight what may have caused it.

I am unable to log in to the console port on all devices that I've currently checked on my network. I can SSH, no problems.

I hit return when asked and it fails to authenticate 3 times with a blank username.

This gets failed by ACS because the blank user has no service selection rule.

I have run debug tacacs on a C4506e 12.2(44r)SG9:

Feb 14 14:54:14.469: TPLUS: Queuing AAA Authentication request 179 for processing
Feb 14 14:54:14.469: TPLUS: processing authentication start request id 179
Feb 14 14:54:14.469: TPLUS: Authentication start packet created for 179()
Feb 14 14:54:14.469: TPLUS: Using server x.x.x.x
Feb 14 14:54:14.469: TPLUS(000000B3)/0/NB_WAIT/205AAD70: Started 5 sec timeout
Feb 14 14:54:14.469: TPLUS(000000B3)/0/NB_WAIT: socket event 2
Feb 14 14:54:14.469: TPLUS(000000B3)/0/NB_WAIT: wrote entire 29 bytes request
Feb 14 14:54:14.469: TPLUS(000000B3)/0/READ: socket event 1
Feb 14 14:54:14.469: TPLUS(000000B3)/0/READ: Would block while reading
Feb 14 14:54:14.469: TPLUS(000000B3)/0/READ: socket event 1
Feb 14 14:54:14.469: TPLUS(000000B3)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Feb 14 14:54:14.469: TPLUS(000000B3)/0/READ: socket event 1
Feb 14 14:54:14.469: TPLUS(000000B3)/0/READ: read entire 18 bytes response
Feb 14 14:54:14.469: TPLUS(000000B3)/0/205AAD70: Processing the reply packet
Feb 14 14:54:14.469: TPLUS: Received authen response status FAIL (3)

If I remove authentication from the line con 0 then I can connect.

Config:

aaa new-model
!
!
aaa authentication login ADMIN group tacacs+ local
!
aaa session-id common
!
line con 0
 login authentication ADMIN
 stopbits 1

Any help would be appreciated.
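The failure described in this post can be picked out of `debug tacacs` output mechanically. The following is an added example, not part of the original post: it groups the TPLUS lines into one record per authentication attempt and flags attempts that the server rejected with an empty username. It assumes the text in parentheses after the request id is the username sent, and that the hex tag in `TPLUS(...)` is the request id (0xB3 is 179 in the post); the function names are hypothetical.

```python
import re

# Sample input: a subset of the debug lines from the post above
# (server address masked as in the post).
SAMPLE = """\
Feb 14 14:54:14.469: TPLUS: Queuing AAA Authentication request 179 for processing
Feb 14 14:54:14.469: TPLUS: Authentication start packet created for 179()
Feb 14 14:54:14.469: TPLUS: Using server x.x.x.x
Feb 14 14:54:14.469: TPLUS(000000B3)/0/NB_WAIT: wrote entire 29 bytes request
Feb 14 14:54:14.469: TPLUS: Received authen response status FAIL (3)
"""

START = re.compile(r"TPLUS: Authentication start packet created for (\d+)\((.*?)\)\s*$")
SERVER = re.compile(r"TPLUS: Using server (\S+)")
SESSION = re.compile(r"TPLUS\(([0-9A-Fa-f]{8})\)")
STATUS = re.compile(r"TPLUS: Received authen response status (\w+) \((\d+)\)")

def parse_attempts(text):
    """Group debug lines into one record per authentication attempt."""
    attempts, cur = [], None
    for line in text.splitlines():
        if m := START.search(line):
            # Assumption: the parentheses hold the username that was sent.
            cur = {"id": int(m.group(1)), "user": m.group(2), "server": None,
                   "session_ok": None, "status": None}
            attempts.append(cur)
        elif cur is None:
            continue  # line does not belong to a tracked attempt
        elif m := SERVER.search(line):
            cur["server"] = m.group(1)
        elif m := SESSION.search(line):
            # Assumption: the hex tag is the request id (0xB3 == 179 here).
            cur["session_ok"] = int(m.group(1), 16) == cur["id"]
        elif m := STATUS.search(line):
            cur["status"] = m.group(1)
            cur = None  # the reply closes this attempt
    return attempts

def blank_user_failures(attempts):
    """Attempts the server rejected where no username was sent."""
    return [a for a in attempts if a["user"] == "" and a["status"] == "FAIL"]

if __name__ == "__main__":
    for a in blank_user_failures(parse_attempts(SAMPLE)):
        print(f"request {a['id']} to {a['server']}: blank username rejected")
```
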


camejia
Level 3

Hello Dean,

You might be running into either of the following two known issues:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw79561

CSCsw79561 Bug Details

DROPACCTFAIL: System Accounting fails with tacacs

Symptom:

On affected switches, the switch is slow to respond to login requests after reboot, displaying
a repeated message of

% Authentication failed

while not allowing entry of the username for authentication.  This problem fixes itself within
minutes, but during the first few minutes of boot, login via telnet or console is impossible.

"show log" output from the same time period will show:

%AAA-3-DROPACCTFAIL: Accounting record dropped, send to server failed: system


Conditions:

External accounting enabled for system events such as:

aaa accounting system default start-stop group tacacs+

Workaround:

Wait for a few minutes after a reboot or restart event prior to telnetting into the switch.


Further Problem Description:

Symptoms are the same as those described in CSCsk50769.

Or

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsx07352

CSCsx07352 Bug Details

Console stuck with "authentication failed" on save & reload for sys acco

Symptom:
With 'aaa accounting' and 'aaa authen' configured on a switch, we are unable to login to the switch at all.
Also, it's possible the switch will hang on issue of 'reload' from the CLI.

Conditions:
The two conditions must be met:

- AAA accounting must be configured
- AAA authentication must be configured

Workaround:
Disable 'AAA accounting' configuration

If this was helpful please rate.

Regards.

camejia
Level 3

Hello,

If matching the first bug you can also configure the IOS AAA command:

aaa accounting system guarantee-first

The above command explanation:

The aaa accounting system guarantee-first command guarantees system accounting as the
first record, which is the default condition. In some situations, users may be prevented
from starting a session on the console or terminal connection until after the system
reloads, which can take more than three minutes.

To establish a console or telnet session with the router if the AAA server is unreachable
when the router reloads, use the no aaa accounting system guarantee-first command.

Regards.

Thanks for your response but none of the above match the problem.

I do not have any accounting configured.
