Disabling AAA won't let me login via local username and password

joshipiyush
Level 1

Hello All,

Please, can someone help me with this issue? I tried to configure a local username and password and tried to log in with them after disabling AAA (reachability to the TACACS servers is removed via a deny rule on the firewall).

Whenever I am trying to log in to the switch using the local username and password it says access denied. I get the login prompt, but the password doesn't work.

aaa group server tacacs+ XXX-AAA
server name -ISE01
server name ISE01
server name ACS01
!
aaa authentication login default group XXX-AAA local
aaa authentication enable default group XXX-AAA enable
aaa authorization config-commands
aaa authorization exec default group XXX-AAA none
aaa authorization commands 0 default group XXX-AAA none
aaa authorization commands 1 default group XXX-AAA none
aaa authorization commands 15 default group XXX-AAA none
aaa accounting exec default start-stop group XXX-AAA
aaa accounting commands 0 default start-stop group XXX-AAA
aaa accounting commands 1 default start-stop group XXX-AAA
aaa accounting commands 15 default start-stop group XXX-AAA

Can someone help me understand why my password is not getting accepted even after carefully entering the same?

10 Replies

TJ-20933766
Spotlight

Use the following commands to see what is going on with the device:

terminal monitor
debug tacacs
debug aaa authentication

Please try logging in again and post the output from the above debugs.

marce1000
Hall of Fame

 - You may need this instead: aaa authentication login default group local XXX-AAA

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Sorry, it doesn't take the local option after default group.

balaji.bandi
Hall of Fame

I am thinking that for some reason the device is still able to reach and try to authenticate with TACACS - maybe the session is still established (not sure what FW this is?).

A couple of questions:

1. Have you tested that the local username and password work before enabling the AAA service?

2. The best way to test fallback is to change the key on the TACACS side (here I am guessing ISE or ACS).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,
If you have disabled AAA then the device won't be trying to use any TACACS server, but if you've just denied access to the TACACS server then @balaji.bandi's suggestion is very possible.

If you have disabled AAA then, unless you configured the vty lines (login local) to accept local user credentials, you won't gain access.

You may have to perform a password recovery or, if you didn't save your changes, reload the device.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
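The replies above hinge on how an IOS method list such as "aaa authentication login default group XXX-AAA local" is evaluated: a method is skipped only when it returns an error (no server answered), while a reject from any server that still answers ends the list without ever consulting the local database. The following Python model is an added illustration, not Cisco code or anything posted in this thread; the server outcomes, the local user database and the scenario names are constructed for the example.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # an answer came back and it was a reject
    ERROR = "error"  # no usable answer: timeout, no route, server marked dead


def group_method(server_outcomes):
    """Models 'group XXX-AAA'. Servers are tried in order; the first one that
    actually answers (PASS or FAIL) decides for the whole group. The group
    returns ERROR only when every server in it returns ERROR.
    Outcomes are supplied per server for the simulation; username and password
    are accepted only so all methods share one signature."""
    def method(username, password):
        for outcome in server_outcomes:
            if outcome is not Result.ERROR:
                return outcome
        return Result.ERROR
    return method


def local_method(local_users):
    """Models 'local': the credentials are checked against the local database."""
    def method(username, password):
        return Result.PASS if local_users.get(username) == password else Result.FAIL
    return method


def authenticate(methods, username, password):
    """Walk the method list in order. PASS or FAIL ends the evaluation; only
    ERROR moves on to the next method. Returns (deciding method, result); if
    every method ERRORs the login is denied and no method is named."""
    for name, method in methods:
        result = method(username, password)
        if result is not Result.ERROR:
            return name, result
    return None, Result.ERROR


# Constructed local database; the thread's real usernames are not known.
LOCAL_USERS = {"testuser": "correct-password"}


def login_outcome(server_outcomes, username, password):
    methods = [
        ("group XXX-AAA", group_method(server_outcomes)),
        ("local", local_method(LOCAL_USERS)),
    ]
    return authenticate(methods, username, password)


def scenarios():
    """Three situations from the thread, as (deciding method, result)."""
    return {
        # Firewall drops TCP/49 to all three servers: each times out, the group
        # returns ERROR and the local database is consulted.
        "all servers unreachable": login_outcome(
            [Result.ERROR, Result.ERROR, Result.ERROR], "testuser", "correct-password"),
        # One server still answers (e.g. one the deny rule does not cover) and
        # rejects the unknown local user: FAIL stops the list, 'local' never runs.
        "one server still answers": login_outcome(
            [Result.ERROR, Result.FAIL, Result.ERROR], "testuser", "correct-password"),
        # Fallback is reached, but the account is not in the local database.
        "fallback reached, no such local user": login_outcome(
            [Result.ERROR, Result.ERROR, Result.ERROR], "admin", "correct-password"),
    }


if __name__ == "__main__":
    for name, (method, result) in scenarios().items():
        print(f"{name:40s} -> {str(method):15s} {result.value}")
```

The second scenario is the one balaji.bandi describes: as long as any server in the group still answers, "local" is never reached, and the prompt behaves exactly as in the original post. A timing clue helps tell the cases apart on a real switch: fallback to "local" only happens after every server in the group has run through its timeout, so a login that is refused instantly was answered by a server, while one that pauses for several seconds per server before accepting or refusing did fall through to the local database.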

joshipiyush
Level 1

Hello All,

Thank you for your suggestions. I just created a rule on the PAN firewall which denies access from the source IP of the switch to the TACACS server, which is my ISE.

Now in this case, when I tried to log in locally to the switch using the local username and password, I got access denied. Yes, I believe this was never tested before, as I am pretty sure that this wouldn't have worked earlier either. I created a new test username and tried to log in with that; I also tried to use the previously configured username Admin, which also didn't work, which means this was not tested earlier and would never have worked.

This is my prod switch, so it is difficult to play around trying different options. Also there is no login local option, which I tried to see earlier before posting.

Switch(config-line)#login ?
authentication Authentication parameters.

SWITCH(config-line)#login auth
SWITCH(config-line)#login authentication ?
WORD Use an authentication list with this name.
default Use the default authentication list.

SWITCH(config-line)#login authentication

If you have not tested the local user, never write the configuration (otherwise you lock yourself out) - make sure you created a username with the right priv 15.

To guide you on the right path, please post what this device is, and show run (relevant config of AAA and VTY line config).

 

#login authentication default  - is the command.

Another note: we see there are 3 servers configured in the group, and you also have ACS config, so make sure your FW blocks all of them.

BB


Hello Balaji,

Please see below. I am now testing this on a 9300 Dublin device; earlier it was for the Palo Alto location and the device was a 3850 Cisco IOS switch.

aaa new-model
!
!
aaa group server tacacs+ XXX-AAA
server name XXX-ISE01
server name XXX-ISE01
!
aaa authentication login default group XXX-AAA local
aaa authentication enable default group XXX-AAA enable
aaa authorization config-commands
aaa authorization exec default group XXX-AAA none
aaa authorization commands 0 default group XXX-AAA none
aaa authorization commands 1 default group XXX-AAA none
aaa authorization commands 15 default group XXX-AAA none
aaa accounting exec default start-stop group XXX-AAA
aaa accounting commands 0 default start-stop group XXX-AAA
aaa accounting commands 1 default start-stop group XXX-AAA
aaa accounting commands 15 default start-stop group XXX-AAA

 

Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 65 C9300-48UXM 16.12.4 CAT9K_IOSXE INSTALL

line vty 0 4
access-class VTY in

============================================================================

The Palo Alto switch was a Cisco WS-C4510R+E (US location).

line vty 0 4
session-timeout 5
access-class VTY in

AAA commands are exactly the same for both switches.

Both look the same; is this a typo?

 

server name XXX-ISE01
server name XXX-ISE01

access-class VTY in - can you post more information?

Do you have a local user account? With what priv?

line vty 0 4 - we did not see the full config. How is your login configured?

BB

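The questions balaji.bandi raises across this thread (duplicate server names in the group, whether a privilege 15 local user exists, whether the login list ends in "local", and what the vty lines apply) are the checks a practitioner would want to run over a config before relying on TACACS fallback. The script below is an added example, not code from this thread or from Cisco; it reads a config text in the shape posted above and reports those findings. The two embedded configs are constructed for the example: the first mirrors the posted one, the second is a hypothetical corrected version with a placeholder username and hash.

```python
import re

# Constructed to mirror the configuration posted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ XXX-AAA
server name XXX-ISE01
server name XXX-ISE01
!
aaa authentication login default group XXX-AAA local
aaa authentication enable default group XXX-AAA enable
aaa authorization exec default group XXX-AAA none
!
line vty 0 4
access-class VTY in
!
"""

# Hypothetical corrected version: distinct servers, a priv-15 local user
# (placeholder name and hash), and the default list applied to the vty lines.
FIXED_CONFIG = """\
aaa new-model
username netadmin privilege 15 secret 9 PLACEHOLDER-HASH
aaa group server tacacs+ XXX-AAA
server name XXX-ISE01
server name XXX-ACS01
!
aaa authentication login default group XXX-AAA local
!
line vty 0 4
access-class VTY in
login authentication default
!
"""


def parse(config):
    """Split a config into top-level lines and (header, children) blocks.
    Blocks start at 'aaa group server ...' or 'line ...' and end at '!'."""
    top, blocks, current = [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
            continue
        if line.startswith(("aaa group server", "line ")):
            current = (line, [])
            blocks.append(current)
            continue
        if current is not None:
            current[1].append(line)
        else:
            top.append(line)
    return top, blocks


def check_config(config):
    """Return a list of human-readable findings; empty means nothing to flag."""
    top, blocks = parse(config)
    findings = []

    if "aaa new-model" not in top:
        findings.append("aaa new-model is absent: method lists are not in effect")

    # Duplicate server names inside a server group.
    for header, children in blocks:
        if header.startswith("aaa group server"):
            names = [c.split()[-1] for c in children if c.startswith("server name")]
            dups = sorted({n for n in names if names.count(n) > 1})
            if dups:
                findings.append(f"duplicate server in {header.split()[-1]}: {', '.join(dups)}")

    # The default login list must end with 'local' for fallback to exist at all.
    login = next((l for l in top if l.startswith("aaa authentication login default")), None)
    if login is None:
        findings.append("no 'aaa authentication login default' list")
    elif "local" not in login.split():
        findings.append("login default list has no 'local' fallback")

    # Fallback needs an account to match: look for a privilege 15 local user.
    users = [l for l in top if re.match(r"username\s+\S+", l)]
    if not any("privilege 15" in u for u in users):
        findings.append("no local user with privilege 15 (fallback would have nothing to match)")

    # vty lines: with aaa new-model the default list applies when no explicit
    # 'login authentication' is set; flag it so the operator knows which list is used.
    for header, children in blocks:
        if header.startswith("line vty"):
            if not any(c.startswith("login") for c in children):
                findings.append(f"{header}: no explicit 'login authentication'; "
                                "with aaa new-model the default list applies")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in check_config(cfg) or ["no findings"]:
            print(" -", f)
```

The script only reads text, so it can be run against "show run | section aaa|line vty|username" output copied off the device without touching the device itself. Whether the local account actually works is still something the thread's advice covers separately: verify a local login before relying on it, with a session already open so a mistake does not lock you out.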