Unable to telnet Aironet 1131AG

steve.prescott
Level 1

I have the same problem on a number of Access Points....

aaa authentication login TELNET group tacacs+ line
line vty 0 4
 access-class 12 in
 exec-timeout 4 0
 password 7 03065A091F0D205F5D051C11
 login authentication TELNET

When the TACACS server is reachable all is fine, and I can log in by entering a username/password in TACACS.

However, when the TACACS server is not reachable, it should enable me to log in using the line password.

This does not work...

User Access Verification
Password:
% Authorization failed.

The exact same config works fine on all my switches and routers.

DEBUG TACACS AUTHENTICATION and DEBUG TELNET shows...

000041: Aug 11 13:36:12: Telnet1: 1 1 251 1
000042: Aug 11 13:36:12: TCP1: Telnet sent WILL ECHO (1)
000043: Aug 11 13:36:12: Telnet1: 2 2 251 3
000044: Aug 11 13:36:12: TCP1: Telnet sent WILL SUPPRESS-GA (3)
000045: Aug 11 13:36:12: Telnet1: 80000 80000 253 24
000046: Aug 11 13:36:12: TCP1: Telnet sent DO TTY-TYPE (24)
000047: Aug 11 13:36:12: Telnet1: 10000000 10000000 253 31
000048: Aug 11 13:36:12: TCP1: Telnet sent DO WINDOW-SIZE (31)
000049: Aug 11 13:36:12: TPLUS: Queuing AAA Authentication request 8 for processing
000050: Aug 11 13:36:12: TPLUS: processing authentication start request id 8
000051: Aug 11 13:36:12: TPLUS: Authentication start packet created for 8()
000052: Aug 11 13:36:12: TPLUS: Using server 192.168.100.30
000053: Aug 11 13:36:12: TPLUS(00000008)/0/NB_WAIT/1191F4C: Started 5 sec timeout
000054: Aug 11 13:36:17: TPLUS(00000008)/0/NB_WAIT/1191F4C: timed out
000055: Aug 11 13:36:17: TPLUS(00000008)/0/NB_WAIT/1191F4C: timed out, clean up
000056: Aug 11 13:36:17: TPLUS(00000008)/0/1191F4C: Processing the reply packet
000057: Aug 11 13:36:17: TCP1: Telnet received WILL TTY-TYPE (24)
000058: Aug 11 13:36:17: Telnet1: Sent SB 24 1
000059: Aug 11 13:36:17: TCP1: Telnet received WILL SUPPRESS-GA (3)
000060: Aug 11 13:36:17: TCP1: Telnet sent DO SUPPRESS-GA (3)
000061: Aug 11 13:36:17: TCP1: Telnet received DO SUPPRESS-GA (3)
000062: Aug 11 13:36:17: TCP1: Telnet received WILL TTY-LOCATION (23) (refused)
000063: Aug 11 13:36:17: TCP1: Telnet sent DONT TTY-LOCATION (23)
000064: Aug 11 13:36:17: TCP1: Telnet received WILL WINDOW-SIZE (31)
000065: Aug 11 13:36:17: TCP1: Telnet received DO ECHO (1)
000066: Aug 11 13:36:17: Telnet1: recv SB NAWS 132 48
000067: Aug 11 13:36:17: Telnet1: recv SB 24 0 VT500
000068: Aug 11 13:36:17: TCP1: Telnet received WONT TTY-LOCATION (23)

Any ideas?
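The debug above shows the TACACS+ request to 192.168.100.30 timing out before the Password: prompt appeared, which is exactly the point at which a `group tacacs+ line` method list should fall through to the line password. As an added example (not part of the original post), this Python script parses the TPLUS lines quoted above and summarises, per AAA request, which server was tried, whether it timed out and how long that took; the sample lines are copied from the post and the field names in the summary dict are my own.

```python
import re
from datetime import datetime

# Constructed sample input: TPLUS lines quoted from the post above.
DEBUG_LINES = """\
000049: Aug 11 13:36:12: TPLUS: Queuing AAA Authentication request 8 for processing
000052: Aug 11 13:36:12: TPLUS: Using server 192.168.100.30
000053: Aug 11 13:36:12: TPLUS(00000008)/0/NB_WAIT/1191F4C: Started 5 sec timeout
000054: Aug 11 13:36:17: TPLUS(00000008)/0/NB_WAIT/1191F4C: timed out
000055: Aug 11 13:36:17: TPLUS(00000008)/0/NB_WAIT/1191F4C: timed out, clean up
000056: Aug 11 13:36:17: TPLUS(00000008)/0/1191F4C: Processing the reply packet
""".splitlines()

LINE_RE = re.compile(r"^\d+: (\w{3} +\d+ \d\d:\d\d:\d\d): (.*)$")   # seq: stamp: msg
QUEUE_RE = re.compile(r"^TPLUS: Queuing AAA (\w+) request (\d+)")
SERVER_RE = re.compile(r"^TPLUS: Using server (\S+)")
# Per-request state lines carry the zero-padded id inside TPLUS(...); only the bare
# "timed out" (not "timed out, clean up") marks the moment the server is given up on.
STATE_RE = re.compile(
    r"^TPLUS\((\d+)\)/\d+/\w+/\w+: (?:Started (\d+) sec timeout|(timed out))$")

def parse_tplus(lines):
    """Summarise each AAA request seen in 'debug tacacs authentication' output."""
    requests, current = {}, None
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue
        stamp = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # IOS stamps lack a year
        msg = m.group(2)
        if q := QUEUE_RE.match(msg):
            current = int(q.group(2))
            requests[current] = {"type": q.group(1), "server": None, "timeout_sec": None,
                                 "started": None, "result": "pending", "elapsed_sec": None}
        elif (s := SERVER_RE.match(msg)) and current in requests:
            requests[current]["server"] = s.group(1)
        elif (st := STATE_RE.match(msg)) and int(st.group(1)) in requests:
            entry = requests[int(st.group(1))]
            if st.group(2):
                entry["timeout_sec"], entry["started"] = int(st.group(2)), stamp
            else:
                entry["result"] = "timed out"
                if entry["started"]:
                    entry["elapsed_sec"] = int((stamp - entry["started"]).total_seconds())
    return requests

def unreachable_servers(requests):
    """Servers that timed out; IOS then moves to the next method in the list (here 'line')."""
    return sorted({r["server"] for r in requests.values()
                   if r["result"] == "timed out" and r["server"]})
```

Run against a longer debug capture, a non-empty result from unreachable_servers() is the cue to check what the next method in the list actually did, since on the AP in this thread the fallback ended in "% Authorization failed." rather than a line-password login.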

6 Replies

Rollin Kibbe
Cisco Employee

Hi Scott:

Nice job on including your debugs! (We might end up needing more config, though.) The line

000062: Aug 11 13:36:17: TCP1: Telnet received WILL TTY-LOCATION (23) (refused)

is probably where the trouble's coming in. "Access-class 12 in" is pretty scary since we can't see what access-list 12 looks like. Does it work without that?

The other thing is perhaps TTY lines are used up or not releasing as expected.  What's the output of "show line" look like?

Depending on the outcome of these, you might end up opening a TAC service request to see if this is a bug or what.

Sincerely,

Rollin Kibbe

Network Management Systems Team

Hi Rollin,

Thanks for the response.

Access-list 12 simply permits the subnet I am telnetting from. I know this is OK, otherwise it wouldn't work when TACACS is available.

I get the same problem even if I remove the access-class 12 in from the vty line.

#sh line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
     0 CTY              -    -      -    -    -      0       0     0/0       -
*    1 VTY              -    -      -    -   12     10       0     0/0       -
     2 VTY              -    -      -    -   12      0       0     0/0       -
     3 VTY              -    -      -    -   12      0       0     0/0       -
     4 VTY              -    -      -    -   12      0       0     0/0       -
     5 VTY              -    -      -    -   12      0       0     0/0       -

Interestingly though, if I change it to SSH I can connect. It appears to be a problem with TELNET access, although an identical config works on all my switches and routers - it appears to be a problem with the Access Points.

Steve

APs come with a default username and password on them, it may be trying to use that. If you are going to use the line and enable secret password, delete the default username and password in the config.

Already deleted Glen. In any case, it doesn't prompt for Username when TACACS is unavailable.

Steve

Rollin Kibbe
Cisco Employee

Hi Steve:

Then it's probably time to get it into TAC and get a service request opened on it.  Someone can recreate this in the lab and determine whether this is a bug.

Sincerely,

Rollin Kibbe

Network Management Systems Team

Ok thanks for your help Rollin.

I'll raise a TAC case.
