Hello, we have a 385024TS on our network using ACS and ISE.
Edges authenticate through ISE and administrator users authenticate through ACS right now.
We attempted to access the 3850 from the CLI while the switch was connected to the network/AAA server.
At the console prompt at login we were greated with "password".
Not "username" as we expected to see.
We disconnected and reloaded the switch so it should not be looking for the AAA server or the ISE server; however, we got the same request for "password".
Each time we entered our enable password or the secret password but no luck.
Since it's not asking for a user name we suspect it's asking for the local admin password configured on the switch.
Has anyone run into this issue before?
I have but usually after disconnecting from the network I regain control and I am asked for username/password.
What is the aaa configuration of line console 0?
the vty lines aren't added but have password configurations.
the console doesn't
Line con 0
no access-class (std acl number) in
exec-timeout 9 0
privilege level 0
login authentication default
What is the aaa configuration? i.e.
aaa authentication login XXX
aaa authentication enable XXX
We recently deployed dot1x on all our switches; however, this issue has occurred in the past on random switches.
It has affected 3750X's as well as 3850's.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group <ISE cfg>
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization network default group < ISE cfg>
aaa accounting update newinfo periodic <value>
aaa accounting dot1x default start-stop group <ISE cfg>
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common