10-21-2018 07:34 PM - edited 03-01-2019 08:50 AM
Hello, we have a 385024TS on our network using ACS and ISE.
Edges authenticate through ISE and administrator users authenticate through ACS right now.
We attempted to access the 3850 from the CLI while the switch was connected to the network/AAA server.
At the console prompt at login we were greeted with "password".
Not "username" as we expected to see.
We disconnected and reloaded the switch so it should not be looking for the AAA server or the ISE server; however, we got the same request for "password".
Each time we entered our enable password or the secret password but no luck.
Since it's not asking for a user name we suspect it's asking for the local admin password configured on the switch.
Has anyone run into this issue before?
I have, but usually after disconnecting from the network I regain control and I am asked for username/password.
ej
10-21-2018 08:26 PM
Hi,
What is the aaa configuration of line console 0?
Thanks
John
10-22-2018 06:55 PM
The vty lines aren't added but have password configurations.
The console doesn't.
Line con 0
no access-class (std acl number) in
exec-timeout 9 0
privilege level 0
logging synchronous
login authentication default
!
10-24-2018 03:52 AM
Hi,
What is the aaa configuration? i.e.
aaa authentication login XXX
aaa authentication enable XXX
Thanks
John
10-24-2018 03:21 PM
We recently deployed dot1x on all our switches; however, this issue has occurred in the past on random switches.
It has affected 3750X's as well as 3850's.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group <ISE cfg>
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization network default group < ISE cfg>
aaa accounting update newinfo periodic <value>
aaa accounting dot1x default start-stop group <ISE cfg>
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common