08-18-2011 06:06 AM - edited 03-07-2019 01:46 AM
Hi,
I've a stack of two 3750-G. We configured an enable password for console access, but when we connect to the slave switch, we're not asked for an enable password, whereas when we connect to the master switch, we need this password to access privileged mode.
Could you please give me a hand with this problem?
IOS Version is c3750-ipbasek9-mz.122-53.SE1.bin
Thanks
Chems
08-18-2011 06:21 AM
Hi,
You should only configure the master. Once the master is configured, it will sync the config to other members. The stack logically looks as one switch.
HTH
08-18-2011 07:54 AM
Hello Chems,
Can you try this and let us know what happens:
- Connect console to master switch, get to enable mode
- Enter
3750G#
3750G#disable
3750G>
- Now connect the console to a member switch
Please let me know if you are asked for a password once you type in 'enable' on the member switch.
Regards,
Kapil
08-18-2011 12:18 PM
Hi,
Did you really get console access to the slave stack switch?
I doubt that you can get console access to the slave stack switches, except the master switch console.
In case you do get it, it will show you as the master console, I believe... THOUGH I might be wrong, but I feel so.
When you console to the slave stack switch, what was the hostname and prompt?
Were those 2 really joined to the stack and NOT standalone now?
Can you please confirm.
Thanks.
08-22-2011 12:51 AM
Hi,
First of all, thank you for your answers.
As you can see below, the stack is built normally and there are no problems with it.
Even when I do a disable command, there is no need for the enable password when I connect to the slave switch console; it's really bizarre.
SW_442503_A_1>en
Password:
SW_442503_A_1#sh switch
Switch/Stack Mac Address : e804.62c4.a480
                                           H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
 1       Member ec44.7661.e680     1      0       Ready
*2       Master e804.62c4.a480     1      0       Ready
SW_442503_A_1#disable
SW_442503_A_1>
User Access Verification
Username:
Username: DPI3
Password:
SW_442503_A_1#sh switch
Switch/Stack Mac Address : e804.62c4.a480
                                           H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
 1       Member ec44.7661.e680     1      0       Ready
*2       Master e804.62c4.a480     1      0       Ready
SW_442503_A_1#exit
Thank you for your help
Regards
08-22-2011 02:53 AM
Hi,
When connecting to the slave console, the user is seen as a vty session, and as I use a privilege 15 credential, it's normal that no enable password is asked for.
But is it normal that a console session from the slave console is seen as a vty session?
Master session
Line User Host(s) Idle Location
* 0 con 0 DPI2 idle 00:00:00
1 vty 0 DSEM2 idle 00:01:44 127.0.0.3
Slave session
SW_442503_A_1#sh user
Line User Host(s) Idle Location
0 con 0 DPI2 idle 00:03:04
* 1 vty 0 DSEM2 idle 00:00:00 127.0.0.3
08-22-2011 06:10 AM
Hi,
According to http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCee92279
connecting to the console port on any slave switch in a stack and having it appear as if he/she is talking directly to the stack master is accomplished by using an internal telnet session. So the enable password is not asked for "privilege 15" credentials.
Is there any workaround for this problem?
Can I disable console ports on slave switches?
Thanks.
08-24-2011 06:05 AM
Can you provide us with the line con 0 and line vty configs along with the aaa configs?
08-24-2011 10:29 AM
Hi,
This is our config:
username toto privilege 15 secret *************
aaa new-model
aaa authentication login default group radius local-case
aaa authorization config-commands
aaa authorization exec default group radius local
aaa session-id common
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
Thanks
08-24-2011 10:44 AM
Hi,
This is an expected behavior. Please see the following defects which are closed, and not fixed.
CSCef19271 - Console authorization uses DEFAULT even though list is specified
CSCsw51727 - Slave 3750 uses incorrect aaa method over console.
If the user is connected to the console on a slave switch in the 3750 stack, the CLI session is redirected to the master switch using one of the 16 VTY lines. So the configuration on "line console 0" will work only if the user is connected to the console port of the master switch.
To ensure that console authorization works regardless of which console port the user is connected to, please apply the following configuration to all VTY lines in addition to line console 0. For example:
line vty 0 15
 authorization exec console
 login authentication console
Best regards,
Andras
02-22-2017 06:47 AM
Hello,
When I configured those commands above, I get an error.
AAA: Warning authorization list "console" is not defined for EXEC.
I have another group created but I get the same error when I replace "console" with my group name.
What AAA command am I missing?
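An added example, not part of the original thread: a small Python check over a saved running-config that flags line blocks referencing an AAA method list that is never defined globally (the condition the warning quoted above reports) and VTY lines whose login/exec method lists differ from `line con 0` (relevant because a stack member's console session lands on a VTY line of the master). The sample config is constructed from the lines posted in the thread, and the function name `audit` is an assumption of this example.

```python
import re

# Constructed sample: the AAA config posted in the thread plus the suggested
# line commands, with no named "console" method list defined.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local-case
aaa authorization exec default group radius local
line con 0
 authorization exec console
 login authentication console
line vty 0 4
 authorization exec console
 login authentication console
 transport input ssh
line vty 5 15
 transport input ssh
"""

DEFINE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) ")
USE = re.compile(r"^\s+(login authentication|authorization exec) (\S+)")

def audit(config):
    """Return (undefined_refs, vty_mismatches) for an IOS running-config."""
    defined = set()      # (kind, list name) pairs defined globally
    lines = {}           # "line con 0" -> {kind: list name}
    current = None
    for raw in config.splitlines():
        if m := DEFINE.match(raw):
            kind = "authentication" if "authentication" in m[1] else "authorization"
            defined.add((kind, m[2]))
        elif raw.startswith("line "):
            current = raw.strip()
            # IOS falls back to the "default" list when a line names none.
            lines[current] = {"authentication": "default", "authorization": "default"}
        elif current and (m := USE.match(raw)):
            kind = "authentication" if "authentication" in m[1] else "authorization"
            lines[current][kind] = m[2]
        elif raw and not raw.startswith(" "):
            current = None   # left the line block
    undefined = sorted((name, kind, lst) for name, kinds in lines.items()
                       for kind, lst in kinds.items()
                       if lst != "default" and (kind, lst) not in defined)
    console = lines.get("line con 0", {})
    mismatched = sorted(name for name, kinds in lines.items()
                        if name.startswith("line vty") and kinds != console)
    return undefined, mismatched
```
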