3750 Stack Console access Problem

cbouraoui
Level 1

Hi,

I have a stack of two 3750-G switches. We configured an enable password for console access, but when we connect to the slave switch, we are not asked for an enable password, while when we connect to the master switch, we need this password to access privileged mode.

Could you please give me a hand with this problem?

IOS Version is c3750-ipbasek9-mz.122-53.SE1.bin

Thanks

Chems

10 Replies

Reza Sharifi
Hall of Fame

Hi,

You should only configure the master.  Once the master is configured, it will sync the config to other members. The stack logically looks as one switch.

HTH

kapathak
Cisco Employee

Hello Chems,

Can you try this and let us know what happens:

- Connect console to master switch, get to enable mode

- Enter

    3750G#
    3750G#disable
    3750G>

- Now connect the console to a member switch

Please let me know if you are asked for a password once you type in 'enable' on the member switch.

Regards,

Kapil

Hi,

Did you really get console access to the slave stack switch?

I doubt that you can get console access to the slave stack switches, except through the master switch console.

In case you do get it, it will show you as the master console, I believe... though I might be wrong, but I feel so.

When you console to the slave stack switch, what was the hostname and prompt?

Have those 2 switches really joined the stack, and are they NOT standalone now?

Can you please confirm.

Thanks.

Hi,

First of all, thank you for your answers.

As you can see below, the stack is normally constructed, and there are no problems with it.

Even when I do a disable command, there is no need for the enable password when I connect to the slave switch console. It's really bizarre.

    SW_442503_A_1>en
    Password:
    SW_442503_A_1#sh switch
    Switch/Stack Mac Address : e804.62c4.a480
                                               H/W   Current
    Switch#  Role   Mac Address     Priority Version  State
    ----------------------------------------------------------
     1       Member ec44.7661.e680     1      0       Ready
    *2       Master e804.62c4.a480     1      0       Ready
    SW_442503_A_1#disable
    SW_442503_A_1>

    User Access Verification

    Username:
    Username: DPI3
    Password:
    SW_442503_A_1#sh switch
    Switch/Stack Mac Address : e804.62c4.a480
                                               H/W   Current
    Switch#  Role   Mac Address     Priority Version  State
    ----------------------------------------------------------
     1       Member ec44.7661.e680     1      0       Ready
    *2       Master e804.62c4.a480     1      0       Ready
    SW_442503_A_1#exit

Thank you for your help

Regards

Hi,

When connecting to the slave console, the user is seen as a vty session, and as I use a privilege 15 credential, it's normal that no enable password is asked.

But is it normal that the console session from the slave console is seen as a vty session?

Master session

        Line       User       Host(s)              Idle       Location
    *  0 con 0     DPI2       idle                 00:00:00
       1 vty 0     DSEM2      idle                 00:01:44 127.0.0.3

Slave session

    SW_442503_A_1#sh user
        Line       User       Host(s)              Idle       Location
       0 con 0     DPI2       idle                 00:03:04
    *  1 vty 0     DSEM2      idle                 00:00:00 127.0.0.3

Hi,

According to http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCee92279

connecting to the console port on any slave switch in a stack and having it appear as if he/she is talking directly to the stack master is accomplished by using an internal telnet session. So the enable password is not asked for "privilege 15" credentials.

Is there any workaround for this problem?

Can I disable console ports on slave switches?

Thanks.

Can you provide us with the line con 0 and line vty configs along with the aaa configs?

Hi,

This is our config:

    username toto privilege 15 secret *************
    aaa new-model
    aaa authentication login default group radius local-case
    aaa authorization config-commands
    aaa authorization exec default group radius local
    aaa session-id common
    line con 0
    line vty 0 4
     transport input ssh
    line vty 5 15
     transport input ssh

Thanks

andtoth
Level 4

Hi,

This is an expected behavior. Please see the following defects which are closed, and not fixed.

CSCef19271 - Console authorization uses DEFAULT even though list is specified

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCef19271

CSCsw51727 - Slave 3750 uses incorrect aaa method over console.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw51727

If the user is connected to the console on a slave switch in the 3750 stack, the CLI session is redirected to the master switch using one of the 16 VTY lines. So the configuration on "line console 0" will work only if the user is connected to the console port of the master switch.

To ensure that console authorization works regardless of which console port the user is connected to, please apply the following configuration to all VTY lines in addition to line console 0. For example:

    line vty 0 15
     authorization exec console
     login authentication console

Best regards,

Andras

Hello,

When I configured those commands above I get an error.

AAA: Warning authorization list "console" is not defined for EXEC.

I have another group created but I get the same error when I replace "console" with my group name.

What AAA command am I missing?
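
An added example, not part of any post in this thread and not Cisco code: a Python check over saved configuration text that reports AAA method lists referenced on a line but never defined by an aaa statement (the warning quoted in the last post) and VTY lines whose lists differ from line con 0 (the member-console redirection Andras describes). The sample configuration and the parse/audit helper names are constructed for illustration.

```python
import re

# Constructed sample modelled on the thread: the VTY lines name a list
# "console" that no aaa statement defines, and line con 0 uses the defaults.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local-case
aaa authorization exec default group radius local
line con 0
line vty 0 4
 authorization exec console
 login authentication console
line vty 5 15
 transport input ssh
"""

def parse(config):
    """Return (defined AAA list names, per-line list references)."""
    defined = {"login": set(), "exec": set()}
    lines, current = {}, None
    for text in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"aaa authentication login (\S+) ", text):
            defined["login"].add(m.group(1))
        elif m := re.match(r"aaa authorization exec (\S+) ", text):
            defined["exec"].add(m.group(1))
        elif re.match(r"line (con|vty) \d", text):
            # A line with no explicit list uses the list named "default".
            current = lines.setdefault(text, {"login": "default", "exec": "default"})
        elif current is not None:
            if m := re.match(r"login authentication (\S+)", text):
                current["login"] = m.group(1)
            elif m := re.match(r"authorization exec (\S+)", text):
                current["exec"] = m.group(1)
    return defined, lines

def audit(config):
    """List (line, problem) pairs: undefined lists and VTY/console mismatches."""
    defined, lines = parse(config)
    findings = []
    for name, cfg in lines.items():
        for kind in ("login", "exec"):
            if cfg[kind] != "default" and cfg[kind] not in defined[kind]:
                findings.append((name, f"{kind} list '{cfg[kind]}' is not defined"))
    console = lines.get("line con 0")
    for name, cfg in lines.items():
        if console and name.startswith("line vty") and cfg != console:
            findings.append((name, "AAA lists differ from line con 0"))
    return findings

if __name__ == "__main__":
    for line, problem in audit(SAMPLE_CONFIG):
        print(f"{line}: {problem}")
```

The findings clear once the named list is defined for both login authentication and exec authorization and is applied to line con 0 and to every VTY line.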
