12-07-2018 09:22 PM - edited 03-08-2019 04:46 PM
After configuring aaa and tacacs configurations on a switch, it now asks for a username and password even if I did not configure a username and password. Please see aaa configurations below.
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization exec console none
aaa authorization commands 15 default group tacacs+ local
Please advise if anyone has encountered this scenario before and how it was resolved. Is this normal behavior?
I'm thinking of just doing a password recovery.
12-07-2018 10:03 PM
Yes, this is the normal and expected behavior. The explanation is slightly different in detail depending on whether you are attempting access via telnet/ssh or via console.
If you are attempting access via telnet/ssh then this command comes into play:
aaa authentication login default group tacacs+ local
It specifies that if someone attempts access using telnet or ssh the default authentication is to use the tacacs server, and if the server is not available then to use a locally configured user id and password. In either case the result is to prompt for a user id and a password.
If you are attempting access via console then this command comes into play:
aaa authentication login console local
It specifies that if someone attempts access using console to authenticate using a locally configured user id and password.
So in either case the result is to prompt for a user id and password.
If you were to change either of the commands and, instead of specifying local, would specify line, then the result would be to authenticate with the configured line passwords and not prompt for a user id. (Note that for access via telnet/ssh the primary method is still to use tacacs and it will prompt for user id and password. The only time that telnet and ssh would use the line password is if the tacacs server is not available.)
HTH
Rick
12-08-2018 08:49 AM
If your TACACS/RADIUS is not ready with a username and password yet, remove this device from the TACACS/RADIUS device list so you can access it with local accounts.
When you are ready with TACACS/RADIUS, then enable the authentication back so you can have a role-based access system in place (it all depends on the requirement).
For now you do not require password recovery; this is normal. Follow the above steps and you are back with local username and password access.
12-14-2018 05:13 PM
12-14-2018 11:13 PM
Can you post your device full configuration
12-15-2018 06:31 AM
The original poster asks how to bypass the prompt for username and password when using the console. I tried to address that in my previous response, but apparently was not clear enough. So let me try again. The current configuration specifies to use local authentication on the console:
aaa authentication login console local
Local authentication will prompt for a user name and password, and if there is not a configured user name and password then authentication on the console will fail. To bypass this, change the configuration to
aaa authentication login console line
and it will use the configured line password and not prompt for a user name.
HTH
Rick
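Putting Rick's explanation together, as an added illustration that is not part of this thread or of Cisco's documentation: the poster's AAA lines in an ordering that avoids locking yourself out, with the local account created before AAA is turned on and the named "console" list actually bound to the console line. IOS-style syntax is assumed; the server address, shared key and username are placeholders.

```cisco
! Added example, not from the thread. Placeholders: 192.0.2.10, <SHARED-KEY>, <STRONG-PASSWORD>.

! 1. Create the local fallback account and enable secret BEFORE enabling AAA,
!    so the "local" method has an account to check against.
username admin privilege 15 secret <STRONG-PASSWORD>
enable secret <ENABLE-SECRET>

! 2. Define the TACACS+ server the "group tacacs+" method will contact.
tacacs server TACACS-1
 address ipv4 192.0.2.10
 key <SHARED-KEY>

! 3. The thread's method lists. VTY: TACACS+ first, local only if no server answers.
aaa new-model
aaa authentication login default group tacacs+ local
! Console: "local" prompts for a username; with no local user this can never succeed.
! Rick's alternative, "aaa authentication login console line", uses the line password
! and does not prompt for a username.
aaa authentication login console local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization exec console none
aaa authorization commands 15 default group tacacs+ local

! 4. Bind the named "console" list to the console line. Without this line the console
!    silently uses the "default" list (TACACS+ then local) instead.
line console 0
 login authentication console
 exec-timeout 10 0
line vty 0 15
 transport input ssh

! 5. Verify from a second session before closing the one you configured from:
!    "show run | section aaa|username|line con" confirms the user and the binding,
!    and a fresh SSH login confirms the local fallback works when TACACS+ is unreachable.
```

Keep the original session open until a new console and SSH login both succeed; if they do not, the still-open session lets you back the change out without password recovery.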
12-23-2018 10:47 PM
12-24-2018 07:04 AM
Here are some options that you can try to use to resolve your issue. I would try them in this order:
1) If you cannot log in using console, can you successfully log in using telnet? If so then telnet to the switch and change the configuration.
2) If configuration changes were made but were not saved to startup, then power cycling the switch may return it to a state where you can log in and make the changes that you need.
3) If neither of these works for you then the last alternative is to perform password recovery for your switch. That will bypass the current configuration, allow you to log in to the switch, and then to restore the config and make appropriate changes. The details of how to perform password recovery vary depending on which switch you have.
HTH
Rick
12-26-2018 05:02 PM
1) If you cannot log in using console, can you successfully log in using telnet? If so then telnet to the switch and change the configuration.
-I can't log in to the switch using telnet either.
2) If configuration changes were made but were not saved to startup, then power cycling the switch may return it to a state where you can log in and make the changes that you need.
-Configuration was already saved.
3) If neither of these works for you then the last alternative is to perform password recovery for your switch. That will bypass the current configuration, allow you to log in to the switch, and then to restore the config and make appropriate changes. The details of how to perform password recovery vary depending on which switch you have.
-This would probably be the best option that I have.
Thanks so much for all your help!