
Authentication failed after boot for 2 or 3 minutes

ppflaum12
Level 1

Anyone know why there is an %Authentication failed message that pops up for a couple minutes after reboot? Is there any way to get this to stop so you can login immediately after boot? It only seems to happen in newer IOS versions; anything older than a couple years does not get the message.

Thanks

-Patrick

10 Replies

Peter Paluch
Cisco Employee

Patrick,

Please provide more information about your issue - you surely understand that there is no reliable technical information in your current query to base an answer on.

  • What is the device and the IOS version?
  • What kind of authentication is used? TACACS+ or RADIUS?
  • How soon is the routing information available on the device and how is it obtained? How soon is it possible to contact the AAA server, obviously located in a different network?

Best regards,

Peter

we are using tacacs ... on a L2 switch. Management is on vlan 1


here is the HW/SW version

switch uptime is 2 years, 5 weeks, 1 day, 8 hours, 40 minutes
System returned to ROM by power-on
System restarted at 07:26:12 CDT Thu Sep 25 2008
System image file is "flash:c2960-lanbasek9-mz.122-44.SE2.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C2960G-48TC-L (PowerPC405) processor (revision A0) with 0K/4088K bytes of memory.
Processor board ID FOC1047X2QR
Last reset from power-on
1 Virtual Ethernet interface
48 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:1A:6C:4A:72:80
Motherboard assembly number     : 73-10300-06
Power supply part number        : 341-0098-02
Motherboard serial number       : FOC104708Z8
Power supply serial number      : AZS1044039H
Model revision number           : A0
Motherboard revision number     : B0
Model number                    : WS-C2960G-48TC-L
System serial number            : FOC1047X2QR
Top Assembly Part Number        : 800-27071-01
Top Assembly Revision Number    : C0
Version ID                      : V01
CLEI Code Number                : COM4A10BRA
Hardware Board Revision Number  : 0x01

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 48    WS-C2960G-48TC-L   12.2(44)SE2           C2960-LANBASEK9-M

Configuration register is 0xF

switch#

Here is the aaa config

aaa new-model
!
!
aaa group server tacacs+ name
 server x.x.x.x1
 server x.x.x.x2
!
aaa authentication login default group name local
aaa authentication enable default group name group name enable
aaa accounting exec default start-stop group name
aaa accounting commands 0 default start-stop group name
aaa accounting commands 1 default start-stop group name
aaa accounting commands 15 default start-stop group name
aaa accounting connection default start-stop group name
aaa accounting system default start-stop group name
!
!

this can be duplicated on a 4510, 3750 etc ... or even if it is not connected to the network we see the issue ... that we cannot log in for 2-3 minutes.

Patrick,

Thank you for your response. I am thinking of the transient connectivity issues that happen after the device ends booting up and the STP is not yet converged, the routing tables are not yet populated, etc. - these are the most probable causes.

Have you tried decreasing the timeout for the TACACS+ server so that the device does not try to connect for an overly long period of time? Try using the command

tacacs-server timeout 3

Also, are you using hostnames instead of IP addresses in your configuration? The DNS lookup may take quite a long time. You may also want to shorten it:

ip domain timeout 5

Best regards,

Peter
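An added example, not part of the original thread or any Cisco tooling: a small Python audit that reads the login method lists from a configuration like the one posted above and reports, per list, how long one login attempt can wait on unresponsive TACACS+ servers (servers in the group times the global timeout) and which method it falls back to. The sample configuration, group name and addresses are constructed; it assumes the IOS default of 5 seconds when no `tacacs-server timeout` is set and ignores per-server overrides and the built-in `tacacs+`/`radius` groups.

```python
import re

DEFAULT_TACACS_TIMEOUT = 5  # seconds; assumed IOS default when not configured

# Constructed sample modelled on the posted config; names/addresses are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ MGMT
 server 192.0.2.1
 server 192.0.2.2
!
aaa authentication login default group MGMT local
aaa authentication login VTY group MGMT
tacacs-server timeout 3
"""

def parse_groups(config):
    """Map each named TACACS+ server group to the servers listed under it."""
    groups, current = {}, None
    for line in config.splitlines():
        head = re.match(r"aaa group server tacacs\+ (\S+)", line)
        member = re.match(r"\s*server (\S+)", line)
        if head:
            current = groups.setdefault(head.group(1), [])
        elif member and current is not None:
            current.append(member.group(1))
        else:
            current = None  # any other line closes the group stanza
    return groups

def tacacs_timeout(config):
    m = re.search(r"^tacacs-server timeout (\d+)", config, re.M)
    return int(m.group(1)) if m else DEFAULT_TACACS_TIMEOUT

def audit_login_lists(config):
    """Per login list: worst-case wait on dead servers and the fallback method."""
    groups, timeout, report = parse_groups(config), tacacs_timeout(config), []
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        methods, wait, fallback, i = m.group(2).split(), 0, None, 0
        while i < len(methods):
            if methods[i] == "group" and i + 1 < len(methods):
                wait += len(groups.get(methods[i + 1], [])) * timeout
                i += 2
            else:
                fallback = methods[i]  # first non-group method, e.g. "local"
                break
        report.append({"list": m.group(1), "worst_case_wait_s": wait,
                       "fallback": fallback})
    return report
```

A list whose `fallback` is `None` has no local method to fall back to, so logins on it fail outright while the servers are unreachable.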

thanks for the info ... can you clarify why this happens? i.e. if I have the device configured for tacacs auth and boot it without connecting it to the network ... why do I have to wait to log into it?

Patrick,

To be completely honest, I don't know for sure what is happening or whether my suggestions will help for sure. I will get to the lab on Tuesday at the earliest, I can give it a try then. Unfortunately, till then, I am just trying to deduce some logical reason. I haven't encountered a similar behavior yet but I've got to give it a try.

Best regards,

Peter

Leo Laohoo
Hall of Fame

Anyone know why there is an %Authentication failed message that pops up for a couple minutes after reboot?

Hi Patrick,

This is normal.  I have about 500 switches in my network and every time the appliance reboots, I have to wait for approximately 3 minutes for AAA to kick in.  Otherwise, I'm greeted with this:

Password:
Password authentication failed.
Please verify that the username and password are correct.
Password:

Thanks I appreciate the response ... now to find out why this is normal and if it can be turned off.

Leo,

Thanks. This issue is obviously above my comprehension

Best regards,

Peter

This issue is obviously above my comprehension

Hi Peter,

That'll be a first! 
