cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

307
Views
0
Helpful
3
Replies
Beginner

C3560CX Switch running config not stable when configuring TACACS

I have an issue with configuring TACACS on a switch (3560).  Whilst I configure it on vty lines 0 to 4, the config only appears on line vty 0.  Here is a capture of what I configure and what happens in the running config.  What I configure does not match what is stored in the config (I added the bold green  to highlight the lines of key interest).    

 

Switch>enable

Password:

Switch#show run | include aaa

aaa new-model

aaa authentication login AUTHEN_via_TACACS group tacacs+ local

aaa authorization exec Author-Exec_via_TACACS group tacacs+ local

aaa session-id common

Switch#show run | begin vty

line vty 0 4

transport input telnet ssh

line vty 5 15

transport input none

!

!

!

pnp profile pnp_redirection_profile

transport http ipv4 127.0.0.1 port 80

end

 

>>>>>> What I configure.

Switch#config t

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)#line vty 0 4

Switch(config-line)#login authentication AUTHEN_via_TACACS

Switch(config-line)#^Z

Switch#

 

>>>>> TACACS appears to be active

Feb 20 01:56:46.569: %SYS-5-CONFIG_I: Configured from console by

!Comment

!Login from another terminal and TACACS login is active (but there is no TACACS

!server so it fails and default to local).

Feb 20 01:57:18.117: TPLUS: Queuing AAA Authentication request 119 for processing

Feb 20 01:57:18.121: TPLUS(00000077) login timer started 1020 sec timeout

Feb 20 01:57:18.121: TPLUS: processing authentication start request id 119

Feb 20 01:57:18.121: TPLUS: Authentication start packet created for 119()

Feb 20 01:57:18.121: TPLUS: Using server 192.168.1.250

Feb 20 01:57:18.121: TPLUS(00000077)/0/NB_WAIT/B8C1CA4: Started 5 sec timeout

Feb 20 01:57:21.119: TPLUS(00000077)/0/NB_WAIT: socket event 2

Feb 20 01:57:21.119: TPLUS(00000077)/0/NB_WAIT: write to 192.168.1.250 failed with errno 257((ENOTCONN))

Feb 20 01:57:21.119: TPLUS: Authentication start packet created for 119()

 

 

!Question

!I configured 'line vty 0 4' (see above), does anyone know why it ony

!configured vty 0  and not vty lines 1 to 4 as well?

 

>>> What the switch stores in running config.

Switch#show run | begin vty

line vty 0

login authentication AUTHEN_via_TACACS

transport input telnet ssh

line vty 1 4

transport input telnet ssh

line vty 5 15

transport input none

!

!

!

pnp profile pnp_redirection_profile

transport http ipv4 127.0.0.1 port 80

end

 

 

Switch#

 

Switch#show version

Cisco IOS Software, C3560CX Software (C3560CX-UNIVERSALK9-M), Version 15.2(4)E1, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2016 by Cisco Systems, Inc.

Compiled Thu 28-Jan-16 16:14 by prod_rel_team

 

 

ROM: Bootstrap program is C3560CX boot loader

BOOTLDR: C3560CX Boot Loader (C3560CX-HBOOT-M) Version 15.2(3r)E2, RELEASE SOFTWARE (fc2)

 

 

Switch uptime is 21 weeks, 6 days, 20 hours, 8 minutes

System returned to ROM by power-on

System restarted at 14:06:06 UTC Mon Sep 19 2016

System image file is "flash:/c3560cx-universalk9-mz.152-4.E1/c3560cx-universalk9-mz.152-4.E1.bin"

Last reload reason: power-on

 

 

 

I am having a number of problems with configuring TACACS on my switch (version and model included in session capture above). I have posted this question on the learning network, but have had no answers after several days.  Is anyone able to explain why only line vty 0 is configured and not vty 0 to 4?

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Beginner

Please try the following:

Please try the following:

Username cisco secret cisco

Enable secret cisco

aaa new-model

aaa authentication login network-access group tacacs+ local enable

aaa authentication enable default group tacacs+ enable       Comment (Do you prefer network-access, instead of default)

aaa authorization exec default group tacacs+ if-authenticated none

aaa authorization commands 15 default group tacacs+ local if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

line con 0

login authentication network-access

exit

line vty 0 15

login authentication network-access

exit

tacacs-server host IP_Address key SNMP_String

View solution in original post

3 REPLIES 3
Highlighted
Beginner

Please try the following:

Please try the following:

Username cisco secret cisco

Enable secret cisco

aaa new-model

aaa authentication login network-access group tacacs+ local enable

aaa authentication enable default group tacacs+ enable       Comment (Do you prefer network-access, instead of default)

aaa authorization exec default group tacacs+ if-authenticated none

aaa authorization commands 15 default group tacacs+ local if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

line con 0

login authentication network-access

exit

line vty 0 15

login authentication network-access

exit

tacacs-server host IP_Address key SNMP_String

View solution in original post

Beginner

Hi Ahakels,

Hi Ahakels,

                  I configured the switch as you suggested and it works.  The vty lines retain the authentication command as configured.   I am still pondering this and trying to understand why this method works and the original configuration didn't.  If the penny eventually drops I'll update this post.

Switch>enable
Password:
Switch#show run | include aaa
aaa new-model
aaa authentication login network-access group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
Switch#show run | include line con 0
line con 0
Switch#show run | begin line con 0
line con 0
login authentication network-access
line vty 0 4
login authentication network-access
transport input telnet ssh
line vty 5 15
login authentication network-access
transport input none
!
!
!
pnp profile pnp_redirection_profile
transport http ipv4 127.0.0.1 port 80
end

Switch#

Thank you for taking the time to reply.

UPDATE:

By reducing the working configuration, I as able to reproduce the issues of vty 0 reconfiguring itself.  It seems as if vty 0 has a dependency on the configuration of 'line con 0'.  The I have included the following configuration session to illustrate the dependency.


User Access Verification

Username: XXXXXXX
Password:

Switch>enable
Password:
Switch#show run | include aaa
aaa new-model
aaa authentication login network-access group tacacs+ local
aaa session-id common

!With console port configured, vty 0 behaves as expected.
Switch#show run | begin line con 0
line con 0
login authentication network-access
line vty 0 4
login authentication network-access
transport input telnet ssh
line vty 5 15
login authentication network-access
transport input none
!
!
!
pnp profile pnp_redirection_profile
transport http ipv4 127.0.0.1 port 80
end


!Remove configuration on consoel port and vty 0 reconfigures itself.
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#line con 0
Switch(config-line)#no login authentication network-access
Switch(config-line)#end
Switch#show run | begin line con 0
line con 0
line vty 0
transport input telnet ssh
line vty 1 4
login authentication network-access
transport input telnet ssh
line vty 5 15
login authentication network-access
transport input none
!
!
!
pnp profile pnp_redirection_profile
transport http ipv4 127.0.0.1 port 80
end


! Note that next time I logged in vty 0 had regrouped itself with vty 1 to 4.


Switch>enable
Password:
Switch#show run | begin line con 0
line con 0
login authentication network-access
line vty 0 4
login authentication network-access
transport input telnet ssh
line vty 5 15
login authentication network-access
transport input none
!
!

It is an observation, as to why it happens, I do not know.

Beginner

Also you can try changing the

Also you can try changing the privilege level of other lines to 15:

Here is the link to configuration guide :

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/15-0_2_se/configuration/guide/scg3560/swauthen.html?bookSearch=true

CreatePlease to create content
Content for Community-Ad