Re: Can't Access 3650 Web Panel (but works on CLI) - Page 2

BashedRoot · ‎04-05-2017

Strange issue here. I have 2 x 3650 switches both running Version 3.76. Web interface shows fine, but cannot log into switch #1.

I've had no issues accessing the panels via web on both switches, saved my passwords locally in Roboform too. Suddenly, my login is not working for switch #1, but works fine on switch #2. I'm baffled.

How do I correct this?

I checked the user/pw in show run

enable secret 5 ********
enable password ********

BashedRoot · ‎10-17-2017

Reload? No, it's a production switch with many active VLANs.

BashedRoot · ‎10-17-2017

I did this now, but it goes directly to enable mode instead of authenticating first through an admin user. How do I fix that portion?

Cisco3650#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Cisco3650(config)#enable secret TLNsxxxxxxxxxxx                          
Cisco3650(config)#service password-encryption                           
Cisco3650(config)#
Cisco3650(config)#end
Cisco3650#show run
Building configuration...

Current configuration : 26076 bytes
!
! Last configuration change at 13:25:07 EST Tue Oct 17 2017 by myusername
!
version 16.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
no service password-recovery 
no platform punt-keepalive disable-kernel-core
!
hostname Cisco3650
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$xxxxxxxxxxxxxxxxxxxxxx
!

Georg Pauwen · ‎10-17-2017

Hello,

try local AAA:

1. enable

2. configure terminal

3. aaa new-model

4. aaa authentication login default local

5. aaa authorization exec local

6. aaa authorization network local

7. username name [privilege level] {password encryption-type password}

8. end

BashedRoot · ‎10-17-2017

Cisco3650#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Cisco3650(config)#aaa new-model
Cisco3650(config)#aaa authentication login default local
Cisco3650(config)#aaa authorization exec local
% Incomplete command.

Cisco3650(config)#aaa authorization network local
% Incomplete command.

Switch #1 show run shows:
username myusername privilege 15 secret 5 $1$Cbkx$xxxxxxxxxxxx

Switch #2 show run shows:
username myusername password 0 rD&xxxxxxxxxxxx

By the way, now I get this when attempting to log into switch #1...

Cisco3650>
Cisco3650>en
% Error in authentication.

Georg Pauwen · ‎10-17-2017

Hello,

what are your options when you get the incomplete command ?

Which XE version are you running anyway ? Post the output of 'show version'...

BashedRoot · ‎10-17-2017

There are no options when I get incomplete, just carriage return to prompt.

Cisco3650#show version
Cisco IOS Software [Denali], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.3.1a, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Thu 29-Sep-16 22:08 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2016 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 3.76, RELEASE SOFTWARE (P)

Cisco3650 uptime is 1 year, 4 days, 19 hours, 11 minutes
Uptime for this control processor is 1 year, 4 days, 19 hours, 13 minutes
System returned to ROM by reload at 18:48:20 EST Wed Oct 12 2016
System image file is "flash:packages.conf"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Technology Package License Information:

-----------------------------------------------------------------
Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
ipbasek9 Permanent ipbasek9

cisco WS-C3650-24TS (MIPS) processor (revision N0) with 866081K/6147K bytes of memory.
Processor board ID xxxxxxx
28 Virtual Ethernet interfaces
28 Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
252000K bytes of Crash Files at crashinfo:.
1611414K bytes of Flash at flash:.
0K bytes of at webui:.
0K bytes of Dummy USB Flash at usbflash0:.

Base Ethernet MAC Address :
Motherboard Assembly Number :
Motherboard Serial Number :
Model Revision Number : N0
Motherboard Revision Number : A0
Model Number : WS-C3650-24TS
System Serial Number :

Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 28 WS-C3650-24TS 16.3.1 CAT3K_CAA-UNIVERSALK9 INSTALL

Configuration register is 0x102

Georg Pauwen · ‎10-17-2017

Hello,

at this point, since it is a production switch, I would not configure anything else, otherwise you run the chance of locking yourself out.

Either post the full config of the switch (if you pull it from 'show tech' it will blank out all sensitive information), or compare the configuration with the 'working' switch...

BashedRoot · ‎10-17-2017

How about this? I removed some VLAN info to simplify...

Cisco3650#show run
Building configuration...

Current configuration : 26066 bytes
!
! Last configuration change at 13:57:30 EST Tue Oct 17 2017 by myusername
!
version 16.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
no service password-recovery 
no platform punt-keepalive disable-kernel-core
!
hostname Cisco3650
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
facility-alarm critical exceed-action shutdown
switch 1 provision ws-c3650-24ts
!
!
!
!
ip routing
!
!
!         
ip name-server xxx.xxx.xxx.62 xxx.xxx.xxx.61

ip domain name company.com
!
!
!
!
!
!
!
!
vtp mode transparent
!
!
crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
 enrollment selfsigned
 serial-number
 revocation-check none
 rsakeypair HTTPS_SS_CERT_KEYPAIR
!
!
crypto pki certificate chain HTTPS_SS_CERT_KEYPAIR
 certificate self-signed 01
        quit


errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause vmps
errdisable recovery cause loopback
errdisable recovery interval 120
license boot level ipbasek9
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
username myusername privilege 15 secret 5 $1$xxxxxxxx
!
redundancy
 mode sso
!
hw-switch switch 1 logging onboard message
!
vlan 2155 
!
!
class-map match-any system-cpp-police-topology-control
  description Topology control
class-map match-any system-cpp-police-sw-forward
  description Sw forwarding, SGT Cache Full, LOGGING
class-map match-any system-cpp-default
  description DHCP snooping, show forward and rest of traffic
class-map match-any system-cpp-police-sys-data
  description Learning cache ovfl, Crypto Control, Exception, EGR Exception, NFL SAMPLED DATA, Gold Pkt, RPF Failed
class-map match-any system-cpp-police-punt-webauth
  description Punt Webauth
class-map match-any system-cpp-police-forus
  description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
  description MCAST END STATION
class-map match-any system-cpp-police-multicast
  description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
  description L2 control
class-map match-any system-cpp-police-dot1x-auth
  description DOT1X Auth
class-map match-any system-cpp-police-data
  description ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-control-low-priority
  description ICMP redirect and general punt
class-map match-any system-cpp-police-wireless-priority1
  description Wireless priority 1
class-map match-any system-cpp-police-wireless-priority2
  description Wireless priority 2
class-map match-any system-cpp-police-wireless-priority3-4-5
  description Wireless priority 3,4 and 5
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
  description Routing control
class-map match-any system-cpp-police-protocol-snooping
  description Protocol snooping
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
policy-map system-cpp-policy
 class system-cpp-police-data
  police rate 200 pps
 class system-cpp-police-sys-data
  police rate 100 pps
 class system-cpp-police-sw-forward
  police rate 1000 pps
 class system-cpp-police-multicast
  police rate 500 pps
 class system-cpp-police-multicast-end-station
  police rate 2000 pps
 class system-cpp-police-punt-webauth
 class system-cpp-police-l2-control
 class system-cpp-police-routing-control
  police rate 1800 pps
 class system-cpp-police-control-low-priority
 class system-cpp-police-wireless-priority1
 class system-cpp-police-wireless-priority2
 class system-cpp-police-wireless-priority3-4-5
 class system-cpp-police-topology-control
 class system-cpp-police-dot1x-auth
 class system-cpp-police-protocol-snooping
 class system-cpp-police-forus
 class system-cpp-default
policy-map speed25
 class class-default
  police cir percent 25 conform-action transmit  exceed-action drop 
!
! 
!
!
!
!
!
!
!
!
!
!
!
!         
interface Port-channel1
 switchport access vlan 950
 switchport trunk allowed vlan 1,3,5,8,17-19,39,43,50,51,70,74,76,78,84,95
 switchport trunk allowed vlan add 97-99,101-103,108,110,112,119,500,600,611
 switchport trunk allowed vlan add 950
 switchport mode trunk
!
interface Port-channel2
 switchport mode trunk
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet1/0/1
 description NAS
 switchport access vlan 911
 switchport trunk allowed vlan 2,4,7,14,15,69,77,79,80,93-96,100,108,109,111
 switchport trunk allowed vlan add 113-117,120-122,950,2155
 switchport mode access
 speed 100
!
interface GigabitEthernet1/0/2
 description Server 30
 switchport access vlan 30
 switchport mode access
 speed 100
!
interface GigabitEthernet1/0/3
 description Server 25
 switchport access vlan 25
 switchport mode access
 speed 100
!
interface GigabitEthernet1/0/4
 description Server 95
 switchport access vlan 95
 switchport trunk allowed vlan 3,5,8,17-19,39,43,50,51,70,74,76,78,84,97-99
 switchport trunk allowed vlan add 101-103,108,110,112,119,500,600,611,612,950
 switchport mode access
!
interface GigabitEthernet1/0/5
 description Server 98
 switchport access vlan 98
 switchport trunk allowed vlan 3,5,8,17-19,39,43,50,51,70,74,76,78,84,97-99
 switchport trunk allowed vlan add 101-103,108,110,112,119,500,600,611,950
 switchport mode access
!
interface GigabitEthernet1/0/6
 description Server 3
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
 description Server 111
 switchport access vlan 111
 switchport mode access
 speed 100
 spanning-tree portfast
!
interface GigabitEthernet1/0/8
 description Server 113
 switchport access vlan 113
 switchport trunk allowed vlan 3,5,8,17-19,39,43,50,51,70,74,76,78,84,97-99
 switchport trunk allowed vlan add 101-103,108,110,112,119,500,600,611,950
 switchport mode access
!
interface GigabitEthernet1/0/9
 description Server 93
 switchport access vlan 93
 switchport mode access
!
interface GigabitEthernet1/0/10
 description Server 7
 switchport access vlan 7
 switchport mode access
 spanning-tree portfast
 service-policy output speed25
!
interface GigabitEthernet1/0/11
 description company
 switchport access vlan 21
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 description Server 22
 switchport access vlan 22
 switchport mode access
 speed 100
!
interface GigabitEthernet1/0/13
 description Server 2
 switchport access vlan 2
 switchport mode access
 service-policy output speed25
!
interface GigabitEthernet1/0/14
 description Server 12
 switchport access vlan 12
 switchport trunk allowed vlan 1,3,5,8,17-19,39,43,50,51,70,74,76,78,84,95
 switchport trunk allowed vlan add 97-99,101-103,108,110,112,116,119,500,600
 switchport trunk allowed vlan add 611,950
 switchport mode access
 speed 100
!
interface GigabitEthernet1/0/15
 description Server 29
 switchport access vlan 29
 switchport mode access
!
interface GigabitEthernet1/0/16
 description Server 13
 switchport access vlan 13
 switchport mode access
 speed 100
!
interface GigabitEthernet1/0/17
 description Server 23
 switchport access vlan 23
 switchport mode access
 speed 100
!
interface GigabitEthernet1/0/18
 description Server 24
 switchport access vlan 24
 switchport mode access
 speed 100
!
interface GigabitEthernet1/0/19
 description IPMI
 switchport access vlan 612
 switchport trunk allowed vlan 3,5,8,17-19,39,43,50,51,70,74,76,78,84,97-99
 switchport trunk allowed vlan add 101-103,108,110,112,119,500,600,611,612,950
 switchport mode access
!
interface GigabitEthernet1/0/20
 description Spare (Old NAS)
 switchport access vlan 777
 switchport mode access
 speed 100
!
interface GigabitEthernet1/0/21
 description Server 26
 switchport access vlan 26
 switchport trunk allowed vlan 3,5,8,17-19,26,39,43,50,51,70,74,76,78,84,97-99
 switchport trunk allowed vlan add 101-103,108,110,112,119,500,600,611,612,950
 switchport mode access
!
interface GigabitEthernet1/0/22
 description Uplink Switch #2
 switchport trunk native vlan 2155
 switchport trunk allowed vlan 1,3-6,8-20,39,43,47,50,51,95,97-99,101-103,108
 switchport trunk allowed vlan add 112,119,612,950,2155
 switchport mode trunk
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/23
 description UPLINK #1
 switchport access vlan 2155
 switchport mode access
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/24
 description UPLINK #2
 switchport access vlan 2155
 switchport mode access
 speed 1000
 duplex full
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
 no ip address
 shutdown
!
ip access-list extended AutoQos-4.0-wlan-Acl-Bulk-Data
 permit tcp any any eq 22
 permit tcp any any eq 465
 permit tcp any any eq 143
 permit tcp any any eq 993
 permit tcp any any eq 995
 permit tcp any any eq 1914
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq smtp
 permit tcp any any eq pop3
ip access-list extended AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
 permit udp any any range 16384 32767
 permit tcp any any range 50000 59999
ip access-list extended AutoQos-4.0-wlan-Acl-Scavanger
 permit tcp any any range 2300 2400
 permit udp any any range 2300 2400
 permit tcp any any range 6881 6999
 permit tcp any any range 28800 29100
 permit tcp any any eq 1214
 permit udp any any eq 1214
 permit tcp any any eq 3689
 permit udp any any eq 3689
 permit tcp any any eq 11999
ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
 permit tcp any any range 2000 2002
 permit tcp any any range 5060 5061
 permit udp any any range 5060 5061
ip access-list extended AutoQos-4.0-wlan-Acl-Transactional-Data
 permit tcp any any eq 443
 permit tcp any any eq 1521
 permit udp any any eq 1521
 permit tcp any any eq 1526
 permit udp any any eq 1526
 permit tcp any any eq 1575
 permit udp any any eq 1575
 permit tcp any any eq 1630
 permit udp any any eq 1630
 permit tcp any any eq 1527
 permit tcp any any eq 6200
 permit tcp any any eq 3389
 permit tcp any any eq 5985
 permit tcp any any eq 8080
ip access-list extended Manage-SSH
 permit tcp host xxx.xxx.xxx.6 host 0.0.0.0 eq 22
 permit tcp any host xxx.xxx.xxx.75 eq 22
 permit tcp host xxx.xxx.xxx.10 host 0.0.0.0 eq 22
 permit tcp host xxx.xxx.xxx.25 host 0.0.0.0 eq 22
!
access-list 1 permit xxx.xxx.xxx.25
access-list 101 permit tcp host xxx.xxx.xxx.25 host xxx.xxx.xxx.52 eq www
access-list 101 permit tcp host xxx.xxx.xxx.25 host xxx.xxx.xxx.52 eq 443
access-list 115 permit tcp host xxx.xxx.xxx.6 host 0.0.0.0 eq 22
!
snmp-server community public RO
snmp-server community private RW
!
!
!
control-plane
 service-policy input system-cpp-policy
!
!
!         
line con 0
 exec-timeout 480 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class Manage-SSH in
 exec-timeout 480 0
 length 0
 transport input ssh
line vty 5 15
 access-class Manage-SSH in
 exec-timeout 480 0
 length 0
 transport input ssh
!
ntp authenticate
ntp peer 81.6.42.224
ntp peer 96.47.67.105
ntp server 64.209.210.20
ntp server 50.255.89.205
wsma agent exec
 profile httplistener
 profile httpslistener
!
wsma agent config
 profile httplistener
 profile httpslistener
!
wsma agent filesys
 profile httplistener
 profile httpslistener
!
wsma agent notify
 profile httplistener
 profile httpslistener
!
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
!
ap dot11 airtime-fairness policy-name Default 0
ap group default-group
ap hyperlocation ble-beacon 0
ap hyperlocation ble-beacon 1
ap hyperlocation ble-beacon 2
ap hyperlocation ble-beacon 3
ap hyperlocation ble-beacon 4
end

Georg Pauwen · ‎10-17-2017

Hello,

in your original post you mentioned web GUI access. I don't see any http commands in your switch configuration. How do you access the web GUI ?

BashedRoot · ‎10-17-2017

At this point, all I want to do is fix the telnet enable password (reset it) and re-enable the username first authentication I had, to enter enable mode after.

Right now after running your previous commands, it goes directly to enable mode bypassing any username authentication. I'm not concerned about anything web GUI related at this time.

Georg Pauwen · ‎10-17-2017

Hello,

line vty 0 4

login local

That is what you need for local authentication (the username and password you configured locally).

BashedRoot · ‎10-18-2017

Thank you, I'll try that but now I have to know how to do this on-site physically on the switch. My laptop when into sleep mode and knocked out my connection remotely so I'm still at the below area stuck.

Cisco3650>en
% Error in authentication.

BashedRoot · ‎10-18-2017

Actually, even better if you could *please* explain how I can log into the switch via SERIAL CONSOLE. My previous network tech did this before, I just do not recall the commands to get into serial console via a spare dedicated server machine.

Georg Pauwen · ‎10-18-2017

You need to put 'login local' under 'line con 0':

line con 0

login local

Which terminal emulator are you using ? Putty ?

Have a look at the link below for console access settings...

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/hardware/installation/guide/Cat3650hig_book/HGcliSET.html

BashedRoot · ‎10-18-2017

I'm using SecureCRT telnet protocol, which is similar to Putty.

I was able to access primary switch #1 via web gui using myusername still. I think I might be able to fix the issue via the interface there. See attached, not 100% sure though. Looks like the options are there, but I'd rather not fiddle until you clarify.

Regarding the link you gave me, not sure what the commands are to start up the communication process via serial console (RJ-45). It's been so long since I did it.

Step 2 
Start the terminal emulation program on the PC or the terminal. The program, frequently a PC application, such as HyperTerminal or ProcommPlus, makes communication between the switch and your PC or terminal possible.

Thanks in advance again, I really appreciate your help.