04-05-2017 07:29 PM - edited 03-08-2019 10:05 AM
Strange issue here. I have 2 x 3650 switches both running Version 3.76. Web interface shows fine, but cannot log into switch #1.
I've had no issues accessing the panels via web on both switches, saved my passwords locally in Roboform too. Suddenly, my login is not working for switch #1, but works fine on switch #2. I'm baffled.
How do I correct this?
I checked the user/pw in show run
enable secret 5 ********
enable password ********
10-17-2017 11:05 AM
10-17-2017 11:13 AM
I did this now, but it goes directly to enable mode instead of authenticating first through an admin user. How do I fix that portion?
Cisco3650#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco3650(config)#enable secret TLNsxxxxxxxxxxx
Cisco3650(config)#service password-encryption
Cisco3650(config)#
Cisco3650(config)#end
Cisco3650#show run
Building configuration...
Current configuration : 26076 bytes
!
! Last configuration change at 13:25:07 EST Tue Oct 17 2017 by myusername
!
version 16.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
no service password-recovery
no platform punt-keepalive disable-kernel-core
!
hostname Cisco3650
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$xxxxxxxxxxxxxxxxxxxxxx
!
10-17-2017 11:19 AM
Hello,
try local AAA:
1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication login default local
5. aaa authorization exec local
6. aaa authorization network local
7. username name [privilege level] {password encryption-type password}
8. end
10-17-2017 11:41 AM - edited 10-17-2017 11:42 AM
Cisco3650#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco3650(config)#aaa new-model
Cisco3650(config)#aaa authentication login default local
Cisco3650(config)#aaa authorization exec local
% Incomplete command.
Cisco3650(config)#aaa authorization network local
% Incomplete command.
Switch #1 show run shows:
username myusername privilege 15 secret 5 $1$Cbkx$xxxxxxxxxxxx
Switch #2 show run shows:
username myusername password 0 rD&xxxxxxxxxxxx
By the way, now I get this when attempting to log into switch #1...
Cisco3650>
Cisco3650>en
% Error in authentication.
10-17-2017 11:47 AM
Hello,
what are your options when you get the incomplete command ?
Which XE version are you running anyway ? Post the output of 'show version'...
10-17-2017 11:49 AM
There are no options when I get incomplete, just carriage return to prompt.
Cisco3650#show version
Cisco IOS Software [Denali], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.3.1a, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Thu 29-Sep-16 22:08 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2016 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 3.76, RELEASE SOFTWARE (P)

Cisco3650 uptime is 1 year, 4 days, 19 hours, 11 minutes
Uptime for this control processor is 1 year, 4 days, 19 hours, 13 minutes
System returned to ROM by reload at 18:48:20 EST Wed Oct 12 2016
System image file is "flash:packages.conf"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Technology Package License Information:
-----------------------------------------------------------------
Technology-package                   Technology-package
Current             Type             Next reboot
------------------------------------------------------------------
ipbasek9            Permanent        ipbasek9

cisco WS-C3650-24TS (MIPS) processor (revision N0) with 866081K/6147K bytes of memory.
Processor board ID xxxxxxx
28 Virtual Ethernet interfaces
28 Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
252000K bytes of Crash Files at crashinfo:.
1611414K bytes of Flash at flash:.
0K bytes of  at webui:.
0K bytes of Dummy USB Flash at usbflash0:.

Base Ethernet MAC Address          :
Motherboard Assembly Number        :
Motherboard Serial Number          :
Model Revision Number              : N0
Motherboard Revision Number        : A0
Model Number                       : WS-C3650-24TS
System Serial Number               :

Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 28    WS-C3650-24TS      16.3.1            CAT3K_CAA-UNIVERSALK9 INSTALL

Configuration register is 0x102
10-17-2017 12:09 PM
Hello,
at this point, since it is a production switch, I would not configure anything else, otherwise you run the chance of locking yourself out.
Either post the full config of the switch (if you pull it from 'show tech' it will blank out all sensitive information), or compare the configuration with the 'working' switch...
10-17-2017 01:10 PM
How about this? I removed some VLAN info to simplify...
Cisco3650#show run
Building configuration...
Current configuration : 26066 bytes
!
! Last configuration change at 13:57:30 EST Tue Oct 17 2017 by myusername
!
version 16.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
no service password-recovery
no platform punt-keepalive disable-kernel-core
!
hostname Cisco3650
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
clock timezone EST -5 0
facility-alarm critical exceed-action shutdown
switch 1 provision ws-c3650-24ts
!
ip routing
!
ip name-server xxx.xxx.xxx.62 xxx.xxx.xxx.61
ip domain name company.com
!
vtp mode transparent
!
crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
 enrollment selfsigned
 serial-number
 revocation-check none
 rsakeypair HTTPS_SS_CERT_KEYPAIR
!
crypto pki certificate chain HTTPS_SS_CERT_KEYPAIR
 certificate self-signed 01
  quit
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause vmps
errdisable recovery cause loopback
errdisable recovery interval 120
license boot level ipbasek9
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
username myusername privilege 15 secret 5 $1$xxxxxxxx
!
redundancy
 mode sso
!
hw-switch switch 1 logging onboard message
!
vlan 2155
!
class-map match-any system-cpp-police-topology-control
 description Topology control
class-map match-any system-cpp-police-sw-forward
 description Sw forwarding, SGT Cache Full, LOGGING
class-map match-any system-cpp-default
 description DHCP snooping, show forward and rest of traffic
class-map match-any system-cpp-police-sys-data
 description Learning cache ovfl, Crypto Control, Exception, EGR Exception, NFL SAMPLED DATA, Gold Pkt, RPF Failed
class-map match-any system-cpp-police-punt-webauth
 description Punt Webauth
class-map match-any system-cpp-police-forus
 description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
 description MCAST END STATION
class-map match-any system-cpp-police-multicast
 description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
 description L2 control
class-map match-any system-cpp-police-dot1x-auth
 description DOT1X Auth
class-map match-any system-cpp-police-data
 description ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-control-low-priority
 description ICMP redirect and general punt
class-map match-any system-cpp-police-wireless-priority1
 description Wireless priority 1
class-map match-any system-cpp-police-wireless-priority2
 description Wireless priority 2
class-map match-any system-cpp-police-wireless-priority3-4-5
 description Wireless priority 3,4 and 5
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
 description Routing control
class-map match-any system-cpp-police-protocol-snooping
 description Protocol snooping
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
policy-map system-cpp-policy
 class system-cpp-police-data
  police rate 200 pps
 class system-cpp-police-sys-data
  police rate 100 pps
 class system-cpp-police-sw-forward
  police rate 1000 pps
 class system-cpp-police-multicast
  police rate 500 pps
 class system-cpp-police-multicast-end-station
  police rate 2000 pps
 class system-cpp-police-punt-webauth
 class system-cpp-police-l2-control
 class system-cpp-police-routing-control
  police rate 1800 pps
 class system-cpp-police-control-low-priority
 class system-cpp-police-wireless-priority1
 class system-cpp-police-wireless-priority2
 class system-cpp-police-wireless-priority3-4-5
 class system-cpp-police-topology-control
 class system-cpp-police-dot1x-auth
 class system-cpp-police-protocol-snooping
 class system-cpp-police-forus
 class system-cpp-default
policy-map speed25
 class class-default
  police cir percent 25
   conform-action transmit
   exceed-action drop
!
interface Port-channel1
 switchport access vlan 950
 switchport trunk allowed vlan 1,3,5,8,17-19,39,43,50,51,70,74,76,78,84,95
 switchport trunk allowed vlan add 97-99,101-103,108,110,112,119,500,600,611
 switchport trunk allowed vlan add 950
 switchport mode trunk
!
interface Port-channel2
 switchport mode trunk
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet1/0/1
 description NAS
 switchport access vlan 911
 switchport trunk allowed vlan 2,4,7,14,15,69,77,79,80,93-96,100,108,109,111
 switchport trunk allowed vlan add 113-117,120-122,950,2155
 switchport mode access
 speed 100
!
interface GigabitEthernet1/0/2
 description Server 30
 switchport access vlan 30
 switchport mode access
 speed 100
!
interface GigabitEthernet1/0/3
 description Server 25
 switchport access vlan 25
 switchport mode access
 speed 100
!
interface GigabitEthernet1/0/4
 description Server 95
 switchport access vlan 95
 switchport trunk allowed vlan 3,5,8,17-19,39,43,50,51,70,74,76,78,84,97-99
 switchport trunk allowed vlan add 101-103,108,110,112,119,500,600,611,612,950
 switchport mode access
!
interface GigabitEthernet1/0/5
 description Server 98
 switchport access vlan 98
 switchport trunk allowed vlan 3,5,8,17-19,39,43,50,51,70,74,76,78,84,97-99
 switchport trunk allowed vlan add 101-103,108,110,112,119,500,600,611,950
 switchport mode access
!
interface GigabitEthernet1/0/6
 description Server 3
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
 description Server 111
 switchport access vlan 111
 switchport mode access
 speed 100
 spanning-tree portfast
!
interface GigabitEthernet1/0/8
 description Server 113
 switchport access vlan 113
 switchport trunk allowed vlan 3,5,8,17-19,39,43,50,51,70,74,76,78,84,97-99
 switchport trunk allowed vlan add 101-103,108,110,112,119,500,600,611,950
 switchport mode access
!
interface GigabitEthernet1/0/9
 description Server 93
 switchport access vlan 93
 switchport mode access
!
interface GigabitEthernet1/0/10
 description Server 7
 switchport access vlan 7
 switchport mode access
 spanning-tree portfast
 service-policy output speed25
!
interface GigabitEthernet1/0/11
 description company
 switchport access vlan 21
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 description Server 22
 switchport access vlan 22
 switchport mode access
 speed 100
!
interface GigabitEthernet1/0/13
 description Server 2
 switchport access vlan 2
 switchport mode access
 service-policy output speed25
!
interface GigabitEthernet1/0/14
 description Server 12
 switchport access vlan 12
 switchport trunk allowed vlan 1,3,5,8,17-19,39,43,50,51,70,74,76,78,84,95
 switchport trunk allowed vlan add 97-99,101-103,108,110,112,116,119,500,600
 switchport trunk allowed vlan add 611,950
 switchport mode access
 speed 100
!
interface GigabitEthernet1/0/15
 description Server 29
 switchport access vlan 29
 switchport mode access
!
interface GigabitEthernet1/0/16
 description Server 13
 switchport access vlan 13
 switchport mode access
 speed 100
!
interface GigabitEthernet1/0/17
 description Server 23
 switchport access vlan 23
 switchport mode access
 speed 100
!
interface GigabitEthernet1/0/18
 description Server 24
 switchport access vlan 24
 switchport mode access
 speed 100
!
interface GigabitEthernet1/0/19
 description IPMI
 switchport access vlan 612
 switchport trunk allowed vlan 3,5,8,17-19,39,43,50,51,70,74,76,78,84,97-99
 switchport trunk allowed vlan add 101-103,108,110,112,119,500,600,611,612,950
 switchport mode access
!
interface GigabitEthernet1/0/20
 description Spare (Old NAS)
 switchport access vlan 777
 switchport mode access
 speed 100
!
interface GigabitEthernet1/0/21
 description Server 26
 switchport access vlan 26
 switchport trunk allowed vlan 3,5,8,17-19,26,39,43,50,51,70,74,76,78,84,97-99
 switchport trunk allowed vlan add 101-103,108,110,112,119,500,600,611,612,950
 switchport mode access
!
interface GigabitEthernet1/0/22
 description Uplink Switch #2
 switchport trunk native vlan 2155
 switchport trunk allowed vlan 1,3-6,8-20,39,43,47,50,51,95,97-99,101-103,108
 switchport trunk allowed vlan add 112,119,612,950,2155
 switchport mode trunk
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/23
 description UPLINK #1
 switchport access vlan 2155
 switchport mode access
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/24
 description UPLINK #2
 switchport access vlan 2155
 switchport mode access
 speed 1000
 duplex full
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
 no ip address
 shutdown
!
ip access-list extended AutoQos-4.0-wlan-Acl-Bulk-Data
 permit tcp any any eq 22
 permit tcp any any eq 465
 permit tcp any any eq 143
 permit tcp any any eq 993
 permit tcp any any eq 995
 permit tcp any any eq 1914
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq smtp
 permit tcp any any eq pop3
ip access-list extended AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
 permit udp any any range 16384 32767
 permit tcp any any range 50000 59999
ip access-list extended AutoQos-4.0-wlan-Acl-Scavanger
 permit tcp any any range 2300 2400
 permit udp any any range 2300 2400
 permit tcp any any range 6881 6999
 permit tcp any any range 28800 29100
 permit tcp any any eq 1214
 permit udp any any eq 1214
 permit tcp any any eq 3689
 permit udp any any eq 3689
 permit tcp any any eq 11999
ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
 permit tcp any any range 2000 2002
 permit tcp any any range 5060 5061
 permit udp any any range 5060 5061
ip access-list extended AutoQos-4.0-wlan-Acl-Transactional-Data
 permit tcp any any eq 443
 permit tcp any any eq 1521
 permit udp any any eq 1521
 permit tcp any any eq 1526
 permit udp any any eq 1526
 permit tcp any any eq 1575
 permit udp any any eq 1575
 permit tcp any any eq 1630
 permit udp any any eq 1630
 permit tcp any any eq 1527
 permit tcp any any eq 6200
 permit tcp any any eq 3389
 permit tcp any any eq 5985
 permit tcp any any eq 8080
ip access-list extended Manage-SSH
 permit tcp host xxx.xxx.xxx.6 host 0.0.0.0 eq 22
 permit tcp any host xxx.xxx.xxx.75 eq 22
 permit tcp host xxx.xxx.xxx.10 host 0.0.0.0 eq 22
 permit tcp host xxx.xxx.xxx.25 host 0.0.0.0 eq 22
!
access-list 1 permit xxx.xxx.xxx.25
access-list 101 permit tcp host xxx.xxx.xxx.25 host xxx.xxx.xxx.52 eq www
access-list 101 permit tcp host xxx.xxx.xxx.25 host xxx.xxx.xxx.52 eq 443
access-list 115 permit tcp host xxx.xxx.xxx.6 host 0.0.0.0 eq 22
!
snmp-server community public RO
snmp-server community private RW
!
control-plane
 service-policy input system-cpp-policy
!
line con 0
 exec-timeout 480 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class Manage-SSH in
 exec-timeout 480 0
 length 0
 transport input ssh
line vty 5 15
 access-class Manage-SSH in
 exec-timeout 480 0
 length 0
 transport input ssh
!
ntp authenticate
ntp peer 81.6.42.224
ntp peer 96.47.67.105
ntp server 64.209.210.20
ntp server 50.255.89.205
wsma agent exec
 profile httplistener
 profile httpslistener
!
wsma agent config
 profile httplistener
 profile httpslistener
!
wsma agent filesys
 profile httplistener
 profile httpslistener
!
wsma agent notify
 profile httplistener
 profile httpslistener
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
!
ap dot11 airtime-fairness policy-name Default 0
ap group default-group
ap hyperlocation ble-beacon 0
ap hyperlocation ble-beacon 1
ap hyperlocation ble-beacon 2
ap hyperlocation ble-beacon 3
ap hyperlocation ble-beacon 4
end
10-17-2017 01:23 PM
Hello,
in your original post you mentioned web GUI access. I don't see any http commands in your switch configuration. How do you access the web GUI ?
10-17-2017 01:36 PM
At this point, all I want to do is fix the telnet enable password (reset it) and re-enable the username-first authentication I had, so that I enter enable mode afterwards.
Right now after running your previous commands, it goes directly to enable mode bypassing any username authentication. I'm not concerned about anything web GUI related at this time.
10-17-2017 01:50 PM
Hello,
line vty 0 4
login local
That is what you need for local authentication (the username and password you configured locally).
10-18-2017 04:54 AM
10-18-2017 04:55 AM
10-18-2017 08:31 AM
You need to put 'login local' under 'line con 0':
line con 0
login local
Which terminal emulator are you using ? Putty ?
Have a look at the link below for console access settings...
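As an added example, not taken from any post in this thread, the Python script below checks a saved 'show run' for the points the thread has circled around: the local-AAA steps, the posted configuration, and the 'login local' advice. It reports where a privilege-15 user will land after login under the current AAA mode (user EXEC, which then needs a working enable secret, or straight into privileged EXEC), whether any line still consults the local user database when AAA is off, reversible (type 0/7) and MD5 (type 5) credentials, the SNMP community strings, and 'no service password-recovery'. The configuration embedded in it is constructed with placeholder names and hashes; it is not the poster's config. The form 'aaa authorization exec default local' that it recommends is the standard IOS syntax: the list name ('default') is the argument the '% Incomplete command' prompt above was waiting for.

```python
"""Audit a Cisco IOS / IOS-XE running configuration for the login, enable and
credential-hygiene points discussed in this thread."""
import re
from dataclasses import dataclass

# Constructed sample (not the poster's config): same shape as the 'show run'
# posted above, with names, hashes and addresses replaced by placeholders.
SAMPLE_CONFIG = """\
version 16.3
service password-encryption
no service password-recovery
aaa new-model
aaa authentication login default local
enable secret 5 $1$abcd$0123456789abcdefghijkl
username admin privilege 15 secret 5 $1$Cbkx$0123456789abcdefghijkl
username backup password 0 Pl4intext!
snmp-server community public RO
snmp-server community private RW
line con 0
 exec-timeout 480 0
line vty 0 4
 access-class Manage-SSH in
 transport input ssh
line vty 5 15
 access-class Manage-SSH in
 transport input ssh
end
"""

USERNAME_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? (secret|password) (\d+) \S+", re.M)
ENABLE_RE = re.compile(r"^enable (secret|password)(?: (\d+))? \S+", re.M)
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)\b", re.M)
EXEC_AUTHZ_RE = re.compile(r"^aaa authorization exec \S+ .*\blocal\b", re.M)


@dataclass(frozen=True)
class Finding:
    code: str
    severity: str
    detail: str


def line_blocks(cfg):
    """Return [(line name, [sub-commands])]; sub-commands are the indented lines
    that follow a 'line ...' statement, as in real 'show run' output."""
    blocks, current = [], None
    for raw in cfg.splitlines():
        if raw.startswith("line "):
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current[1].append(raw.strip())
        else:
            current = None
    return blocks


def audit(cfg):
    f = []
    aaa = re.search(r"^aaa new-model$", cfg, re.M) is not None
    exec_authz = EXEC_AUTHZ_RE.search(cfg) is not None
    blocks = line_blocks(cfg)
    priv15 = []

    for name, priv, kind, ptype in USERNAME_RE.findall(cfg):
        if kind == "password":  # type 0 is plaintext, type 7 is trivially reversible
            f.append(Finding("REVERSIBLE_USER_PASSWORD", "high",
                             f"username {name}: type {ptype} password; use 'secret' with algorithm-type scrypt"))
        elif ptype == "5":
            f.append(Finding("TYPE5_SECRET", "low",
                             f"username {name}: type 5 (MD5) secret; IOS-XE 16.x supports type 9 (scrypt)"))
        if priv == "15":
            priv15.append(name)

    for kind, ptype in ENABLE_RE.findall(cfg):
        if kind == "password":  # ignored when 'enable secret' exists, but still stored reversibly
            f.append(Finding("ENABLE_PASSWORD", "high", "remove 'enable password'; keep only 'enable secret'"))
        elif ptype == "5":
            f.append(Finding("TYPE5_SECRET", "low", "enable secret is type 5 (MD5); re-enter with algorithm-type scrypt"))

    # Where a privilege-15 user lands after login depends on the AAA mode:
    # with aaa new-model the configured level is only applied by exec authorization.
    has_login_local = any("login local" in subs for _, subs in blocks)
    if priv15 and aaa and not exec_authz:
        f.append(Finding("PRIV15_NO_EXEC_AUTHZ", "info",
                         "aaa new-model without 'aaa authorization exec default local': privilege-15 users land "
                         "in user EXEC and must know the enable secret; add the authorization line to honour the level"))
    elif priv15 and ((aaa and exec_authz) or (not aaa and has_login_local)):
        f.append(Finding("PRIV15_DIRECT_ENABLE", "info",
                         "privilege-15 users drop straight into privileged EXEC; the enable prompt is skipped"))

    for name, subs in blocks:
        if not aaa and not any(s.startswith(("login local", "login authentication")) for s in subs):
            f.append(Finding("LINE_NO_LOCAL_LOGIN", "high",
                             f"{name}: AAA is off and no 'login local'; the local username database is not consulted"))
        if name.startswith("line vty"):
            transports = [s for s in subs if s.startswith("transport input")]
            if any("telnet" in t or t.endswith(" all") for t in transports):
                f.append(Finding("VTY_TELNET", "medium", f"{name}: telnet permitted; set 'transport input ssh'"))
            if not any(s.startswith("access-class") for s in subs):
                f.append(Finding("VTY_NO_ACCESS_CLASS", "medium", f"{name}: no access-class limiting management sources"))

    for comm, mode in SNMP_RE.findall(cfg):
        if comm.lower() in ("public", "private"):
            f.append(Finding("DEFAULT_SNMP_COMMUNITY", "critical", f"community '{comm}' ({mode}) is a well-known default"))
        if mode == "RW":
            f.append(Finding("SNMP_RW_COMMUNITY", "high", f"community '{comm}' is read-write: SNMPv2c RW is config access"))

    if re.search(r"^no service password-recovery$", cfg, re.M):
        f.append(Finding("NO_PASSWORD_RECOVERY", "info",
                         "password recovery disabled: clearing a lockout means a recovery that erases the startup config"))
    return f


def codes(cfg):
    """Set of finding codes, convenient for scripting and tests."""
    return {x.code for x in audit(cfg)}


if __name__ == "__main__":
    for x in audit(SAMPLE_CONFIG):
        print(f"[{x.severity:8}] {x.code}: {x.detail}")
```

Run it against a saved 'show run' (for example 'python audit.py < switch1.txt' after swapping SAMPLE_CONFIG for sys.stdin.read()) on both switches and diff the finding codes; the two configs posted above would differ on the username password type. The script treats 'login local' as relevant only when 'aaa new-model' is absent: once AAA is on, line authentication comes from the 'default' list (the 'login' command under a line then takes 'login authentication <list>'), and the privilege level of the user is honoured only when exec authorization is configured, which is why the check for PRIV15_NO_EXEC_AUTHZ matters more than 'login local' for the configuration posted above.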
10-18-2017 08:56 AM - edited 10-18-2017 09:04 AM
I'm using SecureCRT telnet protocol, which is similar to Putty.
I was able to access primary switch #1 via web gui using myusername still. I think I might be able to fix the issue via the interface there. See attached, not 100% sure though. Looks like the options are there, but I'd rather not fiddle until you clarify.
Regarding the link you gave me, not sure what the commands are to start up the communication process via serial console (RJ-45). It's been so long since I did it.
Step 2
Start the terminal emulation program on the PC or the terminal. The program, frequently a PC application, such as HyperTerminal or ProcommPlus, makes communication between the switch and your PC or terminal possible.
Thanks in advance again, I really appreciate your help.