Catalyst login issue

jwillman
Level 1

I have a strange problem with all catalysts (2948g's, 5500's) on our network. We just moved to an ACS for RADIUS authentication to these switches so I used Ciscoworks to push out the config changes to the switches (all it did was to change the IP address of the RADIUS server on the configs).

Ever since, when I log into one of the switches I'm placed directly into enable mode even though the switches are configured to ask for the local password first.

Here's the output for a show authentication:

Login Authentication:    Console Session    Telnet Session     Http Session
---------------------    ----------------   ----------------   ----------------
tacacs                   disabled           disabled           disabled
radius                   enabled(primary)   enabled(primary)   disabled
kerberos                 disabled           disabled           disabled
local                    enabled            enabled            enabled(primary)
attempt limit            3                  3                  -
lockout timeout (sec)    disabled           disabled           -

Enable Authentication:   Console Session    Telnet Session     Http Session
----------------------   ----------------   ----------------   ----------------
tacacs                   disabled           disabled           disabled
radius                   disabled           disabled           disabled
kerberos                 disabled           disabled           disabled
local                    enabled(primary)   enabled(primary)   enabled(primary)
attempt limit            3                  3                  -
lockout timeout (sec)    disabled           disabled           -

Any ideas? I have the enablepass configured....

5 Replies

m.lammerse
Level 1

Not very familiar with ACS, but... radius is disabled under 'enable authentication'. This tells me that the radius server is not consulted when you enter enable mode. Try enabling that in ACS.

chuck.price
Level 1

Are the login and enable passwords the same? Might sound like a stupid question, but I've seen scenarios where this was the case.

No, they are different. I've had to open a case with TAC on this. It's strange... when I change the RADIUS config to point back to the old Microsoft authentication server it works properly, but change it again to point to the ACS and boom... straight to enable.

Does it have the same behavior when different IDs are used to login or is it just happening with your ID?

You might want to check how the IDs are defined in radius and what privilege level is associated with them.

It might also help if you could post the aaa and radius parts of your config.

HTH

Rick


Turns out this is normal behavior in that Cisco did not write exec authorization into CatOS. To get around not having exec authorization you have to enable service-type as 'administrative' on the ACS, which results in the straight-to-enable scenario.

Workaround is to use tacacs.

Thanks for all your suggestions though.
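As an added illustration that is not part of the thread, the Python below shows what that 'administrative' setting looks like on the wire: a RADIUS Access-Accept carrying Service-Type (attribute 6) with value Administrative (6), as defined in RFC 2865, and a check that predicts where a CatOS switch will drop the user. The packet builder, the function names and the zeroed Response Authenticator are constructed for this example only.

```python
import struct

ACCESS_ACCEPT = 2                # RFC 2865 packet code
ATTR_SERVICE_TYPE = 6            # RFC 2865 attribute number
# RFC 2865 Service-Type values relevant to a switch login
SERVICE_TYPES = {1: "Login", 6: "Administrative", 7: "NAS-Prompt"}


def parse_radius(packet: bytes):
    """Return (code, identifier, [(attr_type, value_bytes), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs = []
    pos = 20                     # 4-byte header + 16-byte Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def exec_level_on_catos(packet: bytes) -> str:
    """Predict the exec level a CatOS switch grants for this RADIUS reply.

    CatOS performs no exec authorization, so an Access-Accept that carries
    Service-Type=Administrative lands the user straight in enable mode (the
    behaviour described in the thread). Any other accepted Service-Type gets
    the normal login, where the local enable password still applies.
    Note: the Response Authenticator is not verified here; a production
    check must validate it against the shared secret before trusting attrs.
    """
    code, _, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return "rejected"
    for atype, value in attrs:
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            name = SERVICE_TYPES.get(struct.unpack("!I", value)[0], "other")
            return "enable" if name == "Administrative" else "login"
    return "login"


def build_accept(service_type: int, ident: int = 1) -> bytes:
    """Constructed Access-Accept with one Service-Type attribute (sample data)."""
    attr = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, service_type)
    body = b"\x00" * 16 + attr   # zeroed Response Authenticator: sample only
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 4 + len(body)) + body


if __name__ == "__main__":
    for st in (1, 6, 7):
        print(SERVICE_TYPES[st], "->", exec_level_on_catos(build_accept(st)))
```

Running the block shows that only the Administrative reply maps to enable, which is why the thread's workaround is TACACS+, where the exec level is authorized separately from the login.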
