Console pwd with Cisco Secure ACS

mberenato01
Level 1

My question is.... we have this application working; everything is fine with access, whether online or through the console. If the switch/router is not connected to the network I can't access it through the console port. So if by chance I lose my GBICs and am off the network I can't get in to look. I set all these up years ago and never had to get in, except last week I lost a switch and had to get into a previously configured switch to make sure it was OK.... any help would be great. mberenato01@yahoo.com

6 Replies

Richard Burts
Hall of Fame

Mike

There are probably some aspects of your question that I do not understand well. It sounds as if you are describing the problem as being that if the switch is online on the network you can log in through the console or the vty with no problem, but if the switch is not online you cannot log in, not even through the console.

My guess about this problem would be that you have configured authentication via AAA to a TACACS or to a Radius server and that there is not a backup method using local authentication. If you would post the configuration we could verify whether this is the problem and perhaps suggest an alternative that could get around this issue.

If I have misunderstood some part of your issue then perhaps you can clarify it for us.

HTH

Rick

Yes, sorry for the confusion; I use those methods... We do however set the console u/n and p/w, so that's how I'm confused. The issue is if the switch is unplugged from the network and sitting on my desk and I try to console in... here is the config (some u/n's etc. removed for security):

version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname blahblah
!
enable secret 5 $xxxxxxxxxxxx
enable password 7 1111111111
!
username username privilege 15 password 7 1111111111
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
aaa session-id common
clock timezone EST -5
clock summer-time EST recurring
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
****** the Ethernet switch ports go here
!
interface Vlan1
 ip address x.x.x.x x.x.x.x
 no ip route-cache
!
ip default-gateway x.x.x.x
ip classless
no ip http server
!
tacacs-server host x.x.x.x key 7 1111111111111
tacacs-server directed-request
tacacs-server key 7 11111111111111111
radius-server source-ports 1645-1646
!
control-plane
!
banner motd ^CCCC
***************************************************************************
WARNING: ***************************************************************************
^C
!
line con 0
 exec-timeout 30 0
 password 7 111111111
 stopbits 1
line vty 0 4
 exec-timeout 30 0
 password 7 11111111
line vty 5 15
 exec-timeout 30 0
 password 7 111111111
!
ntp clock-period 36029202
ntp server x.x.x.x prefer
ntp server x.x.x.x
end

Mike

Thanks for posting the additional information. It does show that you are authenticating both console and vty with TACACS. And it does show a backup method is configured (local). The local authentication as a backup will use a locally configured username and password to authenticate. When the device is offline and you attempt to log in, are you getting a prompt for username and a prompt for password? Are you trying to log in with the username that is configured, and with the password that is configured for that username? Are you confident that you have the correct password for that username?

I have a couple of suggestions for things to try:

- configure a new (different) username that has a very simple name and simple password. Then take the device offline and try to log in with the new username and password.

- log in while it is online, run debug aaa authentication, disconnect from the network, try to log in while offline (which should fail) and look at the debug output for indications of what is happening.

HTH

Rick

I guess really the problem was.... when setting up the switch, to ease configuration you do the copy/paste. Well, if you copy an encrypted password it appears it gets messed up or double encrypted, I guess... I dunno. But thanks for the info; creating another user account worked once I got it back so I could console in.
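The behaviour Rick describes (TACACS+ first, local only as a fallback) and the outcome Mike hit (a local account whose pasted password no longer matched) can be checked against a config before a switch ever ends up on a desk. The following is an added example, not code from this thread or from Cisco: it reads the `aaa authentication login` lists and the `line con 0` section from a constructed excerpt of the posted config, works out which methods the console really uses, and walks the list the way IOS does, where an unreachable server falls through to the next method but an explicit reject ends the attempt.

```python
import re

# Constructed excerpt modelled on the config posted in this thread (the
# poster's placeholder values, not real credentials), indented as IOS prints it.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
username username privilege 15 password 7 1111111111
line con 0
 exec-timeout 30 0
 password 7 111111111
line vty 0 4
 password 7 11111111
"""

def parse_login_lists(config):
    """Map method-list name -> ordered methods from 'aaa authentication login'."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        lists[m.group(1)] = m.group(2).replace("group ", "group:").split()
    return lists

def console_methods(config):
    """Methods con 0 really uses: with 'aaa new-model' the line password is
    ignored unless a list names 'line', and con 0 follows the 'default' list
    unless 'login authentication <name>' is set under it."""
    if not re.search(r"^aaa new-model$", config, re.M):
        return ["line"]                      # pre-AAA: 'login' + line password
    name = "default"
    con = re.search(r"^line con 0\n((?: .*\n)*)", config, re.M)
    if con:
        override = re.search(r"^ login authentication (\S+)$", con.group(1), re.M)
        if override:
            name = override.group(1)
    return parse_login_lists(config).get(name, ["local"])   # implicit local

def simulate_login(methods, tacacs="unreachable", local_ok=True):
    """Walk the list as IOS does: an unreachable server is an ERROR and falls
    through to the next method; an explicit reject is a FAIL and stops the
    list.  tacacs is 'unreachable', 'accept' or 'reject'."""
    for m in methods:
        if m == "group:tacacs+":
            if tacacs == "unreachable":
                continue                     # ERROR -> try the next method
            return ("PASS" if tacacs == "accept" else "FAIL", m)
        if m in ("local", "line"):
            return ("PASS" if local_ok else "FAIL", m)
    return ("FAIL", "exhausted")
```

With the posted config the console resolves to `['group:tacacs+', 'local']`, so the `password 7` under `line con 0` never takes part; on the desk the login lives or dies on the local username, which is exactly why a mangled pasted password locked Mike out and a freshly created account let him in.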

Mike

I am glad that my answers were able to help you find a solution for your problem. When I looked at your configs and did not see any issue with them, it was logical to wonder if the problem were in the configuration of the user IDs and passwords.

HTH

Rick

Thanks again!