06-20-2016 07:59 PM - edited 03-08-2019 06:17 AM
Cat 6500 running IOS 12, enable command asks for username, not just the password. Which command controls this behavior?
06-20-2016 08:06 PM
You can try using the "no login" command and then issue "enable secret password" and see if the router lets you in without any username.
First let us consider what is the basic problem. Without aaa new-model the default for authentication (on console and on vty) is to use the line password. But when you enable aaa new-model then the default for authentication becomes local - and this generates the prompt for a user name, and will check the entered user name against any locally configured user names and passwords.
When you configured aaa new-model and authentication dot1x then it set the default for authentication to use locally configured user ID and password. The suggestion from John to create a named authentication method and assign it to the vty would solve your issue on the vty (but not on the console). My suggestion is to create a default authentication which uses the line password. This will solve the issue on both the vty and the console. It might look something like this
aaa authentication login default line
That should get you back to needing only to enter the line password on the console and on the vty and would not impact the dot1x authentication.
Ref: from one of the CSC links.
HTH
Regards
Inayath
06-20-2016 10:57 PM
Thanks. I will test it and report back. The device uses aaa tacacs for authentication.
06-20-2016 11:14 PM
If you are using TACACS for authenticating then you have to provide the username and password which was provided by the TACACS admin; usually they create different users with different privileges. You can use "show privilege" if you have access to the device. Also you can use "no aaa new-model" in configuration mode, which will stop TACACS authentication, and if you have the router credentials you can log in easily.
Hope that helps.
Kindest Regards,
Uzair
06-20-2016 11:22 PM
I noticed a different behavior on certain devices (all with tacacs): I have to enter the username and enable secret (provided by tacacs) instead of just the enable secret. It's the same user that I logged into the device with.
06-21-2016 12:23 AM
TACACS doesn't work in that way; the reason for TACACS is to avoid this enable password way. It seems something could be wrong in the configuration for the TACACS section. Can you please share the output for the TACACS configuration from any device where you are having this issue? "show running-config | include tacacs" would be enough; also appreciate if you can share "show running-config | include vty".
Kindest Regards,
Uzair
06-21-2016 12:55 AM
Will get the config when I get a chance.
There is probably something like this on other devices.
aaa authentication enable default tacacs+ enable
06-21-2016 03:11 AM
"aaa authentication login" should have been there, appreciate if you can share the exact config to diagnose further.
Thanks.
Kindest Regards,
Uzair
06-21-2016 07:10 PM
aaa config is exactly the same
aaa auth login
aaa auth enable
Both devices are running 12.2(17r) but one is asking for enable username, not just enable password. Both login and enable are via aaa credentials.
10-19-2017 10:44 AM
I have a similar issue - very basic config just for lab.. added enable and secret passwords and now it is prompting me for a username from vty or console logins.. now I am locked out... grrrr
No username configured...
I really don't feel like breaking in... lol
enable secret 5 $1$83uX$eSEhlhb9D0d.2pMyphMUa/
enable password Cisco
!
no aaa new-model
line con 0
password cisco
login local
line vty 0 4
password cisco
login local
line vty 5 15
password cisco
login local
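Added example, not part of any post in this thread and not a Cisco tool: a small Python check that reads an IOS configuration and reports, per line, which login method is tried first and whether it prompts for a username, following the behaviour described in the replies above. The function name, the sample configs and the defaults used (without AAA, vty checks the line password and console/aux have no login check; with aaa new-model and no default list, local, as the thread states) are assumptions.

```python
import re

# First-listed methods that make IOS ask for a username before the password.
USERNAME_METHODS = {"local", "local-case", "group", "tacacs+", "radius"}
LINE_LOGIN = {"login": "line", "login local": "local", "no login": "none"}

def login_prompts(config):
    """Return {line header: (first method, asks_username, warning)}."""
    cmds = [l.strip() for l in config.splitlines() if l.strip()]
    aaa = "aaa new-model" in cmds          # exact match, so "no aaa ..." is False
    has_user = any(c.startswith("username ") for c in cmds)
    # Method lists: aaa authentication login <default|NAME> <method> [...]
    pat = re.compile(r"aaa authentication login (\S+) (.+)")
    lists = {m[1]: m[2].split() for m in map(pat.match, cmds) if m}
    # Per the thread: aaa new-model without a default list means local.
    default = lists.get("default", ["local"])
    methods, current = {}, None
    for c in cmds:
        if c.startswith("line "):
            current = c
            # Assumed IOS defaults without AAA: vty checks the line password,
            # console and aux have no login check.
            methods[c] = default if aaa else (
                ["line"] if c.startswith("line vty") else ["none"])
        elif c in ("!", "end"):
            current = None
        elif current and aaa:
            m = re.match(r"login authentication (\S+)", c)
            if m:
                methods[current] = lists.get(m[1], default)
        elif current and c in LINE_LOGIN:
            methods[current] = [LINE_LOGIN[c]]
    report = {}
    for line, ms in methods.items():
        orphan = ms[0].startswith("local") and not has_user
        report[line] = (ms[0], ms[0] in USERNAME_METHODS,
                        "no local username configured" if orphan else None)
    return report

# Constructed samples: the lab config from the last post (trimmed), and the
# same lines under the "aaa authentication login default line" suggestion.
LAB = ("no aaa new-model\nline con 0\npassword cisco\nlogin local\n"
       "line vty 0 4\npassword cisco\nlogin local\n")
FIXED = ("aaa new-model\naaa authentication login default line\n"
         "line con 0\n password cisco\nline vty 0 4\n password cisco\n")

if __name__ == "__main__":
    for name, cfg in (("LAB", LAB), ("FIXED", FIXED)):
        print(name, login_prompts(cfg))
```

Running it against a saved configuration before applying a change shows which lines would start asking for a username that no configured account can satisfy.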
10-19-2017 10:59 AM