03-14-2022 12:45 PM
I have multiple (around
On all the switches that are in use, I'm unable to get into enable mode via the console connection. I can do so via SSH using the Cisco CLI.
The test switch is connected to the other switches on the network but not in ACS. (the only difference I know of), and I can get into enable mode via the console cable.
We have changed the enable password on them to basic (where you can see the password) and I still can't get in. I've added a password to line con 0 and removed it as well. I've attached how the enable, aaa, and lines are configured on both devices.
Been working on this for 3 weeks and tried a bunch of different stuff. Any suggestions are appreciated! I feel like it's staring me in the face, but I just can't see it.
I've also included the initial config commands for AAA and Lines.
If you want to see any other part of the config, please let me know.
Regards
03-14-2022 02:33 PM
I think it is significant that the test switch is not in ACS. The config for authentication enable specifies ACS as primary method and local as alternate method. On the test switch when you attempt enable it tries to use ACS, gets no response, and uses the alternate method. And that works. On the other switches you attempt enable and it tries to use ACS, ACS does not recognize the user and responds negative, and the switch does not attempt the alternate method. What would happen if you changed the order of entries for authentication enable and specify local first and ACS second?
03-16-2022 11:23 AM
Richard,
Where would you add that command, under conf t, but how would it be entered? Or do I specify local on the line con 0?
When I type authentication ? I only see these options.
command Allow the following CoA commands to be ignored by the switch
convert-to Convert the configuration mode to eEdge
critical Set Critical Authentication parameters
dis-scale-opt Scale Optimise disable
logging Set logging parameters
mac-move Set required action when a MAC move is detected
Thank you,
Cole
03-16-2022 12:51 PM
Cole
You currently have this
aaa authentication enable default group ACS-GROUP enable
I suggest that you change it to this
aaa authentication enable default enable group ACS-GROUP
03-17-2022 08:21 AM
Richard,
That did it! And I think I may even understand why.
Really appreciate your assistance.
Regards,
Cole
03-17-2022 08:55 AM
Cole
You are welcome. I believe that understanding why it works is a very good thing (getting it to work is good, understanding why is better). Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.
03-17-2022 09:49 AM
Cole
We found a solution that works, and that is good. But I read through the discussion again and want to clarify a point. In one of your posts you say "So if they lose network connection, I won't be able to get in to troubleshoot." That is not really the case. If a switch is having problems and loses its network connection, then when you access the console the switch will attempt to access ACS, will not receive any response, and would then have accepted your enable password. The new config is better than the old one, but the old one was not as problematic as you thought it was.
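The behaviour Richard describes in the two posts above (a method list falls through to the next method only when a method gives no answer, not when it rejects) is easy to get wrong, so here is an added Python model of that evaluation rule. It is not code from this thread or from Cisco; the method names, the "reachable"/"known_password" knobs and the enable secret value are constructed assumptions, and a server that never answers is used to stand in for both a down network and a switch that ACS does not know as a client.

```python
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "pass"    # the method authenticated the request: stop, access granted
    FAIL = "fail"    # the method answered and rejected it: stop, access denied
    ERROR = "error"  # the method could not answer (no response): try the next one


# A method takes the password typed at the "Password:" prompt and returns a Result.
Method = Callable[[str], Result]


def acs_group(reachable: bool, known_password: Optional[str]) -> Method:
    """Model of the 'group ACS-GROUP' method (constructed, simplified).

    reachable=False models a server that never answers (network down, or the
    switch is not a known client on ACS, which is how the test switch is modelled).
    known_password=None models a reachable server that has no enable-level
    credential for this request and therefore rejects it.
    """
    def method(password: str) -> Result:
        if not reachable:
            return Result.ERROR
        if known_password is not None and password == known_password:
            return Result.PASS
        return Result.FAIL
    return method


def enable_method(configured_secret: Optional[str]) -> Method:
    """Model of the 'enable' method: compare against the local enable secret."""
    def method(password: str) -> Result:
        if configured_secret is None:
            return Result.ERROR   # nothing to compare against, so no verdict
        return Result.PASS if password == configured_secret else Result.FAIL
    return method


def evaluate(method_list: List[Tuple[str, Method]], password: str) -> Tuple[Result, List[str]]:
    """Walk a method list the way IOS does: move on only when a method ERRORs.

    Returns the final verdict and the names of the methods actually consulted.
    If every method ERRORs the outcome is reported as ERROR (a simplification).
    """
    consulted: List[str] = []
    for name, method in method_list:
        consulted.append(name)
        verdict = method(password)
        if verdict is not Result.ERROR:
            return verdict, consulted
    return Result.ERROR, consulted


def run_scenarios() -> Dict[str, Tuple[str, List[str]]]:
    """Replay the thread's situations under the old and the new method list."""
    local_secret = "EXAMPLE-ENABLE-SECRET"   # constructed placeholder value

    def old_list(acs: Method) -> List[Tuple[str, Method]]:
        # aaa authentication enable default group ACS-GROUP enable
        return [("group ACS-GROUP", acs), ("enable", enable_method(local_secret))]

    def new_list(acs: Method) -> List[Tuple[str, Method]]:
        # aaa authentication enable default enable group ACS-GROUP
        return [("enable", enable_method(local_secret)), ("group ACS-GROUP", acs)]

    acs_rejects = acs_group(reachable=True, known_password=None)   # production switch
    acs_silent = acs_group(reachable=False, known_password=None)   # test switch / link down

    cases = {
        "old, production, ACS reachable": evaluate(old_list(acs_rejects), local_secret),
        "old, test switch or network down": evaluate(old_list(acs_silent), local_secret),
        "new, production, ACS reachable": evaluate(new_list(acs_rejects), local_secret),
        "new, wrong password": evaluate(new_list(acs_rejects), "wrong"),
    }
    return {name: (verdict.value, consulted) for name, (verdict, consulted) in cases.items()}


if __name__ == "__main__":
    for name, (verdict, consulted) in run_scenarios().items():
        print(f"{name:34} -> {verdict:5} after consulting {consulted}")
```

The first two cases reproduce the thread: with ACS listed first, a reachable ACS that rejects the request ends the evaluation (the console enable password is never checked), while an ACS that stays silent lets the switch fall through to the local enable secret. The last case shows the other side of the new ordering: once the local enable method has a configured secret it always returns a verdict, so ACS is consulted for enable only if the local method cannot answer at all.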
03-14-2022 04:30 PM
The test switch is connected to the other switches on the network but not in ACS. (the only difference I know of), and I can get into enable mode via the console cable.
What is the intention here? Do you want the test switch to use local credentials?
03-15-2022 08:33 AM
It's not going to be permanently on the network, so didn't want to add in ACS. Did a basic config on it for testing console logging.
03-15-2022 09:13 AM
Then remove the AAA config and make it local, so you're good.
03-15-2022 09:22 AM
The AAA is needed for the switches in use on the network. The issue is with those that are connected to the network. I'm able to get into them via SSH using Cisco CLI. I cannot get into them using the console port. Not accepting the enable password.
So if they lose network connection, I won't be able to get in to troubleshoot. This is only on these new 9200 switches. There has to be a new configuration command I'm missing.
03-15-2022 09:38 AM
So for SSH you are able to log in, but you have difficulty with your console access.
I created a username as below:
username localuser privilege 15 secret 5 XXXXXXXXXXXX
enable secret 5 XXXXXXXXXXXXXXXXX
!
line con 0
logging synchronous
Or post the full show run so we can look again.
03-16-2022 11:14 AM
This did not enable me to get into enable mode.
I did find a sort of work around.
Under the line con 0 I entered "default authorization exec", this basically bypasses the need for entering an enable password.
Still would be nice to get it working like it does on all our older switches.
03-15-2022 12:28 PM
Hey Cole,
So a couple things going on here:
You currently only have authorization configured on the console line for aaa and not authentication. Then you're setting the password on the console line with privilege level 15. I see no reason the enable password would even need to be used; you should just be using the password on the console line and getting privileged exec access.
line con 0
 privilege level 15
 password (password)
 authorization exec AAA
 transport output all
 stopbits 1
Your working switch does not have privilege level 15 under the line console config, so it would require the enable password in order to elevate privileges.
Try removing the privilege exec 15 under Line console 0 for the switch that isn't working. See if that gets it working.
Alan
03-16-2022 11:15 AM
Removing the privilege exec 15 didn't seem to make any difference.
I did find a sort of work around.
Under the line con 0 I entered "default authorization exec", this basically bypasses the need for entering an enable password.
Still would be nice to get it working like it does on all our older switches.