cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1365
Views
5
Helpful
8
Replies

Local authentication problem on a WS-C4500X-32 switch

Oliver Drew
Level 1
Level 1

Hi all,

I have a pair of WS-C4500X-32 switches in a VSS pair. They were recently deployed as our core at our data centre, so they are in production.

Initially I had local usernames and passwords configured for VTY access. Telnetting to the switch and authenticating with my local account would take me straight to Privileged EXEC mode. We then made an attemt to configure AAA to point to an ACS server for AD authentication but it didn't work, properly, so I removed that configuration, and now we're back to local user accounts again.

During the attempt to configure AAA for authentication, the switch was in a state whereby when I'd telnet to it, get prompted for username and password, at which point I enter the local credentials, and I get taken to User EXEC mode, instead of Privileged EXEC mode. There's no enable password/secret configured, so I simply type 'enable' and move to Privileged EXEC mode.

How can I revert back to using local authenitcation to be taken staight to Privileged EXEC mode, rather than being taken to User EXEC mode first, and then having to type 'enable'?

The switch is running cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG.bin

All help greatly appreciated.

Thanks!

Olly

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

On your line vty statements, have you added "privilege level 15"?

View solution in original post

8 Replies 8

Marvin Rhoads
Hall of Fame
Hall of Fame

On your line vty statements, have you added "privilege level 15"?

Good day Marvin,

Thank you for your post. No, I hadn't added that command, but I have now, and that's resolved the issue - thank you!

Is that a new feature command with IOS-XE software? I've never configured that before. I also notice that when in line config mode (switch(config-line)#) that the command 'login local' is no longer available. I think it just assumes login local by default unless you specify otherwise?

Thanks again,

Olly

Hi,

privilege level 15 under VTY lines should never be implemented in production network because anyone that succeeded authentication(even levels < 15) has now the super user powers.you should be usin local  authorization instead.Also once you use AAA login local has no effect anymore,by default it is the default autentication method which is used by the lines.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

I just use it where no external AAA server is available and ther is a small local support staff with limited (or no) AAA expertise and only one local username.

Thanks both -

Just noticed something else...

When I connect using telnet I see the following:

*******************************************************************************
**  NOTICE:  This network system is solely for the use of authorised users   **
**           for purposes authorised by our organization.                    **
**           Access is restricted to authorised users only. Unauthorised     **
**           access of this computer system is a violation of state and      **
**           federal, civil and criminal laws.                               **
**           You have no expectation of privacy in the use of this computer  **
**           system. To ensure that the computer system is functioning       **
**           properly, individuals using this system are subject to having   **
**           all their activities on the computer system monitored and       **
**           recorded by personnel of our organization.                      **
**           Use of this computer system by you evidences your express       **
**           consent to such monitoring and your agreement that if such      **
**           monitoring reveals evidence of possible abuse or conduct of     **
**           criminal activity, personnel may provide the evidence of such   **
**           activity to law enforcement authorities.                        **
*******************************************************************************

Password required, but none set

User Access Verification

Username:

Any ideas why it says 'Password required, but none set', but then continues to the 'Username:' promt and permits me to authenticate successfully?

Thanks again

P.S. I know I should be using SSH over Telnet, but I'll work on that next!

Hi,

of course with only one user in the local database then he has to have privilege 15 but then why not use the enable secret password instead because I still think this is a security hole.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Hi Cadet,

That's a really good point re: making use of the enable pasword in my case in the interim before I get AAA working properly. Thank you.

I still have the problem of the switch saying 'password required, but none set', even though it lets me continue to log in with local credentials successfully.

This is causing a problem for me because I'm using Kiwi CatTools to back up the runnin config, and the procedure is failing on the CatTools server, saying "Warning, no VTY password has been set".

I've just set a password on lines 0 15 and tried again, but CatTools still fails to authenticate successfully to the switch.

As the original query in this post has been answered, I'll start a new discussion now.

Thanks for your help Marvin and Cadet.

aaa authorization exec default group tacacs+ local

you also need to assign privileged access for the user in ACS

Review Cisco Networking for a $25 gift card