Nexus 9K Console Port No Auth

CiscoMedMed
Level 1

Going through a recent config change, I lost the ability to authenticate both via RADIUS/AD and with local credentials. This was the case whether access was via an Avocent console server or SSH. I was locked out until I disabled some trunking, ensuring the 9k couldn't even try to reach the RADIUS server, and then local creds worked. What I'd like to do is remove authentication from the console serial port. If I authenticate to the Avocent, then I have access to the console port. Can someone tell me how to exclude the console port from the overall security policy? This is clearer to me in IOS. Thank you.

Accepted Solutions

marce1000
VIP

 

 - FYI : https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_chapter_0111.html#task_1...

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

balaji.bandi
Hall of Fame

You can do something like the example below for the console; all the rest will be TACACS. You also need to investigate what is wrong with RADIUS. If you have configured fallback to local, then it should not be an issue: if TACACS is not reachable, you can use a local account.

Again, it all depends on your requirement.


username myuser password mypassword priv 15
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE if-authenticated
!
line con 0
login authentication CONSOLE

 

BB


TDMerton
Level 1

nexus 9k doesn't have the options listed

nexus9(config)# line console 0

% Invalid command at '^' marker

only line console (without 0), however after that for login are only  *** No matching command found in current mode, matching in (config) mode ***

on-failure Set options for failed login attempt and on-success Set options for successful login attempt
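
An added example, not part of any post in this thread and not Cisco's code: a small Python check over the AAA lines of an NX-OS configuration that reports how a console login would be authenticated, before and after a console-specific method list is added. It assumes the NX-OS `aaa authentication login {default | console}` syntax, that the console follows `default` when it has no method list of its own, and that fallback to local on server error is on unless negated; the group name and address are constructed.

```python
import re

# Constructed NX-OS AAA excerpt (not from the thread); names and address are placeholders.
SAMPLE = """\
aaa group server radius AD-RADIUS
    server 192.0.2.10
    use-vrf management
aaa authentication login default group AD-RADIUS
no aaa authentication login default fallback error local
"""
# Same excerpt with a console-specific method list added.
SAMPLE_CONSOLE_LOCAL = SAMPLE + "aaa authentication login console local\n"

LOGIN = re.compile(r"^(no\s+)?aaa authentication login (default|console)\s+(.+)$")


def parse_login(config):
    """Collect the method list and fallback flag for 'default' and 'console'."""
    state = {s: {"methods": None, "fallback": True} for s in ("default", "console")}
    for raw in config.splitlines():
        m = LOGIN.match(raw.strip())
        if not m:
            continue
        negated, scope, words = bool(m.group(1)), m.group(2), m.group(3).split()
        if words[:3] == ["fallback", "error", "local"]:
            state[scope]["fallback"] = not negated
        elif not negated:
            state[scope]["methods"] = words
    return state


def console_login(config):
    """Describe how a console login would be authenticated."""
    state = parse_login(config)
    inherited = state["console"]["methods"] is None
    # Assumption: without a console method list the console follows 'default',
    # which matches the lockout the original poster describes.
    src = state["default"] if inherited else state["console"]
    methods = src["methods"] or ["local"]
    return {
        "methods": methods,
        "inherited_from_default": inherited,
        "needs_remote_server": methods[0] == "group",
        "local_fallback_on_error": src["fallback"],
        "unauthenticated": methods == ["none"],
    }


if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE), ("after", SAMPLE_CONSOLE_LOCAL)):
        print(name, console_login(cfg))
```

Feed it the output of `show running-config aaa`; a result with `needs_remote_server` true and `inherited_from_default` true is the situation where the console port shares the fate of the RADIUS path.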
