No Access on Console to 9500

waschminator
Level 1

Hello, I want to log in to a Cat9500 on the console.

No matter what I do, I am not able to get into privileged mode. Whatever config I put in (local authentication etc.), the switch always tries to authorize via the TACACS server and this fails.

Disabling TACACS on the console is the same. I can then use the line password or a local user, but when I try to authorize, it fails.

I understand that maybe on the console you should not have access in the situation when everything is up, but on the Cat6880-X the same config works.

Any idea on that?

router>en
Username:admin
Password:
% Error in authentication.
thanks


You are perfectly right...

aaa authentication attempts login 2
aaa authentication login default group loginserver local-case
aaa authentication login CONSOLE line
aaa authentication enable default group loginserver enable
aaa authorization exec default group loginserver local if-authenticated
aaa accounting exec default start-stop group loginserver
aaa accounting connection default start-stop group loginserver

line con 0
privilege level 15
password XXXXXXX
login authentication CONSOLE

-->works

-->this does not work (when trying to access the device with the normal TACACS user on the console)

aaa authentication attempts login 2
aaa authentication login default group loginserver local-case
aaa authentication login CONSOLE line
aaa authentication enable default group loginserver enable
aaa authorization exec default group loginserver local if-authenticated
aaa accounting exec default start-stop group loginserver
aaa accounting connection default start-stop group loginserver

Whereas on the Cat6880 this config works (it also does not work on the Cat9500; this is confusing me).

aaa authentication attempts login 2
aaa authentication login default group loginserver local-case
aaa authentication login CONSOLE line
aaa authentication enable default group loginserver enable
aaa authorization exec default group loginserver local if-authenticated
aaa accounting exec default start-stop group loginserver
aaa accounting connection default start-stop group loginserver
!

line con 0
password XXXXXXX

login authentication CONSOLE <<- in the 6800 you use the default method for authc, but in the new C9500 you specify method CONSOLE; that is why the SW does not check TACACS for authc

MHM

Even if I remove the CONSOLE method on the Cat9500, it does not work. This is where I am coming from: before we had a Cat6500. It was lifecycled and the config remained, but the console did not work anymore.

So this config works on the Cat6880 but not on the Cat9500:

R1#show startup-config | include aaa
aaa authentication attempts login 2
aaa authentication login default group loginserver local-case
aaa authentication login CONSOLE line
aaa authentication enable default group loginserver enable
aaa authorization exec default group loginserver local if-authenticated
aaa accounting exec default start-stop group loginserver
aaa accounting connection default start-stop group loginserver

R1#show startup-config | section line

line con 0
stopbits 1

Same config, don't change anything except add the below:

aaa authorization console <<- this is in global mode, not under line console

Then try to access using the TACACS user.

MHM

Please take your time.

Share the config you want to apply to the console before you apply it and let me check it.

Don't WR until you are sure the config works and you can access the SW.

MHM

waschminator
Level 1

aaa authentication attempts login 2
aaa authentication login default group loginserver local-case
aaa authentication enable default group loginserver enable
aaa authorization console
aaa authorization exec default group loginserver local if-authenticated
aaa accounting exec default start-stop group loginserver
aaa accounting connection default start-stop group loginserver

line con 0
privilege level 15
stopbits 1

-->does not work

Try the below and don't wr before checking the config:

aaa authentication attempts login 2
aaa authentication login default group loginserver local-case
aaa authentication enable default group loginserver enable
aaa authorization console
aaa authorization exec default group loginserver local if-authenticated
aaa accounting exec default start-stop group loginserver
aaa accounting connection default start-stop group loginserver

line con 0

login authentication default 
authorization exec default 
privilege level 15
stopbits 1

It seems the config under line con 0 is default:

 

line con 0
motd-banner
exec-banner
exec-timeout 10 0
timeout login response 30
privilege level 1
no media-type rj45 switch 1
no media-type rj45 switch 2
no media-type rj45 switch 3
no media-type rj45 switch 4
no media-type rj45 switch 5
no media-type rj45 switch 6
authorization exec default
accounting exec default
login authentication default
data-character-bits 8

Instead, the show run:

show running-config | section line


line con 0
stopbits 1

Yes friend, it is default, but you changed it in one step during troubleshooting.

So it does not appear in show run, but it appears in show run all.

So now with this config I think you can access using the TACACS user.

MHM

Oops, sorry. I did not mention it specifically, but if the config is the default, it is there all the time.

Anyway, it does not work with the setup above.

 

Hello @waschminator 
So based on that AAA configuration, it is being applied to all your VTY/console lines, so you need to bypass this with a new AAA policy specifically for line console 0 to bypass group authentication and allow local database authentication ONLY.

example:
aaa authentication login CONSOLE local-case
aaa authorization exec CONSOLE local if-authenticated

line console 0
authorization exec CONSOLE
login authentication CONSOLE


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Yes, this also works, but not with a TACACS user; only the line password (or probably a local user, I did not test that).

 

Hello @waschminator ,

I don't see the need to use a TACACS+ user on the console line. The usual logic is that you go to the console when really needed, that is, when the device is isolated or there are network issues. For this reason the suggestion is to use a different method for authentication and authorization (thanks to @paul driver).

Hope to help

Giuseppe

Hello


@waschminator wrote:
yes this also works...but not with a tacacs-user. only line password (or probably local user...i did not test that)

It will NOT work for a TACACS user, as it is bypassing TACACS and using local D/B user access. That is what you requested, correct?


Kind Regards
Paul

No... what I wanted to do are 2 things:

  1. log in to the console under normal circumstances with TACACS user and password
  2. in case of issues, just use the console password

Otherwise we have a full user-based authentication environment, but in theory you could access the device just with a password (security gap).

I concentrated on the console password first because even this did not work with the classical config from the Cat68k. But the 2nd goal is clearly to log in with the TACACS user.

Sorry for the confusion, but honestly I thought that when I am able to log in with the line password, the TACACS user would also work.
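As an added example (not configuration posted by anyone in this thread), one IOS AAA layout that covers both of the goals listed above: a console-only method list that asks the TACACS+ servers first and falls back to the line password only when no server answers. It assumes the server group name loginserver from the thread and uses a placeholder for the console password.

```cisco
! Added example, not from any poster. Assumes server group "loginserver".
! IOS walks a method list left to right and moves to the next method only
! when the previous one returns an ERROR (no server reachable), not when it
! REJECTS the credentials. A wrong TACACS+ password therefore does not fall
! through to the line password; only an unreachable server group does.
aaa new-model
!
! Console-only method lists: TACACS+ first, line password as fallback.
aaa authentication login CONSOLE group loginserver line
aaa authorization exec CONSOLE group loginserver if-authenticated
!
! Global knob from the thread: without it IOS skips exec authorization
! on the console line entirely, so the TACACS+ privilege level is never applied.
aaa authorization console
!
! Enable authentication stays as in the thread: TACACS+ first, then the
! locally configured enable secret when the servers are down.
aaa authentication enable default group loginserver enable
!
line con 0
 password <CONSOLE-PASSWORD-PLACEHOLDER>
 login authentication CONSOLE
 authorization exec CONSOLE
 exec-timeout 10 0
!
! Verify which lists the console line really uses (the thread shows that
! the plain "show run" hides defaulted line settings):
! show running-config all | section line con 0
```

Test the fallback with the TACACS+ servers unreachable (for example with the uplinks shut) before writing the config, as suggested earlier in the thread.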
