
No Access on Console to 9500

waschminator
Level 1

Hello, I want to log in to a cat9500 on the console.

It does not matter what I do, I am not able to get into privileged mode, whatever config I put in then (local authentication etc.). The switch always tries to authorize via the TACACS server and this fails.

Disabling TACACS on the console is the same. I can then use the line password or a local user... but when I try to authorize, it fails.

I understand that maybe on the console you should not have access in the situation when everything is up... but on cat 6880x the same config works.

Any idea on that?

router>en
Username:admin
Password:
% Error in authentication.

 

 

Thanks


I am not sure if it is a bug... or a change in the behaviour. With software 17.3.3 it simply works as always. With 17.9.4.a we need this "privilege 15" under "line con 0" and the TACACS user does not work in general.

I have seen this issue multiple times and even a Cisco employee cannot solve it.

So, as a workaround, use:

Login authentication default <<- authc by tacacs user

Privilege level 15 <<- local authz gives level 15 immediately

Try the above.

Thanks a lot

MHM

I tried this too... it does not work with the TACACS user then.

 

Use the commands below only, no authz:

Login authentication default <<- authc by tacacs user

Privilege level 15 <<- local authz gives level 15 immediately

MHM

Hello


@waschminator wrote:
  • login into the console under normal circumstances with TACACS-User and password
  • in case of issues just use the console password

This is applicable

example:
aaa authentication login CONSOLE group loginserver line
aaa authorization exec CONSOLE group loginserver none

line console 0
authorization exec CONSOLE
login authentication CONSOLE
privilege level 15
password xxxxx


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

It does not work.

Additional information:

R1(config-line)#authorization exec CONSOLE
%Authorization without the global command 'aaa authorization console' is useless

So I have configured 'aaa authorization console' too, but anyway I cannot get in.

Hello


@waschminator wrote:

It does not work.

Additional information:

CHU-SDR1(config-line)#authorization exec CONSOLE
%Authorization without the global command 'aaa authorization console' is useless

So I have configured 'aaa authorization console' too, but anyway I cannot get in.


Be careful here...

The aaa statement I created was manually named CONSOLE; however, there is also a default authorization statement. The two are totally separate.

aaa authorization exec CONSOLE group loginserver none  <--- I created

aaa authorization console  <--- aaa default



So for clarity...

aaa authentication login CONSOLE_NEW group loginserver line
aaa authorization exec CONSOLE_NEW group loginserver none

line console 0
authorization exec CONSOLE_NEW
login authentication CONSOLE_NEW
privilege level 15
password xxxxx



Kind Regards
Paul
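
The switch warning quoted above and the named-list configurations in this thread can be checked offline against a saved configuration before it is applied. The following is an added example, not part of the original thread or Cisco code: it flags a console `authorization exec <list>` without the global `aaa authorization console`, references to undefined method lists, and a console login list with no method that works when the TACACS server is unreachable. The names `audit_console_aaa`, `_methods`, `LOCAL_METHODS` and `SAMPLE` are constructed for illustration, and it assumes the console block ends at the next `line`, `aaa`, `interface` or `end` statement.

```python
import re

LOCAL_METHODS = {"local", "local-case", "line", "enable", "none"}  # need no AAA server

def _methods(tokens):
    """Drop 'group <name>' pairs; keep only methods that need no server."""
    return [t for i, t in enumerate(tokens)
            if t != "group" and (i == 0 or tokens[i - 1] != "group")]

def audit_console_aaa(config):
    """Return findings about the AAA method lists referenced under 'line con 0'."""
    authn, authz = {}, {}            # list name -> server-independent methods
    console_global = in_console = False
    use_authn = use_authz = None
    for raw in config.splitlines():
        line = raw.strip()
        # Global definitions can appear anywhere in the file.
        if m := re.match(r"aaa authentication login (\S+) (.+)", line):
            authn[m[1]] = _methods(m[2].split())
        elif m := re.match(r"aaa authorization exec (\S+) (.+)", line):
            authz[m[1]] = _methods(m[2].split())
        elif line == "aaa authorization console":
            console_global = True
        # Track whether we are inside the console line block.
        if re.match(r"(line|aaa|interface) |end$", line):
            in_console = bool(re.match(r"line con(sole)? 0$", line))
        elif in_console and (m := re.match(r"authorization exec (\S+)", line)):
            use_authz = m[1]
        elif in_console and (m := re.match(r"login authentication (\S+)", line)):
            use_authn = m[1]
    findings = []
    if use_authz and not console_global:
        findings.append(f"authorization exec {use_authz}: global 'aaa authorization console' missing")
    if use_authz not in (None, "default") and use_authz not in authz:
        findings.append(f"authorization list {use_authz} is not defined")
    if use_authn not in (None, "default") and use_authn not in authn:
        findings.append(f"authentication list {use_authn} is not defined")
    elif use_authn in authn and not set(authn[use_authn]) & LOCAL_METHODS:
        findings.append(f"authentication list {use_authn} has no server-independent fallback")
    return findings

# Constructed sample based on the first configuration suggested in the thread.
SAMPLE = """\
aaa authentication login CONSOLE group loginserver line
aaa authorization exec CONSOLE group loginserver none
line console 0
 authorization exec CONSOLE
 login authentication CONSOLE
"""
print(audit_console_aaa(SAMPLE))
```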