08-23-2024 05:23 AM
Hello, I want to log in to a cat9500 on the console.
It does not matter what I do, I am not able to get into privileged mode, whatever config I put in then (local authentication etc.). The switch always tries to authorize via the TACACS server and this fails.
Disabling TACACS on the console is the same. I can then use the line password or a local user...but when I try to authorize, it fails.
I understand that maybe on the console you should not have access in the situation when everything is up...but on cat 6880x the same config works.
Any idea on that?
router>en
Username:admin
Password:
% Error in authentication.
thanks
08-23-2024 05:25 AM
Try using
Privilege level 15
Under console and check
MHM
08-23-2024 05:52 AM
Hello waschminator,
Please execute the following commands:
username <username> privilege 15 password 7 <password>
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
Best regards
******* If This Helps, Please Rate *******
08-26-2024 12:48 AM
Thanks for the reply, but we need TACACS as the default authentication algorithm.
08-26-2024 01:31 AM
OK..then create a new list method and apply it to the console..
Please perform the following commands:
username <username> privilege 15 password 7 <password>
aaa new-model
aaa authentication login console_access_local local
Line console 0
login authentication console_access_local
Best regards
******* If This Helps, Please Rate *******
08-26-2024 02:02 AM
I have done that but it does not work on Catalyst 9500...obviously this platform works slightly differently
08-26-2024 02:30 AM - edited 08-26-2024 02:31 AM
Hello waschminator,
aaa authentication login console_access_local local
Line console 0
login authentication console_access_local
Also, please find the documentation link of cat 9500 series switches...
Best regards
******* If This Helps, Please Rate *******
08-23-2024 06:09 AM
Hello @waschminator ,
You should use a dedicated aaa login list of methods for the console and then apply it under the console
aaa authentication login CONSOLE local
line con 0
login authentication CONSOLE
Hope to help
Giuseppe
08-23-2024 02:34 PM
My colleagues have made some good suggestions. I would like to back up a bit and try to understand the environment. Can you post the current running config (with any sensitive information - public IPs, passwords, etc. - disguised)? Or if you do not want to share the whole config, would you post all parts of the config that relate to the console, to any user IDs, and to any authentication/authorization configuration?
08-26-2024 02:07 AM
as also mentioned above...this method does not work on my cat9500...on cat 6880 it is fine
08-26-2024 03:09 AM
Hello @waschminator ,
what is your aaa authorization configuration ?
As already suggested by @Richard Burts can you post the output of
show run | inc aaa
You cannot rely on a default authentication method that has tacacs+ as first method because in that case tacacs+ would be checked first and this would prevent you from using a locally defined username/password pair.
Then the aaa authorization configuration is also important
Hope to help
Giuseppe
08-26-2024 04:19 AM
Friend, did you add
Privilege level 15
Under console as I suggested?
MHM
08-26-2024 03:07 AM - edited 08-26-2024 03:29 AM
Hello
@waschminator wrote:
as also mentioned above...this method does not work on my cat9500...on cat 6880 it is fine
Please share the AAA cfg for that switch, suggestions are being provided but you are not sharing the results apart from "it does not work".
sh run | in aaa
sh run | sec line
Also, regarding @Giuseppe Larosa's suggestion, is the authorization command applicable?
Edited-
line con 0
authorization exec CONSOLE
privilege level 15
login authentication CONSOLE
08-26-2024 04:47 AM
aaa authentication attempts login 2
aaa authentication login default group loginserver local-case
aaa authentication login CONSOLE line
aaa authentication enable default group loginserver enable
aaa authorization exec default group loginserver local if-authenticated
aaa accounting exec default start-stop group loginserver
aaa accounting connection default start-stop group loginserver
line con 0
password XXXXXXX
login authentication CONSOLE
08-26-2024 04:52 AM
aaa authentication login CONSOLE line <<- this is why authz failed: you use the line password for authc but you don't configure the level under the console, so authz failed
Do what I suggested before and check
MHM
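An added example, not posted by any participant in this thread: a small Python check that reads the AAA and console lines shared above and reports the conditions the replies point at (which method the console login list uses, whether `enable` goes to the server group first, and whether `privilege level 15` is set under `line con 0`). The function names `parse` and `audit` are hypothetical, and the sample is constructed from the configuration posted above.

```python
import re

# Constructed sample: the AAA and console lines posted in the thread above.
SAMPLE = """\
aaa authentication login default group loginserver local-case
aaa authentication login CONSOLE line
aaa authentication enable default group loginserver enable
aaa authorization exec default group loginserver local if-authenticated
line con 0
password XXXXXXX
login authentication CONSOLE
"""

AAA = re.compile(r"aaa authentication (login|enable) (\S+) (.+)")

def parse(config):
    """Return ({(kind, list_name): [methods]}, [commands under line con 0])."""
    lists, console, in_con = {}, [], False
    for line in (raw.strip() for raw in config.splitlines()):
        m = AAA.match(line)
        if m:
            lists[(m[1], m[2])] = m[3].split()
        # Pasted snippets are often unindented, so the console section is
        # taken to end at the next 'line', 'aaa' or '!' line.
        if re.match(r"line\s", line, re.I) or line.startswith(("aaa ", "!")):
            in_con = bool(re.match(r"line con(sole)? 0$", line, re.I))
        elif in_con and line:
            console.append(line)
    return lists, console

def audit(config):
    """List the console/enable conditions raised in the thread."""
    lists, console = parse(config)
    findings = []
    # Method list names are case-sensitive; the keywords are not.
    name = next((c.split()[-1] for c in console
                 if c.lower().startswith("login authentication ")), "default")
    methods = lists.get(("login", name), [])
    if methods[:1] == ["group"]:
        findings.append(f"console login asks server group '{methods[1]}' first")
    elif methods[:1] == ["line"]:
        findings.append(f"console login list '{name}' uses the line password (no username)")
    enable = lists.get(("enable", "default"), [])
    if enable[:1] == ["group"]:
        findings.append(f"enable asks server group '{enable[1]}' first")
    if not any(c.lower().startswith("privilege level 15") for c in console):
        findings.append("no 'privilege level 15' under line con 0")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against output of `show run | inc aaa` and `show run | sec line` pasted into one string, it lists the same three items for the configuration posted above and nothing for a console that uses a local login list, a local enable list and `privilege level 15`.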