cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1951
Views
1
Helpful
36
Replies

No Access on Console to 9500

waschminator
Level 1
Level 1

Hello, i want to login into a cat9500 on the console. 

does not matter what i do i am not able to get into pivileged mode. whatever config i put then (local authen tication etc.). the switch always tries to authorize via TACACS-server and this fails. 

disabling tacacs on the console is the same. i can then use the line password or a local user...but when i try to authorize it it fails.

i understand that maybe on the console you shpuld not have access in the situation when erveything is up...but on cat 6880x the same config works.

any idea on that?

router>en
Username:admin
Password:
% Error in authentication.

 

 

thanks

36 Replies 36

you are perfectyl right...

aaa authentication attempts login 2
aaa authentication login default group loginserver local-case
aaa authentication login CONSOLE line
aaa authentication enable default group loginserver enable
aaa authorization exec default group loginserver local if-authenticated
aaa accounting exec default start-stop group loginserver
aaa accounting connection default start-stop group loginserver

line con 0
privilege level 15
password XXXXXXX
login authentication CONSOLE

-->works

-->this does not work (when trying to access the device with the normal tacacs user on the console)

aaa authentication attempts login 2
aaa authentication login default group loginserver local-case
aaa authentication login CONSOLE line
aaa authentication enable default group loginserver enable
aaa authorization exec default group loginserver local if-authenticated
aaa accounting exec default start-stop group loginserver
aaa accounting connection default start-stop group loginserver

 

whereas on cat 6880 this config works (also doesn not work on cat9500...this is confusing me).

aaa authentication attempts login 2
aaa authentication login default group loginserver local-case
aaa authentication login CONSOLE line
aaa authentication enable default group loginserver enable
aaa authorization exec default group loginserver local if-authenticated
aaa accounting exec default start-stop group loginserver
aaa accounting connection default start-stop group loginserver
!

line con 0
password XXXXXXX



 

 

login authentication CONSOLE <<- in 6800 you use default method for authc but in new c9500 you specify method CONSOLE that why SW not check tacacs for authc

MHM

even if i remove the CONSOLE method on the cat 9500...it doesn not work. this is were i am coming from....before we had cat 6500...it was lifecycled. config remained. but console did not work anymore

 

so this config works on cat 6880 but not on cat 9500

R1#show startup-config | include aaa
aaa authentication attempts login 2
aaa authentication login default group loginserver local-case
aaa authentication login CONSOLE line
aaa authentication enable default group loginserver enable
aaa authorization exec default group loginserver local if-authenticated
aaa accounting exec default start-stop group loginserver
aaa accounting connection default start-stop group loginserver

R1#show startup-config | section line

line con 0
stopbits 1

Same this config dont change anything except add below 

aaa authorization console <<- this in global mode not under line console 

Then try access use tacacs user.

MHM

Please take you time 

Share config you want to apply to console before ypu apply it let me check it

Dont WR until you so sure the config work and you can access to SW

MHM

waschminator
Level 1
Level 1

aaa authentication attempts login 2
aaa authentication login default group loginserver local-case
aaa authentication enable default group loginserver enable
aaa authorization console
aaa authorization exec default group loginserver local if-authenticated
aaa accounting exec default start-stop group loginserver
aaa accounting connection default start-stop group loginserver

line con 0
privilege level 15
stopbits 1

-->does not work

 

try below and dont wr before check config 

aaa authentication attempts login 2
aaa authentication login default group loginserver local-case
aaa authentication enable default group loginserver enable
aaa authorization console
aaa authorization exec default group loginserver local if-authenticated
aaa accounting exec default start-stop group loginserver
aaa accounting connection default start-stop group loginserver

line con 0

login authentication default 
authorization exec default 
privilege level 15
stopbits 1

it seems the config under line con 0 is default

 

line con 0
motd-banner
exec-banner
exec-timeout 10 0
timeout login response 30
privilege level 1
no media-type rj45 switch 1
no media-type rj45 switch 2
no media-type rj45 switch 3
no media-type rj45 switch 4
no media-type rj45 switch 5
no media-type rj45 switch 6
authorization exec default
accounting exec default
login authentication default
data-character-bits 8

instead the show run:

show running-config | section line


line con 0
stopbits 1

Yes friend it defualt but you change it in one step during troubleshooting' 

So it not appear in show run but appear in show run all 

So now with this config I think you can access using tacacs user 

MHM

ups sorry. i did not mention it specifically....but if the config is in the defualt it is there all the time.

anyway..it does not work with the setup above

 

Hello @waschminator 
So based on that AAA configuration, its being applied to all your VTY/Console lines, so you need to bypass this with a new aaa policy specifically to the line console 0 to bypass group authentication and allow for local database authentication ONLY

example:
aaa authentication login CONSOLE local-case
aaa authorization exec CONSOLE local if-authenticated

line console 0
authorization exec CONSOLE
login authentication CONSOLE


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

yes this also works...but not with a tacacs-user. only line password (or probably local user...i did not test that)

 

Hello @waschminator ,

I don't see the need to use a TACACS+ user on the console line.  The usual logic is that you go to the console when really needed that is the device is isolated or there are network issues. For this reason the suggestion to use  a different method for authentication and authorization ( thanks to @paul driver ).

Hope to help

Giuseppe

 

 

Hello


@waschminator wrote:
yes this also works...but not with a tacacs-user. only line password (or probably local user...i did not test that)

It will NOT work for a tacacs user , as it bypassing taccas and using local D/B user access that is what you requested correct?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

no...what i wanted to do are 2 things:

  1. login into the console under normal circumstances with TACACS-User and password
  2. in case of issues just use the console password

otherwise we have a full user-based authentication environment but in theory you could access the device just with a password (security gap). 

i concentrated now on the console password first because even this did not work with the classical config on cat68k. but 2nd goal is clearly to login with TACACS-user.

sorry for confusion, but honestly i though when i am able to login with line password, also tacacs-user will work. 

 

 

Review Cisco Networking for a $25 gift card