09-08-2014 10:03 AM - edited 03-07-2019 08:40 PM
Hello. I have a Catalyst 3750 that I am configuring. I've enabled AAA new-model and configured an AAA authentication group for logging on to the console and SSH.
When I log on to either (SSH or the console), I've noticed that, though the switch prompts for a username, simply typing in the enable password will grant me access to the switch. If I type in some random characters for the username and then type in the enable password, it will allow me in.
(Typing in the username and password of a user that is configured on the switch will get me in as well)
Is there a way to correct this so a proper username and password is needed to log in, and not just the enable password?
09-08-2014 11:52 AM
Can you provide me the output of
#show running-config
09-08-2014 12:12 PM
Sure. Here you go!
!
! Last configuration change at 22:15:35 EST Fri Apr 15 2011 by l;klj
! NVRAM config last updated at 23:52:25 EST Fri Apr 15 2011 by netadmin
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CORE
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 alksdj;ajkdj
!
username netadmin privilege 15 secret 5 alksdj;ajdj
aaa new-model
!
!
aaa authentication login default local enable
!
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
switch 1 provision ws-c3750x-24
switch 2 provision ws-c3750x-24
system mtu routing 1500
no ip icmp rate-limit unreachable DF
!
!
!
ip domain-name Domain.local
ip device tracking
login block-for 60 attempts 5 within 30
login on-failure log
!
!
crypto pki trustpoint TP-self-signed-3938373120
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3938373120
revocation-check none
rsakeypair TP-self-signed-3938373120
!
!
crypto pki certificate chain TP-self-signed-3938373120
certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
no spanning-tree vlan 1-1005
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh time-out 90
ip ssh authentication-retries 5
ip ssh version 2
!
!
!
!
!
!
!
<interfaces removed for brevity>
interface Vlan1
no ip address
!
interface VlanX
description Management Interface
ip address 192.168.x.10 255.255.255.0
!
ip default-gateway 192.168.x.1
ip forward-protocol nd
!
ip http server
ip http secure-server
!
!
!
!
!
!
!
!
!
line con 0
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
end
09-10-2014 10:42 AM
Anyone? Is this something that can be closed up? Right now, I can randomly choose a username, and as long as I know the enable password, I am able to log in.
09-23-2014 07:03 AM
Others having this issue: It was caused by this statement:
aaa authentication login default local enable
I had to remove the "enable" at the end so it read:
aaa authentication login default local
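To see why dropping `enable` closes the hole, here is an added Python model of how IOS walks an AAA login method list; it is an illustration written for this page, not Cisco code or the poster's configuration. It assumes the documented rule that evaluation moves to the next method only when a method returns an error (not a failure), and that `local` returns an error for an unknown username but a failure for a wrong password. The usernames and secrets are constructed sample values standing in for the redacted ones above.

```python
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"    # credentials rejected: evaluation stops here
    ERROR = "error"  # method could not decide: fall through to next method


@dataclass(frozen=True)
class Switch:
    local_users: dict   # username -> secret (constructed sample data)
    enable_secret: str  # stands in for `enable secret 5 ...`


def method_local(sw, username, password):
    # Unknown user is an ERROR, so the list keeps going; a known user with a
    # wrong password is a FAIL, which ends evaluation.
    if username not in sw.local_users:
        return Result.ERROR
    return Result.PASS if sw.local_users[username] == password else Result.FAIL


def method_enable(sw, username, password):
    # The enable method ignores the username entirely.
    return Result.PASS if password == sw.enable_secret else Result.FAIL


METHODS = {"local": method_local, "enable": method_enable}


def login(method_list, sw, username, password):
    """Evaluate `aaa authentication login default <method_list>`.

    Returns (granted, deciding_method); "none" means every method errored,
    which IOS treats as a denial for login.
    """
    for name in method_list:
        result = METHODS[name](sw, username, password)
        if result is Result.PASS:
            return True, name
        if result is Result.FAIL:
            return False, name
    return False, "none"


if __name__ == "__main__":
    sw = Switch({"netadmin": "UserPw!"}, "EnablePw!")
    # The thread's symptom: random username plus the enable secret gets in.
    print(login(["local", "enable"], sw, "l;klj", "EnablePw!"))  # (True, 'enable')
    # After the fix: an unknown username is denied whatever the password.
    print(login(["local"], sw, "l;klj", "EnablePw!"))            # (False, 'none')
```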