
Question regarding logging onto Catalyst

J W
Level 1

Hello. I have a Catalyst 3750 that I am configuring. I've enabled AAA new-model and configured an AAA authentication group for logging on to the console and SSH.

 

When I log on to either (SSH or the console), I've noticed that though the switch prompts for a username, simply typing in the enable password will grant me access to the switch. If I type in some random characters for the username, then type in the enable password, it will allow me in.

(Typing in the username and password of a user that is configured on the switch will get me in as well)

Is there a way to correct this so a proper username and password are needed to log in, and not just the enable password?

4 Replies

habedin
Level 1

Can you provide me the output of

 

#show running-config

Sure. Here you go!

 


!
! Last configuration change at 22:15:35 EST Fri Apr 15 2011 by l;klj
! NVRAM config last updated at 23:52:25 EST Fri Apr 15 2011 by netadmin
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CORE
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 alksdj;ajkdj
!
username netadmin privilege 15 secret 5 alksdj;ajdj
aaa new-model
!
!
aaa authentication login default local enable
!
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
switch 1 provision ws-c3750x-24
switch 2 provision ws-c3750x-24
system mtu routing 1500
no ip icmp rate-limit unreachable DF
!
!
!
ip domain-name Domain.local
ip device tracking
login block-for 60 attempts 5 within 30
login on-failure log
!
!
crypto pki trustpoint TP-self-signed-3938373120
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3938373120
 revocation-check none
 rsakeypair TP-self-signed-3938373120
!
!
crypto pki certificate chain TP-self-signed-3938373120
 certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
no spanning-tree vlan 1-1005
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh time-out 90
ip ssh authentication-retries 5
ip ssh version 2
!

!
!
!
!
!

<interfaces removed for brevity>


interface Vlan1
 no ip address
!
interface VlanX
 description Management Interface
 ip address 192.168.x.10 255.255.255.0
!
ip default-gateway 192.168.x.1
ip forward-protocol nd
!
ip http server
ip http secure-server
!
!
!
!
!
!
!
!
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
end

Anyone? Is this something that can be closed up? Right now, I can randomly choose a username, and as long as I know the enable password, I am able to log in.

Others having this issue: It was caused by this statement:


aaa authentication login default local enable

 

I had to remove the "Enable" at the end so it read


aaa authentication login default local
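
The fallback reported in this thread can be checked for in a saved running-config. The following is an added example, not part of the original thread and not Cisco tooling: a Python check that maps each console/vty line to its login method list and reports any list containing a shared-password method such as "enable". The sample config is constructed from the one posted above; the "STRICT" list and its binding on vty 5-15 are hypothetical.

```python
import re

# Constructed sample, trimmed from the config in this thread; STRICT is hypothetical.
SAMPLE_CONFIG = """\
aaa authentication login default local enable
aaa authentication login STRICT local
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 login authentication STRICT
"""

# Methods that check a shared password (or nothing), so the username is ignored.
SHARED_METHODS = {"enable", "line", "none"}

def parse_login_lists(config):
    """Return {list_name: [methods]} for each 'aaa authentication login' line."""
    pattern = r"^aaa authentication login (\S+) (.+)$"
    return {m.group(1): m.group(2).split()
            for m in re.finditer(pattern, config, re.M)}

def parse_line_bindings(config):
    """Return {line: list_name}; a line with no 'login authentication' uses 'default'."""
    bindings, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            bindings[current] = "default"
        elif current and raw.startswith(" "):
            m = re.match(r"\s+login authentication (\S+)", raw)
            if m:
                bindings[current] = m.group(1)
        else:
            current = None  # '!' or a global command ends the line block
    return bindings

def audit(config):
    """Return sorted (line, list, method) tuples where a shared-password method is listed."""
    lists = parse_login_lists(config)
    return sorted((line, name, method)
                  for line, name in parse_line_bindings(config).items()
                  for method in lists.get(name, [])
                  if method in SHARED_METHODS)

if __name__ == "__main__":
    for line, name, method in audit(SAMPLE_CONFIG):
        print(f"{line}: login list '{name}' can fall through to '{method}'")
```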
