Question regarding logging onto Catalyst

J W
Level 1

Hello. I have a Catalyst 3750, that I am configuring. I've enabled AAA new-model and configured an aaa authentication group for logging on to the Console and SSH.

 

When I log on to either (SSH or the console), I've noticed that although the switch prompts for a username, simply typing in the enable password will grant me access to the switch. If I type in some random characters for the username and then type in the enable password, it will let me in.

(Typing in the username and password of a user that is configured on the switch will get me in as well)

Is there a way to correct this so a proper username and password is needed to log in, and not just the enable password?

4 Replies

habedin
Level 1

Can you provide me the output of

 

#show running-config

Sure. Here you go!

 


!
! Last configuration change at 22:15:35 EST Fri Apr 15 2011 by l;klj
! NVRAM config last updated at 23:52:25 EST Fri Apr 15 2011 by netadmin
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CORE
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 alksdj;ajkdj
!
username netadmin privilege 15 secret 5 alksdj;ajdj
aaa new-model
!
!
aaa authentication login default local enable
!
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
switch 1 provision ws-c3750x-24
switch 2 provision ws-c3750x-24
system mtu routing 1500
no ip icmp rate-limit unreachable DF
!
!
!
ip domain-name Domain.local
ip device tracking
login block-for 60 attempts 5 within 30
login on-failure log
!
!
crypto pki trustpoint TP-self-signed-3938373120
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3938373120
 revocation-check none
 rsakeypair TP-self-signed-3938373120
!
!
crypto pki certificate chain TP-self-signed-3938373120
 certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
no spanning-tree vlan 1-1005
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh time-out 90
ip ssh authentication-retries 5
ip ssh version 2
!

!
!
!
!
!

<interfaces removed for brevity>


interface Vlan1
 no ip address
!
interface VlanX
 description Management Interface
 ip address 192.168.x.10 255.255.255.0
!
ip default-gateway 192.168.x.1
ip forward-protocol nd
!
ip http server
ip http secure-server
!
!
!
!
!
!
!
!
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
end

Anyone? Is this something that can be closed up? Right now, I can randomly choose a username, and as long as I know the enable password, I am able to log in.

For others having this issue: it was caused by this statement:


aaa authentication login default local enable

 

I had to remove the "enable" at the end so it read:


aaa authentication login default local
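Why removing "enable" closes the hole: IOS walks a login method list and moves on to the next method only when the current one returns an error, not when it fails. The local method returns an error for a username that does not exist in the local database, so with "local enable" an unknown username falls through to the enable method, which ignores the username and checks only the enable secret. A username that does exist but has the wrong password is a failure, and the list stops there. The Python model below is an added example written for this page, not Cisco code; the user database, the secrets, the username "l;klj" from the posted config and the function names are all constructed for the demonstration.

```python
"""Model of Cisco IOS AAA login method-list fall-through (constructed example).

Rules modelled: PASS and FAIL end the walk; only ERROR moves to the next
method. 'local' returns ERROR for an unknown username and FAIL for a bad
password; 'enable' ignores the username and checks the enable secret.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method accepted the credentials
    FAIL = "fail"    # method rejected them: stop, do not try the next method
    ERROR = "error"  # method could not decide: try the next method


# Constructed stand-ins for the switch's local user database and enable secret.
LOCAL_USERS = {"netadmin": "N3tAdm1n!"}
ENABLE_SECRET = "En4bl3!"


def method_local(username, password):
    # Unknown user: 'local' reports ERROR, so the next method is consulted.
    if username not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[username] == password else Result.FAIL


def method_enable(username, password):
    # 'enable' never looks at the username; any name plus the secret passes.
    return Result.PASS if password == ENABLE_SECRET else Result.FAIL


METHODS = {"local": method_local, "enable": method_enable}


def authenticate(method_list, username, password):
    """Walk the method list: stop on PASS or FAIL, continue only on ERROR.
    If every method errors out, the login is rejected."""
    for name in method_list:
        result = METHODS[name](username, password)
        if result is not Result.ERROR:
            return result is Result.PASS
    return False


WEAK_LIST = ["local", "enable"]   # the thread's original line
FIXED_LIST = ["local"]            # the line after removing 'enable'


def demo():
    """Return {case: login accepted?} for the situations discussed in the thread."""
    return {
        "weak, bogus user + enable secret": authenticate(WEAK_LIST, "l;klj", ENABLE_SECRET),
        "weak, real user + real password": authenticate(WEAK_LIST, "netadmin", "N3tAdm1n!"),
        "weak, real user + enable secret": authenticate(WEAK_LIST, "netadmin", ENABLE_SECRET),
        "fixed, bogus user + enable secret": authenticate(FIXED_LIST, "l;klj", ENABLE_SECRET),
        "fixed, real user + real password": authenticate(FIXED_LIST, "netadmin", "N3tAdm1n!"),
        "fixed, real user + wrong password": authenticate(FIXED_LIST, "netadmin", "guess"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'login accepted' if ok else 'login rejected'}")
```

The model also shows why the bypass only worked with a made-up username: for "netadmin" plus the enable secret, local fails rather than errors, so the enable method is never reached. Two things to keep in mind after the fix: with aaa new-model, the console (line con 0) uses the same default list, so a working local user such as netadmin must exist before the change is saved, and the enable secret still guards the enable prompt separately from the login.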
