Stack of 2960s - access through console only through master

Hello all,

 

we have a number of 2960S switches, connected in pairs, forming different stacks. We have enabled AAA. When using the console, we want to login using the local database. What we noticed is that when we connect through the console of the master switch we are able to login to the switch. When we try to connect through the console of the standby switch, authorization fails.

 

Below is the configuration:

aaa authentication login AUTHISE group TACACS-ISE local
aaa authentication login CON local
aaa authorization console
aaa authorization config-commands
aaa authorization exec AUTHISE group TACACS-ISE if-authenticated
aaa authorization exec CON none
aaa authorization commands 1 AUTHISE group TACACS-ISE local if-authenticated
aaa authorization commands 5 AUTHISE group TACACS-ISE local if-authenticated
aaa authorization commands 15 AUTHISE group TACACS-ISE local if-authenticated
aaa accounting exec AUTHISE start-stop group TACACS-ISE
aaa accounting commands 5 AUTHISE start-stop group TACACS-ISE
aaa accounting commands 15 AUTHISE start-stop group TACACS-ISE

 

line con 0
 authorization exec CON
 logging synchronous
 login authentication CON

 

The workaround we have found is using the AAA server as the first option and if that fails, to revert to the local database.

aaa authentication login CON group TACACS-ISE local

 

In this case we connect to the standby console port, via authentication through the ISE server. If the ISE server is unavailable, we authenticate via the local database.

 

So, what is the issue that prevents us from connecting through the standby console when only using the local database?

 

 

Could anyone please help solve this issue?

 

Thanks in advance,

Katerina

7 Replies

marce1000
VIP

 

- Did you try "standby console enable" on the master, albeit from command or in IOS configuration?

M.



-- 'Good body every evening': this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!

Hello Marce,

 

I found the command on another post, but it does not seem to be supported.

I am running IOS Version 12.2(55r)SE.

 

Thanks!

Richard Burts
Hall of Fame

Katerina

 

In your original post you indicate that the problem is that authorization fails. But apparently your work around is a change in authentication. Can you clarify whether the issue was really with authorization or with authentication?

 

When there are problems with authorization with a fall back method I have found it helpful to include the if-authorized parameter in the aaa authorization command.

 

HTH

 

Rick

As I recall the message stated "authorization failed". I will test with the lab and update the post. What exactly is the config you recommend? The problem is only with the console port of the second member. Authentication and authorization of the master function properly, without changes to the initial config.

Hi!

I checked the behavior again. When I connect to the console of the second switch and use local database credentials to login, the message I get is "Authorization Failed". When I try to authenticate using the ISE credentials (AAA authentication), I get the message "Authentication Failed".

 

Thanks!

Katerina

 

It is interesting that the error does indicate the problem is with authorization. It occurs to me that there is a different approach to this issue that might be better. By default Cisco does not do authorization on the console. You must explicitly enable authorization on the console. The config info that you posted does show that you explicitly enable authorization on the console, and then are attempting to say that authorization for the console is none. My suggestion is to simply remove the command that enables authorization on the console. 

 

HTH

 

Rick
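As an added example (not code from this thread), a small Python audit that parses the console-related AAA lines posted above and flags the contradiction Rick describes: "aaa authorization console" forcing authorization on the console while the console's exec authorization list is "none". It also checks that the console login list exists and keeps a local fallback; the sample configuration is constructed from the thread's own lines.

```python
import re

# Constructed sample: the console-related AAA lines from the configuration posted above.
POSTED_CONFIG = """\
aaa authentication login AUTHISE group TACACS-ISE local
aaa authentication login CON local
aaa authorization console
aaa authorization exec AUTHISE group TACACS-ISE if-authenticated
aaa authorization exec CON none
line con 0
 authorization exec CON
 logging synchronous
 login authentication CON
"""

def parse_aaa(config):
    """Collect login lists, exec authorization lists, the console flag and 'line con 0' settings."""
    auth, authz, con, console_authz, in_con = {}, {}, {}, False, False
    for line in config.splitlines():
        if in_con and not line.startswith(" "):
            in_con = False  # left the 'line con 0' block
        if line.strip() == "aaa authorization console":
            console_authz = True
        elif m := re.match(r"aaa authentication login (\S+) (.+)", line):
            auth[m[1]] = m[2].split()
        elif m := re.match(r"aaa authorization exec (\S+) (.+)", line):
            authz[m[1]] = m[2].split()
        elif line.startswith("line con "):
            in_con = True
        elif in_con:
            if m := re.match(r"\s+login authentication (\S+)", line):
                con["login"] = m[1]
            elif m := re.match(r"\s+authorization exec (\S+)", line):
                con["exec"] = m[1]
    return auth, authz, console_authz, con

def audit_console(config):
    """Return findings about how AAA is applied to the console line."""
    auth, authz, console_authz, con = parse_aaa(config)
    login, ex = con.get("login", "default"), con.get("exec", "default")
    findings = []
    if login not in auth:
        findings.append(f"console login list '{login}' is not defined")
    elif "local" not in auth[login]:
        findings.append(f"console login list '{login}' has no local fallback")
    if ex not in authz:
        findings.append(f"console exec authorization list '{ex}' is not defined")
    elif console_authz and authz[ex] == ["none"]:
        findings.append(f"'aaa authorization console' is set but console exec list '{ex}' is 'none' (contradictory)")
    return findings
```

Running audit_console(POSTED_CONFIG) reports the single contradiction; with the "aaa authorization console" line removed, as Rick suggests, the audit is clean.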

No change...

The interesting thing is that the problem occurs only when the console is connected to the second member of the stack. The master functions as expected. That is why I am starting to believe that there is something wrong with the way the stack is implemented by Cisco...
