04-24-2023 05:33 AM
Hello,
I use a 9800 WLC on an ESXi server. The WLC works fine; I can do config via SSH.
I tried to do config from the VM console. I logged in to the WLC and ran the enable command in exec mode, but a "% Error in Authentication" error occurred.
Any idea for this issue?
04-24-2023 05:52 AM
Hello,
Sounds like no privilege. If you access the WLC using SSH with that same user, can you run the command?
04-24-2023 05:54 AM
Hi Flavio,
Thanks for the answer. Yes, I can run the enable command and other config commands when I connect via SSH with the same user.
04-24-2023 07:35 AM
If you are not using TACACS, then run these commands:
username <username> privilege 15 password 7 <password>
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
04-24-2023 10:32 PM
Hi Flavio,
When I checked the running config there is a line
"username <username> privilege 15 password 0 <password>"
but when I tried to run "username <username> privilege 15 password 7 <password>", this "Invalid encrypted password: " error occurred.
05-17-2023 06:42 AM - edited 05-17-2023 06:44 AM
password 0 is followed by a plain text password.
password 7 is followed by a Cisco type 7 encrypted password (generated when you have "service password-encryption" configured).
Type 7 is considered legacy and inherently insecure because it is very easily decrypted using numerous different apps and web sites.
For local users and enable you should be using a secret, not a password, and it should be type 8 or 9 (hash), as type 5 (MD5) is also now considered insecure.
Take a look at:
https://community.cisco.com/t5/networking-knowledge-base/understanding-the-differences-between-the-cisco-password-secret/ta-p/3163238 and
https://media.defense.gov/2022/Feb/17/2002940795/-1/-1/1/CSI_CISCO_PASSWORD_TYPES_BEST_PRACTICES_20220217.PDF
Regarding your original problem: that suggests you have made a mistake with your aaa configuration. If you're using TACACS then read https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html
If you're only using local auth then the same principle applies but make sure your users have level 15 access as Flavio said.
For example:
aaa group server tacacs+ management
server name tacacs1 <- servers defined elsewhere in your config
server name tacacs2
ip tacacs source-interface GigabitEthernet0 <- replace with correct management interface
aaa authentication login ise_authentication group management local
aaa authorization exec ise_authorization group management local
line con 0
session-timeout 60
exec-timeout 15 0
authorization exec ise_authorization
login authentication ise_authentication
stopbits 1
In this example we use TACACS as the primary authentication method with fallback to local.
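The two recommendations in this thread (store local credentials as type 8/9 secrets rather than password 0/7 or secret 5, and make sure the console line points at AAA method lists that exist and fall back to local) can both be checked mechanically against a saved "show running-config". The script below is an added illustration, not code from the thread, from Cisco or from any of the posters. It assumes IOS-XE running-config text; the sample config is constructed with placeholder secrets, and the suggested `algorithm-type scrypt secret` fix-up form and the type 8/9 hash descriptions are my additions rather than something stated in the thread.

```python
"""Audit an IOS-XE running-config excerpt for weak local credential types and
check the console line's AAA wiring.  Added example; config and secrets below
are constructed placeholders."""
import re
from typing import Dict, List, Optional

# Constructed sample: a 'password 0' admin user (as in the original post), a
# type 5 enable secret, and the TACACS-with-local-fallback example from the
# last reply.  Deliberately no 'aaa authentication enable default' line.
SAMPLE_CONFIG = """\
aaa new-model
username admin privilege 15 password 0 PLACEHOLDER
username ops privilege 1 secret 9 $9$PLACEHOLDERHASH
enable secret 5 $1$PLACEHOLDERMD5
aaa group server tacacs+ management
 server name tacacs1
 server name tacacs2
 ip tacacs source-interface GigabitEthernet0
aaa authentication login ise_authentication group management local
aaa authorization exec ise_authorization group management local
line con 0
 session-timeout 60
 exec-timeout 15 0
 authorization exec ise_authorization
 login authentication ise_authentication
 stopbits 1
"""

# Storage types as numbered in IOS/IOS-XE: 0 and 7 are reversible, 5 is MD5.
# Only 8 (PBKDF2-SHA256) and 9 (scrypt) are acceptable for new configs.
WEAK_TYPES = {"0": "plaintext", "7": "reversible type 7", "5": "MD5 type 5"}

CRED_RE = re.compile(
    r"^(?:username\s+(?P<user>\S+)(?:\s+privilege\s+(?P<priv>\d+))?|enable)"
    r"\s+(?P<kind>password|secret)\s+(?P<type>\d)\s+\S+$"
)
LIST_RE = re.compile(
    r"^aaa\s+(?P<kind>authentication\s+(?:login|enable)|authorization\s+exec)"
    r"\s+(?P<name>\S+)\s+(?P<methods>.+)$"
)


def audit_credentials(config: str) -> List[Dict[str, str]]:
    """One finding per local credential whose storage type is weak."""
    findings = []
    for raw in config.splitlines():
        m = CRED_RE.match(raw.strip())
        if not m or m.group("type") not in WEAK_TYPES:
            continue
        subject = m.group("user") or "enable"
        # 'algorithm-type scrypt secret' takes the plaintext and stores a type 9
        # hash, so the operator never has to paste a pre-hashed string.
        if subject == "enable":
            fix = "enable algorithm-type scrypt secret <new-secret>"
        else:
            priv = m.group("priv") or "1"
            fix = f"username {subject} privilege {priv} algorithm-type scrypt secret <new-secret>"
        findings.append({
            "subject": subject,
            "stored_as": f"{m.group('kind')} {m.group('type')} ({WEAK_TYPES[m.group('type')]})",
            "fix": fix,
        })
    return findings


def parse_method_lists(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Map 'login', 'enable' and 'exec' list names to their method sequence."""
    lists: Dict[str, Dict[str, List[str]]] = {"login": {}, "enable": {}, "exec": {}}
    for raw in config.splitlines():
        m = LIST_RE.match(raw.strip())
        if m:
            kind = m.group("kind").split()[-1]  # login / enable / exec
            lists[kind][m.group("name")] = m.group("methods").split()
    return lists


def console_block(config: str) -> List[str]:
    """Sub-commands under 'line con 0' (indented lines up to the next top-level line)."""
    block: List[str] = []
    inside = False
    for raw in config.splitlines():
        if raw.startswith("line con 0"):
            inside = True
        elif inside:
            if raw[:1].isspace():
                block.append(raw.strip())
            else:
                break
    return block


def check_console_aaa(config: str) -> Dict[str, object]:
    """Report which method lists the console uses and what is missing for them."""
    lists = parse_method_lists(config)
    login_list = "default"            # applies when the line names no list
    exec_list: Optional[str] = None   # only checked when the line names one
    for entry in console_block(config):
        words = entry.split()
        if words[:2] == ["login", "authentication"] and len(words) > 2:
            login_list = words[2]
        elif words[:2] == ["authorization", "exec"] and len(words) > 2:
            exec_list = words[2]
    problems: List[str] = []
    if "aaa new-model" not in (l.strip() for l in config.splitlines()):
        problems.append("'aaa new-model' is not configured; method lists are not in effect")
    checks = [("login", login_list, lists["login"])]
    if exec_list is not None:
        checks.append(("exec", exec_list, lists["exec"]))
    for role, name, table in checks:
        methods = table.get(name)
        if methods is None:
            problems.append(f"console {role} list '{name}' is not defined")
        elif "local" not in methods:
            problems.append(f"console {role} list '{name}' has no 'local' fallback")
    if "default" not in lists["enable"]:
        problems.append("no 'aaa authentication enable default' list is configured")
    return {"login_list": login_list, "exec_list": exec_list, "problems": problems}


if __name__ == "__main__":
    for f in audit_credentials(SAMPLE_CONFIG):
        print(f"{f['subject']}: {f['stored_as']} -> {f['fix']}")
    print(check_console_aaa(SAMPLE_CONFIG))
```

Run against a real "show running-config" dump, the credential audit lists every `password 0`, `password 7` and `secret 5` line with a replacement command, and the console check names the login and exec lists in use, whether each is defined and ends in `local`, and whether an `aaa authentication enable default` list exists at all (the one Flavio's reply adds). It only reads the config; it never decodes anything.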