Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
485
Views
0
Helpful
5
Replies

9800 WLC VM Console stuck on Exec Mode

kdemir
Level 1
Level 1

‎04-24-2023 05:33 AM

Hello,

I use a 9800 WLC on Esxi Server.  WLC works fine i can do config via SSH.

I tried to do config from VM console. I loged in the wlc and run enable command on exec mode but "% Error in Authentication" error occurred.

Any idea for this issue?

0 Helpful
5 Replies 5

Flavio Miranda
VIP
VIP

‎04-24-2023 05:52 AM

Hello,

 Sounds like no privilege. If you access the WLC using SH with that same user, can you run commnad ?

0 Helpful

kdemir
Level 1
Level 1
In response to Flavio Miranda

‎04-24-2023 05:54 AM

Hi Flavio,

Thanks for answer. Yes i can run enable command and other config commands when i connect SSH with same user. 

 

0 Helpful

Flavio Miranda
VIP
VIP
In response to kdemir

‎04-24-2023 07:35 AM

 If you are not using tacacs, then run this command:

username <username> privilege 15 password 7 <password>

aaa new-model

aaa authentication login default local

aaa authentication enable default enable

0 Helpful

kdemir
Level 1
Level 1

‎04-24-2023 10:32 PM

Hi Flavio,

When i checked the running config there is a line

"username <username> privilege 15 password 0 <password>"

but when i tried to run "username <username> privilege 15 password 7 <password>" this command "Invalid encrypted password: " error occured.

0 Helpful

Rich R
VIP
VIP
In response to kdemir

‎05-17-2023 06:42 AM - edited ‎05-17-2023 06:44 AM

password 0 is followed by a plain text password.
password 7 is followed by a Cisco type 7 encrypted password (generated when you have "service password encryption" configured.
Type 7 is considered legacy and inherently insecure because they are very easily decrypted using numerous different apps and web sites.
For local users and enable you should be using a secret not a password and it should be type 8 or 9 (hash) as type 5 (md5) is also now considered insecure.
Take a look at: 
https://community.cisco.com/t5/networking-knowledge-base/understanding-the-differences-between-the-cisco-password-secret/ta-p/3163238 and
https://media.defense.gov/2022/Feb/17/2002940795/-1/-1/1/CSI_CISCO_PASSWORD_TYPES_BEST_PRACTICES_20220217.PDF

Regarding your original problem: that suggests you have made a mistake with your aaa configuration.  If you're using TACACS then read https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html

If you're only using local auth then the same principle applies but make sure your users have level 15 access as Flavio said.

For example:
aaa group server tacacs+ management
 server name tacacs1 <- servers defined elsewhere in your config
 server name tacacs2
 ip tacacs source-interface GigabitEthernet0 <- replace with correct management interface
aaa authentication login ise_authentication group management local
aaa authorization exec ise_authorization group management local
line con 0
 session-timeout 60
 exec-timeout 15 0
 authorization exec ise_authorization
 login authentication ise_authentication
 stopbits 1

In this example we use TACACS as primary authentication method with fallback to local.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card