Concentrator administration access locked out?

Answered Question
Jul 13th, 2007
User Badges:

This is really weird, same username and same password when connecting to the concentrator via console cable, yet... When connecting to it via http/https and using the SAME username and password, its coming up saying that its a badlogin. =**[ Very confusing... Any help is much appreciated!

Correct Answer by ggilbert about 9 years 11 months ago

Shuan,

Couple of things to check - since you have console access.


Make sure you have http/https access is enabled.


It should be under the management protocols section.


Also make sure that on the interface level, the HTTP/HTTPS access is enabled on the interface you are trying to access.


Third, see if the rules are applied to the filter which is configured on the interface.


Fourth, if you are doing AAA authentication for admin access, see if you can disable that and test it out.


Thanks

Gilbert

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Loading.
shaun-murray Fri, 07/13/2007 - 10:56
User Badges:

Telnet is disabled... But SSH isn't. However, the normal username and password still are not working this way as well....

Richard Burts Sat, 07/14/2007 - 16:05
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Shaun


I wonder if the problem is the source address rather than being a problem with the user ID or with the password? I know that the concentrator can be configured with certain address ranges from which it will accept administrative login. I wonder if the address you are coming from is not in the allowed range?


HTH


Rick

shaun-murray Mon, 07/16/2007 - 06:48
User Badges:

I'll take a look see at that. Sounds like a good idea... From the console connection, where can I look at that? I'm very familiar with the http configuration, but the console configuration... *shrug* I've zapped a 3002 before, and it was a loooong drive. I'd rather not zap the 3000... LoL!


Like I mentioned, its working... Just unmanageable. =**[ Thanks for the input! I'll defiantly look into that.

Richard Burts Mon, 07/16/2007 - 08:59
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Shaun


I agree that the console based interface is kind of awkward. But thank goodness it exists as an alternative.


Here is how to get to the access restriction for administrators. I include a step here to find what group the administrative login belongs to. If you know that then you can skip that step.

Console interface:

login

choose (2) Administration

choose (7) Access Rights

choose (1) Administrators [to verify group for the ID - optional if you need it]

look at the list, find the ID you are using, verify what group it belongs to

choose (2) back [to return to Access Rights]

choose (2) Access Control List

this will display the current restrictions showing address, mask, and group.

there are options to add, modify, or delete. choose the option that you need. make any change that you need.

then back your way out through the menu system


HTH


Rick

shaun-murray Tue, 07/17/2007 - 07:24
User Badges:

Well... There is no addresses/accounts that have been explicitly (sp?) denied. But I went ahead and added my computers IP information to the admin group, but... When I tried to login via http, I still get this error....


44159 07/17/2007 10:22:04.540 SEV=3 HTTP/7 RPT=19 10.90.1.6

HTTP 401 Unauthorized: Authorization Failed





Which still baffles me. My IP is set as an administration source, using the SAME username and password when trying to login to HTTP, and console. Works for console, but same u/p for HTTP is giving me a 401 error. BLAH! LoL! I'll play around with it... TIA!

Correct Answer
ggilbert Tue, 07/17/2007 - 07:39
User Badges:
  • Cisco Employee,

Shuan,

Couple of things to check - since you have console access.


Make sure you have http/https access is enabled.


It should be under the management protocols section.


Also make sure that on the interface level, the HTTP/HTTPS access is enabled on the interface you are trying to access.


Third, see if the rules are applied to the filter which is configured on the interface.


Fourth, if you are doing AAA authentication for admin access, see if you can disable that and test it out.


Thanks

Gilbert

shaun-murray Tue, 07/17/2007 - 10:07
User Badges:

AAA Authentication was the issue. A TACAS+ server and information was put in there (by...? LoL!) On the TACAS+ server... The concentrator wasn't configured yet. So ripping out that info, I was able to get in no worries.


Weird that the TACAS+ prevented me from using the HTTP/HTTPS configuration, but consoling into the 3000 worked like a champ. *shrug*


Thanks for everyone's help!!!! =D

Actions

This Discussion