
Local authentication failure

Hi,

We use ACS for authenticating equipment, but lately, when we lose connectivity with the server, the equipment does not allow us to enter "enable" mode (even at the console), only the first level, so could somebody shed some light on where I am missing something?

Here is the AAA config template:

enable secret 5 XXXXXX
!
username XXXX privilege 15 secret 5 XXXXXX

aaa group server tacacs+ AuthenticationTacacs
server xxx.xxx.xxx
server xxx.xxx.xxx
server xxx.xxx.xxx
!
aaa group server tacacs+ AccountingTacacs
server xxx.xxx.xxx
server xxx.xxx.xxx
!
aaa authentication password-prompt "Password local: "
aaa authentication username-prompt "Username local: "
aaa authentication login default group AuthenticationTacacs local
aaa authentication login username_tacacs group tacacs+ local
aaa authentication enable default group AuthenticationTacacs enable
aaa authorization config-commands
aaa authorization exec default group AuthenticationTacacs local
aaa authorization commands 15 default group AuthenticationTacacs local
aaa accounting commands 15 default stop-only group AccountingTacacs
aaa accounting system default stop-only group AccountingTacacs
!
!
!
aaa session-id common

ip tacacs source-interface Vlan2

tacacs-server host xxx.xxx.xxx
tacacs-server host xxx.xxx.xxx
tacacs-server host xxx.xxx.xxx
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key 7 XXXXXXXX

line con 0
exec-timeout 20 0
logging synchronous
full-help
escape-character 27
line vty 0 4
exec-timeout 20 0
password 7 00071A150754
logging synchronous
length 0
full-help
escape-character 27
line vty 5 15
exec-timeout 20 0
password 7 1511021F0725
logging synchronous
full-help
escape-character 27

Thanks,

Luiz

4 Replies

Rodrigo Gurriti
Level 3

Luiz,

Inside your "line console 0" type aaa authentication "GROUP" or "default".

The same way in your telnet or ssh vty.

Don't forget that if you put a space at the end of your password, it needs to be typed that way, e.g. "passWord ".

BTW, you have a redundant line for login; I'd do it the following way:

aaa authentication password-prompt "Password local: "
aaa authentication username-prompt "Username local: "

aaa authentication login default group AuthenticationTacacs local
aaa authentication enable default group AuthenticationTacacs enable
aaa authorization config-commands
aaa authorization exec default group AuthenticationTacacs local
aaa authorization commands 15 default group AuthenticationTacacs local
aaa accounting commands 15 default stop-only group AccountingTacacs
aaa accounting system default stop-only group AccountingTacacs

Here is another way: it authenticates only on the console, which isn't the default way to authenticate, so you need to apply it somewhere:

aaa authentication login CONSOLE local
!
line console 0
 login authentication CONSOLE

Ganesh Hariharan
VIP Alumni

Hi Luiz,

Configuration for authentication needs to be done under line con as suggested; check out the link below for AAA server configuration.

http://www9.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093c81.shtml

Hope to help !!

Ganesh.H


The suggestions about configuring authentication on the console might make more sense if the problem were not getting into user mode. But if I understand the original post from Luiz he says that they can get into user mode but can not get into enable mode. If my understanding is not correct then I hope that Luiz will correct me.

I wonder if the problem might be that you are not using the right enable secret when you attempt to get into enable mode. I would suggest that you configure the router with a new, and very simple enable secret. Then the next time that you can not communicate with the server try using the simple enable secret and see if that works.

HTH

Rick

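As an added illustration (not code from the thread, from Cisco, or from any of the posters), here is a small Python model of how IOS walks the login and enable method lists from Luiz's template. It assumes the documented IOS rule that a method which cannot be reached returns an error and the next method is tried, while a method that answers with a failure ends the list; all user names and passwords are constructed.

```python
# Added example, not from the thread: a model of how Cisco IOS walks an AAA method
# list. Modelled IOS rule: an unreachable method returns ERROR and the next method
# is tried; FAIL ends the list with a denial; PASS ends it with success.
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Method lists taken from the template in the original post.
LOGIN_DEFAULT = ["group AuthenticationTacacs", "local"]
ENABLE_DEFAULT = ["group AuthenticationTacacs", "enable"]


@dataclass
class Device:
    tacacs_reachable: bool = True
    # Constructed TACACS+ view: login passwords and per-user enable passwords.
    tacacs_login: dict = field(default_factory=lambda: {"luiz": "srvLoginPw"})
    tacacs_enable: dict = field(default_factory=lambda: {"luiz": "srvEnablePw"})
    # Constructed "username ... privilege 15 secret ..." entry and "enable secret".
    local_users: dict = field(default_factory=lambda: {"admin": "l0calPw"})
    enable_secret: str = "cisco"

    def run_method(self, method, service, user, password):
        """Outcome of one method for service 'login' or 'enable'."""
        if method.startswith("group "):
            if not self.tacacs_reachable:
                return ERROR            # every server in the group timed out
            store = self.tacacs_login if service == "login" else self.tacacs_enable
            return PASS if store.get(user) == password else FAIL
        if method == "local":           # username/secret entries on the device
            return PASS if self.local_users.get(user) == password else FAIL
        if method == "enable":          # the device's own enable secret
            return PASS if password == self.enable_secret else FAIL
        raise ValueError(f"unknown method {method!r}")

    def authenticate(self, method_list, service, user, password):
        """Return (decision, deciding method); the next method runs only on ERROR."""
        for method in method_list:
            result = self.run_method(method, service, user, password)
            if result != ERROR:
                return result, method
        return FAIL, None               # no method could decide


def outage_walkthrough():
    """The thread's situation: TACACS+ servers unreachable, operator at the console."""
    dev = Device(tacacs_reachable=False)
    return {
        "login with TACACS user": dev.authenticate(LOGIN_DEFAULT, "login", "luiz", "srvLoginPw"),
        "login with local user": dev.authenticate(LOGIN_DEFAULT, "login", "admin", "l0calPw"),
        "enable with server password": dev.authenticate(ENABLE_DEFAULT, "enable", "luiz", "srvEnablePw"),
        "enable with enable secret": dev.authenticate(ENABLE_DEFAULT, "enable", "luiz", "cisco"),
    }
```

During an outage only the device-local credentials decide, which is why the server-side enable password Rick suspects the operators are typing is refused; with the servers reachable, a wrong password is a failure from the group and `local` is never consulted.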

Hi, first of all thanks for the answers. We have two situations:

When we lose connectivity to the AAA servers, at the console we can't get access: it shows the user and password screen but doesn't authenticate; and when we telnet to the equipment we reach the user level, but not the enable level.

We tried enable secret as "cisco" and enable password as the same, but it still doesn't work.

Tried to use "username user privilege 15 secret {XXXXXXX}" and it goes only to the user level.

As far as I understood, this is a matter of better configuring the console and line vty ports, but my problem now is regarding IOS versions, because some equipment doesn't support the exact commands I need.
