Enable password stopped authenticating

Answered Question
Sep 17th, 2010
User Badges:

A switch that I've been accessing just fine for the last 9 months stopped authenticating using the enable password. The switch displays the enable password prompt but doesn't accept the password I set originally.


Solution: Called primary network engineer of our network and started authenticating using AAA and TACACS+ within 3 minutes


Question1: What could have prevented the enable password from working besides changing the enable password or AAA default on the switch itself?


Question2: The main network engineer and I didn't have physical access to the switch 300 miles away. Why would he be able to access the same switch through telnet but not myself?


Regards,


Doug

Correct Answer by Nathaniel Austin about 6 years 8 months ago

Hi Douglas,


Theres only a few things that I can see causing this to not work (this is assuming it is supposed to be pointed at a Tacacs+ server).


1) "aaa authentication enable" command on IOS device was not pointed at the Tacacs+ server - if someone deleted it or changed it it could have pointed to a local password on the switch.


2) On ACS your user account can be set to have a different enable password than normal login password - so if that option became enabled then it could have been looking for a password that you weren't expecting. Were there any failures on the ACS logs around those times?


As far as why he could get access, if he has "aaa authorization exec" configured on the switch then the ACS can be set to dynamically assign privilege levels, so after he logs in he gets put directy into enable mode without having to enter "enable" and another password.


Thanks,


Nate

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Nathaniel Austin Mon, 09/20/2010 - 07:00
User Badges:
  • Cisco Employee,

Hi Douglas,


Theres only a few things that I can see causing this to not work (this is assuming it is supposed to be pointed at a Tacacs+ server).


1) "aaa authentication enable" command on IOS device was not pointed at the Tacacs+ server - if someone deleted it or changed it it could have pointed to a local password on the switch.


2) On ACS your user account can be set to have a different enable password than normal login password - so if that option became enabled then it could have been looking for a password that you weren't expecting. Were there any failures on the ACS logs around those times?


As far as why he could get access, if he has "aaa authorization exec" configured on the switch then the ACS can be set to dynamically assign privilege levels, so after he logs in he gets put directy into enable mode without having to enter "enable" and another password.


Thanks,


Nate

Actions

This Discussion

Related Content