Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
788
Views
0
Helpful
2
Replies

Enable password stopped authenticating

Go to solution
douglas.mckee
Level 1
Level 1

‎09-17-2010 12:43 PM - edited ‎03-10-2019 05:25 PM

A switch that I've been accessing just fine for the last 9 months stopped authenticating using the enable password. The switch displays the enable password prompt but doesn't accept the password I set originally.

Solution: Called primary network engineer of our network and started authenticating using AAA and TACACS+ within 3 minutes

Question1: What could have prevented the enable password from working besides changing the enable password or AAA default on the switch itself?

Question2: The main network engineer and I didn't have physical access to the switch 300 miles away. Why would he be able to access the same switch through telnet but not myself?

Regards,

Doug

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Nate Austin
Cisco Employee
Cisco Employee

‎09-20-2010 07:00 AM

Hi Douglas,

Theres only a few things that I can see causing this to not work (this is assuming it is supposed to be pointed at a Tacacs+ server).

1) "aaa authentication enable" command on IOS device was not pointed at the Tacacs+ server - if someone deleted it or changed it it could have pointed to a local password on the switch.

2) On ACS your user account can be set to have a different enable password than normal login password - so if that option became enabled then it could have been looking for a password that you weren't expecting. Were there any failures on the ACS logs around those times?

As far as why he could get access, if he has "aaa authorization exec" configured on the switch then the ACS can be set to dynamically assign privilege levels, so after he logs in he gets put directy into enable mode without having to enter "enable" and another password.

Thanks,

Nate

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Nate Austin
Cisco Employee
Cisco Employee

‎09-20-2010 07:00 AM

Hi Douglas,

Theres only a few things that I can see causing this to not work (this is assuming it is supposed to be pointed at a Tacacs+ server).

1) "aaa authentication enable" command on IOS device was not pointed at the Tacacs+ server - if someone deleted it or changed it it could have pointed to a local password on the switch.

2) On ACS your user account can be set to have a different enable password than normal login password - so if that option became enabled then it could have been looking for a password that you weren't expecting. Were there any failures on the ACS logs around those times?

As far as why he could get access, if he has "aaa authorization exec" configured on the switch then the ACS can be set to dynamically assign privilege levels, so after he logs in he gets put directy into enable mode without having to enter "enable" and another password.

Thanks,

Nate

0 Helpful

Go to solution
douglas.mckee
Level 1
Level 1
In response to Nate Austin

‎09-20-2010 10:35 AM

Nate,

Thank you for a quick and accurate response.

Doug

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents