Enable error in SSH

Answered Question
Jan 5th, 2014

Hi All,


I have a Cisco 2970. I have set it up so that I can login to the switch with SSH and the connection is allowed. The error or issue I am having is that I cannot run enable. When I try to run Enable, I get the following result:



C2970>enable

% Error in authentication.



It also doesn't prompt me for the password, which is odd because I have it set for that user and for enable, or I think I did it correctly. Any ideas on what I might have missed?


Thank you!






Mitchell Tuckness Sun, 01/05/2014 - 12:15

Hi Richard, here would be best, so it is a separate question and not embedded in another question, so if someone else has it they might find it easier here.


Here is the AAA information on the 2970 Switch:


C2970#sh aaa servers

C2970#



C2970#sh aaa method-lists authentication

authen queue=AAA_ML_AUTHEN_LOGIN

authen queue=AAA_ML_AUTHEN_ENABLE

authen queue=AAA_ML_AUTHEN_PPP

authen queue=AAA_ML_AUTHEN_SGBP

authen queue=AAA_ML_AUTHEN_ARAP

authen queue=AAA_ML_AUTHEN_DOT1X

authen queue=AAA_ML_AUTHEN_8021X

authen queue=AAA_ML_AUTHEN_EAPOUDP

authen queue=AAA_ML_AUTHEN_DOT1X

permanent lists

  name=Permanent Enable None valid=1 id=0 state=ALIVE : ENABLE  NONE

  name=Permanent Enable valid=1 id=0 state=ALIVE : ENABLE

  name=Permanent None valid=1 id=0 state=ALIVE : NONE

  name=Permanent Local valid=1 id=0 state=ALIVE : LOCAL

  name=Permanent rcmd valid=1 id=0 state=ALIVE : RCMD






C2970#sh aaa user all
--------------------------------------------------
Unique id 2 is currently in use.
Accounting:
  log=0x18001
  Events recorded :
    CALL START
    INTERIM START
    INTERIM STOP
  update method(s) :
    NONE
  update interval = 0
  Outstanding Stop Records : 0
  Dynamic attribute list:
    01E878D0 0 00000001 connect-progress(44) 4 No Progress
    01E878E4 0 00000001 pre-session-time(272) 4 64055(FA37)
    01E878F8 0 00000001 elapsed_time(339) 4 0(0)
    01E8790C 0 00000001 pre-bytes-in(268) 4 0(0)
    01E87920 0 00000001 pre-bytes-out(269) 4 0(0)
    01E623E0 0 00000001 pre-paks-in(270) 4 0(0)
    01E623F4 0 00000001 pre-paks-out(271) 4 0(0)
  No data for type EXEC
  No data for type CONN
  NET: Username=(n/a)
    Session Id=00000001 Unique Id=00000002
    Start Sent=0 Stop Only=N
    stop_has_been_sent=N
    Method List=0
    Attribute list:
      02D2408C 0 00000001 session-id(336) 4 1(1)
--------
  No data for type CMD
  No data for type SYSTEM
  No data for type RM CALL
  No data for type RM VPDN
  No data for type AUTH PROXY
  No data for type 8
  No data for type IPSEC-TUNNEL
  No data for type RESOURCE
  No data for type 11
  No data for type 12
  No data for type CALL
  No data for type VPDN-TUNNEL
  No data for type VPDN-TUNNEL-LINK
Debg: No data available
Radi: No data available
Interface:
  TTY Num = 0
  Stop Received = 0
  Byte/Packet Counts till Call Start:
    Start Bytes In = 0             Start Bytes Out = 0
    Start Paks  In = 0             Start Paks  Out = 0
  Byte/Packet Counts till Service Up:
    Pre Bytes In = 0             Pre Bytes Out = 0
    Pre Paks  In = 0             Pre Paks  Out = 0
  Cumulative Byte/Packet Counts :
    Bytes In = 0             Bytes Out = 0
    Paks  In = 0             Paks  Out = 0
  StartTime = 21:09:48 MST Feb 28 1993
  Component = EXEC
Authen: service=LOGIN type=ASCII method=NONE
Kerb: No data available
Meth: No data available
PreA: No data available
General:
  Unique Id = 00000002
  Session Id = 00000001
  Attribute List:
    02D2408C 0 00000009 interface(170) 4 tty0
    02D240A0 0 00000001 port-type(174) 4 Async
    02D240B4 0 00000009 clid(37) 5 async
PerU: No data available


--------------------------------------------------
Unique id 8 is currently in use.
Accounting:
  log=0x18001
  Events recorded :
    CALL START
    INTERIM START
    INTERIM STOP
  update method(s) :
    NONE
  update interval = 0
  Outstanding Stop Records : 0
  Dynamic attribute list:
    02D2408C 0 00000001 connect-progress(44) 4 No Progress
    02D240A0 0 00000001 pre-session-time(272) 4 3845(F05)
    02D240B4 0 00000001 elapsed_time(339) 4 0(0)
    02D240C8 0 00000001 pre-bytes-in(268) 4 0(0)
    02D240DC 0 00000001 pre-bytes-out(269) 4 0(0)
    02A98C50 0 00000001 pre-paks-in(270) 4 0(0)
    02A98C64 0 00000001 pre-paks-out(271) 4 0(0)
  No data for type EXEC
  No data for type CONN
  NET: Username=(n/a)
    Session Id=00000007 Unique Id=00000008
    Start Sent=0 Stop Only=N
    stop_has_been_sent=N
    Method List=0
    Attribute list:
      01E878D0 0 00000001 session-id(336) 4 7(7)
--------
  No data for type CMD
  No data for type SYSTEM
  No data for type RM CALL
  No data for type RM VPDN
  No data for type AUTH PROXY
  No data for type 8
  No data for type IPSEC-TUNNEL
  No data for type RESOURCE
  No data for type 11
  No data for type 12
  No data for type CALL
  No data for type VPDN-TUNNEL
  No data for type VPDN-TUNNEL-LINK
Debg: No data available
Radi: No data available
Interface:
  TTY Num = 1
  Stop Received = 0
  Byte/Packet Counts till Call Start:
    Start Bytes In = 0             Start Bytes Out = 0
    Start Paks  In = 0             Start Paks  Out = 0
  Byte/Packet Counts till Service Up:
    Pre Bytes In = 0             Pre Bytes Out = 0
    Pre Paks  In = 0             Pre Paks  Out = 0
  Cumulative Byte/Packet Counts :
    Bytes In = 0             Bytes Out = 0
    Paks  In = 0             Paks  Out = 0
  StartTime = 13:53:24 MST Mar 1 1993
  Component = EXEC
Authen: service=LOGIN type=ASCII method=LOCAL
Kerb: No data available
Meth: No data available
PreA: No data available
General:
  Unique Id = 00000008
  Session Id = 00000007
  Attribute List:
    01E878D0 0 00000009 interface(170) 4 tty1
    01E878E4 0 00000001 port-type(174) 4 Virtual Terminal
    01E878F8 0 00000009 clid(37) 12 192.168.1.63
PerU: No data available
Richard Burts Sun, 01/05/2014 - 12:56
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

I agree with your logic and the benefit from making this a separate question. Thank you for the information. But in this format it is not very useful. Would you do show run | include aaa and post the output?


HTH


Rick

Mitchell Tuckness Sun, 01/05/2014 - 13:09

Sorry, here it is:


C2970#show run | include aaa

aaa new-model

aaa session-id common


Richard Burts Sun, 01/05/2014 - 13:14

Thanks. This is much more useful. For the next step I would ask that you do show run | inc enable and post the output.


HTH


Rick

Correct Answer
Richard Burts Sun, 01/05/2014 - 15:14

Thanks for the additional information. Yes I do believe that this is something significant. It indicates that there is not an enable password (or enable secret) configured. That is consistent with the error being generated and that it does not prompt for a password.


If you are on the console it does not matter if there is no enable password/secret and you get into privilege mode. But where you are accessing via SSH (or via Telnet) there must be a password protecting privilege mode. So what is happening is that you do SSH and get to user mode. Then you attempt to do enable to get to privilege mode. But IOS realizes that there is no password configured and that means that you would not be able to get to privilege mode. So it does not prompt for any password and immediately indicates that an authentication error has occurred.


Try configuring enable secret and see if it does not solve this problem.


HTH


Rick
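
Added example (not part of the original posts, and not Cisco tooling): a small Python check that flags the condition described in the answer above in a saved running-config, namely vty lines that accept remote sessions while nothing protects privileged mode. The sample config, the finding codes and the function names are constructed for illustration; the check also goes one step beyond the thread by flagging `enable password` used without `enable secret`.

```python
import re

# Constructed sample matching the state described in this thread: AAA enabled,
# SSH on the vty lines, no enable secret. Username and hash are placeholders.
SAMPLE = """\
hostname C2970
aaa new-model
aaa session-id common
username admin secret 5 HASH-PLACEHOLDER
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
"""

def vty_allows_remote(lines):
    """True if any 'line vty' block accepts remote sessions."""
    # Assumption: a vty block without an explicit 'transport input' line is
    # treated as reachable, because the default differs between IOS releases.
    blocks, current = [], None
    for line in lines:
        if line.startswith("line vty"):
            current = []
            blocks.append(current)
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level line ends the vty block
    for block in blocks:
        transports = [l for l in block if l.startswith("transport input")]
        if not transports or any(t.split()[2:] != ["none"] for t in transports):
            return True
    return False

def audit_enable(config):
    """Return finding codes for privileged-mode protection in an IOS config."""
    lines = [l.rstrip() for l in config.splitlines()]
    has_secret = any(re.match(r"enable secret\b", l) for l in lines)
    has_password = any(re.match(r"enable password\b", l) for l in lines)
    # Assumption: a server group in the enable method list handles 'enable'.
    aaa_group = any(re.match(r"aaa authentication enable default .*\bgroup\b", l) for l in lines)
    findings = []
    if vty_allows_remote(lines) and not (has_secret or has_password or aaa_group):
        # The case in this thread: 'enable' over SSH/Telnet cannot succeed.
        findings.append("NO_ENABLE_CREDENTIAL")
    if has_password and not has_secret:
        # 'enable password' is stored in clear text or reversible type 7.
        findings.append("ENABLE_PASSWORD_ONLY")
    return findings
```

Run `audit_enable()` over the text of `show running-config` saved from each device; an empty list means neither condition was found.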

Richard Burts Sun, 01/05/2014 - 17:45

I am glad that you have solved this problem and that my suggestions were helpful. Thank you for using the rating system to mark this question as answered.


HTH


Rick
