Introduction:
This document discusses an issue faced by a user.
Different modes available in a router:
In Cisco IOS, every command mode gives the user a set of related commands.
The Cisco CLI has two EXEC modes. In order to provide security, the two EXEC modes are used as two levels of access.
User EXEC commands allow the user to:
- Connect to remote devices
- Run basic tests
- View system information
- Make temporary changes to the terminal settings
To access privileged mode, the user has to pass a credential check. The user mode commands are also available in privileged mode, alongside the privileged mode commands. Privileged EXEC commands allow the user to:
- Set operating parameters
- Examine the router's status in detail
- Perform testing and debugging of router operation
- Access global configuration mode and the other configuration modes
Global configuration mode is entered from privileged mode. From here, the source of the configuration commands can be specified as:
- Terminal
- Memory
- The network
Global configuration mode enables the user to perform complex configuration tasks.
Setup Mode: When the router is new and does not contain any configuration file, it goes directly to setup mode. The user is presented with a prompted dialog, known as the system configuration dialog, in which the user provides the initial configuration manually.
ROM Monitor Mode: When the router is not able to find a valid operating system image, or if the boot sequence is interrupted, the user enters ROM monitor mode. ROM monitor mode enables the user to reboot the device or perform diagnostic tests.
Core issue
This issue is due to the presence of Cisco bug ID CSCsh76038.
This issue typically occurs when the aaa authentication enable default group tacacs+ command or the aaa authentication enable default group command that points towards a TACACS+ server group is configured.
When an attempt is made to log into enable mode, this error appears:
Router>en
Password:
% Error in authentication.
The debugs show that the router uses "$enab15$" as the username for enable authentication even though this username does not exist in the server or router.
Mar 2 09:20:26.684 EST: AAA/AUTHEN/START (2173693602): Method=tacacs+ (tacacs+)
Mar 2 09:20:26.684 EST: TAC+: Authenticating using $enab15$
Mar 2 09:20:26.684 EST: TAC+: send AUTHEN/START packet ver=192 id=-2121273694
Mar 2 09:20:26.684 EST: TAC+: Using default tacacs server-group "tacacs+" list.
The TACACS+ server logs this message:
$enab15$ "External DB user invalid or bad password"
The affected Cisco IOS software releases are listed in this affected versions list.
Resolution
The workaround for this issue is to configure a user named "$enab{x}$" on the TACACS+ server, where {x} is the desired privilege level, for example "$enab15$" for regular enable mode. The password of this user is the enable password.
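As an added example (not part of the Cisco article or any Cisco tool), a small Python triage script that pulls the $enab{x}$ usernames out of "debug tacacs" output like the lines shown above, maps each to its privilege level, and lists the accounts that would still need to be created on the TACACS+ server for the workaround above. The sample debug text is constructed from the lines quoted in this article plus one added line for privilege level 7; the server user list is also constructed.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample: the four debug lines quoted in this article, plus one
# extra constructed line for a lower privilege level (enable 7).
SAMPLE_DEBUG = """\
Mar 2 09:20:26.684 EST: AAA/AUTHEN/START (2173693602): Method=tacacs+ (tacacs+)
Mar 2 09:20:26.684 EST: TAC+: Authenticating using $enab15$
Mar 2 09:20:26.684 EST: TAC+: send AUTHEN/START packet ver=192 id=-2121273694
Mar 2 09:20:26.684 EST: TAC+: Using default tacacs server-group "tacacs+" list.
Mar 2 09:21:40.102 EST: TAC+: Authenticating using $enab7$
"""

# Username the router sends for enable authentication: $enab{x}$, where {x}
# is the requested privilege level (IOS privilege levels run from 0 to 15).
ENAB_USER = re.compile(r"^\$enab(\d{1,2})\$$")
AUTH_LINE = re.compile(r"TAC\+: Authenticating using (\S+)")


def enable_level(username: str):
    """Return the privilege level encoded in a $enab{x}$ username, else None."""
    m = ENAB_USER.match(username)
    if m is None:
        return None
    level = int(m.group(1))
    return level if 0 <= level <= 15 else None


def triage_enable_auth(debug_text: str, server_users: Iterable[str]) -> Dict:
    """Scan debug output for enable authentications and report which $enab{x}$
    accounts the TACACS+ server still lacks (the workaround is to create each
    of them with the enable password as its password)."""
    known = set(server_users)
    levels: Dict[str, int] = {}  # username -> privilege level, first-seen order
    for line in debug_text.splitlines():
        m = AUTH_LINE.search(line)
        if m is None:
            continue
        user = m.group(1)
        level = enable_level(user)
        if level is None:
            continue  # ordinary login username, not an enable request
        levels.setdefault(user, level)
    missing: List[str] = [u for u in levels if u not in known]
    return {"levels": levels, "missing": missing}


if __name__ == "__main__":
    report = triage_enable_auth(SAMPLE_DEBUG, {"alice", "$enab15$"})
    for user, level in report["levels"].items():
        state = "missing" if user in report["missing"] else "present"
        print(f"{user}: privilege level {level}, account {state} on TACACS+ server")
```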
In order to completely resolve this issue, upgrade the routers to any of these Cisco IOS software releases:
- Cisco IOS Software Release 12.4(13.8)
- Cisco IOS Software Release 12.4(13a)
- Cisco IOS Software Release 12.4(13.8)T
Refer to Cisco Downloads in order to download the suggested Cisco IOS software releases.
Problem Type
Troubleshoot software feature
Product Family
Cisco Secure access control server
Routers
Error
%Error in authentication.
Cisco IOS Software Version
12.4
Cisco Secure Access Control Server (ACS)
Cisco Secure ACS for Windows
Cisco Secure ACS for Unix
Features & Tasks
TACACS+
VPN, PIX and Router Debugs
EST: TAC+: Authenticating using $enab15$