Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Unable to login to console

Hi I've noticed a strange problem I think it's quite recent but cannot highlight what may have caused it.

I am unable to login to the console port on all devices that ive currently check on my network. I can SSH no problems.

I hit return when asked and it fails to authenticate 3 times with a blank username.

This gets failed by ACS because the blank user has no service selection rule.

I have run debug tacacs on a C4506e 12.2(44r)SG9

Feb 14 14:54:14.469: TPLUS: Queuing AAA Authentication request 179 for processing

Feb 14 14:54:14.469: TPLUS: processing authentication start request id 179

Feb 14 14:54:14.469: TPLUS: Authentication start packet created for 179()

Feb 14 14:54:14.469: TPLUS: Using server x.x.x.x

Feb 14 14:54:14.469: TPLUS(000000B3)/0/NB_WAIT/205AAD70: Started 5 sec timeout

Feb 14 14:54:14.469: TPLUS(000000B3)/0/NB_WAIT: socket event 2

Feb 14 14:54:14.469: TPLUS(000000B3)/0/NB_WAIT: wrote entire 29 bytes request

Feb 14 14:54:14.469: TPLUS(000000B3)/0/READ: socket event 1

Feb 14 14:54:14.469: TPLUS(000000B3)/0/READ: Would block while reading

Feb 14 14:54:14.469: TPLUS(000000B3)/0/READ: socket event 1

Feb 14 14:54:14.469: TPLUS(000000B3)/0/READ: read entire 12 header bytes (expect 6 bytes data)

Feb 14 14:54:14.469: TPLUS(000000B3)/0/READ: socket event 1

Feb 14 14:54:14.469: TPLUS(000000B3)/0/READ: read entire 18 bytes response

Feb 14 14:54:14.469: TPLUS(000000B3)/0/205AAD70: Processing the reply packet

Feb 14 14:54:14.469: TPLUS: Received authen response status FAIL (3)

If I remove authentication from the line con 0 then i can connect.

Config

aaa new-model

!

!

aaa authentication login ADMIN group tacacs+ local

!

aaa session-id common

!

line con 0

login authentication ADMIN

stopbits 1

Any help would be appreciated.

3 REPLIES
Silver

Unable to login to console

Hello Dean,

You might be running on either of the two following known issues:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw79561

CSCsw79561            Bug Details

DROPACCTFAIL: System Accounting fails with tacacs

Symptom:

On affected switches, the switch is slow to respond to login requests after reboot, displaying
a repeated message of

% Authentication failed

while not allowing entry of the username for authentication.  This problem fixes itself within
minutes, but during the first few minutes of boot, login via telnet or console is impossible.

"show log" output from the same time period will show:

%AAA-3-DROPACCTFAIL: Accounting record dropped, send to server failed:
system


Conditions:

External accounting enabled for system events such as:

aaa accounting system default start-stop group tacacs+

Workaround:

Wait for a few minutes after a reboot or restart event prior to telnetting into the switch.


Further Problem Description:

Symptoms are the same as those described in CSCsk50769.

Or

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsx07352

CSCsx07352            Bug Details

Console stuck with "authentication failed" on save & reload for sys acco

Symptom:
With 'aaa accounting' and 'aaa authen' configured on a switch, we are unable to login to the switch at all.
Also, it's possible the switch will hang on issue of 'reload' from the CLI.

Conditions:
The two conditions must be met:

- AAA accounting must be configured
- AAA authentication must be configured

Workaround:
Disable 'AAA accounting' configuration

If this was helpful please rate.

Regards.

Silver

Unable to login to console

Hello,

If matching the first bug you can also configure the IOS AAA command:

aaa accounting system guarantee-first

The above command explanation:

The aaa accounting system guarantee-first command guarantees system accounting as the
first record, which is the default condition. In some situations, users may be prevented
from starting a session on the console or terminal connection until after the system
reloads, which can take more than three minutes.

To establish a console or telnet session with the router if the AAA server is unreachable
when the router reloads, use the no aaa accounting system guarantee-first command.

Regards.
New Member

Unable to login to console

Thanks for your response but none of the above match the problem.

I do not have any accounting configured.

2470
Views
0
Helpful
3
Replies
CreatePlease login to create content