Wireless Console port logon issues

glenthms
Level 1

I have an AIR-AP1242AG-A-K9.

When I connect my console cable to the access point it puts me directly into

ap1.ciscow>

versus the username prompt.

I don't have the command 'login local' or 'login' like a switch or router does for vty/con/aux lines, so I'm just trying to find out how I can point the line con 0 port of the wireless access point to use the local username database configured on the access point itself.

Any Ideas?

IOS 12.3(7)JA1

1 Accepted Solution

Accepted Solutions

Hi Glen,

Try aaa authorization console in config mode to add the radius and/or tacacs authorization to the console port globally!

Best regards,

Frank


11 Replies

frankzehrer
Level 4

Hi Glen,

I have this running on a 1242AG with 12.3(8)JA2, and this setup has been valid since 12.2.

username admin privilege 15 password 7 xxxxxxxxx
line con 0
line vty 0 4
 transport preferred telnet
line vty 5 15

And I'm prompted with a login screen.

This is the link to the command reference guide for the AP. Only the AP-specific commands are available there. There is also a list of non-AP-specific commands.

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_command_reference_book09186a00804e7952.html

For the rest (non AP-specific) try this one here:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_command_reference_list.html

I hope that helps.

Best regards,

Frank

Btw, did you set up TACACS or RADIUS login? Then login might not be available.

Frank,

Thanks for responding, TACACS is setup yes, but that is for wireless client logons. I wonder if that's part of my issue. I'll provide you with my full config script for you to review and let me know what you think.

Stephen Rodriguez
Cisco Employee

The only way you're going to get the login to the local database, by default, is to add the login local on the con 0 like you would a router or switch. The other thing you can do is type "login" at the > prompt and log in that way.

HTH,
Steve


I asked our guy onsite if he used the login command and he said he did. Also the login, and login local are not options on the line con 0 or vty.

glenthms
Level 1

I've attached the config for this. Let me know if I can do anything to change this.

Hi Glen,

sorry for the delay. Damn weekend.

;-)

Your config looks pretty good.

Username is defined, the tty and the local login (aaa authorization exec default local).

Hmmm, very strange.

Maybe you have configured the users wirelessadmin and clientadmin in the tacacs server?

Please let me know.

Best regards,

Frank

No problem at all Frank. Yea the wirelessadmin and clientadmin are configured locally. RADIUS is configured on the local wireless device. We have no external database for authenticating users. I think this is a user onsite that may be using the wrong commands to prompt them for username. I will update once I have him go back onsite and see if he can use the 'login' command to prompt him for username.

glenthms
Level 1

Here is the prompt he gets when he logs onto the console port.

Here is what I get after connecting and typing in ?

Powered by...
|| ||
|| ||
|||| ||||
|||||| ||||||
.:||||||||||:. .:||||||||||:.
C i s c o S y s t e m s
---------------------------------------------------
ap1.wireless>login client
^
% Invalid input detected at '^' marker.
ap1.beaverton-dod.lanphere>login
ap1.beaverton-dod.lanphere>en
Password:
% Access denied
ap1.beaverton-dod.lanphere>exit
Press RETURN to get
ap1.wireless>?
Exec commands:
  access-enable    Create a temporary Access-List entry
  clear            Reset functions
  connect          Open a terminal connection
  crypto           Encryption related commands.
  disable          Turn off privileged commands
  disconnect       Disconnect an existing
  dot11            IEEE 802.11 commands
  enable           Turn on privileged commands
  exit             Exit from the EXEC
  help             Description of the interactive help system
  led              LED functions
  lock             Lock the terminal
  login            Log in as a particular user
  logout           Exit from the EXEC
  name-connection  Name an existing network connection
  ping             Send echo messages
  radius           radius exec commands
  release          Release a resource
  renew            Renew a resource
  resume           Resume an active network connection
  save             Start to save raise_interrupt_level stack
  set              Set system parameter (not config)
  show             Show running system information
  ssh              Open a secure shell client connection
  systat           Display information about terminal lines
  telnet           Open a telnet connection
  terminal         Set terminal line parameters
  traceroute       Trace route to destination
  tunnel           Open a tunnel connection
  where            List active connections
ap1.wireless>

At this point he has to know the Enable password to get in.

So I added the following lines and now it prompts him for username password.

line con 0
 privilege level 15
 login authentication default

aaa authentication login default local

My question now is, why do I need to have level 15? If I remove it he only gets level 7 access and that's it.

Hi Glen,

Try aaa authorization console in config mode to add the radius and/or tacacs authorization to the console port globally!

Best regards,

Frank

Very cool Frank. I'll have him try that and get back to you. Been on vacation, Damn vacations. :D Will get back to you.

Nice work my friend. That works great. Confirmed this does work fine. Thanks for all your help!
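The three console states discussed in this thread (no username prompt, the privilege level 15 workaround, and the accepted aaa authorization console fix) can be checked offline against a saved running-config. The Python script below is an added example, not code from any poster or from Cisco; it assumes aaa new-model is enabled, and the finding names and sample configs are constructed for illustration.

```python
import re

def parse(config):
    """Split IOS-style text into global commands and per-'line' sub-commands."""
    glob, blocks, current = [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw[0].isspace():            # sub-command of the preceding block
            if current:
                blocks[current].append(text)
            continue
        current = text if text.startswith("line ") else None
        if current:
            blocks.setdefault(current, [])
        else:
            glob.append(text)
    return glob, blocks

def audit_console(config):
    """Return finding names (hypothetical labels) for 'line con 0'."""
    glob, blocks = parse(config)
    con = blocks.get("line con 0", [])
    findings = []
    # Method list used by the console: a named one, otherwise "default".
    named = [m.group(1) for m in
             (re.fullmatch(r"login authentication (\S+)", c) for c in con) if m]
    login_list = named[0] if named else "default"
    if not any(g.startswith(f"aaa authentication login {login_list} ") for g in glob):
        findings.append("CONSOLE_NO_LOGIN")    # console drops straight to the '>' prompt
    if "privilege level 15" in con:
        findings.append("CONSOLE_PRIV15")      # the line itself hands out level 15
    if (any(g.startswith("aaa authorization exec ") for g in glob)
            and "aaa authorization console" not in glob):
        findings.append("NO_CONSOLE_AUTHZ")    # exec authorization is not applied to the console
    return findings

# Constructed sample configs modelled on the three states in the thread.
COMMON = "aaa new-model\nusername admin privilege 15 password 7 xxxxxxxxx\n"
BEFORE = COMMON + ("aaa authorization exec default local\n"
                   "line con 0\nline vty 0 4\n transport preferred telnet\n")
WORKAROUND = COMMON + ("aaa authentication login default local\n"
                       "aaa authorization exec default local\n"
                       "line con 0\n privilege level 15\n login authentication default\n")
FIXED = COMMON + ("aaa authentication login default local\n"
                  "aaa authorization exec default local\naaa authorization console\n"
                  "line con 0\n login authentication default\n")

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("workaround", WORKAROUND), ("fixed", FIXED)):
        print(name, audit_console(cfg))
```

An empty list for the fixed config means the console uses a defined login method list, relies on the per-user privilege level rather than a blanket level 15 on the line, and has exec authorization applied to it.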
