
Cisco Employee

enable secret overwrite vty telnet password? (Cat 4500)

I face a funny situation when changing the local password of the switch.

Let me show you the results from 2 switches - one normal, one abnormal.

For a normal situation, a switch - pg71scr-as01, if I configure

service password-encryption
enable password a1t3router
!
enable secret william
line vty 0 4
 password cisco
!
line con 0
 password cisco
!

In such a case, my telnet login password is still cisco, but my privilege password will be william, because the secret password will override the enable password.

Now, I have an abnormal switch - pg71scc1-as03. If I configure

service password-encryption
enable password a1t3router
!
enable secret william
line vty 0 4
 password cisco
!
line con 0
 password cisco
!

My telnet login password will be william, and my privilege password will be william too. Why???

Now, let us compare the version and modules of these 2 switches:

Normal Switch - pg71scr-as01

pg71scr-as01#sh mod
Chassis Type : WS-C4506
Power consumed by backplane : 10 Watts

Mod Ports Card Type                              Model              Serial No.
---+-----+--------------------------------------+------------------+-----------
 1     2  1000BaseX (GBIC) Supervisor(active)    WS-X4013+          JAE********
 2     6  1000BaseX (GBIC)                       WS-X4306-GB        JAE********
 3    48  10/100BaseTX (RJ45)                    WS-X4148-RJ        JAF********
 4    48  10/100BaseTX (RJ45)                    WS-X4148-RJ        JAF********
 5    48  10/100BaseTX (RJ45)                    WS-X4148-RJ        JAF********
 6    48  10/100BaseTX (RJ45)                    WS-X4148-RJ        JAF********

pg71scr-as01#sh ver
Cisco Internetwork Operating System Software
IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-I9K2S-M), Version 12.1(20)EW2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
ROM: 12.1(20r)EW1
Dagobah Revision 86, Swamp Revision 3

aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting system default start-stop group tacacs+

Abnormal switch - pg71scc1-as03

pg71scc1-as03#sh mod
Chassis Type : WS-C4506
Power consumed by backplane : 10 Watts

Mod Ports Card Type                              Model              Serial No.
---+-----+--------------------------------------+------------------+-----------
 1     2  1000BaseX (GBIC) Supervisor(active)    WS-X4013+          JAE********
 2     6  1000BaseX (GBIC)                       WS-X4306-GB        JAE********
 3    48  10/100BaseTX (RJ45)                    WS-X4148-RJ        JAE********
 4    48  10/100BaseTX (RJ45)                    WS-X4148-RJ        JAE********
 5    48  10/100BaseTX (RJ45)                    WS-X4148-RJ        JAF********
 6    48  10/100BaseTX (RJ45)                    WS-X4148-RJ        JAF********

pg71scc1-as03#sh ver
Cisco Internetwork Operating System Software
IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-I9K2S-M), Version 12.1(20)EW2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
ROM: 12.1(20r)EW1
Dagobah Revision 86, Swamp Revision 3

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting system default start-stop group tacacs+

I don't see any difference in the hardware. Same part number, same firmware, same IOS image. They also have the same aaa configuration and boot parameters. Can you help to check it out?

Thanks.

3 REPLIES
New Member

Re: enable secret overwrite vty telnet password? (Cat 4500)

Enable secret has precedence over enable password.

Enable secret *** will override the existing enable password.

Purple

Re: enable secret overwrite vty telnet password? (Cat 4500)

Don't know, I don't see how your vty password can be william and not cisco. How are you testing this? Are you pulling the tacacs server statement?

Hall of Fame Super Silver

Re: enable secret overwrite vty telnet password? (Cat 4500)

There is actually a simple explanation of why this is happening. It is that the switches are configured differently in one significant detail. Here is the config given in an earlier post:

normal switch:

aaa authentication login default group tacacs+ line

Abnormal switch - pg71scc1-as03

aaa new-model

aaa authentication login default group tacacs+ enable

Both switches will attempt to authenticate a login request with TACACS. If there is no response from TACACS, the first switch uses the line password to authenticate, but the second switch will use enable to authenticate the login request. If you want the second switch to use the line password, then change the aaa authentication command.

HTH

Rick
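The following Python script is an added example, not code from this thread or from Cisco. It models two things the replies describe: the IOS AAA login method list falling through to the next method only when TACACS gives no answer (Rick's reply), and `enable secret` taking precedence over `enable password` (the first reply). It parses the two `aaa authentication login` lines quoted above from constructed config excerpts and reports which credential a vty login would be checked against when the TACACS server is reachable and when it is not. The method names, the `login_credential` and `audit` helpers and the constructed config text are all assumptions of this example, and the fallback model is a simplification of real IOS behaviour.

```python
"""Model of IOS AAA login method-list fallback (added example, not from the thread)."""
import re
from typing import List, Optional

# Constructed excerpts based on the configs quoted in the thread (not the full running-config).
NORMAL_CFG = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
enable password a1t3router
enable secret william
line vty 0 4
 password cisco
line con 0
 password cisco
"""

# The abnormal switch differs only in the login method list.
ABNORMAL_CFG = NORMAL_CFG.replace(
    "aaa authentication login default group tacacs+ line",
    "aaa authentication login default group tacacs+ enable",
)


def parse_login_methods(cfg: str, list_name: str = "default") -> List[str]:
    """Return the ordered methods from 'aaa authentication login <name> ...'.

    'group tacacs+' is collapsed to the single token 'tacacs+' so every method
    is one word: 'tacacs+', 'line', 'enable', 'local' or 'none'.
    """
    pat = re.compile(rf"^aaa authentication login {re.escape(list_name)} (.+)$", re.M)
    m = pat.search(cfg)
    if not m:
        return []
    tokens = m.group(1).split()
    methods: List[str] = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "group":
            methods.append(tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def enable_credential(cfg: str) -> Optional[str]:
    """Stored enable credential that IOS consults: 'enable secret' shadows 'enable password'."""
    if re.search(r"^enable secret ", cfg, re.M):
        return "enable secret"
    if re.search(r"^enable password ", cfg, re.M):
        return "enable password"
    return None


def login_credential(cfg: str, tacacs_reachable: bool) -> str:
    """Simulate which credential a vty login is checked against.

    Assumed model: methods are tried in order, and the next method is used only
    when the current one returns no answer (TACACS unreachable), not when it
    rejects the password.
    """
    for method in parse_login_methods(cfg):
        if method == "tacacs+":
            if tacacs_reachable:
                return "tacacs+ server"
            continue  # no response: fall through to the next method
        if method == "line":
            return "line password"
        if method == "enable":
            return enable_credential(cfg) or "no credential (login fails)"
        if method == "local":
            return "local username database"
        if method == "none":
            return "no authentication"
    return "no credential (login fails)"


def audit(cfg: str) -> List[str]:
    """Defender-side findings a config reviewer would want flagged."""
    findings = []
    methods = parse_login_methods(cfg)
    if "enable" in methods:
        findings.append("login fallback reuses the enable credential for vty access")
    if "line" in methods:
        findings.append("login fallback uses the per-line password")
    if re.search(r"^enable password ", cfg, re.M) and enable_credential(cfg) == "enable secret":
        findings.append("enable password present but shadowed by enable secret")
    return findings


if __name__ == "__main__":
    for name, cfg in (("pg71scr-as01", NORMAL_CFG), ("pg71scc1-as03", ABNORMAL_CFG)):
        print(name, "login methods:", parse_login_methods(cfg))
        print("  TACACS up:  ", login_credential(cfg, True))
        print("  TACACS down:", login_credential(cfg, False))
        for finding in audit(cfg):
            print("  -", finding)
```

Run stand-alone, the script shows the two switches agree while TACACS answers and diverge only when it does not: pg71scr-as01 falls back to the line password (cisco), pg71scc1-as03 falls back to the enable credential, which is the secret (william) because the secret shadows the `enable password`. The `audit` function is the part worth keeping in a config-review pipeline: a login method list that ends in `enable` quietly turns the enable secret into a remote login password during a TACACS outage.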
