Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Not able to login through console port on 1941 router

I have a strange issue that I am having an issue figuring out. I am trying to login to the 1941 router through the console port. When I enter the username and password, which I just set, it fails. I am able to login under a different login but when I try to enter the enable mode the enable password doesn't work, which I just set as well. I can login with the TACACS+ login from a SSH session. What am I missing.. Here is the line config:

line con 0

exec-timeout 15 0

logging synchronous

login authentication no_tacacs

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

privilege level 15

password 7 08355C5C594B554E53

transport input ssh

transport output ssh

  • LAN Switching and Routing
5 REPLIES
Hall of Fame Super Silver

Not able to login through console port on 1941 router

William

You have given us some information about your situation. But not enough information to identify the problem or to suggest a solution. Some additional information would help us and might lead to identifying the problem.

What you have posted shows that the console is using some authentication method named no_tacacs. But you do not provide any information about what the method is trying to do or its mechanism for authentication. Can you tell us more about this.

And what you have posted shows that the vty lines are using the default authentication and what you tell us indicates that this does use TACACS.

You tell us that the enable password that you set does not work. But you do not tell us what, if anything, is configured for aaa authentication enable. Can you tell us about this?

HTH

Rick

New Member

Not able to login through console port on 1941 router

Sure, here is a slimmed down version of the config, let me know if that helps.

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname Router-1941

!

boot-start-marker

boot-end-marker

!

!

no logging buffered

enable password 7 erty65512312343532q

!

aaa new-model

!

!

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ local

!

!

!

!

!

aaa session-id common

!

clock timezone CST -6 0

clock summer-time cdt recurring

!

no ipv6 cef

ip source-route

ip cef

!

!

!

!

!

no ip domain lookup

ip domain name ourdomain.local

ip name-server 10.10.11.15

ip name-server 10.10.11.50

!

multilink bundle-name authenticated

!

!

!

crypto stuff bluh bluh bluh

!

!

username user1 privilege 15 secret 5 erhzxcghkjtyrsztreweryhre

username user2 secret 5 wertdjusyae54567uyytrtaretsydd

!

redundancy

!

!

!

!

ip ssh time-out 60

ip ssh authentication-retries 2

ip ssh version 2

!

!

!

!

!

!

!

interface Loopback0

no ip address

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description Outside WAN

ip address 68.68.68.68 255.255.255.248

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface GigabitEthernet0/1

description Inide LAN

ip address 10.10.35.10 255.255.255.0

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

ip forward-protocol nd

!

ip http server

ip http authentication aaa

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

!

ip nat source list 1 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0

ip route 10.0.0.0 255.255.0.0 10.10.35.1(Gateway Router)

!

access-list 1 permit 10.10.35.0 0.0.0.255

!

!

!

!

!

snmp-server community strategic RW

snmp-server enable traps tty

tacacs-server host 10.10.11.41

tacacs-server key 7 123435465789123456

!

!

!

control-plane

!

!

!

line con 0

exec-timeout 15 0

logging synchronous

login authentication no_tacacs

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

privilege level 15

password 7 08355C5C594B554E53

transport input ssh

transport output ssh

Hall of Fame Super Silver

Not able to login through console port on 1941 router

William

The information that you posted is helpful (at least somewhat).

Clearly line console 0 is attempting to use an authentication method named no-tacacs. But there is not an authentication method with that name. Either you need to configure that authentication method or you need to remove that line from the config of line con 0.

I am not certain what is the issue with enable. And the first step to figuring it out is to figure out whether you are authenticating with TACACS or with the local password.

HTH

Rick

New Member

Not able to login through console port on 1941 router

I've removed the no_tacacs authentication and still get the same results. As for the enable password not working, not sure what that's all about. I've reset that a couple of time to make sure I was typing it correctly. I think I might have to engage Cisco with that because there is something strange about that, maybe it's an issue with the firmware. Thank you for your help on this, I just haven't seen this before.

Hall of Fame Super Silver

Not able to login through console port on 1941 router

William

If you have removed the no_tacacs from the console configuration then the console and the vty should be authenticating the same, which is to attempt authentication with TACACS and if that is not available then to do local authentication. As I said in my previous post one of the first things that you need to do is to determine whether your authentication is working with TACACS or is using local authentication.

From your description I gather that you believe that it is doing local authentication. But we do not know that for sure. Perhaps it would help if you would do debug aaa authentication and then post the output generated when you attempt to login and to go to enable mode.

HTH

Rick

798
Views
0
Helpful
5
Replies
This widget could not be displayed.