03-13-2012 06:27 PM - edited 03-07-2019 05:32 AM
I have a strange issue that I am having trouble figuring out. I am trying to log in to the 1941 router through the console port. When I enter the username and password, which I just set, it fails. I am able to log in under a different login, but when I try to enter enable mode the enable password doesn't work, which I just set as well. I can log in with the TACACS+ login from an SSH session. What am I missing? Here is the line config:
line con 0
exec-timeout 15 0
logging synchronous
login authentication no_tacacs
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
password 7 08355C5C594B554E53
transport input ssh
transport output ssh
03-13-2012 07:53 PM
William
You have given us some information about your situation, but not enough information to identify the problem or to suggest a solution. Some additional information would help us and might lead to identifying the problem.
What you have posted shows that the console is using some authentication method named no_tacacs. But you do not provide any information about what the method is trying to do or its mechanism for authentication. Can you tell us more about this?
And what you have posted shows that the vty lines are using the default authentication, and what you tell us indicates that this does use TACACS.
You tell us that the enable password that you set does not work. But you do not tell us what, if anything, is configured for aaa authentication enable. Can you tell us about this?
HTH
Rick
03-13-2012 08:23 PM
Sure, here is a slimmed-down version of the config; let me know if that helps.
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router-1941
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable password 7 erty65512312343532q
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
!
!
!
!
!
aaa session-id common
!
clock timezone CST -6 0
clock summer-time cdt recurring
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
no ip domain lookup
ip domain name ourdomain.local
ip name-server 10.10.11.15
ip name-server 10.10.11.50
!
multilink bundle-name authenticated
!
!
!
crypto stuff bluh bluh bluh
!
!
username user1 privilege 15 secret 5 erhzxcghkjtyrsztreweryhre
username user2 secret 5 wertdjusyae54567uyytrtaretsydd
!
redundancy
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
!
!
!
interface Loopback0
no ip address
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Outside WAN
ip address 68.68.68.68 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Inide LAN
ip address 10.10.35.10 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication aaa
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0
ip route 10.0.0.0 255.255.0.0 10.10.35.1(Gateway Router)
!
access-list 1 permit 10.10.35.0 0.0.0.255
!
!
!
!
!
snmp-server community strategic RW
snmp-server enable traps tty
tacacs-server host 10.10.11.41
tacacs-server key 7 123435465789123456
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 15 0
logging synchronous
login authentication no_tacacs
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
password 7 08355C5C594B554E53
transport input ssh
transport output ssh
03-13-2012 08:50 PM
William
The information that you posted is helpful (at least somewhat).
Clearly line console 0 is attempting to use an authentication method named no_tacacs. But there is not an authentication method with that name. Either you need to configure that authentication method or you need to remove that line from the config of line con 0.
I am not certain what the issue with enable is. The first step to figuring it out is to figure out whether you are authenticating with TACACS or with the local password.
HTH
Rick
03-13-2012 09:25 PM
I've removed the no_tacacs authentication and still get the same results. As for the enable password not working, I'm not sure what that's all about. I've reset it a couple of times to make sure I was typing it correctly. I think I might have to engage Cisco on that, because there is something strange about it; maybe it's an issue with the firmware. Thank you for your help on this, I just haven't seen this before.
03-14-2012 05:25 AM
William
If you have removed the no_tacacs from the console configuration, then the console and the vty should be authenticating the same way, which is to attempt authentication with TACACS and, if that is not available, to do local authentication. As I said in my previous post, one of the first things that you need to do is to determine whether your authentication is working with TACACS or is using local authentication.
From your description I gather that you believe that it is doing local authentication. But we do not know that for sure. Perhaps it would help if you would do debug aaa authentication and then post the output generated when you attempt to log in and to go to enable mode.
HTH
Rick
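As an added example, not taken from either poster's configuration, here is how the method lists discussed in this thread fit together: the default lists that the posted config already has, plus a definition for the no_tacacs list that the console referenced but that was never created. The list name, the use of enable secret and the placeholder hashes are my choices, not the original config.

```cisco
! Default lists, as in the posted config. IOS only moves on to the next method
! in a list when the previous one returns an ERROR (TACACS+ server unreachable);
! a reject from a reachable server is a FAIL and the local fallback is not tried.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
!
! Named list referenced by "line con 0" in the posted config but never defined.
! Defining it makes the console behaviour explicit: skip TACACS+ and check the
! local username database only.
aaa authentication login no_tacacs local
!
! Local accounts consulted by the "local" method (hashes are placeholders).
username user1 privilege 15 secret <PLACEHOLDER_HASH>
username user2 secret <PLACEHOLDER_HASH>
!
! The "enable" method checks enable secret first when both are configured.
! "enable secret" stores a hash; "enable password" under service
! password-encryption is only type 7, which is reversible.
enable secret <PLACEHOLDER_SECRET>
!
line con 0
 exec-timeout 15 0
 logging synchronous
 login authentication no_tacacs
line vty 0 4
 login authentication default
 transport input ssh
 transport output ssh
```

With the lists defined this way, "debug aaa authentication" on the console should show the local method being used for login and the TACACS+ method first for enable, which distinguishes a server reject from a local-password problem.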