I am currently upgrading a WS-C2960-PC-L switch to the latest IOS version, c2960-lanbasek9-mz.122-52.SE.bin. Everytime when I do console login from power off then power on the switch, it will only show the login banner, but no login prompt, then for about 10 seconds later, there were 3 "authentication failed" messages, the login prompt will show it after several enters with several authentication failed messages later. I would say at least 5 minutes later. If I reverted back to older IOS, such as c2960-lanbasek9-mz.122-50.SE3.bin, the then login prompt is normal. I am just wondering if anyone out here have the similar issue, and or how to resolve this problem?
Is this a brand new switch or does it have any config ? it might just mean that the switch fails reaching tacacs server, and there is no backup authentication configured ! do you see any errors on the tacacs server when the switch boots up ? did you have the release notes of the IOS to see if there are any bugs or open caveats ?
Thanks for your response. Yes, this is a brand new switch, and I also had a configurations added to the switch. The problem exist only when I upgraded to the latest IOS, which is the version 12.2, 52. When connnect to tacacs server, the switch works fine. Just only when the connection is through console, then the problem occurs. The release note for 12.2 (52) does not have any documentation about this. I am still trying to find the solution on this.
I said when ever you access the switch via console you get the problem but when ever you access the switch via cli you never gets the problem rite !!
If yes then a little configuration issue you need add configuration for console authentication when ever you access the switch.
Check out the below link hope this solves your query
can you post the aaa configs and the line console configs, by logging onto the switch using telnet, through TACACS ? We need to check the backup authentication method configured for console connections...
Did you find any solution for this issue? I got the same issue and accdently saw your post...
Thanks to let me know...
The new version, 12.2(50) and above has default timeout which is about 180 sec, after that time frame, local login will be available. It would be great if anyone knows how to remove the authentication timeout if the tacacs+ was down.
I happen to experience the same symptoms and looking for any updates.
Recently a Catalyst 3550 switch went kaput. I took a spare switch and copied a backup configuration to the spare switch. All tasks done via the console port. I reloaded the switch, saw the login banner, but then no login prompt. The console output showed three "Authentication failed" messages. Console login is configured to try TACACS. If TACACS is not reachable, then use the line password.
Catalyst 3550 running 122-44.SE6
Here's my AAA configuration
aaa authentication password-prompt "LOCAL PASSWORD:"
aaa authentication username-prompt "LOCAL USERNAME:"
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs enable
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
I don't have other workaround for this. But it seems only happen when first to power up the switch with AAA configurations and tacacs/radius server assigned, and if the switch is not able to find the assigned tacacs/radius server, then there will have "authentication failed" until the switch times out, normally is about 3 minutes later.
Yes I am able to confirm that the switch will eventually ask for the backup authentication method about 3 minutes after power on. My backup is line password.
Kinda scary for someone who is unaware of this if there's a network problem. I will need to document this behavior and make sure my other network technicians witness this scenairio.