Cisco Switching/Routing :: 6500 - TACACS Doesn't Work Via Telnet / Works Via Console
Apr 18, 2013
I have a pair of OLD Cat6500's running CatOS:
WS-C6509 Software, Version NmpSW: 7.6(16)
Copyright (c) 1995-2005 by Cisco Systems
NMP S/W compiled on Dec 22 2005, 16:37:19
System Bootstrap Version: 7.1(1)
System Boot Image File is 'bootflash:cat6000-sup2k8.7-6-16.bin'
System Configuration register is 0x2
I know these are no longer supported, but I have to ready them for migration. Recently a problem began with these switches. What happens is that when I telnet to them, I cannot authenitcate via TACACS. This works fine for all our other IOS equipment, just not for these 2 switches. The error is:" % Error in authentication" and then I get kicked back to the login prompt.
The odd thing is that when I connect to the switch via the console port, I can authenticate fine with TACACS.
CMS> /c 14
I've got a 3560-X that passes POST according to console, but there are issues nonetheless...USB console doesn't work. RJ45 works just fine. No status lights turn on at any point (e.g. syst, xps...). 10g network module is installed with a 10g LRM SFP. All lights on the module are amber. However, it passes according to POST. Switch passes traffic, obeys config, etc. Link lights on RJ45 ports work fine. This was brand new out of the box. Thinking about trying IOS reload..
I'm trying to connect a Cisco 2811 using an octal cable to a Juniper MX480 console port.Since the distance between Cisco 2811 and router is 20ft, im using couplers and a straight-through cable for the lack of slack. This wiring doesnt work, however in another city it works going straight from the Cisco 2811 octal cable to the router since they are in the same rack.
All ip's and any identifying numbers have been change to protect.
I have a 6500 series switch that for some reason will not authenticate to the tacacs server. When you try, you get a password authentication failure. However, it will let you use the configured username and secret to log in thru ssh. And the enable secret to get into privileged mode. Tacacs key is correct, btw.we will call the server vlan 300 and the admin vlan 400.the tacacs source interface is in vlan 400 and the tacacs server is in vlan 300.
I can ping the tacacs server via the switch, but when i use the source cmd with the ip address of the admin interface vlan, ping will not work. I changed the tactics source interface to vlan 300 (the server vlan) and authentication with the tacacs server works fine. ip routing is turned on. There are entries for both the server vlan subnet and the ad-min vlan subnet in the routing table. There are only standard access-lists, and none of them are blocking packets from getting to the tacacs server via the admin vlan.
I could just leave the source interface on the int vlan for the servers, but I would like to find out why this isn't working. I have 1 other 6500 switch on a different network that is configured exactly the same (except for ip's, keys, and vlans) and am not having any issues with that LAN. I also have 6 other 3700 switches on the network that Im having an issue with, and none of them are having issues with authentication.
I have been using my laptop since a year now and yesterday suddenly my internet stopped working. On top of the connectivity bar a yellow sign appeared. Now my internet status is "No internet access" but when i connect my ethernet cable the internet starts working and i can see the "Internet access" status. I have re-installed my wi-fi driver too from the orignal CD that i got with my laptop, but still no luck also i did not install anything in past 1 week and the only anti-virus i have is Avast (tried disabling it too). I plugged out the cables from my router and plugged them again but that dint work too. There are 2 other laptops (running on windows 7 just like mine) on which the wifi connection is working but on mine it is not working.
I try connecting via ethernet cable and it doesn't seem to work until the administrator of the network (my brother) comes home and then turns his computer on and starts using it. However, if i switch to a wireless adapter it sometimes works (like right now) even when my brother is not using the internet. Also, i tried to connect via wifi on my macbook pro to the same server and it used to work flawlessly 100% of the time, now i can only connect once in a while for short periods of times.
Region : India Model : TL-MR3420 Hardware Version : V1 Firmware Version : 3.12.21 Build 120523 Rel.37880n ISP : Reliance
I've just set up a MR3420. It works fine in "WAN only" mode and provides access via our ADSL modem. It also works fine in "3G only" mode and provides access via a Reliance Netconnect+ USB modem (a Huawei E150 I think). I updated the firmware to the latest version in order to get it to work with the USB modem.
The problem I have is that when I set it to "3G preferred" it doesn't seem to connect over 3G. I can see it tries to connect but then fails and then WAN takes over. The connect and disconnect options are greyed out on the 3G page so I am unable to manually get it to retry. I've tried leaving it for a long time but it doesn't seem to connect over 3G ever. I've tried setting 3G to connect on demand and connect automatically but both behave the same.
I have a E4200 v1, connected with a few PCs by ethernet ports and various devices by wifi. Now the wireless devices work perfectly but sometimes the PC via ethernet ports cannot connect to LAN and internet.
If the load balancing is set to src-dst-ip, will a layer 2 switch forward based on that information? Particularly talking about a 6500, with trunk interfaces, since those packets never go to the layer 3 engine, will the load-balancing work as intended?
I have PC_A and PC_B connected to the same switch, and are put in the same vlan. PC_A is the master (source) and PC_B is the destination (client). IGMP Snooping is enabled by default.
Is there any reason why this should fail? There is no RP or any interface with PIM enabled. Its a flat network with a source and client in the same vlan...
IH-3750-LOADTEST-101#show ip igmp snooping vlan 724 Global IGMP Snooping configuration: ------------------------------------------- IGMP snooping : Enabled
I'm doing some tesing in SFE2000P linksys switch about the TACACS authentication. I have configured the switch accodringly to point my ACS server with key string. Now, I'm able to login into the switch with TACACS account in HTTP/HTTPS only and but, not with the TELNET access.
Still Switch is authenticating with the local user account only, when in TELNET access method.
We have a Cisco Catalyst 4506 running: "Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I9K91S-M), Version 12.2(25)EWA14, RELEASE SOFTWARE (fc1)" I have configured the default gateway as: ip default-gateway X.Y.116.65, However, when I do, "show ip route", it only shows the 3 connected networks and states "Gateway of last resort is not set". The Command "ip classless" is not set. I read on some blogs that this might explain the issue. However, when I go into config mode (config t), I get the following output.
we've been using IOS for a long time, but are relatively new to NX-OS. We've got a central syslog server that all our devices log to. No matter what we do, we can't get our Nexus switches to log there. Here's my current attempt:
Nexus 7009, NX-OS 6.0(1)
# sh logging server Logging server: enabled {redacted} server severity: debugging server facility: local7 server VRF: default
[code].....
The default VRF is working. I see log entries in the logfile, but nothing arrives at the syslog server. It's not a config issue on the server, because tcpdump shows that no packets arrive from the IP for loopback 0.
I have an early model PIX-515 that hasn't been used in a long time but I want to get it working again in a lab environment. I am at loss right now on how to get into it though.
CONSOLE:
I've tried connecting from the PC's serial port to the units console port using Cisco's blue cable with no avail. All I get is a cursor but no response. I've tried using 9600,8,none,1,none as settings and I can sucessfully console a Cisco 1700 router with those same settings in Putty no problem, but it doesn't work with this Pix. I've also tried using other possible common speeds like 1200,1400,4800,19200, 38400, 57600 and 115200 in case the firewall was set to use those and that didn't work either.
I am trying to configerate static switchports on our nexus 5548 (nx-os 5.1(3)N1(1)) over snmp.The support-list url... states that the CISCO- VLAN- MEMBERSHIP- MIB is supported.I can read the information, but if i try to set vmVlan or vmVlanType i get the message: "SET failed. ("ip-address"). Information: Not Writable."I can use set_request in general (e.g. CISCO-CONFIG-COPY-MIB). how to set the vlan and vlan-type over snmp?
implementation of the cisco CSS 11501 boxes available as spare on our site into production for an application evry thing worked as expected. i was able to telnet the active/master box and was able to console both master and backup box from the console port.however a week post the activity im faced with this weird problem where im not able to take console or the telnet access of my primary/active box.The boxes are working in BOX-to-BOX redundancy and now im not able to telnet or console my active/master box. The telnet and console window prompts me for username and password and after entering the credentials nothing happens. no prompt or no error message is displayed.
The telnet primary authentication is via tacacs and secondary is via local. however for console im not using any method for primay authentication and local for secondary authentication. however i can successfully console my backup box. below are my obsrvations 1. the left and right status LED on the active CSS box is OFF.- it means my CSS 11501 failed and has no power. 2. upon firing the rcmd command with show line command on backup box i see that the telnet sessions and console session is established with the master box3. the redundancy state of the active box says it is master and has not changed state since my last activity, no application issue reported, all the services are active on the active box and also i can ping the active box ip address from my backup box over which box to box redundancy is established. This confirms the active box is functioning well 4. i initially thought the telnet sessions are not getting cleared, however the show line cmd with the rcmd cmd on the backup box confirms this is not happening. now im stuck as the active box cannot be accessed at all via console or telnet. i was thinking of below steps to be carried out.1. to failover the boxes and make the backup as master2. then try to take the faulty box off the network and troubleshoot (are there any other commands that i should use to troubleshoot)3. if nothing works try rebooting the box and check
NOTE: the software running is version 7.20.30.3 with standard feature set. we are not using cvdm or the CSS GUI. we could access the css initially on CSS gui and that is also not working now.
I recently configured a Cisco AP 1242, software version 12.4, via the web interface using the default Cisco credentials. At that time I setup an administrator account with read/write access and changed the Cisco to a read only access. Now went I attempt to login to the web interface it won't accept the administrator password. It will except the administrator password in a telnet session however. So via the telnet session I setup another user with privileged exec level access and that wont work on the web interface either. The Login box keeps coming back requesting a password. Strangely enough, I can login to the web Interface using admin username, with the Cisco password; but I can't do anything, and I also can't view everything. I've tried the following:
I've turned on SSH and created a certificate in the AP, but the login box continues to pop on the https://url.I've attempted to setup a user with a non-encrypted password, but have been unsuccessful.I've tried a different browser - login box continues to pop.I've made sure the web interface is activated in the API've tried a differnet computerI've tried disabling password-encryption service. Reset the enable password , I've successfully setup other 1240 APs but must have done something wrong on this one.
I dont think my cards are faulty (4 cards in 2 6500 switches),I connect directly to my WISM cards, boot them (insert them), I see it turning on, enabling services, and as soon as the "username:" prompt apears, the Status led turns off and I lose console. [code]
There is a requirement to configure tacacs and radius on catalyst 3750X (version 15.0) where two vrf exist.Is therer a solution to configure "tacacs-server,host x.x.x.x vrf yyy" ?? I know it is possible to configure under the "aaa group server radius xxx" the command "ip vrf forwarding yyy".Is there anything else for the tacacs-server and radius-server command?
I have a little problem. My customer is using TACP-PLUS ALPHA (F4.0.3.alpha.v9). Well, the same user than have access to another Cisco equipment, with user test1 by sample, can configure anything in the equipment. But in the nexus 5000, el command "show user-account" indicate just the "network-operator" role. Well, I patch this situation with the next commands:
aaa authorization config-commands default group TACSERVER local aaa authorization commands default group TACSERVER local
Well, when I do a telnet into the nexus, I can shut the interfaces, config and anything. But, when I ingress by console, I can not to configure the interfaces.I understand that the Nexus 5000 the Tacacs configuration is global for VTY and Console (different in the Cisco equipment Routers by sample).
I have several 2950 switches that I cannot get to work with TACACS. I'm using the same config for these that I am using for other cisco switches. [code]
I am working for an Air Force client and am adding a handful of 5548s into their network. My question is how Tacacs+ is configured. My hands are tied in regards to testing in an operational environment so I want to ensure the configs are correct prior to deployment/maintenance window and avoid any remote issues.
I have read the "Cisco Press - TACACS+" config guide and it was somewhat vague in regards to operational deployment.
When I try to set the following command string, aaa authentication login default group tacacs+ local, the NX-OS asks me the input a "server group name". There are no server groups configured. Do I need them? Can I get by without configuring a group name because the client probably will not.
The Cisco IOS devices are configured with normal aaa authentication/authorization parameters. Also, do the VTY ports default to sshv2 and the correct tacacs+ parameters with the "transport input ssh" command (not available)?
We have CISCO ASR 1002 router on our DC, I want to enable TACACS on this router.what is the usage of key, we need a separate key for every device? or. [code]
I have a 871W router that works fine.I have 5 static ip addres's and use 2 in a nat pool. One i have mapped staticlly here is the configuration and it works fine:
! No configuration change since last restart version 15.1 no service pad service tcp-keepalives-in
Switch: WS-C3750X-48P (Stack with 2 Members) IOS: 12.2(58)SE2 Lic: IPBASEK9 uptime: rebooted this night
[code]....
Since i added another Member to the Stack, i'm facing the following problem:When i login with my tacacs user account, i will not be asked for the password.The same thing is for the tacacs account of my colleague, after entering the username he is logged in.It seems for me, that the passwords are cached only for this Switch.
