Unable to Log On by any Means

If you cannot log on by any means, perform the following steps.

Procedure

  1. Check whether the TACACS+ server runs properly and try to restart the TACACS+ server.
  2. Check whether you enabled both TACACS+ and RADIUS on the switch.

    show radius

    show tacacs

    If TACACS+ fails, RADIUS can take over the authentication, authorization, and accounting (AAA) process.

  3. Check whether you configured the TACACS+ server to unencrypted mode, as the switch always sends encrypted TACACS+ messages.
  4. Check whether you configured the switch properly. In particular, check the IP address and key.

    show tacacs

  5. Check whether you configured the encryption key, connection mode (single connection or per-session connection), and TCP port number the same on the TACACS+ server and switch.
  6. If the server connects directly, check whether the administrative and operation status of the port is up:

    show interface gigabitethernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

  7. If the server is connected in a network, check whether the switch has a route configured to the server network:

    show ip route

  8. If the server is connected in a network, check whether the switch has a route configured to the server network:

    show ip route and show ipv6 route

  9. For the Out-of-Band (OOB) or VLAN Segmented Management Instance, check whether the switch has a route configured to the server network:

    show mgmt ip route, show mgmt ipv6 route, and show mgmt ip route static

  10. For Segmented Management Instance troubleshooting, check the management network statistics:

    show mgmt ip arp, show khi mgmt statistics, show mgmt ip ip-statistics, and show mgmt ip icmp-statistics

Examples

Check if you enabled both TACACS+ and RADIUS on the switch:

Switch:1>enable
Switch:1(config)#show tacacs

Global Status:

   global enable : false

   authentication enabled for : cli

   accounting enabled for : none

   authorization : disabled

   User privilege levels set for command authorization : None

Server:
                      create :

Prio   Status  Key     Port  IP address  Timeout Single Source SourceEnabled
Primary NotConn ******   3    192.0.2.254      30   true 5.5.5.5  true
Backup  NotConn ******  47    198.51.100.1      10  false 0.0.0.0 false

Switch:1>show radius
             acct-attribute-value : 193
                      acct-enable : false
        acct-include-cli-commands : false
        access-priority-attribute : 192
             auth-info-attr-value : 91
         command-access-attribute : 194
           cli-commands-attribute : 195
                    cli-cmd-count : 40
               cli-profile-enable : false
                           enable : false
                 igap-passwd-attr : standard
           igap-timeout-log-fsize : 512
                        maxserver : 10
            mcast-addr-attr-value : 90
             supported-vendor-ids : 1584, 562, 1916
                      secure-flag : false

Check if the administrative and operation status of the port is up:

Switch:1#show interface gigabitethernet 1/2

================================================================================
                                 Port Interface
================================================================================
PORT                       LINK  PORT           PHYSICAL          STATUS
NUM   INDEX DESCRIPTION    TRAP  LOCK     MTU   ADDRESS           ADMIN  OPERATE
--------------------------------------------------------------------------------
1/2   257   1000BaseTX     true  false    1950  00:24:7f:a1:70:61 up     up


================================================================================
                                   Port Name
================================================================================
PORT                                               OPERATE  OPERATE  OPERATE

NUM   NAME                           DESCRIPTION   STATUS   DUPLEX    SPEED    VL
AN
--------------------------------------------------------------------------------
1/2                                  1000BaseTX    up       full     1000     Ta
gged


================================================================================
                                  Port Config
================================================================================
PORT                DIFF-SERV   QOS   MLT   VENDOR

--More-- (q = quit)

Check if the switch has a route configured to the server network:

Switch:1(config)#show ip route
                                                                             

==========================================================================================
                                     IP Route - GlobalRouter                    
==========================================================================================
                                                     NH                  INTER                  
DST             MASK            NEXT                 VRF/ISID       COST FACE  PROT AGE TYPE PRF
------------------------------------------------------------------------------------------
198.51.100.1        255.255.255.255 192.0.2.65       GlobalRouter     1   100   OSPF 0   IB   125
198.51.100.5         255.255.255.255 192.0.2.5        -               1   0     LOC  0   DB   0  
198.51.100.13        255.255.255.255 			          GlobalRouter     10  1000  ISIS 0   IBS  7  
198.51.100.200       255.255.255.255 			          GlobalRouter     10  1000  ISIS 0   IBS  7  
4 out of 4 Total Num of Route Entries, 4 Total Num of Dest Networks displayed.
--------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Rout
e,
U=Unresolved Route, N=Not in HW, F=Replaced by FTN, V=IPVPN Route, S=SPBM Route
PROTOCOL Legend:
v=Inter-VRF route redistributed
Check if the Segmented Management Instance has a route configured to the server network:
Switch:1(config)#show mgmt ip route

==========================================================================================
                         Mgmt IPv4 Route Information - Table main
==========================================================================================
DEST/MASK            NEXTHOP              METRIC     INTERFACE       TYPE
------------------------------------------------------------------------------------------
198.51.100.0/16      198.51.100.1         300        Mgmt-oob1       STATIC
198.51.100.0/23      0.0.0.0              1          Mgmt-oob1       LOCAL
192.0.2.0/8          192.0.2.1            300        Mgmt-oob1       STATIC

3 out of 3 Total Num of mgmt ip route displayed
------------------------------------------------------------------------------------------