Unable to Log On Using Telnet

If you cannot log on using Telnet, perform the following steps.

Procedure

  1. Check whether the TACACS+ server is available and reachable from the switch.
  2. On the TACACS+ server, check whether you configured the privilege level correctly. On successful authorization, the TACACS+ server returns an access level to the switch for the current user, which determines the user access privileges. The switch supports access levels 1 to 6 and access level 15.

    The following table maps user accounts to TACACS+ privilege level.

    Switch access level | TACACS+ privilege level | Description
    ------------------- | ----------------------- | -----------
    NONE | 0 | If the TACACS+ server returns an access level of 0, the user is denied access. You cannot log into the device if you have an access level of 0.
    READ ONLY | 1 | Permits you to view only configuration and status information.
    LAYER 1 READ WRITE | 2 | Permits you to view most of the switch configuration and status information and change physical port settings.
    LAYER 2 READ WRITE | 3 | Permits you to view and change configuration and status information for Layer 2 (bridging and switching) functions.
    LAYER 3 READ WRITE | 4 | Permits you to view and change configuration and status information for Layer 2 and Layer 3 (routing) functions.
    READ WRITE | 5 | Permits you to view and change configuration and status information across the switch. This level does not allow you to change security and password settings.
    READ WRITE ALL | 6 | Permits you to have all the rights of read-write access and the ability to change security settings, including command line interface (CLI) and web-based management user names and passwords, and the SNMP community strings.
    NONE | 7 to 14 | If the TACACS+ server returns an access level of 7 to 14, the user is denied access. You cannot log into the device if you have an access level of 7 to 14.
    READ WRITE ALL | 15 | Permits you to have all the rights of read-write access and the ability to change security settings, including command line interface (CLI) and web-based management user names and passwords, and the SNMP community strings.

    Note:

    Access level 15 is internally mapped to access level 6, which ensures consistency with other vendor implementations. The switch does not differentiate between an access level of 6 and an access level of 15.

    After you enable TACACS+ authorization, the current privilege-level to command mapping on the switch is no longer relevant because the TACACS+ server has complete responsibility for command authorization. TACACS+ authorization provides access to the system based on username, not based on privilege level.

    Note:

    If you want to switch to privilege level 'X' using the tacacs switch level <1-15> command, you must create a user "$enabX$" on the TACACS+ server, where X is the privilege level to which you want to change.

  3. On the TACACS+ server, check whether you configured the password and user name correctly.
  4. On the TACACS+ server, check whether you configured the switch IP address in the trust list.
  5. Check whether you configured the encryption key, connection mode (single connection or per-session connection), and TCP port number the same on the TACACS+ server and switch.
  6. If you can log on to the switch, check whether the TACACS+ server configured on the platform has the correct IP address:

    show tacacs

  7. Use the output from the show tacacs command to verify whether you configured the single connection option on the platform, and whether the TACACS+ server supports the single connection.

Example

Check whether the TACACS+ server configured on the platform has the correct IP address:

Switch:1>enable
Switch:1(config)#show tacacs

Global Status:

   global enable : false

   authentication enabled for : cli

   accounting enabled for : none

   authorization : disabled

   User privilege levels set for command authorization : None

Server:

                      create :

Prio   Status  Key     Port  IP address  Timeout Single Source SourceEnabled
Primary NotConn ******   3    192.0.2.254      30   true 5.5.5.5  true
Backup  NotConn ******  47    198.51.100.1      10  false 0.0.0.0 false
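The checks in steps 2, 6 and 7 can be scripted against the show tacacs output. The following Python script is an added example, not part of this documentation or the switch software: it parses the show tacacs output shown above (embedded verbatim as sample input), flags a globally disabled TACACS+ status, servers reported as NotConn, and TCP port or single-connection mismatches against a description of the server side, and applies the privilege-level mapping from the table in step 2, including the denied ranges and the internal mapping of level 15 to level 6. The expected server settings passed to audit() (port 49, the standard TACACS+ port, for the primary server) and the function names are assumptions, not values from the page.

```python
"""Audit helpers for the TACACS+ troubleshooting steps above (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Switch access level for each TACACS+ privilege level, from the table in step 2.
# Levels 0 and 7 to 14 are denied; level 15 is internally mapped to level 6.
_ACCESS_LEVELS = {
    1: "READ ONLY",
    2: "LAYER 1 READ WRITE",
    3: "LAYER 2 READ WRITE",
    4: "LAYER 3 READ WRITE",
    5: "READ WRITE",
    6: "READ WRITE ALL",
}


def switch_access_level(priv_level: int) -> Optional[str]:
    """Return the switch access level for a TACACS+ privilege level, or None if denied."""
    if priv_level == 15:
        priv_level = 6  # the switch does not differentiate between 6 and 15
    return _ACCESS_LEVELS.get(priv_level)


@dataclass
class TacacsServer:
    prio: str
    status: str
    port: int
    ip: str
    timeout: int
    single: bool
    source: str
    source_enabled: bool


# One server row of the 'show tacacs' table; the Key column is masked (******).
_SERVER_ROW = re.compile(
    r"^(?P<prio>\w+)\s+(?P<status>\w+)\s+\S+\s+(?P<port>\d+)\s+(?P<ip>[\d.]+)\s+"
    r"(?P<timeout>\d+)\s+(?P<single>true|false)\s+(?P<source>[\d.]+)\s+"
    r"(?P<source_enabled>true|false)$"
)


def parse_show_tacacs(text: str) -> Dict[str, object]:
    """Parse the 'key : value' global lines and the server rows of show tacacs output."""
    parsed: Dict[str, object] = {"global": {}, "servers": []}
    for raw in text.splitlines():
        line = raw.strip()
        row = _SERVER_ROW.match(line)
        if row:
            parsed["servers"].append(TacacsServer(
                prio=row["prio"], status=row["status"], port=int(row["port"]),
                ip=row["ip"], timeout=int(row["timeout"]),
                single=row["single"] == "true", source=row["source"],
                source_enabled=row["source_enabled"] == "true"))
        elif " : " in line:
            key, _, value = line.partition(" : ")
            parsed["global"][key.strip()] = value.strip()
    return parsed


def audit(parsed: Dict[str, object], expected: Dict[str, dict]) -> List[str]:
    """Compare switch-side settings with the server side (steps 5 to 7).

    expected maps server IP -> {"port": int, "single": bool}; it is an assumed
    description of how each TACACS+ server is configured.
    """
    findings: List[str] = []
    if parsed["global"].get("global enable") != "true":
        findings.append("TACACS+ is globally disabled on the switch")
    for s in parsed["servers"]:
        if s.ip not in expected:
            findings.append(f"{s.prio}: {s.ip} is not one of the known TACACS+ servers")
            continue
        if s.status == "NotConn":
            findings.append(f"{s.prio}: server {s.ip} is not connected")
        if s.port != expected[s.ip]["port"]:
            findings.append(f"{s.prio}: TCP port {s.port} differs from server port {expected[s.ip]['port']}")
        if s.single != expected[s.ip]["single"]:
            findings.append(f"{s.prio}: single-connection {s.single} does not match server")
    return findings


# Sample input: the show tacacs output shown above, copied from the page.
SAMPLE_OUTPUT = """Global Status:
   global enable : false
   authentication enabled for : cli
   accounting enabled for : none
   authorization : disabled
   User privilege levels set for command authorization : None
Server:
                      create :
Prio   Status  Key     Port  IP address  Timeout Single Source SourceEnabled
Primary NotConn ******   3    192.0.2.254      30   true 5.5.5.5  true
Backup  NotConn ******  47    198.51.100.1      10  false 0.0.0.0 false
"""

# Assumed server-side configuration used for the comparison.
EXPECTED_SERVERS = {
    "192.0.2.254": {"port": 49, "single": True},
    "198.51.100.1": {"port": 47, "single": False},
}

if __name__ == "__main__":
    for finding in audit(parse_show_tacacs(SAMPLE_OUTPUT), EXPECTED_SERVERS):
        print(finding)
    for level in (0, 3, 6, 10, 15):
        print(level, switch_access_level(level))
```

Run against the sample, the audit reports the disabled global status, both servers as not connected, and the primary server's TCP port 3 differing from the assumed server port 49; the privilege-level helper returns None for 0 and 10, and READ WRITE ALL for both 6 and 15.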