Unable to Log On Using Telnet
If you cannot log on using Telnet, perform the following steps.
Procedure
- Check whether the TACACS+ server is up and reachable from the switch.
- On the TACACS+ server, check whether you configured the privilege level correctly. On successful authorization, the TACACS+ server returns a privilege level to the switch for the current user, and that level determines the user's access privileges on the switch. The switch supports access levels 1 to 6 and access level 15.
The following table maps switch access levels to TACACS+ privilege levels.

Switch access level    TACACS+ privilege level    Description
NONE                   0                          The user is denied access. You cannot log on to the switch with this level.
READ ONLY              1                          Permits you to view only configuration and status information.
LAYER 1 READ WRITE     2                          Permits you to view most of the switch configuration and status information and to change physical port settings.
LAYER 2 READ WRITE     3                          Permits you to view and change configuration and status information for Layer 2 (bridging and switching) functions.
LAYER 3 READ WRITE     4                          Permits you to view and change configuration and status information for Layer 2 and Layer 3 (routing) functions.
READ WRITE             5                          Permits you to view and change configuration and status information across the switch. This level does not allow you to change security and password settings.
READ WRITE ALL         6                          Permits you all the rights of read-write access plus the ability to change security settings, including command line interface (CLI) and web-based management user names and passwords, and the SNMP community strings.
NONE                   7 to 14                    The user is denied access. You cannot log on to the switch with any of these levels.
READ WRITE ALL         15                         Same rights as access level 6: all the rights of read-write access plus the ability to change security settings, including CLI and web-based management user names and passwords, and the SNMP community strings.

Note: Access level 15 is internally mapped to access level 6, which ensures consistency with other vendor implementations. The switch does not differentiate between an access level of 6 and an access level of 15.
After you enable TACACS+ authorization, the privilege-level to command mapping on the switch is no longer relevant, because the TACACS+ server takes complete responsibility for command authorization. TACACS+ authorization grants access based on the user name, not on the privilege level.
Note: To switch to privilege level X with the tacacs switch level <1-15> command, you must create a user named "$enabX$" on the TACACS+ server, where X is the privilege level you want to switch to.
- On the TACACS+ server, check whether you configured the password and user name correctly.
- On the TACACS+ server, check whether you configured the switch IP address in the trust list.
- Check whether the encryption key, the connection mode (single connection or per-session connection), and the TCP port number are configured identically on the TACACS+ server and on the switch.
- If you can log on to the switch, check whether the TACACS+ server configured on the platform has the correct IP address:
  show tacacs
- Use the output of the show tacacs command to verify whether you configured the single connection option on the platform, and whether the TACACS+ server supports single connection mode.
Example
Check whether the TACACS+ server configured on the platform has the correct IP address:
Switch:1>enable
Switch:1(config)#show tacacs

Global Status:
    global enable : false
    authentication enabled for : cli
    accounting enabled for : none
    authorization : disabled
    User privilege levels set for command authorization : None

Server:
    create :
    Prio     Status   Key      Port   IP address      Timeout   Single   Source     SourceEnabled
    Primary  NotConn  ******   3      192.0.2.254     30        true     5.5.5.5    true
    Backup   NotConn  ******   47     198.51.100.1    10        false    0.0.0.0    false
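The checks in the procedure above come down to three things the switch and the server must agree on before a Telnet logon can succeed: the shared key that obfuscates every packet body, the single-connection flag in the packet header, and the priv-lvl attribute the server returns on authorization. The following Python example, added here and not part of the switch documentation or of any vendor code, implements those parts of RFC 8907: it builds an authentication START with the single-connection flag set, obfuscates it with the MD5 pseudo-pad, decodes a constructed authorization REPLY, shows that a wrong shared key yields an inconsistent body rather than an explicit error, and maps the returned priv-lvl to the switch access levels in the table above. The key, session ids, user name, addresses and the server reply are constructed assumptions.

```python
# Added example (not from the switch documentation or its vendor): a minimal
# TACACS+ encoder/decoder following RFC 8907. All keys, session ids, addresses,
# user names and the server reply below are constructed for this example.
import hashlib
import struct

VERSION = 0xC0                  # major version 0xC, minor version 0
TYPE_AUTHEN, TYPE_AUTHOR = 0x01, 0x02
FLAG_SINGLE_CONNECT = 0x04      # single-connection mode; both ends must agree
AUTHOR_PASS_ADD, AUTHOR_PASS_REPL = 0x01, 0x02

# Switch access level granted for each TACACS+ privilege level (table above);
# anything missing here (0, 7 to 14) is denied, and 15 folds onto 6.
ACCESS_LEVELS = {1: "READ ONLY", 2: "LAYER 1 READ WRITE", 3: "LAYER 2 READ WRITE",
                 4: "LAYER 3 READ WRITE", 5: "READ WRITE", 6: "READ WRITE ALL"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 pad chain of RFC 8907 section 4.5: pad_1 = MD5(sid|key|ver|seq),
    pad_n = MD5(sid|key|ver|seq|pad_n-1). The shared key is used only here."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call decodes it, so a wrong key on
    either side turns the peer's body into garbage rather than an error."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype, seq_no, session_id, body, key, single_connect=False):
    """12-byte header (version, type, seq_no, flags, session_id, length) + body."""
    flags = FLAG_SINGLE_CONNECT if single_connect else 0
    header = struct.pack("!BBBBII", VERSION, ptype, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)

def authen_start_body(user, port="telnet", rem_addr="192.0.2.10", priv_lvl=1):
    """Authentication START for an ASCII login (action LOGIN, service LOGIN)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!8B", 0x01, priv_lvl, 0x01, 0x01, len(u), len(p), len(r), 0) + u + p + r

def author_reply_body(status, args):
    """Authorization REPLY body as the server builds it (no server_msg/data)."""
    enc = [a.encode() for a in args]
    return struct.pack("!BBHH", status, len(enc), 0, 0) + bytes(len(a) for a in enc) + b"".join(enc)

def parse_author_reply(packet, key):
    """Decode an authorization REPLY into (status, {attribute: value}). Raises
    ValueError on an inconsistent body, which is what a key mismatch looks like."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TYPE_AUTHOR or len(packet) != 12 + length or length < 6:
        raise ValueError("not a complete authorization reply")
    body = obfuscate(packet[12:], session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt + msg_len + data_len
    if len(arg_lens) != arg_cnt or pos + sum(arg_lens) != len(body):
        raise ValueError("inconsistent lengths: wrong shared key or corrupt packet")
    args = {}
    for n in arg_lens:
        try:
            attr, _, value = body[pos:pos + n].decode("ascii").partition("=")
        except UnicodeDecodeError as exc:
            raise ValueError("non-ASCII attribute: wrong shared key") from exc
        args[attr] = value
        pos += n
    return status, args

def key_matches(packet, key):
    """True when the reply decodes consistently under this key."""
    try:
        parse_author_reply(packet, key)
        return True
    except ValueError:
        return False

def switch_access_level(priv_lvl):
    """Map a returned priv-lvl to the switch access level (15 is treated as 6)."""
    return ACCESS_LEVELS.get(6 if priv_lvl == 15 else priv_lvl, "NONE")

def access_from_reply(packet, key):
    """Decode the server's authorization REPLY and decide the switch access level."""
    status, args = parse_author_reply(packet, key)
    if status not in (AUTHOR_PASS_ADD, AUTHOR_PASS_REPL) or "priv-lvl" not in args:
        return "NONE"
    return switch_access_level(int(args["priv-lvl"]))

KEY = b"example-shared-key"                       # constructed, not a real key
START = build_packet(TYPE_AUTHEN, 1, 0x1234ABCD, authen_start_body("alice"), KEY, single_connect=True)
REPLY = build_packet(TYPE_AUTHOR, 2, 0x5678EF01, author_reply_body(AUTHOR_PASS_ADD, ["priv-lvl=15"]), KEY)

if __name__ == "__main__":
    print("START header flags: 0x%02x" % START[3])
    print("access with the right key:", access_from_reply(REPLY, KEY))
    print("reply consistent under a wrong key:", key_matches(REPLY, b"other-key"))
```

The decoding side is the practical point: because the body is only XORed with a key-derived pad, a key mismatch between switch and server does not produce a "bad key" message anywhere; the switch simply sees a reply whose length fields and attributes make no sense and the logon fails, which is why the key check in the procedure has to be done by inspection on both devices.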