Unable to Log On Using Telnet or rlogin

If you cannot log on using Telnet or rlogin, perform the following steps.

Note

Rlogin is only supported on the VSP 8600 Series.

Procedure

  1. Check whether the TACACS+ server is reachable from the switch.
  2. On the TACACS+ server, check whether you configured the privilege level correctly. On successful authorization, the TACACS+ server returns an access level to the switch for the current user, which determines the user access privileges. The switch supports access levels 1 to 6 and access level 15.

    The following table maps user accounts to TACACS+ privilege level.

    Switch access level | TACACS+ privilege level | Description
    NONE | 0 | If the TACACS+ server returns an access level of 0, the user is denied access. You cannot log into the device if you have an access level of 0.
    READ ONLY | 1 | Permits you to view only configuration and status information.
    LAYER 1 READ WRITE | 2 | Permits you to view most of the switch configuration and status information and change physical port settings.
    LAYER 2 READ WRITE | 3 | Permits you to view and change configuration and status information for Layer 2 (bridging and switching) functions.
    LAYER 3 READ WRITE | 4 | Permits you to view and change configuration and status information for Layer 2 and Layer 3 (routing) functions.
    READ WRITE | 5 | Permits you to view and change configuration and status information across the switch. This level does not allow you to change security and password settings.
    READ WRITE ALL | 6 | Permits you to have all the rights of read-write access and the ability to change security settings, including command line interface (CLI) and web-based management user names and passwords, and the SNMP community strings.
    NONE | 7 to 14 | If the TACACS+ server returns an access level of 7 to 14, the user is denied access. You cannot log into the device if you have an access level of 7 to 14.
    READ WRITE ALL | 15 | Permits you to have all the rights of read-write access and the ability to change security settings, including command line interface (CLI) and web-based management user names and passwords, and the SNMP community strings.

    Note:

    Access level 15 is internally mapped to access level 6, which ensures consistency with other vendor implementations. The switch does not differentiate between an access level of 6 and an access level of 15.

    After you enable TACACS+ authorization, the current privilege-level to command mapping on the switch is no longer relevant because the TACACS+ server has complete responsibility for command authorization. TACACS+ authorization provides access to the system based on username, not based on privilege level.

    Note

    If you want to switch to privilege level X using the tacacs switch level <1-15> command, you must create a user named "$enabX$" on the TACACS+ server, where X is the privilege level that you want to change to.

  3. On the TACACS+ server, check whether you configured the password and user name correctly.
  4. On the TACACS+ server, check whether you configured the switch IP address in the trust list.
  5. Check whether you configured the encryption key, connection mode (single connection or per-session connection), and TCP port number the same on the TACACS+ server and switch.
  6. If you can log on to the switch, check whether the TACACS+ server configured on the platform has the correct IP address:

    show tacacs

  7. Use the output from the show tacacs command to verify whether you configured the single connection option on the platform, and whether the TACACS+ server supports the single connection.
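As an added example that is not part of this documentation, the following Python script applies the privilege-level mapping from step 2 (including the denied levels 0 and 7 to 14 and the internal mapping of 15 to 6) to audit the accounts defined on a TACACS+ server; the usernames and levels are constructed, and enable_username only builds the "$enabX$" name the note above describes.

```python
# Added example (not from the Extreme Networks documentation): apply the
# privilege-level mapping from step 2 to audit the accounts a TACACS+ server
# will hand to the switch. Usernames and levels below are constructed.
ACCESS_LEVELS = {
    1: "READ ONLY",
    2: "LAYER 1 READ WRITE",
    3: "LAYER 2 READ WRITE",
    4: "LAYER 3 READ WRITE",
    5: "READ WRITE",
    6: "READ WRITE ALL",
}

def map_priv_level(priv_lvl):
    """Switch access level for a TACACS+ priv-lvl, or None when login is denied."""
    if priv_lvl == 15:          # 15 is internally mapped to 6
        priv_lvl = 6
    return ACCESS_LEVELS.get(priv_lvl)   # 0, 7 to 14 and anything else: denied

def enable_username(level):
    """TACACS+ user the switch looks up for 'tacacs switch level <level>'."""
    if not 1 <= level <= 15:
        raise ValueError("level must be 1 to 15")
    return f"$enab{level}$"

def audit_accounts(accounts):
    """accounts: {username: priv_lvl}. Group users by the access they will get."""
    report = {"denied": [], "security_admins": [], "other": []}
    for user, lvl in sorted(accounts.items()):
        access = map_priv_level(lvl)
        if access is None:
            report["denied"].append(user)
        elif access == "READ WRITE ALL":   # can change passwords and SNMP strings
            report["security_admins"].append(user)
        else:
            report["other"].append((user, access))
    return report

if __name__ == "__main__":
    sample = {"alice": 15, "bob": 0, "carol": 3, "dave": 10, "erin": 6}
    print(audit_accounts(sample))
    print(enable_username(6))
```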

Example

Check whether the TACACS+ server configured on the platform has the correct IP address:

Switch:1>enable
Switch:1(config)#show tacacs

Global Status:

   global enable : false

   authentication enabled for : cli

   accounting enabled for : none

   authorization : disabled

   User privilege levels set for command authorization : None

Server:

                      create :

Prio   Status  Key     Port  IP address  Timeout Single Source SourceEnabled
Primary NotConn ******   3    192.0.2.254      30   true 5.5.5.5  true
Backup  NotConn ******  47    198.51.100.1      10  false 0.0.0.0 false
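As an added example that is not part of this documentation, the following Python script parses the Server table of the show tacacs output above and reports the mismatches that steps 5 to 7 ask you to compare; the port the TACACS+ server listens on and whether it supports the single connection are assumed inputs, and the sample output is copied from the example.

```python
# Added example (not from the Extreme Networks documentation): parse the Server
# table of "show tacacs" and flag what steps 5 to 7 ask you to compare.
SAMPLE_OUTPUT = """\
Global Status:
   global enable : false
Server:
Prio   Status  Key     Port  IP address  Timeout Single Source SourceEnabled
Primary NotConn ******   3    192.0.2.254      30   true 5.5.5.5  true
Backup  NotConn ******  47    198.51.100.1      10  false 0.0.0.0 false
"""
FIELDS = ["prio", "status", "key", "port", "ip", "timeout", "single", "source", "source_enabled"]

def parse_show_tacacs(text):
    """Return (global settings dict, list of server rows) from show tacacs output."""
    settings, servers, in_servers = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            in_servers = True
        elif not in_servers:
            if ":" in line and not line.endswith(":"):  # "key : value" lines
                key, value = line.split(":", 1)
                settings[key.strip()] = value.strip()
        else:
            parts = line.split()
            if len(parts) == len(FIELDS) and parts[0] in ("Primary", "Backup"):
                row = dict(zip(FIELDS, parts))
                row["port"] = int(row["port"])
                row["single"] = row["single"] == "true"
                servers.append(row)
    return settings, servers

def check_server(row, expected_port, server_supports_single):
    """Findings for one server row; expected values come from the TACACS+ server."""
    findings = []
    if row["status"] == "NotConn":
        findings.append("not connected")
    if row["port"] != expected_port:
        findings.append(f"port {row['port']} differs from server port {expected_port}")
    if row["single"] and not server_supports_single:
        findings.append("single connection enabled but server does not support it")
    return findings

def audit(text, expected_port=49, server_supports_single=False):
    """Map each server priority to its findings and flag TACACS+ disabled globally."""
    settings, servers = parse_show_tacacs(text)
    report = {r["prio"]: check_server(r, expected_port, server_supports_single) for r in servers}
    if settings.get("global enable") != "true":
        report["global"] = ["TACACS+ not enabled globally"]
    return report
```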

Job Aid

The following table describes the fields in the output for the show tacacs command.

Name

Description

Global Status

global enable

Displays if the TACACS+ feature is enabled globally.

authentication enabled for

Displays which application is authenticated by TACACS+. The possibilities are CLI, web, or all.

accounting enabled for

Displays if accounting is enabled. You can only enable accounting for CLI. By default, accounting is not enabled.

authorization

Displays if authorization is enabled.

User privilege levels set for command authorization

Displays the privilege levels set for command authorization. When you configure command authorization for a particular level, all commands that you execute are sent to the TACACS+ server for authorization. The device can only execute the commands the TACACS+ server authorizes.

The user privilege levels are:

  • 0: denied access

  • 1: read only (ro) access

  • 2: Layer 1 read and write (l1) access

  • 3: Layer 2 read and write (l2) access

  • 4: Layer 3 read and write (l3) access

  • 5: read and write (rw) access

  • 6: read and write all (rwa) access

  • 7-14: denied access

  • 15: read and write all (rwa) access

Server

Prio

Displays the priority of the TACACS+ server. The switch attempts to use the primary server first, and the secondary server second.

Status

Displays the connection status between the server and the switch – connected or not connected.

Key

Displays as ****** instead of the actual key. The key is secret and is not visible.

Port

Displays the TCP port used to establish the connection to the server. The default port is 49.

IP address

Displays the IP address for the primary and secondary TACACS+ servers.

Timeout

Displays the period of time, in seconds, the switch waits for a response from the TACACS+ daemon before it times out and declares an error. The default is 10 seconds.

Single

Displays if a single open connection is maintained between the switch and TACACS+ daemon, or if the switch opens and closes the TCP connection to the TACACS+ daemon each time they communicate. The default is false, which means the device does not maintain the single open connection.

Source

Note: only supported on the VSP 8600 Series.

Displays the fixed source IP address, if you configure one, for all outgoing TACACS+ packets.

SourceEnabled

Note: only supported on the VSP 8600 Series.

Displays if the fixed source IP address is enabled for all outgoing TACACS+ packets.