Unable to Log On by any Means (Telnet, rlogin, or SSH)
If you cannot log on by any means, perform the following steps.
Note
Rlogin is only supported on VSP 8600 Series.
Procedure
Example
Check if you enabled both TACACS+ and RADIUS on the switch:
```
Switch:1>enable
Switch:1(config)#show tacacs
Global Status:
    global enable : false
    authentication enabled for : cli
    accounting enabled for : none
    authorization : disabled
    User privilege levels set for command authorization : None
Server:
    create :
    Prio    Status  Key    Port IP address   Timeout Single Source  SourceEnabled
    Primary NotConn ****** 3    192.0.2.254  30      true   5.5.5.5 true
    Backup  NotConn ****** 47   198.51.100.1 10      false  0.0.0.0 false

Switch:1>show radius
    acct-attribute-value : 193
    acct-enable : false
    acct-include-cli-commands : false
    access-priority-attribute : 192
    auth-info-attr-value : 91
    command-access-attribute : 194
    cli-commands-attribute : 195
    cli-cmd-count : 40
    cli-profile-enable : false
    enable : false
    igap-passwd-attr : standard
    igap-timeout-log-fsize : 512
    maxserver : 10
    mcast-addr-attr-value : 90
    supported-vendor-ids : 1584, 562, 1916
    secure-flag : false
```
Check if the administrative and operation status of the port is up:
```
Switch:1#show interface gigabitethernet 1/2
================================================================================
                                 Port Interface
================================================================================
PORT                     LINK  PORT         PHYSICAL          STATUS
NUM   INDEX DESCRIPTION  TRAP  LOCK   MTU   ADDRESS           ADMIN  OPERATE
--------------------------------------------------------------------------------
1/2   257   1000BaseTX   true  false  1950  00:24:7f:a1:70:61 up     up

================================================================================
                                   Port Name
================================================================================
PORT                           OPERATE  OPERATE  OPERATE
NUM   NAME     DESCRIPTION     STATUS   DUPLEX   SPEED    VLAN
--------------------------------------------------------------------------------
1/2            1000BaseTX      up       full     1000     Tagged

================================================================================
                                  Port Config
================================================================================
PORT  DIFF-SERV  QOS  MLT  VENDOR
--More-- (q = quit)
```
Check if the switch has a route configured to the server network:
```
Switch:1(config)#show ip route
==========================================================================================
                                 IP Route - GlobalRouter
==========================================================================================
                                                NH                 INTER
DST             MASK            NEXT            VRF/ISID     COST  FACE  PROT AGE TYPE PRF
------------------------------------------------------------------------------------------
198.51.100.1    255.255.255.255 192.0.2.65      GlobalRouter 1     100   OSPF 0   IB   125
198.51.100.5    255.255.255.255 192.0.2.5       -            1     0     LOC  0   DB   0
198.51.100.13   255.255.255.255                 GlobalRouter 10    1000  ISIS 0   IBS  7
198.51.100.200  255.255.255.255                 GlobalRouter 10    1000  ISIS 0   IBS  7

4 out of 4 Total Num of Route Entries, 4 Total Num of Dest Networks displayed.
--------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Route,
U=Unresolved Route, N=Not in HW, F=Replaced by FTN, V=IPVPN Route, S=SPBM Route
PROTOCOL Legend:
v=Inter-VRF route redistributed
```

```
Switch:1(config)#show mgmt ip route
==========================================================================================
                        Mgmt IPv4 Route Information - Table main
==========================================================================================
DEST/MASK          NEXTHOP        METRIC  INTERFACE  TYPE
------------------------------------------------------------------------------------------
198.51.100.0/16    198.51.100.1   300     Mgmt-oob1  STATIC
198.51.100.0/23    0.0.0.0        1       Mgmt-oob1  LOCAL
192.0.2.0/8        192.0.2.1      300     Mgmt-oob1  STATIC

3 out of 3 Total Num of mgmt ip route displayed
------------------------------------------------------------------------------------------
```
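The three checks in the example can be run over saved CLI captures instead of being read by eye. The following is an added example, not vendor code: the function names are hypothetical, and it assumes the captures use the line layout of the outputs shown above (the embedded samples are constructed by trimming those outputs).

```python
import ipaddress
import re

# Constructed sample input, trimmed from the CLI outputs shown on this page.
SHOW_TACACS = """\
Global Status:
    global enable : false
Server:
    Prio    Status  Key    Port IP address   Timeout Single Source  SourceEnabled
    Primary NotConn ****** 3    192.0.2.254  30      true   5.5.5.5 true
    Backup  NotConn ****** 47   198.51.100.1 10      false  0.0.0.0 false
"""
SHOW_RADIUS = "    acct-enable : false\n    enable : false\n    secure-flag : false\n"
SHOW_IP_ROUTE = """\
198.51.100.1 255.255.255.255 192.0.2.65 GlobalRouter 1 100 OSPF 0 IB 125
198.51.100.5 255.255.255.255 192.0.2.5  -            1 0   LOC  0 DB 0
"""
SHOW_MGMT_IP_ROUTE = "192.0.2.0/8 192.0.2.1 300 Mgmt-oob1 STATIC\n"
IPV4 = r"\d+\.\d+\.\d+\.\d+"

def flag(text, key):
    """Boolean value of a 'key : true|false' line, or None if the key is absent."""
    m = re.search(rf"^[ \t]*{re.escape(key)}[ \t]*:[ \t]*(true|false)[ \t]*$", text, re.M)
    return None if m is None else m.group(1) == "true"

def tacacs_servers(text):
    """(priority, status, address) for each row of the TACACS+ server table."""
    row = re.compile(rf"^\s*(Primary|Backup)\s+(\S+)\s+\S+\s+\d+\s+({IPV4})\s", re.M)
    return [(p, s, ipaddress.ip_address(ip)) for p, s, ip in row.findall(text)]

def route_networks(ip_route, mgmt_route):
    """Destinations from 'show ip route' (DST MASK) and 'show mgmt ip route' (DEST/MASK)."""
    dests = [f"{d}/{m}" for d, m in re.findall(rf"^({IPV4})\s+({IPV4})\s", ip_route, re.M)]
    dests += re.findall(rf"^({IPV4}/\d+)\s", mgmt_route, re.M)
    # strict=False: the mgmt table prints destinations with host bits set (e.g. 192.0.2.0/8).
    return [ipaddress.ip_network(d, strict=False) for d in dests]

def report(tacacs, radius, ip_route, mgmt_route):
    nets = route_networks(ip_route, mgmt_route)
    return {
        "tacacs_enabled": flag(tacacs, "global enable"),
        "radius_enabled": flag(radius, "enable"),
        "servers": [{"prio": p, "status": s, "ip": str(ip),
                     "has_route": any(ip in n for n in nets)}
                    for p, s, ip in tacacs_servers(tacacs)],
    }

if __name__ == "__main__":
    print(report(SHOW_TACACS, SHOW_RADIUS, SHOW_IP_ROUTE, SHOW_MGMT_IP_ROUTE))
```

`has_route` only means that a destination in the pasted tables covers the server address; it does not confirm that the server answers.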
Job Aid
The following table describes the fields in the output for the show radius command.
Parameter | Description |
---|---|
acct-attribute-value | Specifies the accounting attribute value. |
acct-enable | Specifies if the accounting attribute is enabled. |
acct-include-cli-commands | Specifies if the accounting attribute includes CLI commands. The default is false. |
access-priority-attribute | Specifies the value of the access priority attribute. The default is 192. |
auth-info-attr-value | Specifies the value of the authentication information attribute. The default is 91. |
command-access-attribute | Specifies the value of the command access attribute. The default is 194. |
cli-commands-attribute | Specifies the value of the CLI commands attribute. The default is 195. |
cli-cmd-count | Specifies how many CLI commands before the system sends a RADIUS accounting interim request. The default is 40. |
cli-profile-enable | Specifies if RADIUS CLI profiling is enabled. CLI profiling grants or denies access to users being authenticated by way of the RADIUS server. You can add a set of CLI commands to the configuration on the RADIUS server, and you can specify the command-access mode for these commands. The default is false. |
enable | Specifies if RADIUS authentication is globally enabled on the switch. |
igap-passwd-attr | Specifies the IGMP for user Authentication Protocol (IGAP) password attribute. |
igap-timeout-log-fsize | Specifies the IGMP for user Authentication Protocol (IGAP) timeout log file size. |
maxserver | Specifies the maximum number of servers allowed for the device. The default is 10. |
mcast-addr-attr-value | Specifies the value of the multicast address attribute. The default is 90. |
secure-flag | Specifies whether RADIUS Security (RADSec) is globally enabled. The default is disabled. |
sourceip-flag (Note: Exception: only supported on VSP 8600 Series.) | Specifies if the switch can use a configured source IP address. If the outgoing interface on the switch fails, a different source IP address is used, which requires that you make configuration changes to define the new RADIUS client on the RADIUS server. To simplify RADIUS server configuration, you can configure the switch to use a circuitless IP (CLIP) address as the source IP and NAS IP address when transmitting RADIUS packets. By default, the switch uses the IP address of the outgoing interface as the source IP, and the NAS IP address for RADIUS packets that it transmits. |