Unable to Log On by any Means (Telnet, rlogin, or SSH)

If you cannot log on by any means, perform the following steps.

Note

Rlogin is only supported on VSP 8600 Series.

Procedure

  1. Check whether the TACACS+ server runs properly and try to restart the TACACS+ server.
  2. Check whether you enabled both TACACS+ and RADIUS on the switch.

    show radius

    show tacacs

    If TACACS+ fails, RADIUS can take over the authentication, authorization, and accounting (AAA) process.

  3. Check whether you configured the TACACS+ server to unencrypted mode, as the switch always sends encrypted TACACS+ messages.
  4. Check whether you configured the switch properly. In particular, check the IP address and key.

    show tacacs

  5. Check whether you configured the encryption key, connection mode (single connection or per-session connection), and TCP port number the same on the TACACS+ server and switch.
  6. If the server is directly connected to the switch, check whether the administrative and operational status of the port is up:

    show interface gigabitethernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

  7. If the server is connected in a network, check whether the switch has a route configured to the server network:

    show ip route

  8. If the server is connected in a network, check whether the switch has a route configured to the server network:

    show ip route and show ipv6 route

  9. For the Out-of-Band (OOB) or VLAN Segmented Management Instance, check whether the switch has a route configured to the server network:

    show mgmt ip route, show mgmt ipv6 route, and show mgmt ip route static

  10. For Segmented Management Instance troubleshooting, check the management network statistics:

    show mgmt ip arp, show khi mgmt statistics, show mgmt ip ip-statistics, and show mgmt ip icmp-statistics
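As an added example (not part of the Extreme Networks documentation), the Python script below applies steps 2, 6 and 7 of the procedure to saved command output: it parses show tacacs for the global enable flag and each server's connection status, TCP port and address, show interface gigabitethernet for the port's admin and operational status, and show ip route for a route that covers each server address, then reports which checklist items fail. The embedded output is constructed from the examples on this page, with values changed so that several checks fail. The comparison against TCP port 49 is an assumption that the server listens on the IANA-assigned TACACS+ port; step 5 only requires that server and switch agree, so the script phrases that finding as something to confirm rather than as an error.

```python
import ipaddress
import re

# Constructed sample output, modelled on the `show tacacs`, `show interface
# gigabitethernet` and `show ip route` examples on this page; the values are
# edited so that several checklist items fail.
SHOW_TACACS = """\
Global Status:
   global enable : false
Server:
Prio   Status  Key     Port  IP address  Timeout Single Source SourceEnabled
Primary NotConn ******   3    192.0.2.254      30   true 5.5.5.5  true
Backup  NotConn ******  47    198.51.100.1      10  false 0.0.0.0 false
"""
SHOW_INTERFACE = """\
PORT                       LINK  PORT           PHYSICAL          STATUS
NUM   INDEX DESCRIPTION    TRAP  LOCK     MTU   ADDRESS           ADMIN  OPERATE
--------------------------------------------------------------------------------
1/2   257   1000BaseTX     true  false    1950  00:24:7f:a1:70:61 up     down
"""
SHOW_IP_ROUTE = """\
DST             MASK            NEXT                 VRF/ISID       COST FACE  PROT AGE TYPE PRF
------------------------------------------------------------------------------------------
198.51.100.1        255.255.255.255 192.0.2.65       GlobalRouter     1   100   OSPF 0   IB   125
198.51.100.5         255.255.255.255 192.0.2.5        -               1   0     LOC  0   DB   0
"""

TACACS_PORT = 49  # IANA-assigned TACACS+ TCP port (assumption: the server uses it)


def parse_tacacs(text):
    """Return (global_enable, servers) from `show tacacs` output.

    Each server is a dict with prio, status, port, ip, timeout and single
    (True when single-connection mode is configured for that server).
    """
    m = re.search(r"global enable\s*:\s*(\w+)", text)
    enabled = m is not None and m.group(1).lower() == "true"
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 7 and parts[0] in ("Primary", "Backup"):
            servers.append({"prio": parts[0], "status": parts[1], "port": int(parts[3]),
                            "ip": parts[4], "timeout": int(parts[5]),
                            "single": parts[6] == "true"})
    return enabled, servers


def parse_interface(text):
    """Return {port: (admin, operate)} from `show interface gigabitethernet` output."""
    ports = {}
    for line in text.splitlines():
        parts = line.split()
        # data rows start with slot/port[/sub-port]; the last two columns are ADMIN and OPERATE
        if len(parts) >= 3 and re.fullmatch(r"\d+/\d+(/\d+)?", parts[0]):
            ports[parts[0]] = (parts[-2], parts[-1])
    return ports


def parse_routes(text):
    """Return the IP networks (DST + MASK columns) listed in `show ip route` output."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            nets.append(ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False))
        except ValueError:  # header, separator and legend lines are not routes
            continue
    return nets


def audit(tacacs_out, iface_out, route_out):
    """Apply the checklist and return the findings; an empty list means nothing was flagged."""
    findings = []
    enabled, servers = parse_tacacs(tacacs_out)
    if not enabled:
        findings.append("tacacs: global enable is false; RADIUS (if enabled) handles AAA instead")
    if not servers:
        findings.append("tacacs: no TACACS+ server configured")
    routes = parse_routes(route_out)
    for s in servers:
        who = f"tacacs {s['prio']} {s['ip']}"
        if s["status"] == "NotConn":
            findings.append(f"{who}: not connected; verify the server is running and the key matches")
        if s["port"] != TACACS_PORT:
            findings.append(f"{who}: switch uses TCP port {s['port']}, not {TACACS_PORT}; "
                            "confirm the server listens on that port")
        if not any(ipaddress.ip_address(s["ip"]) in net for net in routes):
            findings.append(f"{who}: no route to the server in the IP routing table")
    for port, (admin, oper) in parse_interface(iface_out).items():
        if admin != "up" or oper != "up":
            findings.append(f"port {port}: admin={admin} operate={oper}; link to the server is not up")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_TACACS, SHOW_INTERFACE, SHOW_IP_ROUTE):
        print("FINDING:", finding)
```

Run it against the embedded output and it reports seven findings (TACACS+ globally disabled, both servers not connected and on non-standard ports, no route to the primary server, and port 1/2 operationally down); feed it the real command output captured from the switch to get the same checklist applied to a live case.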

Example

Check if you enabled both TACACS+ and RADIUS on the switch:

Switch:1>enable
Switch:1(config)#show tacacs

Global Status:

   global enable : false

   authentication enabled for : cli

   accounting enabled for : none

   authorization : disabled

   User privilege levels set for command authorization : None

Server:
                      create :

Prio   Status  Key     Port  IP address  Timeout Single Source SourceEnabled
Primary NotConn ******   3    192.0.2.254      30   true 5.5.5.5  true
Backup  NotConn ******  47    198.51.100.1      10  false 0.0.0.0 false

Switch:1>show radius
             acct-attribute-value : 193
                      acct-enable : false
        acct-include-cli-commands : false
        access-priority-attribute : 192
             auth-info-attr-value : 91
         command-access-attribute : 194
           cli-commands-attribute : 195
                    cli-cmd-count : 40
               cli-profile-enable : false
                           enable : false
                 igap-passwd-attr : standard
           igap-timeout-log-fsize : 512
                        maxserver : 10
            mcast-addr-attr-value : 90
             supported-vendor-ids : 1584, 562, 1916
                      secure-flag : false

Check if the administrative and operational status of the port is up:

Switch:1#show interface gigabitethernet 1/2

================================================================================
                                 Port Interface
================================================================================
PORT                       LINK  PORT           PHYSICAL          STATUS
NUM   INDEX DESCRIPTION    TRAP  LOCK     MTU   ADDRESS           ADMIN  OPERATE
--------------------------------------------------------------------------------
1/2   257   1000BaseTX     true  false    1950  00:24:7f:a1:70:61 up     up


================================================================================
                                   Port Name
================================================================================
PORT                                               OPERATE  OPERATE  OPERATE
NUM   NAME                           DESCRIPTION   STATUS   DUPLEX    SPEED    VLAN
--------------------------------------------------------------------------------
1/2                                  1000BaseTX    up       full     1000     Tagged


================================================================================
                                  Port Config
================================================================================
PORT                DIFF-SERV   QOS   MLT   VENDOR

--More-- (q = quit)

Check if the switch has a route configured to the server network:

Switch:1(config)#show ip route
                                                                             

==========================================================================================
                                     IP Route - GlobalRouter                    
==========================================================================================
                                                     NH                  INTER                  
DST             MASK            NEXT                 VRF/ISID       COST FACE  PROT AGE TYPE PRF
------------------------------------------------------------------------------------------
198.51.100.1        255.255.255.255 192.0.2.65       GlobalRouter     1   100   OSPF 0   IB   125
198.51.100.5         255.255.255.255 192.0.2.5        -               1   0     LOC  0   DB   0  
198.51.100.13        255.255.255.255 			          GlobalRouter     10  1000  ISIS 0   IBS  7  
198.51.100.200       255.255.255.255 			          GlobalRouter     10  1000  ISIS 0   IBS  7  
4 out of 4 Total Num of Route Entries, 4 Total Num of Dest Networks displayed.
--------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Route,
U=Unresolved Route, N=Not in HW, F=Replaced by FTN, V=IPVPN Route, S=SPBM Route
PROTOCOL Legend:
v=Inter-VRF route redistributed

Check if the Segmented Management Instance has a route configured to the server network:

Switch:1(config)#show mgmt ip route

==========================================================================================
                         Mgmt IPv4 Route Information - Table main
==========================================================================================
DEST/MASK            NEXTHOP              METRIC     INTERFACE       TYPE
------------------------------------------------------------------------------------------
198.51.100.0/16      198.51.100.1         300        Mgmt-oob1       STATIC
198.51.100.0/23      0.0.0.0              1          Mgmt-oob1       LOCAL
192.0.2.0/8          192.0.2.1            300        Mgmt-oob1       STATIC

3 out of 3 Total Num of mgmt ip route displayed
------------------------------------------------------------------------------------------

Job Aid

The following table describes the fields in the output for the show radius command.

Parameter / Description

acct-attribute-value
    Specifies the accounting attribute value.

acct-enable
    Specifies if the accounting attribute is enabled.

acct-include-cli-commands
    Specifies if the accounting attribute includes CLI commands. The default is false.

access-priority-attribute
    Specifies the value of the access priority attribute. The default is 192.

auth-info-attr-value
    Specifies the value of the authentication information attribute. The default is 91.

command-access-attribute
    Specifies the value of the command access attribute. The default is 194.

cli-commands-attribute
    Specifies the value of the CLI commands attribute. The default is 195.

cli-cmd-count
    Specifies how many CLI commands are issued before the system sends a RADIUS accounting interim request. The default is 40.

cli-profile-enable
    Specifies if RADIUS CLI profiling is enabled. CLI profiling grants or denies access to users being authenticated by way of the RADIUS server. You can add a set of CLI commands to the configuration on the RADIUS server, and you can specify the command-access mode for these commands. The default is false.

enable
    Specifies if RADIUS authentication is globally enabled on the switch.

igap-passwd-attr
    Specifies the IGMP for user Authentication Protocol (IGAP) password attribute.

igap-timeout-log-fsize
    Specifies the IGMP for user Authentication Protocol (IGAP) timeout log file size.

maxserver
    Specifies the maximum number of servers allowed for the device. The default is 10.

mcast-addr-attr-value
    Specifies the value of the multicast address attribute. The default is 90.

secure-flag
    Specifies whether RADIUS Security (RADSec) is globally enabled. The default is disabled.

sourceip-flag
    Note: Exception: only supported on VSP 8600 Series.
    Specifies if the switch can use a configured source IP address. If the outgoing interface on the switch fails, a different source IP address is used, which requires that you make configuration changes to define the new RADIUS client on the RADIUS server. To simplify RADIUS server configuration, you can configure the switch to use a circuitless IP (CLIP) address as the source IP and NAS IP address when transmitting RADIUS packets.
    By default, the switch uses the IP address of the outgoing interface as the source IP and the NAS IP address for RADIUS packets that it transmits.