Unable to Log On Using Telnet or rlogin

If you cannot log on using Telnet or rlogin, perform the following steps.

Note

Rlogin is only supported on the VSP 8600 Series.

Procedure

  1. Check whether the TACACS+ server is available and reachable.
  2. On the TACACS+ server, check whether you configured the privilege level correctly. On successful authorization, the TACACS+ server returns an access level to the switch for the current user, which determines the user access privileges. The switch supports access levels 1 to 6 and access level 15.

    The following table maps user accounts to TACACS+ privilege levels.

    | Switch access level | TACACS+ privilege level | Description |
    |---|---|---|
    | NONE | 0 | If the TACACS+ server returns an access level of 0, the user is denied access. You cannot log into the device if you have an access level of 0. |
    | READ ONLY | 1 | Permits you to view only configuration and status information. |
    | LAYER 1 READ WRITE | 2 | Permits you to view most of the switch configuration and status information and change physical port settings. |
    | LAYER 2 READ WRITE | 3 | Permits you to view and change configuration and status information for Layer 2 (bridging and switching) functions. |
    | LAYER 3 READ WRITE | 4 | Permits you to view and change configuration and status information for Layer 2 and Layer 3 (routing) functions. |
    | READ WRITE | 5 | Permits you to view and change configuration and status information across the switch. This level does not allow you to change security and password settings. |
    | READ WRITE ALL | 6 | Permits you to have all the rights of read-write access and the ability to change security settings, including command line interface (CLI) and web-based management user names and passwords, and the SNMP community strings. |
    | NONE | 7 to 14 | If the TACACS+ server returns an access level of 7 to 14, the user is denied access. You cannot log into the device if you have an access level of 7 to 14. |
    | READ WRITE ALL | 15 | Permits you to have all the rights of read-write access and the ability to change security settings, including command line interface (CLI) and web-based management user names and passwords, and the SNMP community strings. |

    Note:

    Access level 15 is internally mapped to access level 6, which ensures consistency with other vendor implementations. The switch does not differentiate between an access level of 6 and an access level of 15.

    After you enable TACACS+ authorization, the current privilege-level to command mapping on the switch is no longer relevant because the TACACS+ server has complete responsibility for command authorization. TACACS+ authorization provides access to the system based on username, not based on privilege level.

    Note

    If you want to switch to a privilege level 'X' using the tacacs switch level <1-15> command, you must create a user "$enabX$" on the TACACS+ server, where X is the privilege level that you want to change to.

  3. On the TACACS+ server, check whether you configured the password and user name correctly.
  4. On the TACACS+ server, check whether you configured the switch IP address in the trust list.
  5. Check whether you configured the encryption key, connection mode (single connection or per-session connection), and TCP port number the same on the TACACS+ server and switch.
  6. If you can log on to the switch, check whether the TACACS+ server configured on the platform has the correct IP address:

    show tacacs

  7. Use the output from the show tacacs command to verify whether you configured the single connection option on the platform, and whether the TACACS+ server supports the single connection.

Example

Check whether the TACACS+ server configured on the platform has the correct IP address:

Switch:1>enable
Switch:1(config)#show tacacs

Global Status:

   global enable : false

   authentication enabled for : cli

   accounting enabled for : none

   authorization : disabled

   User privilege levels set for command authorization : None

Server:

                      create :

Prio   Status  Key     Port  IP address  Timeout Single Source SourceEnabled
Primary NotConn ******   3    192.0.2.254      30   true 5.5.5.5  true
Backup  NotConn ******  47    198.51.100.1      10  false 0.0.0.0 false
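
The checks in steps 5 to 7 can be scripted against captured `show tacacs` output. The following is an added example, not vendor code: it parses an abridged copy of the output above and compares each server row with the values configured on the TACACS+ server. The `EXPECTED` values (including TCP port 49, the registered TACACS+ port) and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: abridged copy of the `show tacacs` output shown above.
SAMPLE = """\
Global Status:
   global enable : false
   authentication enabled for : cli
   authorization : disabled
Server:
                      create :
Prio   Status  Key     Port  IP address  Timeout Single Source SourceEnabled
Primary NotConn ******   3    192.0.2.254      30   true 5.5.5.5  true
Backup  NotConn ******  47    198.51.100.1      10  false 0.0.0.0 false
"""

# Assumed values: what the TACACS+ server side is configured for (hypothetical).
EXPECTED = {
    "Primary": {"ip": "192.0.2.254", "port": 49, "single": True},
    "Backup": {"ip": "198.51.100.1", "port": 49, "single": False},
}

# Columns: Prio, Status, Key (masked, skipped), Port, IP address, Timeout, Single
ROW = re.compile(r"^(Primary|Backup)\s+(\S+)\s+\S+\s+(\d+)\s+(\S+)\s+(\d+)\s+(true|false)\b")

def parse_show_tacacs(text):
    """Return (global settings dict, list of server dicts)."""
    settings, servers = {}, []
    for line in map(str.strip, text.splitlines()):
        m = ROW.match(line)
        if m:
            prio, status, port, ip, timeout, single = m.groups()
            servers.append({"prio": prio, "status": status, "port": int(port),
                            "ip": ip, "timeout": int(timeout), "single": single == "true"})
        elif " : " in line:
            key, _, value = line.partition(" : ")
            settings[key] = value
    return settings, servers

def findings(text, expected):
    """List mismatches relevant to steps 5 to 7 of the procedure."""
    settings, servers = parse_show_tacacs(text)
    out = []
    if settings.get("global enable") != "true":
        out.append("TACACS+ is globally disabled on the switch")
    for s in servers:
        for field, want in expected.get(s["prio"], {}).items():
            if s[field] != want:
                out.append(f"{s['prio']}: {field} is {s[field]}, expected {want}")
        if s["status"] == "NotConn":
            out.append(f"{s['prio']}: status is NotConn")
    return out
```

The encryption key is masked in the output, so a key mismatch cannot be detected this way and still has to be checked on both sides by hand.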