|
This chapter describes troubleshooting information relating to security implementations and contains the following sections:
If you want detailed information about configuring and using TACACS+, refer to the
ATM Switch Router Software Configuration Guide and ATM Switch Router Command Reference publications. For additional information about TACACS+, refer to the
Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference .
The following sections describe problems with TACACS+ operation and possible solutions.
Symptom: Errors are generated when unarchiving the TACACS+ archive file (tac_plus.2.1.tar).
Table B-1 outlines possible problems and describes solutions.
1FTP = File Transfer Protocol |
Symptom: Attempts to compile the TACACS+ daemon result in errors.
Table B-2 outlines possible problems and describes solutions.
Symptom: The TACACS+ daemon is not running.
Table B-3 outlines possible problems and describes solutions.
Symptom: The TACACS+ daemon does not run when invoked.
Table B-4 outlines possible problems and describes solutions.
Symptom: Users cannot log in using TACACS+. Either users cannot get the Username prompt or they get the prompt but authentication or authorization fails.
Table B-5 outlines possible problems and describes solutions.
Possible Problem | Solution |
---|---|
1. Use the show running-config privileged EXEC command to view the local switch router configuration. Look for the following commands:
where name is the IP address or DNS1 host name of the TACACS+ server and key is the authentication and encryption key. 2. If all of these commands are not present, add the missing commands to the configuration. If there is no key configured on the TACACS+ daemon, the tacacs-server key command is not necessary. |
|
1. Use the show running-config privileged EXEC command to view the local switch router configuration. Look for an aaa authorization exec tacacs+ global configuration command entry.
2. If the command is present, remove it from the configuration by using the no version of the command. |
|
If PPP is not functioning properly, problems will occur when using TACACS+. Use the debug ppp negotiation privileged EXEC command to see if both sides are communicating.
For information on configuring PPP, refer to the |
|
1. Use the show running-config privileged EXEC command to make sure your configuration includes the following global configuration command:
2. If the command is not present, add it to the configuration. 3. In addition, check the configuration of the async interface being used. The interface must have the following commands configured: 4. If these commands are not present, add them to the interface configuration. |
|
1. Use the show running-config privileged EXEC command to make sure your configuration includes the following global configuration command:
2. If the command is not present, add it to the configuration. 3. In addition, check the configuration of the async interface being used. The interface must have the following commands configured: 4. If these commands are not present, add them to the interface configuration. 5. Make sure your daemon configuration file, located in the tac_plus.2.1 directory, includes one of the following lines, as appropriate: |
|
1. Check to make sure that the appropriate username and password pairs are contained in the /etc/passwd file.
2. If the appropriate users are not specified, generate a new user with the correct username and password, using the add user command. |
|
1. From the switch router, try to connect to port 49 by using Telnet on the TACACS+ daemon.
2. If the attempt to connect via Telnet is unsuccessful, make sure the daemon is running. For more information, see the "Daemon Is Not Up and Running" section. 3. If the daemon is running but the Telnet connection times out, check the IP connectivity. |
1DNS = Domain Naming System
2PPP = Point-to-Point Protocol 3PAP = Password Authentication Protocol 4CHAP = Challenge Handshake Authentication Protocol |
This section describes the procedure to recover a lost login or to enable a password. The procedure differs depending on the platform and the software used, but in all cases, password recovery requires that the switch router be taken out of operation and powered down.
If you need to perform the following procedure, make certain that there are secondary systems that can temporarily serve the functions of the switch router undergoing the procedure. If this is not possible, advise all potential users and, if possible, perform the procedure during low-use hours.
Note Make a note of your password, and store it in a secure place. |
All of the procedures for recovering lost passwords depend on changing the configuration register of the switch router. This is done by reconfiguring the switch router software.
More recent Cisco platforms run from Flash memory or are netbooted from a network server and can ignore the contents of nonvolatile random-access memory (NVRAM) when booting. By ignoring the contents of NVRAM, you can bypass the configuration file (which contains the passwords) and gain complete access to the switch router. You can then recover the lost password or configure a new one.
Note If your password is encrypted, you cannot recover it. You must configure a new password. |
Follow these steps to recover a password:
Step 2 Power cycle the switch router.
Step 3 Within 60 seconds of turning the switch router On, press the Break key sequence or send a break signal, which is usually ^]. If you do not see the >
prompt with no switch router name, the terminal is not sending the correct Break signal. In that case, check the terminal or terminal emulation setup.
Step 4 Enter the confreg command at the >
prompt.
Step 5 Answer yes to the Do you wish to change configuration [y/n]?
prompt.
Step 6 Answer no to all the questions that appear until you reach the Ignore system config info [y/n]
prompt. Answer yes.
Step 7 Answer no to the remaining questions until you reach the Change boot characteristics [y/n]?
prompt. Answer yes.
Step 8 At the enter to boot: prompt, enter 2.
Step 9 Answer no to the Do you wish to change configuration [y/n]?
prompt.
Step 10 Enter the reset command at the rommon>
prompt.
Step 11 Enter the enable command at the Switch>
prompt. You'll be in enable mode and see the Switch#
prompt.
Step 12 Enter the show startup-config command to view your password.
Step 13 If your password is clear text, proceed to Step 16.
or
If your password is encrypted, continue with Step 14.
Step 14 If your password is encrypted, enter the configure memory command to copy the NVRAM into memory.
Step 15 Enter the copy running-config startup-config command.
Step 16 Enter the configure terminal command.
Step 17 Enter the enable secret password command.
Step 18 Enter the config-register value command, where value is whatever value you entered in Step 1.
Step 19 Enter the exit command to exit configuration mode.
Step 20 Enter the copy running-config startup-config command.
Step 21 Enter the reload command at the prompt.
Posted: Wed Jan 22 00:09:48 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.