dsterling
asked on
Can't configure console login, getting the message "AAA: Warning authentication list "cisco" is not defined for LOGIN"
I want to configure the console login and password for a Cisco 3750 switch and I'm getting the message "AAA: Warning authentication list "cisco" is not defined for LOGIN", for example, if I want to use cisco as the login so that at the Username: I would enter cisco, but I'm getting the above message when I try to configure it. I want to be able to configure the username for console access to the switch?
ASKER
It will not except login local, see results below
Switch(config)#username cisco password 12345
Switch(config)#line con 0
Switch(config-line)#login local
^
% Invalid input detected at '^' marker.
Switch(config-line)#
Switch(config)#username cisco password 12345
Switch(config)#line con 0
Switch(config-line)#login local
^
% Invalid input detected at '^' marker.
Switch(config-line)#
Please post the current config of the switch.
ASKER
Here it is, all interfaces are the same and I took out the QOS statements and the crypto pki statements.
Switch#sh run
Building configuration...
Current configuration: 15855 bytes
!
version 12.2
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname Switch_01
!
boot-start-marker
boot-end-marker
!
logging buffered 10000
enable secret 5 <concealed>
enable password 7 <concealed>
!
username netadmin privilege 15 password 7 <concealed>
username netadmin1 privilege 15 password 7 <concealed>
username netadmin2 privilege 15 password 7 <concealed>
username netadmin3 privilege 15 password 7 <concealed>
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login vty-in group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 cmds1 start-stop group tacacs+
aaa accounting commands 15 cmds15 start-stop group tacacs+
aaa accounting network default stop-only group tacacs+
!
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDST recurring
switch 1 provision ws-c3750-48p
system mtu routing 1500
ip subnet-zero
ip domain-name <concealed>
ip name-server 192.168.2.25
!
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
spanning-tree vlan 1 priority 24576
!
vlan internal allocation policy ascending
!
!
class-map match-all AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-all AutoQoS-VoIP-Control-Trust
match ip dscp cs3 af31
!
!
policy-map AutoQoS-Police-CiscoPhone
class AutoQoS-VoIP-RTP-Trust
set dscp ef
police 320000 8000 exceed-action policed-dscp-transmit
class AutoQoS-VoIP-Control-Trust
set dscp cs3
police 32000 8000 exceed-action policed-dscp-transmit
!
!
!
!
interface FastEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport voice vlan 10
spanning-tree portfast
interface Vlan1
ip address 192.168.110.2 255.255.255.0
!
interface Vlan10
no ip address
!
ip classless
ip http server
ip http secure-server
!
ip tacacs source-interface Vlan1
!
logging trap debugging
logging <concealed>
logging <concealed>
access-list 1 permit <concealed>
access-list 1 permit <concealed>
access-list 1 permit <concealed>
access-list 1 permit <concealed>
access-list 1 permit <concealed>
access-list 1 permit <concealed>
!
snmp-server community <concealed>
snmp-server community <concealed>
snmp-server community <concealed>
snmp-server contact <concealed>
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps config
snmp-server host <concealed>
tacacs-server host <concealed>
tacacs-server host <concealed>
no tacacs-server directed-request
tacacs-server key <concealed>
!
control-plane
line con 0
password 7 <concealed>
accounting commands 1 cmds1
accounting commands 15 cmds15
login authentication cisco
line vty 0 4
exec-timeout 61 0
password 7 <concealed>
accounting commands 1 cmds1
accounting commands 15 cmds15
login authentication vty-in
length 0
transport input ssh
line vty 5 15
password 7 <concealed>!
end
Switch#sh run
Building configuration...
Current configuration: 15855 bytes
!
version 12.2
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname Switch_01
!
boot-start-marker
boot-end-marker
!
logging buffered 10000
enable secret 5 <concealed>
enable password 7 <concealed>
!
username netadmin privilege 15 password 7 <concealed>
username netadmin1 privilege 15 password 7 <concealed>
username netadmin2 privilege 15 password 7 <concealed>
username netadmin3 privilege 15 password 7 <concealed>
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login vty-in group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 cmds1 start-stop group tacacs+
aaa accounting commands 15 cmds15 start-stop group tacacs+
aaa accounting network default stop-only group tacacs+
!
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDST recurring
switch 1 provision ws-c3750-48p
system mtu routing 1500
ip subnet-zero
ip domain-name <concealed>
ip name-server 192.168.2.25
!
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
spanning-tree vlan 1 priority 24576
!
vlan internal allocation policy ascending
!
!
class-map match-all AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-all AutoQoS-VoIP-Control-Trust
match ip dscp cs3 af31
!
!
policy-map AutoQoS-Police-CiscoPhone
class AutoQoS-VoIP-RTP-Trust
set dscp ef
police 320000 8000 exceed-action policed-dscp-transmit
class AutoQoS-VoIP-Control-Trust
set dscp cs3
police 32000 8000 exceed-action policed-dscp-transmit
!
!
!
!
interface FastEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport voice vlan 10
spanning-tree portfast
interface Vlan1
ip address 192.168.110.2 255.255.255.0
!
interface Vlan10
no ip address
!
ip classless
ip http server
ip http secure-server
!
ip tacacs source-interface Vlan1
!
logging trap debugging
logging <concealed>
logging <concealed>
access-list 1 permit <concealed>
access-list 1 permit <concealed>
access-list 1 permit <concealed>
access-list 1 permit <concealed>
access-list 1 permit <concealed>
access-list 1 permit <concealed>
!
snmp-server community <concealed>
snmp-server community <concealed>
snmp-server community <concealed>
snmp-server contact <concealed>
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps config
snmp-server host <concealed>
tacacs-server host <concealed>
tacacs-server host <concealed>
no tacacs-server directed-request
tacacs-server key <concealed>
!
control-plane
line con 0
password 7 <concealed>
accounting commands 1 cmds1
accounting commands 15 cmds15
login authentication cisco
line vty 0 4
exec-timeout 61 0
password 7 <concealed>
accounting commands 1 cmds1
accounting commands 15 cmds15
login authentication vty-in
length 0
transport input ssh
line vty 5 15
password 7 <concealed>!
end
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I took out the lines suggested so that there is nothing configured for line con 0, then I configure the username and password, then went in the line con 0 and still can't use the login local command (see below).
Switch(config-line)#login local
^
% Invalid input detected at '^' marker.
Switch(config-line)#login ?
authentication Authentication parameters.
Switch(config-line)#login local
^
% Invalid input detected at '^' marker.
Switch(config-line)#login ?
authentication Authentication parameters.
I've never run across that before. It appears that the AAA configuration is preventing you from selecting local login.
Hopefully one of the security guys will have an idea.
Hopefully one of the security guys will have an idea.
ASKER
Appreciate all you help, I'll wait to see if anyone else responds, if not I'll resubmit the question and give you credit.
Problem now is that the question is a few days old with a few posts. Not many people look at questions like that.
I don't know how, but you can create a new question that points to this one. You might ask one of the moderators how.
I don't know how, but you can create a new question that points to this one. You might ask one of the moderators how.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Worked great!
Open in new window