|
|
This chapter describes troubleshooting information relating to security implementations and contains the following sections:
If you want detailed information about configuring and using Terminal Access Controller Access Control System+ (TACACS+), refer to the LightStream 1010 ATM Switch Software Configuration Guide and LightStream 1010 ATM Switch Software Command Reference publication. In addition, for TACACS+, download the TACACS+ User Guide from the TACACS+ Software Images page on Cisco Connection Online.
Symptom: Errors are generated when unarchiving the TACACS+ archive file (tac_plus.2.1.tar).
Table 8-1 outlines the problems that might cause this symptom and describes solutions to those problems.
| Possible Problem | Solution |
|---|---|
Archive file was not transferred using FTP1 binary (image) mode | The TACACS+ archive file must be transferred using FTP binary (image) mode. FTP the tac_plus.2.1.tar file again using FTP binary transfer mode. From the FTP command line, enter the image command to set the image mode. For other FTP software, refer to your documentation for instructions on setting the image mode. |
Make sure there is sufficient disk space for the expanded tac_plus.2.1.tar file. If there is not enough space on your UNIX system, create enough free disk space to accommodate decompression of the file. TACACS+ requires about 900 KB. |
| 1FTP = File Transfer Protocol |
Symptom: Attempts to compile the TACACS+ daemon result in errors.
Table 8-2 outlines the problems that might cause this symptom and describes solutions to those problems.
| Possible Problem | Solution |
|---|---|
make is not in $PATH or is not installed on the UNIX machine | Step 1 Enter the command which make at the UNIX prompt. If the output says "No make in $PATH...," make is not in the specified path or is not installed. Step 2 If make is already installed, modify the $PATH variable to include the directory in which make is located. If make is not installed, see your system administrator for help installing it. Step 3 Compile the TACACS+ daemon again. |
gcc is not in $PATH or is not installed correctly | Step 1 Enter the command which gcc at the UNIX prompt. If the output says "No gcc in $PATH...," gcc is not in the specified path or is not installed. Step 2 If gcc is already installed, modify the $PATH variable to include the directory in which gcc is located. If gcc is not installed, ask your system administrator to install it. Step 3 Compile the TACACS+ daemon again. |
Your UNIX platform must be listed and uncommented in the Makefile for make to compile the TACACS+ source code properly. The Makefile is located in the tac_plus.2.1 directory. Step 1 Make sure that your UNIX platform is not commented out in the Makefile. Step 2 If your platform is not listed at all, see your system administrator for help compiling the source code. The only supported platforms are those listed in the Makefile. Step 3 Compile the TACACS+ daemon again. |
Symptom: The TACACS+ daemon is not running.
Table 8-3 outlines the problems that might cause this symptom and describes solutions to those problems.
| Possible Problem | Solution |
|---|---|
Launch TACACS+ with the command tac_plus -C configuration filename. | |
TACACS+ is not specified in the /etc/services file | Step 1 Check the /etc/services file for the following line: tacacs 49/tcp Step 2 This line must be included in the file. If the line is not present, add the line to the file. |
The TACACS+ daemon cannot run if the tac_plus executable does not exist. Step 1 Check the directory where you installed tac_plus.2.1 to see if the tac_plus file exists. Step 2 If the file does not exist, use the make tac_plus command to compile tac_plus. |
Symptom: The TACACS+ daemon does not run when invoked.
Table 8-4 outlines the problems that might cause this symptom and describes solutions to those problems.
| Possible Problem | Solution |
|---|---|
Step 1 Check the directory in which you installed TACACS+ for a configuration file in the TACACS+ format. Step 2 If there is no TACACS+ configuration file present and you are upgrading from XTACACS, convert your password file into a configuration file by issuing the following command: unix_host% convert.pl /etc/passwd > configuration-file The configuration file can have any name you want. Step 3 If there is no TACACS+ configuration file present, create one using a text editor. At a minimum, the configuration file must contain the following text: user = userid {
login = cleartext "passwd"
}
The configuration file can have any name you want. For more information, refer to the user's guide located in the tac_plus.2.1 directory. |
Symptom: Users cannot log in using TACACS+. Either users cannot get the Username prompt or they get the prompt but authentication or authorization fails.
Table 8-5 outlines the problems that might cause this symptom and describes solutions to those problems.
| Possible Problem | Solution |
|---|---|
Step 1 Use the show running-config privileged EXEC command to view the local switch configuration. Look for the following commands: aaa new-model aaa authentication login default tacacs+ enable [...] tacacs-server host name tacacs-server key key where name is the IP address or DNS1 host name of the TACACS+ server and key is the authentication and encryption key. Step 2 If all of these commands are not present, add the missing commands to the configuration. If there is no key configured on the TACACS+ daemon, the tacacs-server key command is not necessary. | |
aaa authorization command is present | Step 1 Use the show running-config privileged EXEC command to view the local switch configuration. Look for an aaa authorization exec tacacs+ global configuration command entry. Step 2 If the command is present, remove it from the configuration using the no version of the command. |
If PPP is not functioning properly, problems will occur when using TACACS+. Use the debug ppp negotiation privileged EXEC command to see if both sides are communicating. For information on configuring PPP, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and Configuration Fundamentals Command Reference publications. | |
Step 1 Use the show running-config privileged EXEC command to make sure your configuration includes the following global configuration command: aaa authentication ppp default if-needed tacacs+ Step 2 If the command is not present, add it to the configuration. Step 3 In addition, check the configuration of the async interface being used. The interface must have the following commands configured: encapsulation ppp ppp authentication pap Step 4 If these commands are not present, add them to the interface configuration. | |
Step 1 Use the show running-config privileged EXEC command to make sure your configuration includes the following global configuration command: aaa authentication ppp default if-needed tacacs+ Step 2 If the command is not present, add it to the configuration. Step 3 In addition, check the configuration of the async interface being used. The interface must have the following commands configured: encapsulation ppp ppp authentication chap Step 4 If these commands are not present, add them to the interface configuration. Step 5 Make sure your daemon configuration file, located in the tac_plus.2.1 directory, includes one of the following lines, as appropriate: chap = cleartext password or global = cleartext password | |
Step 1 Check to make sure that the appropriate username and password pairs are contained in the /etc/passwd file. Step 2 If the appropriate users are not specified, generate a new user with the correct username and password using the add user command. | |
There is no TCP connection to the TACACS+ daemon | Step 1 From the switch, try to connect to port 49 using Telnet on the TACACS+ daemon. Step 2 If using Telnet is unsuccessful, make sure the daemon is running. For more information, refer to the section "Daemon Is Not Up and Running" earlier in this chapter. Step 3 If the daemon is running but the Telnet connection times out, check the IP connectivity. |
| 1DNS = Domain Naming System 2PPP = Point-to-Point Protocol 3PAP = Password Authentication Protocol 4Chap = Challenge Handshake Authentication Protocol |
This section describes the procedure to recover a lost login or to enable a password. The procedure differs depending on the platform and the software used, but in all cases, password recovery requires that the switch be taken out of operation and powered down.
If you need to perform the following procedure, make certain that there are secondary systems that can temporarily serve the functions of the switch undergoing the procedure. If this is not possible, advise all potential users and, if possible, perform the procedure during low-use hours.
All of the procedures for recovering lost passwords depend on changing the configuration register of the switch. This is done by reconfiguring the switch software.
More recent Cisco platforms run from Flash memory or are netbooted from a network server and can ignore the contents of nonvolitile random-access memory (NVRAM) when booting. By ignoring the contents of NVRAM, you can bypass the configuration file (which contains the passwords) and gain complete access to the switch. You can then recover the lost password or configure a new one.
Figure 8-1 is a flow chart of the password recovery procedure.
Following is the password-recovery procedure:
Step 1 Power the switch off and back on.
Step 2 Use the break key sequence for your terminal or terminal emulation software within 60 seconds of turning on the power.
The ROM monitor (>) prompt will appear.
Step 3 Enter the command, e/s 2000002. This command examines the short (16-bit) memory location for the software configuration register.
Record the output resulting from this command. This output is the software configuration register value.
Step 4 Enter q (quit) to return to the ROM monitor (>) prompt.
Step 6 Enter i (initialize) at the ROM monitor (>) prompt. The switch reboots.
Step 7 Answer no to all of the Setup questions.
Step 8 Enter the enable EXEC command at the Switch> prompt.
Step 9 Enter the show startup-config or show configuration privileged EXEC command to see if your password is cleartext (is not encrypted) or if it is encrypted.
Step 10 If your password is cleartext, proceed to Step 14.
or
If your password is encrypted, continue with Step 11.
Step 11 If your password is encrypted, enter the configure memory privileged EXEC command. This transfers the stored configuration into running memory.
Step 12 Enter the configure terminal privileged EXEC command to enter switch configuration mode.
Step 13 If you lost the enabled password, use the enable-password global configuration command to configure a new password and press ^Z to exit configuration mode.
If you lost the login password, configure the console line using the login and password line configuration commands. Enter ^Z to exit configuration mode and proceed to Step 15.
Step 14 If you lost the enabled password, locate the enable-password global configuration command entry in the configuration and record the password.
If you lost the login password, find the configuration entries for the console line and record the password indicated by the password line configuration command.
Step 15 Use the copy running-config startup-config or write memory privileged EXEC command to write the configuration into running memory.
 | Caution Issuing the copy running-config startup-config or write memory command at this point will overwrite the configuration. Make certain you have a backup of your configuration file. |
Step 16 The switch is now fully functional, and you can use your recovered or reconfigured passwords as usual.
Step 17 In privileged EXEC mode, enter switch configuration mode using the configure terminal privileged EXEC command.
Step 18 Change the software configuration register to its original value using the config-register global configuration command. Enter 0x and then the software configuration register value that you recorded in Step 3. Using the example value of 2102, the command would be config-register 0x2102.
Step 19 Exit from switch configuration mode by entering ^Z.
The next time the switch is power cycled or restarted with the reload privileged EXEC command, the bootup process will proceed as normal. Use your new or recovered password to gain access to the switch after it reboots.
Posted: Tue Jun 22 14:10:40 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.