I would do a debug on your TACACS+ server while you are trying this.
I'll assume that you only want to use TACACS authentication and only fall-back to local logins if it can't access the server?
Try using this:
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
Also see this site: It has some good examples and explanations
http://my.safaribooksonline.com/book/networking/cisco-ios/0596527225/tacacsplus/i13896_heada_4_2#X2ludGVybmFsX0h0bWxWaWV3P3htbGlkPTA1OTY1MjcyMjUlMkZpNTAzNjNfX2hlYWRhX180XzEmcXVlcnk9
My guess is that since you have the "local" keyword in:
aaa authentication login default group tacacs+ local line
The TACACS+ authentication returns a fail, so the router tries doing local authentication. I guess you should provide us with the line vty sanitized configuration.
If you have
line vty 0 15
login local
Then it would do a username/password authentication otherwise its doing password
Hope this helps as I had the same issue and this corrected the problem.
568750 - False Duplicate IP detection on Logix Ethernet modules when used with Cisco switches
Access Level: Everyone
Date Created: 10/22/2013 10:54 AM
Last Updated: 08/27/2014 10:33 AM
Problem
When Logix Ethernet modules are connected to a subnet containing Cisco switches with "ip device tracking" (IPDT) enabled, the modules may go into a duplicate IP address state after a restart/reset.
Environment
Any layer two networks that contain both Logix Ethernet modules and Cisco switches running IPDT. IPDT is much more likely to be implemented on Cisco switches as of August, 2013 because of a behavior change which enables this command if any feature which requires it is enabled. This behavior change also removes the ability to turn off IPDT without first turning off any features which require IPDT.
The Stratix line of switches will not have “ip device tracking” enabled by default until a permanent solution is in place.
Cause
The IPDT feature sends probe ARP packets with a source IP address of 0.0.0.0., the source MAC ID of the switch, and the target IP and MAC ID for the device being probed to check that it is still connected and responsive.
When a device becomes disconnected, and then is reconnected within the configurable IPDT timeout period, probe ARP packets may be received by a Logix Ethernet module at the same time as it is in its Address Conflict Detection mechanism. If this happens, the Logix Ethernet module will immediately go into a duplicate IP state, and stop communicating.
IPDT when activated on a Cisco switch will try to probe for every ip connected on the subnet, regardless of whether it is connected to that switch or not. Testing has shown that this affects the majority of Ethernet modules sold by Rockwell Automation.
Workaround
Several workarounds to this issue exist. They all make suggestions using Cisco IOS command-line interface commands.
Workaround 1
Architect manufacturing zone subnets such that:
1. IPDT is explicitly disabled on every trunk port with the following command:
Hostname (config-if)# ip device tracking maximum 0
2. IPDT probe delay is manually configured on any access port connected to a Rockwell Automation Ethernet module with the following command:
Hostname (config)# ip device tracking probe delay 10
Workaround 2
If the switch in question has an administration IP (SVI) configured on the subnet/VLAN in question the Cisco CLI command:
Hostname (config)# ip device tracking probe use-svi
will insert the administration IP into the source IP in the IPDT packet. This packet will not impact Address Conflict Detection operation.
Workaround 3
Disable IPDT on any Cisco switch ports with IPDT enabled that subsequently connect to a Rockwell Automation Ethernet module with the following command:
Hostname (config-if)# ip device tracking maximum 0
Solution
The permanent solution is under consideration.
Comments (1)
jbrodsky
06/04/2014 08:13 AM
This command does not work in all Cisco switch firmwares.
The command that worked for me was
Hostname (config-if) # nmsp attach suppress
and I later confirmed that it worked by issuing the following command
Hostname # show ip device tracking all
and the device should NOT show up in the list of enabled devices.
The alternative command that others have used to disable IP device tracking is
Hostname (config-if) # no ip device tracking max
But that had no effect for me using a 3850 stack with version 3.02.03.SE
The command was accepted but did not disable anything when I checked with showing device tracking.
Be forewarned that Cisco is having complaints about this issue and they are probably going to change the firmware yet again...
Reply | Flag as Inappropriate |
Post a Comment
Product Tree for This Answer (expand/collapse)Expand Product Tree for This Answer ID
Answers others found helpful
35072 - EtherNet/IP Duplicate Address Detection
118216 - Logix modules Duplicate IP address detection enhancement
51541 - 1756-ENBT display Duplicate IP scrolling over display
573991 - Unknown multicast traffic flooding network with 1783-ETAP with IGMP
42616 - IP addresses of Ethernet modules in a Redun
Best Answer
You are receiving the error because the "password" you are entering is not a proper MD5 hash. Check to verify that you are trying to enter a complete MD5 hash and that it is not another type of hash. Cleartext, Type 4 or Type 7 passwords will not suffice.
You may be trying to use a password obscured by a Vigenère cipher. The Vigenère cipher is often refered as a Type 7 password. It is associated with the
service password-encryptionandenable password 7 supersecretpwcommands.Type 7 password hashes look something like this:
098f6bcd4621d373cade4e832627b4f6Type 5 (MD5) hashes look a little something like this:
$1$jR5i$.HDBuKq.wIDOn2EYpCPYc0Cisco Type 5 hashes will always be comprised of 3 elements, separated by
$.For the above example:
Jeremy Stretch does a great write-up on how Cisco leverages MD5 here:
http://packetlife.net/blog/2008/jul/9/a-bit-more-detail-on-ios-password-hashes/