|
|
This chapter outlines troubleshooting information relating to security implementations. The first part of the chapter describes problems commonly encountered in TACACS+ and XTACACS security implementations. The section "Recovering a Lost Password" describes password recovery procedures for common Cisco router platforms.
The TACACS+ and XTACACS sections describe specific symptoms, the problems that are likely to cause each symptom, and the solutions to those problems.
The sections on troubleshooting TACACS+ include the following:
The sections on troubleshooting XTACACS include the following:
If you want detailed information about configuring and using TACACS+ and XTACACS, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and Configuration Fundamentals Command Reference. In addition, for TACACS+, download the TACACS+ User Guide from the TACACS+ Software Images page on Cisco Connection Online (CCO). For more information about XTACACS, refer to the README file that you downloaded with your XTACACS source file.
Symptom: Errors are generated when unarchiving the TACACS+ archive file (tac_plus.2.1.tar).
Table 22-1 outlines the problems that might cause this symptom and describes solutions to those problems.
Symptom: Attempts to compile the TACACS+ daemon result in errors.
Table 22-2 outlines the problems that might cause this symptom and describes solutions to those problems.
Symptom: The TACACS+ daemon is not running.
Table 22-3 outlines the problems that might cause this symptom and describes solutions to those problems.
Symptom: The TACACS+ daemon does not run when invoked.
Table 22-4 outlines the problems that might cause this symptom and describes solutions to those problems.
Symptom: Users cannot log in using TACACS+. Either users cannot get the "Username" prompt or they get the prompt but authentication or authorization fails.
Table 22-5 outlines the problems that might cause this symptom and describes solutions to those problems.
| Possible Problem | Solution |
|---|---|
| Router missing minimum configuration | Step 1 Use the show running-config privileged EXEC command to view the local router configuration. Look for the following commands:
aaa authentication login default tacacs+ enable [...]
tacacs-server host name
tacacs-server key key
where name is the IP address or DNS1 hostname of the TACACS+ server and key is the authentication and encryption key. Step 2 If all of these commands are not present, add the missing commands to the configuration. If there is no key configured on the TACACS+ daemon, the tacacs-server key command is not necessary. |
| aaa authorization command present | Step 1 Use the show running-config privileged EXEC command to view the local router configuration. Look for an aaa authorization exec tacacs+ global configuration command entry.
Step 2 If the command is present, remove it from the configuration using the no version of the command. |
| PPP not functioning correctly | If PPP is not functioning properly, problems will occur when using TACACS+. Use the debug ppp negotiation privileged EXEC command to see if both sides are communicating.
For information on configuring PPP, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and Configuration Fundamentals Command Reference. |
| PAP is misconfigured | Step 1 Use the show running-config privileged EXEC command to make sure your configuration includes the following global configuration command:
Step 2 If the command is not present, add it to the configuration. Step 3 In addition, check the configuration of the async interface being used. The interface must have the following commands configured:
ppp authentication pap Step 4 If these commands are not present, add them to the interface configuration. |
| CHAP is misconfigured | Step 1 Use the show running-config privileged EXEC command to make sure your configuration includes the following global configuration command:
Step 2 If the command is not present, add it to the configuration. Step 3 In addition, check the configuration of the async interface being used. The interface must have the following commands configured:
ppp authentication chap Step 4 If these commands are not present, add them to the interface configuration. Step 5 Make sure your daemon configuration file, located in the tac_plus.2.1 directory, includes one of the following lines, as appropriate:
password
or
password
|
| Step 1 Check to make sure that the appropriate username and password pairs are contained in the /etc/passwd file.
Step 2 If the appropriate users are not specified, generate a new user with the correct username and password using the add user command. | |
| No TCP connection to TACACS+ daemon | Step 1 From the router, try to Telnet to port 49 on the TACACS+ daemon.
Step 2 If the Telnet is unsuccessful, make sure the daemon is running. For more information, refer to the section "TACACS+" earlier in this chapter. Step 3 If the daemon is running but the Telnet times out, check IP connectivity. For more information, see the "Troubleshooting TCP/IP" chapter. |
Symptom: Error messages are generated when unarchiving the XTACACS archive file (either xtacacsd.tar.z or xtacacsd.tar).
Table 22-6 outlines the problems that might cause this symptom and describes solutions to those problems.
Symptom: Attempts to compile the XTACACS daemon result in errors.
Table 22-7 outlines the problems that might cause this symptom and describes solutions to those problems.
Symptom: The XTACACS daemon is not up and running.
Table 22-8 outlines the problems that might cause this symptom and describes solutions to those problems.
Symptom: The response time from the XTACACS daemon is slow. Users have to wait a long time before being prompted for their username and password.
Table 22-9 outlines the problems that might cause this symptom and describes solutions to those problems.
Symptom: Users cannot log in using XTACACS. Either users cannot get the "Username" prompt or they get the prompt but authentication or authorization fails.
Table 22-10 outlines the problems that might cause this symptom and describes solutions to those problems.
| Possible Problem | Solution |
|---|---|
| Missing login tacacs command | Step 1 Use the show running-config privileged EXEC command on the router to see if the login tacacs line configuration command is present.
Step 2 If the command is not present, add the command on each line that should use XTACACS. For example, to configure line 2 to use XTACACS, enter the following commands:
line 2
C2500(config-line)# login tacacs
For detailed information on configuring XTACACS, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and Configuration Fundamentals Command Reference. |
| Router does not have minimum XTACACS configuration | Step 1 Use the show running-config privileged EXEC command to view the local router configuration. Look for the following commands:
name
tacacs-server extended where name is the DNS hostname or IP address of the XTACACS server. Step 2 If these commands are not present, add them to the configuration. |
| PPP not functioning correctly | If PPP is not functioning properly, problems will occur when using XTACACS. Use the debug ppp negotiation privileged EXEC command to see if both sides are communicating.
For information on configuring PPP, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and Configuration Fundamentals Command Reference. |
| PAP is misconfigured | Step 1 Use the show running-config privileged EXEC command to make sure the router is configured for PAP authentication. The router configuration should include the following interface configuration commands for each async interface that should use PAP authentication:
ppp use-tacacs Step 2 If the commands are not present, add them to the configuration. |
| CHAP is misconfigured | Step 1 Use the show running-config privileged EXEC command to make sure the router is configured for CHAP authentication. The router configuration should include the following interface configuration commands for each async interface that should use CHAP authentication:
ppp authentication chap ppp use-tacacs Step 2 If the commands are not present, add them to the configuration. |
| No CHAP supplementary file defined on XTACACS server | Step 1 Check to see if there is a CHAP supplementary file defined on the XTACACS server. This file should be located in the xtacacsd directory.
Step 2 If there is not, create a supplementary file. The file should contain a list of usernames and cleartext CHAP passwords in the following format: user:#:#:ARAP password:CHAP password
Note: You cannot use /etc/passwd with CHAP. Step 3 Once the supplementary file is created, restart the XTACACS daemon with the following command: xtacacsd -s -l -f supplementary-filename
|
| Step 1 Make sure that the appropriate username and password pairs are contained in the /etc/passwd file.
Step 2 If the appropriate users are not specified, generate a new user with the correct username and password using the add user command. | |
| IP connectivity problem | For information on troubleshooting IP connectivity, see the "Troubleshooting TCP/IP" chapter. |
The following procedures describe the steps required to recover a lost login or enable password. The procedure differs depending on the platform and the software used, but in all cases, password recovery requires that the router be taken out of operation and powered down.
If you need to perform one of the following procedures, make certain that there are secondary systems that can temporarily serve the functions of the router undergoing the procedure. If this is not possible, advise all potential users and, if possible, perform the procedure during low-use hours.
All of the procedures for recovering lost passwords depend upon changing the configuration register of the router. Depending on the platform and software you are using, this will be done by reconfiguring the router software or by physically moving a jumper or DIP switch on the router.
Table 22-11 shows which platforms have configuration registers in software and which require that you change the jumper or DIP switch position to change the configuration register.
More recent Cisco platforms run from Flash memory or are netbooted and can ignore the contents of NVRAM upon booting. (Cisco 7000 series routers that boot from Flash memory or netboot have this capability as well; a Cisco 7000 that boots from ROM has this capability if it is running Cisco IOS Release 10.0 or later.) Ignoring the contents of NVRAM permits you to bypass the configuration file (which contains the passwords) and gain complete access to the router. You can then recover the lost password or configure a new one.
Figure 22-1 shows a flow chart describing the password recovery procedure for the following platforms:
Some of these platforms are configurable in software. Others require that you physically change the position of the configuration register jumper on the processor card. Figure 22-1 shows diverging paths, when necessary, to take you through the steps required for the platform and software with which you are working.
Refer to Table 22-11 to determine if the platform with which you are working is configurable in software, or if it requires you to physically move the jumper.
The following procedure describes the password recovery process for the following platforms only:
For the platforms listed, be certain to follow the path labeled "Cisco 2000, 2500, 3000, 4000 series; Cisco 7000 series running Software Release 9.17(4) or later (Flash/netboot) or Cisco IOS Release 10.0 or later (ROM); IGS running Software Release 9.1 or later " in the flowchart (see Figure 22-1).
For the step-by-step password recovery sequence for other platforms, see one of the following sections: "Password Recovery Procedure," "Password Recovery Procedure," "Password Recovery Procedure," or "Password Recovery Procedure."
Following is the password-recovery procedure for Cisco platforms running current Cisco IOS software:
Step 1 Power cycle the router.
Step 2 Use the break key sequence for your terminal or terminal emulation software within 60 seconds of turning on the power.
The ROM monitor (>) prompt will appear.
Step 3 Enter the command, e/s 2000002. (For Cisco 7000 series routers, enter e/s XXXXXXXX.) This command examines the short (16-bit) memory location for the software configuration register.
Record the output resulting from this command. This is the software configuration register value.
Step 4 Enter q (quit) to return to the ROM monitor (>) prompt.
Step 5 Enter the o/r 0x42 command. The value 42 sets the software configuration register bit to position 6, which allows the router to ignore the contents of NVRAM when booting. (Be sure to enter 0x followed by the configuration register value.)
Step 6 Enter i (initialize) at the ROM monitor (>) prompt. The router will reboot.
Step 7 Answer no to all of the Setup questions.
Step 8 Enter the enable EXEC command at the Router> prompt.
Step 9 Enter the show startup-config or show configuration privileged EXEC command to see if your password is clear text (is not encrypted) or if it is encrypted.
Step 10 If your password is clear text, proceed to Step 14.
or
If your password is encrypted, continue with Step 11.
Step 11 If your password is encrypted, enter the configure memory privileged EXEC command. This transfers the stored configuration into running memory.
Step 12 Enter the configure terminal privileged EXEC command to enter router configuration mode.
Step 13 If you lost the enable password, use the enable-password global configuration command to configure a new password and press ^Z to exit configuration mode.
If you lost the login password, configure the console line using the login and password line configuration commands. Enter ^Z to exit configuration mode and proceed to Step 15.
Step 14 If you lost the enable password, locate the enable-password global configuration command entry in the configuration and record the password.
If you lost the login password, find the configuration entries for the console line and record the password indicated by the password line configuration command.
Step 15 Use the copy running-config startup-config or write memory privileged EXEC command to write the configuration into running memory.
 | Caution Issuing the copy running-config startup-config or write memory command at this point on a Cisco 2500, Cisco 3000, or Cisco 4000 will overwrite the configuration. Make certain you have a backup of your configuration file. |
Step 16 The router is now fully functional, and you can use your recovered or reconfigured passwords as usual.
Step 17 In privileged EXEC mode, enter router configuration mode using the configure terminal privileged EXEC command.
Step 18 Change the software configuration register to its original value using the config-register global configuration command. You must enter 0x and then the software configuration register value that you recorded in Step 3. Using the example value of 2102, the command would be config-register 0x2102.
Step 19 Exit from router configuration mode by entering ^Z.
The next time the router is power cycled or restarted with the reload privileged EXEC command, the bootup process will proceed as normal. Use your new or recovered password to gain access to the router after it reboots.
The Cisco CGS, MGS, AGS, and AGS+ platforms, and Cisco 7000 series routers running software prior to Cisco IOS Release 10.0 from ROM, all have their configuration registers in hardware, so you must physically change the position of the configuration register jumper during the password recovery process.
It might be necessary to remove the processor card from the router chassis in order to access the hardware configuration register jumper. Consult your hardware documentation for detailed instructions on removing and inserting the processor card from the router chassis if necessary.
Moving the hardware configuration register jumper to bit position 6 allows the router to ignore the contents of NVRAM while booting. This permits you to bypass the configuration file (and therefore the passwords) and gain complete access to the router. You can then recover the lost password or configure a new one.
Figure 22-1 shows a flow chart describing the password recovery procedure for the following platforms:
Some of these platforms are configurable in software and do not require a hardware change. Others require that you physically change the position of the configuration register jumper on the processor card. Figure 22-1 takes you through the steps required for the platform and software with which you are working, and shows diverging paths when necessary to account for platform-specific requirements.
Refer to Table 22-11 to determine if the platform on which you are working is configurable in the software, or if it requires you to physically move the jumper.
The following textual procedure describes the password recovery process for the following platforms only:
For these platforms, follow the path labeled "Cisco CGS, MGS, AGS, AGS+ running Software Release 9.1(7) or later; Cisco 7000 series running Software Release 9.17(4) through 9.21 from ROM" in the flowchart (see Figure 22-1).
For the step-by-step password recovery sequence for other platforms, see one of the following sections: "Password Recovery Procedure," "Password Recovery Procedure," "Password Recovery Procedure," or "Password Recovery Procedure."
Following is the password-recovery procedure for Cisco platforms running recent software releases:
Step 1 Power down the router.
Step 2 Change the hardware configuration register by moving the jumper from bit position 0 (zero) or 1 to bit position 6.
This will force the router to ignore the contents of NVRAM, and therefore the configuration file, after it loads the operating system. Note the original position of the jumper.
Step 3 Power up the router.
The router will boot but will ignore the contents of NVRAM and enter the Setup routine.
Step 4 Answer no to all of the Setup questions.
The Router> prompt appears.
Step 5 Enter the enable EXEC command.
Step 6 Enter the show configuration privileged EXEC command to see if the password is clear text (is not encrypted) or if it is encrypted.
If the password is clear text, go to Step 10. If the password is encrypted, continue with Step 7.
Step 7 If the password is encrypted, enter the configure memory privileged EXEC command. This writes the stored configuration into running memory.
Step 8 Enter the configure terminal privileged EXEC command to enter router configuration mode.
Step 9 If you have lost the enable password, use the enable-password global configuration command to configure a new password.
If you have lost the login password, configure the console line with a new login password using the login and password line configuration commands. Press ^Z to exit configuration mode. Proceed to Step 11.
Step 10 If you have lost the enable password, locate the enable-password global configuration command entry and record the password.
If you have lost the login password, find the configuration entries for the console line and record the password indicated by the password line configuration command.
Step 11 Use the write memory privileged EXEC command to write the configuration into running memory.
Step 12 The router is now fully functional and you can use your recovered or reconfigured passwords as usual.
Step 13 Power down the router.
Step 14 Move the hardware configuration register jumper from bit position 6 to its original position (the position you noted in Step 2).
It might be necessary to remove the processor card to gain access to the jumper. Consult your hardware documentation for complete instructions on removing and inserting the processor card if necessary. If you had to remove the processor card, reinsert it before continuing.
Step 15 Power up the router. Use your new or recovered password to gain access to the router.
Cisco CGS, MGS, AGS, and AGS+ platforms, and Cisco 7000 series routers running software prior to Cisco IOS Release 10.0 from ROM, all have their configuration registers in the hardware, so you must physically change the position of the configuration register jumper during the password recovery process.
It might be necessary to remove the processor card from the router chassis in order to access the hardware configuration register jumper. Consult your hardware documentation for detailed instructions on removing and inserting the processor card from the router chassis if necessary.
Figure 22-2 shows a flowchart that describes the password recovery procedure for the following platforms:
The step-by-step procedure that follows and the password recovery flow chart shown in Figure 22-2 apply only to the indicated platforms running the indicated software. There is another procedure for recovering a password on these platforms if they are running more recent software. See the previous section, "Password Recovery Procedure."
Following is the password-recovery procedure for Cisco platforms running earlier software releases:
Step 1 Power down the router.
Step 2 Change the hardware configuration register by moving the jumper from bit position 0 (zero) or 1 to bit position 15.
Note the original position of the jumper.
Step 3 Power up the router. The ROM monitor (>) prompt appears.
Step 4 Enter b (bootstrap) at the (>) prompt.
Step 5 Press the Return key until the Test-System> prompt appears.
Step 6 Enter privileged mode by issuing the enable EXEC command.
Step 7 Enter the show configuration privileged EXEC command to see if the password is clear text (is not encrypted) or if it is encrypted.
If the password is clear text, go to Step 12.
or
If the password is encrypted, continue with Step 8.
Step 8 If the password is encrypted, enter the configure memory privileged EXEC command.
This writes the stored configuration into running memory.
Step 9 Enter the configure terminal privileged EXEC command to enter router configuration mode.
Step 10 If you have lost the enable password, use the enable-password global configuration command to configure a new password and press ^Z to exit configuration mode.
If you have lost the login password, configure the console line with a new password using the login and password line configuration commands. Press ^Z to exit configuration mode.
Step 11 Use the write memory privileged EXEC command to write the configuration into running memory. Proceed to Step 13.
Step 12 If you have lost the enable password, locate the enable-password global configuration command entry in the configuration and record the password.
If you have lost the login password, find the configuration entries for the console line and record the password indicated by the password line configuration command. Do not make configuration changes or use the write memory command at this time.
Step 13 Power down the router.
Step 14 Remove the processor card and move the hardware configuration register jumper from bit position 15 to its original position (the position you noted in Step 2).
Step 15 Power up the router. Use your new or recovered password to gain access to the router.
Cisco IGS routers have a bank of DIP switches located on the rear panel. These DIP switches are used to set the hardware configuration register and must used in the password recovery process if the router is running system software prior to Software Release 9.1.
Figure 22-3 shows the password recovery procedure for the Cisco IGS running software prior to Software Release 9.1. There is another procedure for the IGS platform if it is running Software Release 9.1 or later. See the section "Password Recovery Procedure."
Following is the password-recovery procedure for IGS routers running software prior to Software Release 9.1:
Step 1 Power down the router.
Step 2 Record the settings of the DIP switches located on the rear panel of the router. You will need to return these switches to their original positions after you have recovered your password.
Step 3 Set switch number 7 to the ON position (down).
Step 4 Set switches 0-3 to the OFF position (up).
Step 5 Power up the router.
The router will boot up, and the terminal will display the ROM monitor (>) prompt.
Step 6 Enter b (bootstrap) at the (>) prompt.
Step 7 Press the Return key until the Test-System> prompt appears.
Step 8 Enter the enable privileged EXEC command at the Test-System> prompt.
Step 9 If the password is clear text (is not encrypted), go to Step 14.
If the password is encrypted, continue with Step 10.
Step 10 If the password is encrypted, enter the configure memory privileged EXEC command. This writes the stored configuration into running memory.
Step 11 Enter the configure terminal privileged EXEC command to enter router configuration mode.
Step 12 If you have lost the enable password, use the enable-password global configuration command to configure a new password and press ^Z to exit configuration mode.
If you have lost the login password, configure a new password on the console line using the login and password line configuration commands. Press ^Z to exit configuration mode.
Step 13 Enter the write memory privileged EXEC command to write the configuration changes into stored memory. Proceed to Step 16.
Step 14 If your password is clear text (is not encrypted), enter the show configuration privileged EXEC command.
Step 15 If you have lost the enable password, locate the enable-password global configuration command entry in the configuration and record the password.
If you have lost the login password, find the configuration entries for the console line and record the password indicated by the password line configuration command. Do not make configuration changes or use the write memory command at this time.
Step 16 Power down the router.
Step 17 Return the hardware configuration register DIP switches located on the back panel of the router to their original settings (the settings you noted in Step 2).
Step 18 Power up the router. Use your new or recovered password to gain access to the router.
Lost passwords cannot be recovered from Cisco 500-CS communication servers. The only way to recover from a lost password is to return the communication server to its factory default configuration using the reset button located on the top of the case.
The following procedure describes how to restore the Cisco 500-CS to its default configuration.
| Caution When you perform this procedure, your configuration will be lost. |
Step 1 Power down the communication server.
Step 2 Press and hold down the reset button on the top of the case while turning on the power to the communication server.
Step 3 The 500-CS is returned to its factory default configuration.
You must reconfigure the communication server.
|
|