ATM and Layer 3 Switch Router Troubleshooting Guide, OL-1969-01
Appendix B  Troubleshooting TACACS+ and Recovering Passwords
Final draft, Cisco confidential, 2/13/02

Recovering a Lost Password
This section describes the procedure for recovering a lost login or enable password. The procedure
differs depending on the platform and the software used, but in all cases password recovery requires that
the switch router be taken out of operation and powered down.
If you need to perform the following procedure, make certain that secondary systems can temporarily
take over the functions of the switch router undergoing the procedure. If this is not possible, advise all
potential users and, if possible, perform the procedure during low-use hours. Because the same procedure
is available to anyone who can power-cycle the switch router and reach its console, restrict physical and
console access to the device.
Note: Make a note of your password and store it in a secure place.
Table B-5 TACACS+: Users Cannot Log in Using TACACS+ (continued)

Possible Problem: CHAP(4) is misconfigured

Solution:
1. Use the show running-config privileged EXEC command to make sure your configuration includes the
   following global configuration command:
   aaa authentication ppp default if-needed tacacs+
2. If the command is not present, add it to the configuration.
3. In addition, check the configuration of the async interface being used. The interface must have the
   following commands configured:
   encapsulation ppp
   ppp authentication chap
4. If these commands are not present, add them to the interface configuration.
5. Make sure that the entry for the user in your daemon configuration file, located in the tac_plus.2.1
   directory, includes one of the following lines, as appropriate:
   chap = cleartext password
   or
   global = cleartext password
   CHAP requires the daemon to hold the user's password in cleartext (a one-way hash cannot answer a
   CHAP challenge), so restrict read access to this configuration file.

Possible Problem: Username and password are not in the /etc/passwd file

Solution:
1. Check to make sure that the appropriate username and password pairs are contained in the /etc/passwd
   file.
2. If the appropriate users are not specified, create the user with the correct username and password,
   using the adduser command.

Possible Problem: There is no TCP connection to the TACACS+ daemon

Solution:
1. From the switch router, use Telnet to try to connect to port 49 on the TACACS+ daemon host.
2. If the attempt to connect via Telnet is unsuccessful, make sure the daemon is running. For more
   information, see the "Daemon Is Not Up and Running" section on page B-3.
3. If the daemon is running but the Telnet connection times out, check IP connectivity between the
   switch router and the daemon host.

1. DNS = Domain Name System
2. PPP = Point-to-Point Protocol
3. PAP = Password Authentication Protocol
4. CHAP = Challenge Handshake Authentication Protocol
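The "no TCP connection" row above tells steps 2 and 3 apart by how the Telnet attempt fails: a connection that is refused means the host answers but nothing listens on port 49 (the daemon is down), while a connection that times out means the SYN is never answered (an IP connectivity, ACL or firewall problem). The following script is an added example, not part of the Cisco guide; it reproduces that classification from a UNIX host (for example, the daemon host itself or a management station), not from the switch router, which uses its own telnet command. It assumes bash (for the /dev/tcp pseudo-device) and the coreutils timeout command are installed; the host name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): classify a TCP connection
# attempt to the TACACS+ port so that "daemon not running" and
# "no IP connectivity" can be told apart. Assumes bash (/dev/tcp) and
# coreutils timeout; both are invoked explicitly so that this file itself
# can run under plain /bin/sh.

TACACS_PORT=49   # TACACS+ listens on TCP port 49

# tacacs_tcp_check HOST [PORT] [TIMEOUT_SECONDS]
# Prints one word and returns a matching status:
#   connected (0) : something is listening on the port
#   refused   (1) : host reachable, nothing listening -> daemon is not running
#   timeout   (2) : no answer at all -> check IP connectivity, ACLs, firewalls
#   error     (3) : any other connect failure (no route, name lookup, ...)
tacacs_tcp_check() {
    host=$1
    port=${2:-$TACACS_PORT}
    secs=${3:-5}
    rc=0
    # bash's /dev/tcp/HOST/PORT redirection performs a plain TCP connect.
    # timeout kills it with status 124 if the connection is never answered.
    # stderr is captured so the kernel's error text can be inspected.
    err=$(timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>&1 >/dev/null) || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo connected
        return 0
    elif [ "$rc" -eq 124 ]; then
        echo timeout
        return 2
    else
        case $err in
            *refused*) echo refused;        return 1 ;;
            *)         echo "error: $err";  return 3 ;;
        esac
    fi
}

# Usage (hypothetical host name): sh tacacs_check.sh tacacs-daemon.example.net
if [ $# -ge 1 ]; then
    tacacs_tcp_check "$@"
fi
```

A result of connected only shows that a process accepts connections on port 49; it says nothing about whether the shared key configured on the switch router matches the one in the daemon configuration, which is checked separately.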