LightStream 1010 ATM Switch Troubleshooting Guide
Troubleshooting Security Implementations
Download this chapter
Troubleshooting Security ImplementationsTroubleshooting Security Implementations
give_us_feedback

Table of Contents

Troubleshooting TACACS+ and Recovering Passwords
 Errors Unarchiving Source File
 Cannot Compile Daemon
 Daemon Is Not Up and Running
 Daemon Does Not Run
 Users Cannot Connect Using TACACS+
 Recovering a Lost Password

Troubleshooting TACACS+ and Recovering Passwords

This chapter describes troubleshooting information relating to security implementations and contains the following sections:

If you want detailed information about configuring and using Terminal Access Controller Access Control System+ (TACACS+), refer to the LightStream 1010 ATM Switch Software Configuration Guide and LightStream 1010 ATM Switch Software Command Reference publication. In addition, for TACACS+, download the TACACS+ User Guide from the TACACS+ Software Images page on Cisco Connection Online.

Errors Unarchiving Source File

Symptom: Errors are generated when unarchiving the TACACS+ archive file (tac_plus.2.1.tar).

Table 8-1 outlines the problems that might cause this symptom and describes solutions to those problems.

Table 8-1   TACACS+: Errors Unarchiving Source File

Possible Problem Solution

Archive file was not transferred using FTP1 binary (image) mode

The TACACS+ archive file must be transferred using FTP binary (image) mode. FTP the tac_plus.2.1.tar file again using FTP binary transfer mode. From the FTP command line, enter the image command to set the image mode. For other FTP software, refer to your documentation for instructions on setting the image mode.

Insufficient disk space

Make sure there is sufficient disk space for the expanded tac_plus.2.1.tar file. If there is not enough space on your UNIX system, create enough free disk space to accommodate decompression of the file. TACACS+ requires about 900 KB.
1FTP = File Transfer Protocol

Cannot Compile Daemon

Symptom: Attempts to compile the TACACS+ daemon result in errors.

Table 8-2 outlines the problems that might cause this symptom and describes solutions to those problems.

Table 8-2   TACACS+: Cannot Compile Daemon

Possible Problem Solution

make is not in $PATH or is not installed on the UNIX machine

 Step 1. Enter the command which make at the UNIX prompt. If the output says "No make in $PATH...," make is not in the specified path or is not installed.

Step 2. If make is already installed, modify the $PATH variable to include the directory in which make is located.

If make is not installed, see your system administrator for help installing it.

Step 3. Compile the TACACS+ daemon again.

gcc is not in $PATH or is not installed correctly

 Step 1. Enter the command which gcc at the UNIX prompt. If the output says "No gcc in $PATH...," gcc is not in the specified path or is not installed.

Step 2. If gcc is already installed, modify the $PATH variable to include the directory in which gcc is located.

If gcc is not installed, ask your system administrator to install it.

Step 3. Compile the TACACS+ daemon again.

UNIX platform is commented out or is not in the Makefile

Your UNIX platform must be listed and uncommented in the Makefile for make to compile the TACACS+ source code properly. The Makefile is located in the tac_plus.2.1 directory.

Step 1. Make sure that your UNIX platform is not commented out in the Makefile.

Step 2. If your platform is not listed at all, see your system administrator for help compiling the source code. The only supported platforms are those listed in the Makefile.

Step 3. Compile the TACACS+ daemon again.

Daemon Is Not Up and Running

Symptom: The TACACS+ daemon is not running.

Table 8-3 outlines the problems that might cause this symptom and describes solutions to those problems.

Table 8-3   TACACS+: Daemon Is Not Up and Running

Possible Problem Solution

TACACS+ has not been launched

Launch TACACS+ with the command tac_plus -C configuration filename.

TACACS+ is not specified in the /etc/services file

 Step 1. Check the /etc/services file for the following line:
tacacs 49/tcp
 

Step 2. This line must be included in the file. If the line is not present, add the line to the file.

The tac_plus executable does not exist

The TACACS+ daemon cannot run if the tac_plus executable does not exist.

Step 1. Check the directory where you installed tac_plus.2.1 to see if the tac_plus file exists.

Step 2. If the file does not exist, use the make tac_plus command to compile tac_plus.

Daemon Does Not Run

Symptom: The TACACS+ daemon does not run when invoked.

Table 8-4 outlines the problems that might cause this symptom and describes solutions to those problems.

Table 8-4   TACACS+: Daemon Does Not Run

Possible Problem Solution

TACACS+ configuration file is not present

 Step 1. Check the directory in which you installed TACACS+ for a configuration file in the TACACS+ format.

Step 2. If there is no TACACS+ configuration file present and you are upgrading from XTACACS, convert your password file into a configuration file by issuing the following command:

unix_host% convert.pl /etc/passwd > configuration-file
 

The configuration file can have any name you want.

Step 3. If there is no TACACS+ configuration file present, create one using a text editor. At a minimum, the configuration file must contain the following text:

user = userid {
login = cleartext "passwd"
}
 

The configuration file can have any name you want.

For more information, refer to the user's guide located in the tac_plus.2.1 directory.

Users Cannot Connect Using TACACS+

Symptom: Users cannot log in using TACACS+. Either users cannot get the Username prompt or they get the prompt but authentication or authorization fails.

Table 8-5 outlines the problems that might cause this symptom and describes solutions to those problems.

Table 8-5   TACACS+: Users Cannot Log in Using TACACS+

Possible Problem Solution

Switch missing minimum configuration

 Step 1. Use the show running-config privileged EXEC command to view the local switch configuration. Look for the following commands:
aaa new-model
aaa authentication login default tacacs+ enable
[...]
tacacs-server host name
tacacs-server key key
 

where name is the IP address or DNS1 host name of the TACACS+ server and key is the authentication and encryption key.

Step 2. If all of these commands are not present, add the missing commands to the configuration. If there is no key configured on the TACACS+ daemon, the tacacs-server key command is not necessary.

aaa authorization command is present

 Step 1. Use the show running-config privileged EXEC command to view the local switch configuration. Look for an aaa authorization exec tacacs+ global configuration command entry.

Step 2. If the command is present, remove it from the configuration using the no version of the command.

PPP2 not functioning correctly

If PPP is not functioning properly, problems will occur when using TACACS+. Use the debug ppp negotiation privileged EXEC command to see if both sides are communicating.

For information on configuring PPP, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and Configuration Fundamentals Command Reference publications.

PAP3 is misconfigured

 Step 1. Use the show running-config privileged EXEC command to make sure your configuration includes the following global configuration command:
aaa authentication ppp default if-needed tacacs+
 

Step 2. If the command is not present, add it to the configuration.

Step 3. In addition, check the configuration of the async interface being used. The interface must have the following commands configured:

encapsulation ppp
ppp authentication pap
 

Step 4. If these commands are not present, add them to the interface configuration.

CHAP4 is misconfigured

 Step 1. Use the show running-config privileged EXEC command to make sure your configuration includes the following global configuration command:
aaa authentication ppp default if-needed tacacs+
 

Step 2. If the command is not present, add it to the configuration.

Step 3. In addition, check the configuration of the async interface being used. The interface must have the following commands configured:

encapsulation ppp
ppp authentication chap
 

Step 4. If these commands are not present, add them to the interface configuration.

Step 5. Make sure your daemon configuration file, located in the tac_plus.2.1 directory, includes one of the following lines, as appropriate:

chap = cleartext password
 

or

global = cleartext password

Username and password are not in the /etc/passwd file

 Step 1. Check to make sure that the appropriate username and password pairs are contained in the /etc/passwd file.

Step 2. If the appropriate users are not specified, generate a new user with the correct username and password using the add user command.

There is no TCP connection to the TACACS+ daemon

 Step 1. From the switch, try to connect to port 49 using Telnet on the TACACS+ daemon.

Step 2. If using Telnet is unsuccessful, make sure the daemon is running. For more information, refer to the section "Daemon Is Not Up and Running" earlier in this chapter.

Step 3. If the daemon is running but the Telnet connection times out, check the IP connectivity.
1DNS = Domain Naming System

2PPP = Point-to-Point Protocol

3PAP = Password Authentication Protocol

4Chap = Challenge Handshake Authentication Protocol

Recovering a Lost Password

This section describes the procedure to recover a lost login or to enable a password. The procedure differs depending on the platform and the software used, but in all cases, password recovery requires that the switch be taken out of operation and powered down.

If you need to perform the following procedure, make certain that there are secondary systems that can temporarily serve the functions of the switch undergoing the procedure. If this is not possible, advise all potential users and, if possible, perform the procedure during low-use hours.

Note      Make a note of your password, and store it in a secure place.

All of the procedures for recovering lost passwords depend on changing the configuration register of the switch. This is done by reconfiguring the switch software.

More recent Cisco platforms run from Flash memory or are netbooted from a network server and can ignore the contents of nonvolitile random-access memory (NVRAM) when booting. By ignoring the contents of NVRAM, you can bypass the configuration file (which contains the passwords) and gain complete access to the switch. You can then recover the lost password or configure a new one.

Note      If your password is encrypted, you cannot recover it. You must configure a new password.

Figure 8-1 is a flow chart of the password recovery procedure.


Figure 8-1   Password Recovery


Note      To complete this procedure, you must have a terminal or a personal computer (running terminal emulation software) connected to the console port of the switch. In addition, make sure you know the break command key sequence.

Following is the password-recovery procedure:

Step 1   Power the switch off and back on.

Step 2   Use the break key sequence for your terminal or terminal emulation software within 60 seconds of turning on the power.

The ROM monitor (>) prompt will appear.

Step 3   Enter the command, e/s 2000002. This command examines the short (16-bit) memory location for the software configuration register.

Record the output resulting from this command. This output is the software configuration register value.

Step 4   Enter q (quit) to return to the ROM monitor (>) prompt.

Step 5   Enter the o/r 0x42 command. The value 42 sets the software configuration register bit to position 6, which allows the switch to ignore the contents of NVRAM when booting. (Be sure to enter 0x followed by the configuration register value.)

Step 6   Enter i (initialize) at the ROM monitor (>) prompt. The switch reboots.

Step 7   Answer no to all of the Setup questions.

Step 8   Enter the enable EXEC command at the Switch> prompt.

Step 9   Enter the show startup-config or show configuration privileged EXEC command to see if your password is cleartext (is not encrypted) or if it is encrypted.

Step 10   If your password is cleartext, proceed to Step 14.

or

If your password is encrypted, continue with Step 11.

Step 11   If your password is encrypted, enter the configure memory privileged EXEC command. This transfers the stored configuration into running memory.

Step 12   Enter the configure terminal privileged EXEC command to enter switch configuration mode.

Step 13   If you lost the enabled password, use the enable-password global configuration command to configure a new password and press ^Z to exit configuration mode.

If you lost the login password, configure the console line using the login and password line configuration commands. Enter ^Z to exit configuration mode and proceed to Step 15.

Step 14   If you lost the enabled password, locate the enable-password global configuration command entry in the configuration and record the password.

If you lost the login password, find the configuration entries for the console line and record the password indicated by the password line configuration command.

Step 15   Use the copy running-config startup-config or write memory privileged EXEC command to write the configuration into running memory.

Caution Issuing the copy running-config startup-config or write memory command at this point will overwrite the configuration. Make certain you have a backup of your configuration file.

Step 16   The switch is now fully functional, and you can use your recovered or reconfigured passwords as usual.

Note Restore the software configuration register to its original value as soon as possible. If it is not returned to the value you noted in Step 3, the switch will always ignore the contents of NVRAM and enter the Setup routine upon booting. Continue with Step 17 to return the software configuration register to its original value.

Step 17   In privileged EXEC mode, enter switch configuration mode using the configure terminal privileged EXEC command.

Step 18   Change the software configuration register to its original value using the config-register global configuration command. Enter 0x and then the software configuration register value that you recorded in Step 3. Using the example value of 2102, the command would be config-register 0x2102.

Step 19   Exit from switch configuration mode by entering ^Z.

The next time the switch is power cycled or restarted with the reload privileged EXEC command, the bootup process will proceed as normal. Use your new or recovered password to gain access to the switch after it reboots.