[c-nsp] debug to see what IP is trying to log in via telnet
Alexander Clouter
alex at digriz.org.uk
Wed Feb 23 18:10:54 EST 2011
Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
>
>> This seems to come back with the info in the log:
>> login on-failure log
>>
>> sh log shows this:
>> Feb 23 15:39:53.667: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: X.X.X.X] [localport: 23] [Reason: Login Authentication Failed] at 15:39:53 EST Wed Feb 23 2011
>
> oh, if only all devices had that option :-)
>
> works fine on 6500's but no show on 29xx it seems. oh well, I'm going to sniff a trunk
> link tomorrow
>
...or with 'aaa-model' use something like:
----
aaa authentication login ssh local group login
aaa group server radius login
server 1.2.3.4 auth-port 1645 acct-port 1646
ip radius source-interface Loopback0
radius-server host 1.2.3.4 auth-port 1645 acct-port 1646 .....
----
Then your local user accounts are tried first and all the remaining guff
goes to a RADIUS server. That is assuming something is not clobbering
the local account and trying for random things.
This is what we do for our switches. Typically we log in as ourselves
(rancid also has a local login), but we always have the "eek RADIUS is
dead and we need to log into the switch to fix RADIUS networking stuff"
account too.
Cheers
--
Alexander Clouter
.sigmonster says: Bigamy is having one spouse too many. Monogamy is the same.
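As an added example (not part of the original thread or of anyone's posted config), here is a small Python parser for the %SEC_LOGIN-4-LOGIN_FAILED lines that `login on-failure log` produces, so the source addresses in `show log` can be tallied instead of read by eye. The sample log lines are constructed from the format quoted above; the addresses are documentation ranges, and the LOGIN_SUCCESS line is only there to show that non-failure messages are skipped.

```python
import re
from collections import Counter

# Regex for the IOS %SEC_LOGIN-4-LOGIN_FAILED message format quoted in the thread.
# The user field may be empty ("[user: ]"), exactly as in the sample in the post.
LOGIN_FAILED_RE = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    r"\[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<source>[^\]]+)\] "
    r"\[localport: (?P<port>\d+)\] "
    r"\[Reason: (?P<reason>[^\]]+)\]"
)

def parse_login_failures(lines):
    """Yield (user, source, localport, reason) for each LOGIN_FAILED line; skip the rest."""
    for line in lines:
        m = LOGIN_FAILED_RE.search(line)
        if m:
            yield (m.group("user").strip(), m.group("source"),
                   int(m.group("port")), m.group("reason"))

def failures_by_source(lines):
    """Count failed logins per source IP address."""
    return Counter(src for _, src, _, _ in parse_login_failures(lines))

def noisy_sources(lines, threshold=3):
    """Return (source, count) pairs at or above `threshold`, most frequent first."""
    counts = failures_by_source(lines)
    return [(src, n) for src, n in counts.most_common() if n >= threshold]

# Constructed sample 'show log' output (not real hosts; addresses from RFC 5737 ranges).
SAMPLE_LOG = """\
Feb 23 15:39:53.667: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.0.2.10] [localport: 23] [Reason: Login Authentication Failed] at 15:39:53 EST Wed Feb 23 2011
Feb 23 15:39:55.102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 23] [Reason: Login Authentication Failed] at 15:39:55 EST Wed Feb 23 2011
Feb 23 15:40:01.330: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alex] [Source: 198.51.100.7] [localport: 22] at 15:40:01 EST Wed Feb 23 2011
Feb 23 15:40:07.918: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.10] [localport: 23] [Reason: Login Authentication Failed] at 15:40:07 EST Wed Feb 23 2011
Feb 23 15:41:12.004: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: alex] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 15:41:12 EST Wed Feb 23 2011
""".splitlines()

if __name__ == "__main__":
    # Feed this the output of 'show log' (one line per message) for a real tally.
    for src, n in noisy_sources(SAMPLE_LOG):
        print(f"{src}: {n} failed logins")
```

Pipe `show log` output through it on the management host; the single failure from 198.51.100.7 stays below the threshold while the repeated attempts from 192.0.2.10 are reported.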