2511 Access Server Reverse Telnet Authentication Issue

iprouteiproute Member Posts: 269
Greetings folks. Hope things have been going well. I've been out of the certification game for a little while (due to purchase of a house, marriage, new job, etc. etc.). I'm getting ready to restart CCNP though, oh joy :)

I'm seeing a very strange issue that I was hoping one of you gurus could perhaps shed some light on. First though, some back story.

I remembered that folks on this forum like to use the 2509/2511 for console access to their devices so I talked to my coworker about putting one in our data center with a dial up line for out of band access to our devices. Next thing I know, he comes back with a 2511, unearthed from the "pile" and I've been setting it up for the scenario described above.

We've not got our POTS line installed yet, but mostly everything else is done. I can reverse telnet from the 2511 to all of the attached devices. The problem I'm seeing though is that my username/password is failing. I can log on when directly connected to the devices in question via console cable, my coworker can log on via reverse telnet from the 2511 and console cable.

Needless to say, this implementation is of little use to me if I can't log on ;)

There is one solitary device of about 10 that I can log on to and it's a 2600 router with apparently the same console line configs as the other devices. The other inaccessible devices consist of blade center Cisco switches, ASA 5550s, Cat 4948s, F5s, and 2960Gs.

I've tried changing my password to something very uncomplex (I thought maybe the term server wasn't passing certain characters) to no avail.

Here's the config on the access server:
ACCESS_SERVER#sh run
Building configuration...

Current configuration : 5009 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ACCESS_SERVER
!
boot-start-marker
boot system flash:/c2500-i-l.123-26.bin
boot-end-marker
!
enable secret 5 XXXXX
!
clock timezone EST -5
clock summer-time EDT recurring
aaa new-model
!
!
aaa session-id common
ip subnet-zero
no ip domain lookup
ip domain name XXXXX
ip host XXXXX 2009 XXXXX
ip host XXXXX 2010 XXXXX
ip host XXXXX 2011 XXXXX
ip host XXXXX 2006 XXXXX
ip host XXXXX 2001 XXXXX
ip host XXXXX 2002 XXXXX
ip host XXXXX 2003 XXXXX
ip host XXXXX 2004 XXXXX
ip host XXXXX 2005 XXXXX
ip host XXXXX 2007 XXXXX
ip host XXXXX 2008 XXXXX
!
!
interface Ethernet0
 ip address XXXXX 255.255.255.0
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
ip default-gateway XXXXX
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 XXXXX
!
!
snmp-server community XXXXXRO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps syslog
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps config-copy
snmp-server enable traps bgp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps rtr
banner motd ^C
XXXXX
^C
!
line con 0
 exec-timeout 20 0
 password 7 XXXXX
 stopbits 1
line 1 5
 session-timeout 30 
 no flush-at-activation
 no exec
 transport input telnet
 transport output telnet
line 6
 session-timeout 30 
 no flush-at-activation
 no exec
 transport input telnet
 transport output telnet
 speed 38400
line 7 16
 session-timeout 30 
 no flush-at-activation
 no exec
 transport input telnet
 transport output telnet
line aux 0
 password 7 XXXXX
 modem InOut
 transport input all
 speed 38400
 flowcontrol hardware
line vty 0 4
 transport input telnet
!
ntp clock-period 17179969
ntp server XXXXX
end

Thoughts? Thanks in advance.
CCNP Progress
ROUTE [X] :: SWITCH [X] :: TSHOOT [X]

Comments

  • iprouteiproute Member Posts: 269
    Might help if I input some of the configs for the devices being accessed as well.

    Device that I can't access (Cat2960G):
    line con 0
     exec-timeout 30 0
     password 7 XXXXX
     stopbits 1
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local 
    aaa session-id common
    

    Device that I can access (2620):
    line con 0
     exec-timeout 30 0
     password 7 XXXXX
     stopbits 1
     speed 38400
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    
  • iprouteiproute Member Posts: 269
    So I've tried several different passwords. Some appear to work, some do not. This seems very irregular.

    I set my password to password_a on one of the previously inaccessible devices and it does not work. I set it to password_b and it allows me to log in.

    My show line looks like this. Maybe something's not being transmitted due to the noise?
    TERM_RTR#sh line
       Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
         0 CTY              -    -      -    -    -      3       0     0/0       -
         1 TTY   9600/9600  -    -      -    -    -     10     123     3/9       -
         2 TTY   9600/9600  -    -      -    -    -     23  440993 10331/17224   -
         3 TTY   9600/9600  -    -      -    -    -      6  162738  5052/10516   -
         4 TTY   9600/9600  -    -      -    -    -      4     227     2/6       -
         5 TTY   9600/9600  -    -      -    -    -      3     181     2/6       -
         6 TTY  38400/38400 -    -      -    -    -      9      54     0/0       -
         7 TTY   9600/9600  -    -      -    -    -      3      63     0/0       -
         8 TTY   9600/9600  -    -      -    -    -      3       0     0/0       -
         9 TTY   9600/9600  -    -      -    -    -      3      79     2/6       -
        10 TTY   9600/9600  -    -      -    -    -      2      19     0/0       -
        11 TTY   9600/9600  -    -      -    -    -      3   13461   395/791     -
        12 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
        13 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
        14 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
        15 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
        16 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
        17 AUX  38400/38400 - inout     -    -    -      0       0     0/0       -
    *   18 VTY              -    -      -    -    -     52       0     0/0       -
        19 VTY              -    -      -    -    -     31       0     0/0       -
        20 VTY              -    -      -    -    -      0       0     0/0       -
        21 VTY              -    -      -    -    -      0       0     0/0       -
        22 VTY              -    -      -    -    -      0       0     0/0       -
    
  • iprouteiproute Member Posts: 269
    Ok. For all you guys out there scratching your head, here was the cause and solution.

    I had different passwords on the 2 devices in question (the access server and the device I was trying to access). I knew that.

    However, I was entering the wrong password when being prompted. I should have been entering the access server password, but I was entering the other device's password.

    The reason it worked for my coworker is because he had the same pw on both devices.

    So... some serious user error here. Sorry for wasting the time of those who read it. I officially feel like an idiot :)
  • efxzefxz Registered Users Posts: 2
    Hello. I have the same access server as yours. Which radius/tacacs+ client are you using for authentication/authorization?

    Looks like in this forum there is no private message function?...
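
The resolution in this thread turns on which device issues the first login prompt during a reverse-telnet session. As an added example (not code from the thread or from Cisco), this Python function maps each async TTY line in an IOS config to its reverse-telnet TCP port (2000 + line number) and reports what the access server itself will ask for before the attached device's console prompt appears. It assumes that `aaa new-model` with no default login list falls back to local authentication on non-console lines; the function name and the sample config are constructed for illustration.

```python
import re

# Constructed excerpt modelled on the access-server config posted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
line con 0
 password 7 XXXXX
line 1 5
 no exec
 transport input telnet
line 6
 no exec
 transport input telnet
line aux 0
 transport input all
line vty 0 4
 transport input telnet
"""

def reverse_telnet_prompts(config):
    """Map reverse-telnet port -> TTY line and the access server's own login method."""
    aaa = re.search(r"^aaa new-model\s*$", config, re.M) is not None
    m = re.search(r"^aaa authentication login default (.+?)\s*$", config, re.M)
    # Assumption: with aaa new-model and no default list, IOS falls back to local.
    default_method = m.group(1) if m else "local"
    blocks, current = [], None
    for raw in config.splitlines():
        hdr = re.match(r"^line (\d+)(?: (\d+))?\s*$", raw)
        if hdr:  # numbered TTY range only; con/aux/vty headers do not match
            first = int(hdr.group(1)); last = int(hdr.group(2) or first)
            current = {"lines": range(first, last + 1), "input": "", "login": None}
            blocks.append(current)
        elif raw.startswith("line ") or not raw.startswith(" "):
            current = None  # left the numbered TTY block
        elif current is not None:
            cmd = raw.strip()
            if cmd.startswith("transport input "):
                current["input"] = cmd.split(None, 2)[2]
            elif cmd.startswith("login"):
                current["login"] = cmd  # per-line override, e.g. "login local"
    out = {}
    for blk in blocks:
        if not {"telnet", "all"} & set(blk["input"].split()):
            continue  # line does not accept inbound (reverse) telnet
        # None means the access server passes the session straight to the device.
        method = (blk["login"] or "aaa default: " + default_method) if aaa else blk["login"]
        for n in blk["lines"]:
            out[2000 + n] = {"line": n, "access_server_prompt": method}
    return out
```

For the sample, every port from 2001 to 2006 reports `aaa default: local`, so the first username/password prompt belongs to the access server and the attached device's console prompt only comes after it.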