RE: Cisco 3560 switch has a ghost in it...keeps trying to auth

From: Travis Niedens <niedentj_at_hotmail.com>
Date: Thu, 7 Oct 2010 16:17:48 -0700

Nothing plugged into the console port that might be shorted out?

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Brad Ellis
Sent: Thursday, October 07, 2010 3:52 PM
To: Cisco certification
Subject: Cisco 3560 switch has a ghost in it...keeps trying to auth to an ACS server

Crazy stuff...but I thought this would make an interesting problem for
people to think about.

Every 60 seconds or so:

Oct 7 22:53:21.317: AAA/MEMORY: free_user_quiet (0x27804D8) user='' ruser='NULL' port='tty0' rem_addr='async' authen_type=1 service=1 priv=1
Oct 7 22:53:21.317: AAA: parse name=tty0 idb type=-1 tty=-1
Oct 7 22:53:21.317: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Oct 7 22:53:21.317: AAA/MEMORY: create_user (0x27804D8) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): port='tty0' list='' action=LOGIN service=LOGIN
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): using "default" list
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): Method=tacacs+ (tacacs+)
Oct 7 22:53:21.317: TAC+: send AUTHEN/START packet ver=192 id=1037375110
Oct 7 22:53:21.569: TAC+: ver=192 id=1037375110 received AUTHEN status = GETUSER
Oct 7 22:53:21.569: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:21.644: AAA/AUTHEN/CONT (1037375110): continue_login (user='(undef)')
Oct 7 22:53:21.644: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:21.644: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+)
Oct 7 22:53:21.644: TAC+: send AUTHEN/CONT packet id=1037375110
Oct 7 22:53:21.846: TAC+: ver=192 id=1037375110 received AUTHEN status = GETUSER
Oct 7 22:53:21.846: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:28.179: AAA/AUTHEN/CONT (1037375110): continue_login (user='')
Oct 7 22:53:28.179: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:28.179: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+)
Oct 7 22:53:28.179: TAC+: send AUTHEN/CONT packet id=1037375110
Oct 7 22:53:28.380: TAC+: ver=192 id=1037375110 received AUTHEN status = GETPASS
Oct 7 22:53:28.380: AAA/AUTHEN (1037375110): status = GETPASS
Oct 7 22:53:30.301: AAA/AUTHEN/CONT (1037375110): continue_login (user='x~xxxx')
Oct 7 22:53:30.310: AAA/AUTHEN (1037375110): status = GETPASS
Oct 7 22:53:30.310: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+)
Oct 7 22:53:30.310: TAC+: send AUTHEN/CONT packet id=1037375110
Oct 7 22:53:30.813: TAC+: ver=192 id=1037375110 received AUTHEN status = FAIL
Oct 7 22:53:30.813: AAA/AUTHEN (1037375110): status = FAIL
Oct 7 22:53:32.818: AAA/AUTHEN/ABORT: (1037375110) because Login timed out.
Oct 7 22:53:32.818: TAC+: send abort reason=Login timed out

I haven't figured this one out yet.

thanks,
Brad Ellis
CCIE#5796 (R&S / Security)
CCSI# 30482
CEO / President
CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)

Received on Thu Oct 07 2010 - 16:17:48 ART
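
An added example, not part of either poster's message: a Python script that groups the AAA/AUTHEN debug entries quoted above by session id and reports the port, the status transitions, the values entered at each prompt, and the abort reason. The function names are hypothetical, and tty0 is assumed to be the console line.

```python
import re
from collections import defaultdict

# Entries copied from the debug output above, one per line (a subset).
SAMPLE = """\
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): port='tty0' list='' action=LOGIN service=LOGIN
Oct 7 22:53:21.569: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:21.644: AAA/AUTHEN/CONT (1037375110): continue_login (user='(undef)')
Oct 7 22:53:21.846: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:28.179: AAA/AUTHEN/CONT (1037375110): continue_login (user='')
Oct 7 22:53:28.380: AAA/AUTHEN (1037375110): status = GETPASS
Oct 7 22:53:30.301: AAA/AUTHEN/CONT (1037375110): continue_login (user='x~xxxx')
Oct 7 22:53:30.813: AAA/AUTHEN (1037375110): status = FAIL
Oct 7 22:53:32.818: AAA/AUTHEN/ABORT: (1037375110) because Login timed out.
"""

# Matches "AAA/AUTHEN", "AAA/AUTHEN/START", "/CONT" and "/ABORT:" entries.
ENTRY = re.compile(
    r"^\w{3}\s+\d+\s+[\d:.]+: AAA/AUTHEN(?P<kind>/\w+)?:? "
    r"\((?P<sid>\d+)\):?\s*(?P<rest>.*)$")

def summarize(log):
    """Group AAA/AUTHEN debug entries by session id."""
    sessions = defaultdict(
        lambda: {"port": None, "states": [], "inputs": [], "abort": None})
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        s, kind, rest = sessions[m["sid"]], m["kind"], m["rest"]
        if kind == "/START" and (p := re.search(r"port='([^']*)'", rest)):
            s["port"] = p.group(1)
        elif kind == "/CONT" and (u := re.search(r"user='([^']*)'", rest)):
            s["inputs"].append(u.group(1))  # user= field of continue_login
        elif kind == "/ABORT":
            s["abort"] = re.sub(r"^because ", "", rest).rstrip(".")
        elif kind is None and (st := re.search(r"status = (\w+)", rest)):
            # The status is logged more than once per step; keep transitions.
            if not s["states"] or s["states"][-1] != st.group(1):
                s["states"].append(st.group(1))
    return dict(sessions)

def console_failures(sessions):
    """Session ids on tty0 that ended in FAIL or were aborted."""
    return [sid for sid, s in sessions.items()
            if s["port"] == "tty0"
            and (s["states"][-1:] == ["FAIL"] or s["abort"])]
```

Run over a longer capture, a session id recurring on tty0 at a fixed interval with a FAIL or abort each time matches the pattern described in the original message.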
