Re: Cisco 3560 switch has a ghost in it...keeps trying to auth

From: Carlos G Mendioroz <tron_at_huapi.ba.ar>
Date: Fri, 08 Oct 2010 09:17:04 -0300

That would be "no exec" then...
You mean that whatever is playing the terminal server role to get to the
3560 console is also trying to authenticate someone connected to this
line, and so it is "fighting" with the 3560:

3560: Username: ?
TS: (received Username:) Password: ?
3560: (received Password:) Password: ?
TS: Password incorrect! Username: ?
...

-Carlos

Tyson Scott @ 8/10/2010 0:22 -0300 dixit:
> On the console device connected to the switches make sure there is "no exec",
> "stopbits 1", "modem InOut", and "flowcontrol hardware".
>
> I don't remember exactly which one fixes this issue.
>
> But essentially the terminal is sending characters to the 3560 that is
> causing the 3560 to authenticate the session.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: tscott_at_ipexpert.com
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Brad
> Ellis
> Sent: Thursday, October 07, 2010 7:54 PM
> To: Travis Niedens; Cisco certification
> Subject: RE: Cisco 3560 switch has a ghost in it...keeps trying to auth to
> an ACS server
>
> Yeah, bounced her already. I'm guessing there's something plugged into
> the con port as well...we'll have to see. :)
>
> thanks,
> Brad Ellis
> CCIE#5796 (R&S / Security)
> CCSI# 30482
> CEO / President
> CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)
> Email: brad_at_ccbootcamp.com
> Toll Free: 877-654-2243
> International: +1-702-968-5100
> Skype: skype:ccbootcamp?call
> FAX: +1-702-446-8012
> YES! We take Cisco Learning Credits!
> Training And Remote Racks: http://www.ccbootcamp.com
>
> -----Original Message-----
> From: Travis Niedens [mailto:niedentj_at_hotmail.com]
> Sent: Thursday, October 07, 2010 4:49 PM
> To: Brad Ellis; 'Cisco certification'
> Subject: RE: Cisco 3560 switch has a ghost in it...keeps trying to auth
> to an ACS server
>
> Unplug the cable? Reload ? Perhaps solar flares ? :) No tracebacks
> either?
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Brad Ellis
> Sent: Thursday, October 07, 2010 4:33 PM
> To: Travis Niedens; Cisco certification
> Subject: RE: Cisco 3560 switch has a ghost in it...keeps trying to auth
> to an ACS server
>
> It's actually happening on two 3560s, and only those... console port
> looks okay:
>
> (from one of them)
>
> C3560G-24PS #sh line con 0
> Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
> 0 CTY - - - - - 0 154 0/0 -
>
> Line 0, Location: "", Type: ""
> Length: 24 lines, Width: 80 columns
> Baud rate (TX/RX) is 9600/9600, no parity, 2 stopbits, 8 databits
> Status: Ready, 0x40000
> Capabilities: none
> Modem state: Ready
> Special Chars: Escape Hold Stop Start Disconnect Activation
> ^^x none - - none
> Timeouts: Idle EXEC Idle Session Modem Answer Session Dispatch
> never never none not set
> Idle Session Disconnect Warning
> never
> Login-sequence User Response
> 00:00:30
> Autoselect Initial Wait
> not set
> Modem type is unknown.
> Session limit is not set.
> Time since activation: never
> Editing is enabled.
> History is enabled, history size is 10.
> DNS resolution in show commands is enabled
> Full user help is disabled
> Allowed input transports are none.
> Allowed output transports are telnet.
> Preferred transport is telnet.
> No output characters are padded
> No special data dispatching characters
>
> It's happening on two out of 80 something switches...very weird.
>
> Both devices have the same config as about 100 other 3560s...the mystery
> continues! :)
>
> thanks,
> Brad Ellis
>
> -----Original Message-----
> From: Travis Niedens [mailto:niedentj_at_hotmail.com]
> Sent: Thursday, October 07, 2010 4:18 PM
> To: Brad Ellis; 'Cisco certification'
> Subject: RE: Cisco 3560 switch has a ghost in it...keeps trying to auth
> to an ACS server
>
> Nothing plugged into the console port that might be shorted out?
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Brad Ellis
> Sent: Thursday, October 07, 2010 3:52 PM
> To: Cisco certification
> Subject: Cisco 3560 switch has a ghost in it...keeps trying to auth to
> an ACS server
>
> Crazy stuff...but I thought this would make an interesting problem for
> people to think about.
>
> Every 60 seconds or so:
>
> Oct 7 22:53:21.317: AAA/MEMORY: free_user_quiet (0x27804D8) user='' ruser='NULL' port='tty0' rem_addr='async' authen_type=1 service=1 priv=1
> Oct 7 22:53:21.317: AAA: parse name=tty0 idb type=-1 tty=-1
> Oct 7 22:53:21.317: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
> Oct 7 22:53:21.317: AAA/MEMORY: create_user (0x27804D8) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
> Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): port='tty0' list='' action=LOGIN service=LOGIN
> Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): using "default" list
> Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): Method=tacacs+ (tacacs+)
> Oct 7 22:53:21.317: TAC+: send AUTHEN/START packet ver=192 id=1037375110
> Oct 7 22:53:21.569: TAC+: ver=192 id=1037375110 received AUTHEN status = GETUSER
> Oct 7 22:53:21.569: AAA/AUTHEN (1037375110): status = GETUSER
> Oct 7 22:53:21.644: AAA/AUTHEN/CONT (1037375110): continue_login (user='(undef)')
> Oct 7 22:53:21.644: AAA/AUTHEN (1037375110): status = GETUSER
> Oct 7 22:53:21.644: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+)
> Oct 7 22:53:21.644: TAC+: send AUTHEN/CONT packet id=1037375110
> Oct 7 22:53:21.846: TAC+: ver=192 id=1037375110 received AUTHEN status = GETUSER
> Oct 7 22:53:21.846: AAA/AUTHEN (1037375110): status = GETUSER
> Oct 7 22:53:28.179: AAA/AUTHEN/CONT (1037375110): continue_login (user='')
> Oct 7 22:53:28.179: AAA/AUTHEN (1037375110): status = GETUSER
> Oct 7 22:53:28.179: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+)
> Oct 7 22:53:28.179: TAC+: send AUTHEN/CONT packet id=1037375110
> Oct 7 22:53:28.380: TAC+: ver=192 id=1037375110 received AUTHEN status = GETPASS
> Oct 7 22:53:28.380: AAA/AUTHEN (1037375110): status = GETPASS
> Oct 7 22:53:30.301: AAA/AUTHEN/CONT (1037375110): continue_login (user='x~xxxx')
> Oct 7 22:53:30.310: AAA/AUTHEN (1037375110): status = GETPASS
> Oct 7 22:53:30.310: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+)
> Oct 7 22:53:30.310: TAC+: send AUTHEN/CONT packet id=1037375110
> Oct 7 22:53:30.813: TAC+: ver=192 id=1037375110 received AUTHEN status = FAIL
> Oct 7 22:53:30.813: AAA/AUTHEN (1037375110): status = FAIL
> Oct 7 22:53:32.818: AAA/AUTHEN/ABORT: (1037375110) because Login timed out.
> Oct 7 22:53:32.818: TAC+: send abort reason=Login timed out
>
> I haven't figured this one out yet.
>
> thanks,
> Brad Ellis
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Carlos G Mendioroz  <tron_at_huapi.ba.ar>  LW7 EQI  Argentina
Received on Fri Oct 08 2010 - 09:17:04 ART
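
A check for the pattern in the debug output quoted in this thread, as an added example that is not part of the original messages: it groups `AAA/AUTHEN` debug lines by session id and reports ports with repeated FAIL plus "Login timed out" sessions, along with the gap in seconds between them. The sample log is constructed in the format quoted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the AAA debug lines quoted in the
# thread; the second and third sessions (ids, times, tty1) are made up.
SAMPLE = """\
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): port='tty0' list='' action=LOGIN service=LOGIN
Oct 7 22:53:28.179: AAA/AUTHEN/CONT (1037375110): continue_login (user='')
Oct 7 22:53:30.813: AAA/AUTHEN (1037375110): status = FAIL
Oct 7 22:53:32.818: AAA/AUTHEN/ABORT: (1037375110) because Login timed out.
Oct 7 22:54:21.400: AAA/AUTHEN/START (2000000001): port='tty0' list='' action=LOGIN service=LOGIN
Oct 7 22:54:30.900: AAA/AUTHEN (2000000001): status = FAIL
Oct 7 22:54:32.900: AAA/AUTHEN/ABORT: (2000000001) because Login timed out.
Oct 7 22:55:02.100: AAA/AUTHEN/START (2000000002): port='tty1' list='' action=LOGIN service=LOGIN
Oct 7 22:55:11.500: AAA/AUTHEN (2000000002): status = PASS
"""

EVENT = re.compile(r"(\d\d):(\d\d):(\d\d\.\d+): AAA/AUTHEN(?:/(\w+))?:? \((\d+)\):? ?(.*)")

def sessions(log):
    """Group AAA/AUTHEN debug lines by session id."""
    out = defaultdict(lambda: {"port": None, "start": None, "status": None, "abort": None})
    for line in log.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        h, mi, sec, kind, sid, rest = m.groups()
        s = out[sid]
        port = re.search(r"port='([^']*)'", rest)
        if kind == "START" and port:
            s["port"] = port.group(1)
            s["start"] = int(h) * 3600 + int(mi) * 60 + float(sec)  # time of day, seconds
        elif kind == "ABORT":
            s["abort"] = rest.removeprefix("because ").rstrip(".")
        elif kind is None and rest.startswith("status = "):
            s["status"] = rest[len("status = "):]  # last status seen wins
    return dict(out)

def unattended_ports(log, min_sessions=2):
    """Ports with repeated FAIL + 'Login timed out' sessions, and the gaps between them."""
    starts = defaultdict(list)
    for s in sessions(log).values():
        if s["status"] == "FAIL" and s["abort"] == "Login timed out" and s["start"] is not None:
            starts[s["port"]].append(s["start"])
    return {p: [round(b - a, 1) for a, b in zip(sorted(t), sorted(t)[1:])]
            for p, t in starts.items() if len(t) >= min_sessions}

if __name__ == "__main__":
    print(unattended_ports(SAMPLE))
```

Gaps are time-of-day differences, so a capture that crosses midnight needs the date handled as well.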

This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:05 ART