C-18
Troubleshooting
Unusual Network Activity
memory to save the authentication configuration to flash, then
pressing the Reset button or cycling the power reboots the switch
with the boot-up configuration.
■ Disconnect the switch from network access to any TACACS+ servers
and then log in to the switch using either Telnet or direct console port
access. Because the switch cannot access a TACACS+ server, it will
default to local authentication. You can then use the switch’s local
Operator or Manager username/password pair to log on.
■ As a last resort, use the Clear/Reset button combination to reset the
switch to its factory default boot-up configuration. Taking this step
means you will have to reconfigure the switch to return it to operation
in your network.
No Communication Between the Switch and the TACACS+ Server
Application. If the switch can access the server device (that is, it can ping
the server), then a configuration error may be the problem. Some possibilities
include:
■ The server IP address configured with the switch’s tacacs-server host
command may not be correct. (Use the switch’s show tacacs-server
command to list the TACACS+ server IP address.)
■ The encryption key configured in the server does not match the
encryption key configured in the switch (by using the tacacs-server
key command). Verify the key in the server and compare it to the key
configured in the switch. (Use show tacacs-server to list the global key.
Use show config or show config running to list any server-specific keys.)
■ The accessible TACACS+ servers are not configured to provide
service to the switch.
Access Is Denied Even Though the Username/Password Pair Is
Correct. Some reasons for denial include the following parameters
controlled by your TACACS+ server application:
■ The account has expired.
■ The access attempt is through a port that is not allowed for the
account.
■ The time quota for the account has been exhausted.
■ The time credit for the account has expired.