From: Huan Pham (pnhuan@yahoo.com)
Date: Sun Sep 14 2008 - 10:14:22 ART
Thanks,
I still have access to the routers, switches via console. I am only unable to telnet to it. So I do not need to do password recovery.
I am just asking the proper way to enable AAA, (so that I can do DOT1X Authentication on a switch).
Regards,
--- On Sun, 9/14/08, Huzefa <ratlamwala.huzefa@gmail.com> wrote:
> From: Huzefa <ratlamwala.huzefa@gmail.com>
> Subject: Re: HELP - I locked myself after enabling aaa new-model ...
> To: "Huan Pham" <pnhuan@yahoo.com>
> Cc: "CCIE Lab" <ccielab@groupstudy.com>
> Date: Sunday, September 14, 2008, 10:56 PM
> Huan
> You can always try 'Breaking' the password on any
> Cisco box, check out the
> Configuration Guide for more details.
>
> On Sun, Sep 14, 2008 at 3:49 PM, Huan Pham
> <pnhuan@yahoo.com> wrote:
>
> > .... using Brian Dennis's COD recommended approach and configuration ;-)
> >
> >
> > Here's the config.
> >
> > aaa new-model
> > aaa authentication login VTY_LINE line
> > line vty 0 15
> > password cisco
> > login authentication VTY_LINE
> >
> >
> > I tried this config on both 3560 and 3550, ending up with the same problem
> > as described above.
> >
> > I applied the same config on a 3640 router, it worked the way I expected,
> > i.e. I was able to log on using a password (without username). If I removed
> > the vty command "login authentication VTY_LINE", I was unable to telnet to
> > the router, also as I expected.
> >
> > Maybe the IOS version I used for my switches has a bug, or I am missing
> > something basic here. Help appreciated.
> >
> >
> > Huan
> >
> >
> >
> >
> > RSRack1SW3#sh ver | in IOS
> > Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(44)SE, RELEASE SOFTWARE (fc1)
> >
> > RSRack1SW2#sh ver | in IOS
> > Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(44)SE, RELEASE SOFTWARE (fc1)
> >
> > RSRack1SW2#sh run | in aaa
> > aaa new-model
> > aaa authentication login VTY_LINE line
> > aaa session-id common
> >
> > RSRack1SW2#sh run | b line vty
> > line vty 0 4
> > password cisco
> > login authentication VTY_LINE
> > line vty 5 15
> > password cisco
> > login authentication VTY_LINE
> > !
> > end
> >
> > RSRack1SW2#sh ip int brief | in Loop
> > Loopback0 150.1.8.8 YES NVRAM up up
> > RSRack1SW2#telnet 150.1.8.8
> > Trying 150.1.8.8 ... Open
> >
> >
> > ! -_- NO LOGIN PROMPT -_-
> >
> >
> >
> >
> >
> >
> > RSRack1R3#c
> > Enter configuration commands, one per line. End with CNTL/Z.
> > RSRack1R3(config)#aaa new-model
> > RSRack1R3(config)#aaa authentication login VTY_LINE line
> > RSRack1R3(config)#line vty 0 15
> > RSRack1R3(config-line)# password cisco
> > RSRack1R3(config-line)# login authentication VTY_LINE
> > RSRack1R3(config-line)#
> > RSRack1R3(config-line)#
> > RSRack1R3#t
> > *Mar 1 17:10:57.675: %SYS-5-CONFIG_I: Configured from console by console
> > RSRack1R3#telnet 150.1.3.3
> > Trying 150.1.3.3 ... Open
> >
> >
> > User Access Verification
> >
> > Password:
> >
> > RSRack1R3#sh ver | in IOS
> > Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(5a), RELEASE SOFTWARE (fc3)
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:18 ART
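The pre-change check below is an added example, not part of the thread: it reads IOS config text and reports, per vty block, whether the login method list that applies to it can authenticate anyone, using the config quoted in the thread as constructed input. The function names, verdict strings and the first-method-only model of AAA are assumptions of this example; it audits configuration only and does not explain the missing prompt on the 3550/3560.

```python
import re

def audit_vty_login(config):
    """Return {vty block header: verdict} for IOS config text."""
    lists, blocks, cur = {}, {}, None
    aaa = has_user = False
    for raw in config.splitlines():
        cmd = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", cmd)
        if m:
            lists[m.group(1)] = m.group(2).split()
        elif cmd == "aaa new-model":
            aaa = True
        elif cmd.startswith("username "):
            has_user = True
        elif cmd.startswith("line vty"):
            cur = blocks.setdefault(cmd, {"password": False, "list": "default"})
        elif cmd.startswith("line ") or cmd in ("!", "end"):
            cur = None  # any other header or separator closes the vty block
        elif cur is not None and cmd.startswith("password "):
            cur["password"] = True
        elif cur is not None and cmd.startswith("login authentication "):
            cur["list"] = cmd.split()[2]
    return {h: _verdict(b, aaa, lists, has_user) for h, b in blocks.items()}

def _verdict(block, aaa, lists, has_user):
    name = block["list"]
    if not aaa:
        return "SKIP: aaa new-model not configured"
    if name not in lists and name != "default":
        return f"LOCKOUT: method list {name} is not defined"
    # No default list defined: IOS checks the local user database on vty lines.
    methods = lists.get(name, ["local"])
    # Simplified model (assumption): only the first method is evaluated.
    if methods[0] == "line" and not block["password"]:
        return "LOCKOUT: 'line' method but no password on this vty block"
    if methods[0] == "local" and not has_user:
        return "LOCKOUT: local user database checked but no username exists"
    return f"OK: list {name} -> {methods[0]}"

# Constructed input modelled on the config quoted in the thread.
THREAD_CONFIG = """\
aaa new-model
aaa authentication login VTY_LINE line
line vty 0 15
password cisco
login authentication VTY_LINE
"""
NO_LIST_APPLIED = THREAD_CONFIG.replace("login authentication VTY_LINE\n", "")
```

Run against `THREAD_CONFIG` the check passes, and against `NO_LIST_APPLIED` it reports the lockout the poster saw on the router after removing the vty command.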