From: paul cosgrove (paul.cosgrove@heanet.ie)
Date: Sun Sep 14 2008 - 12:32:17 ART
Brian's config looks fine (as you would expect). Upgrade the IOS, or
create a local username/password and have your VTYs use that instead of
the line password.
Even after you have removed the "login authentication" command you
should still be able to telnet. The switch should use the default
method (local - unless you have changed that for dot1x), though you will
obviously not be able to log in unless you have defined a username/password.
If this does not work then you have another incentive to upgrade.
Paul.
Huan Pham wrote:
> Thanks,
>
> I still have access to the routers and switches via console. I am only unable to telnet to them. So I do not need to do password recovery.
>
> I am just asking for the proper way to enable AAA (so that I can do DOT1X authentication on a switch).
>
> Regards,
>
>
> --- On Sun, 9/14/08, Huzefa <ratlamwala.huzefa@gmail.com> wrote:
>
>
>> From: Huzefa <ratlamwala.huzefa@gmail.com>
>> Subject: Re: HELP - I locked myself after enabling aaa new-model ...
>> To: "Huan Pham" <pnhuan@yahoo.com>
>> Cc: "CCIE Lab" <ccielab@groupstudy.com>
>> Date: Sunday, September 14, 2008, 10:56 PM
>> Huan
>> You can always try 'Breaking' the password on any Cisco box; check out the
>> Configuration Guide for more details.
>>
>> On Sun, Sep 14, 2008 at 3:49 PM, Huan Pham
>> <pnhuan@yahoo.com> wrote:
>>
>>
>>> .... using Brian Dennis's COD recommended approach and configuration ;-)
>>
>>> Here's the config.
>>>
>>> aaa new-model
>>> aaa authentication login VTY_LINE line
>>> line vty 0 15
>>> password cisco
>>> login authentication VTY_LINE
>>>
>>>
>>> I tried this config on both 3560 and 3550, ending up with the same problem
>>> as described above.
>>>
>>> I applied the same config on a 3640 router; it worked the way I expected,
>>> i.e. I was able to log on using a password (without username). If I removed
>>> the vty command "login authentication VTY_LINE", I was unable to telnet to
>>> the router, also as I expected.
>>>
>>> Maybe the IOS version I used for my switches has a bug, or I am missing
>>> something basic here. Help appreciated.
>>>
>>>
>>> Huan
>>>
>>>
>>>
>>>
>>> RSRack1SW3#sh ver | in IOS
>>> Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(44)SE, RELEASE SOFTWARE (fc1)
>>>
>>> RSRack1SW2#sh ver | in IOS
>>> Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(44)SE, RELEASE SOFTWARE (fc1)
>>>
>>> RSRack1SW2#sh run | in aaa
>>> aaa new-model
>>> aaa authentication login VTY_LINE line
>>> aaa session-id common
>>>
>>> RSRack1SW2#sh run | b line vty
>>> line vty 0 4
>>> password cisco
>>> login authentication VTY_LINE
>>> line vty 5 15
>>> password cisco
>>> login authentication VTY_LINE
>>> !
>>> end
>>>
>>> RSRack1SW2#sh ip int brief | in Loop
>>> Loopback0 150.1.8.8 YES NVRAM up up
>>
>>> RSRack1SW2#telnet 150.1.8.8
>>> Trying 150.1.8.8 ... Open
>>>
>>> ! -_- NO LOGIN PROMPT -_-
>>>
>>> RSRack1R3#c
>>> Enter configuration commands, one per line. End with CNTL/Z.
>>> RSRack1R3(config)#aaa new-model
>>> RSRack1R3(config)#aaa authentication login VTY_LINE line
>>
>>> RSRack1R3(config)#line vty 0 15
>>> RSRack1R3(config-line)# password cisco
>>> RSRack1R3(config-line)# login authentication VTY_LINE
>>> RSRack1R3(config-line)#
>>> RSRack1R3(config-line)#
>>> RSRack1R3#t
>>> *Mar 1 17:10:57.675: %SYS-5-CONFIG_I: Configured from console by console
>>
>>> RSRack1R3#telnet 150.1.3.3
>>> Trying 150.1.3.3 ... Open
>>>
>>>
>>> User Access Verification
>>>
>>> Password:
>>>
>>> RSRack1R3#sh ver | in IOS
>>> Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(5a), RELEASE SOFTWARE (fc3)
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
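One check worth running before a change like this is saved, as an added example that is not code from the thread or from Cisco: a small Python linter over a `show run` excerpt that applies the rules Paul states (under `aaa new-model` a VTY without `login authentication` falls to the default list, which is implicitly `local`, so a username is required; a VTY using the `line` method needs a line password) and reports VTY ranges that nobody could log in to. The function names and the sample configurations are assumptions of this example; the thread's own config passes the check, as it did on the 3640, so whatever the poster hit on the 3550/3560 is outside what it models.

```python
"""Lockout-risk check for Cisco IOS AAA/VTY configuration (added example).

Assumptions, taken from the thread and IOS AAA behaviour: under
`aaa new-model` a VTY uses the list named by `login authentication NAME`,
otherwise the `default` list; with no default list configured the implicit
method is `local`. `line` needs a VTY `password`, `local`/`local-case`
need a `username`, `enable` needs an enable secret, `none` always succeeds,
and server-backed methods (group/radius/tacacs+) are assumed reachable.
A list is flagged only when none of its methods can succeed; method
fall-through between methods is deliberately not modelled.
"""


def _methods(tokens):
    """Merge 'group NAME' into one token: group tacacs+ local -> 2 methods."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append("group " + tokens[i + 1])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def parse_config(text):
    """Pull only what the check needs out of a `show run` excerpt."""
    cfg = {"aaa_new_model": False, "lists": {}, "usernames": set(),
           "enable_secret": False, "vty": []}
    block = None  # the `line vty` block currently being read, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if line.startswith(" "):  # sub-command of the current block
            if block is not None:
                if tok[0] == "password":
                    block["password"] = True
                elif tok[:2] == ["login", "authentication"] and len(tok) == 3:
                    block["list"] = tok[2]
            continue
        block = None
        if tok[:2] == ["aaa", "new-model"]:
            cfg["aaa_new_model"] = True
        elif tok[:3] == ["aaa", "authentication", "login"] and len(tok) >= 5:
            cfg["lists"][tok[3]] = _methods(tok[4:])
        elif tok[0] == "username" and len(tok) >= 2:
            cfg["usernames"].add(tok[1])
        elif tok[:2] in (["enable", "secret"], ["enable", "password"]):
            cfg["enable_secret"] = True
        elif tok[:2] == ["line", "vty"] and len(tok) >= 3:
            block = {"range": " ".join(tok[2:]), "password": False, "list": None}
            cfg["vty"].append(block)
    return cfg


def _can_succeed(method, cfg, vty):
    if method == "line":
        return vty["password"]
    if method in ("local", "local-case"):
        return bool(cfg["usernames"])
    if method == "enable":
        return cfg["enable_secret"]
    return True  # `none`, or a server-backed method assumed reachable


def check_vty_lockout(text):
    """Return [(vty_range, code, detail)]; empty means no risk found.
    Codes: 'undefined-list', 'no-usable-method'."""
    cfg = parse_config(text)
    findings = []
    if not cfg["aaa_new_model"]:
        return findings  # classic `login` / `login local`: out of scope
    for vty in cfg["vty"]:
        name = vty["list"] or "default"
        if name in cfg["lists"]:
            methods = cfg["lists"][name]
        elif name == "default":
            methods = ["local"]  # implicit default list under aaa new-model
        else:
            findings.append((vty["range"], "undefined-list",
                             f"login authentication {name}: list not configured"))
            continue
        if not any(_can_succeed(m, cfg, vty) for m in methods):
            findings.append((vty["range"], "no-usable-method",
                             f"list {name} ({' '.join(methods)}) lacks credentials"))
    return findings


# Constructed samples. THREAD mirrors the poster's config; NO_USERNAME drops
# `login authentication` from the VTYs so the implicit `local` default applies
# with no user defined; LOCAL_USER is the remedy suggested in the thread.
THREAD = ("aaa new-model\naaa authentication login VTY_LINE line\n"
          "line vty 0 15\n password cisco\n login authentication VTY_LINE\n")
NO_USERNAME = ("aaa new-model\naaa authentication login VTY_LINE line\n"
               "line vty 0 15\n password cisco\n")
LOCAL_USER = ("aaa new-model\nusername admin secret CLEARTEXT-PLACEHOLDER\n"
              "aaa authentication login default local\n"
              "line vty 0 15\n login authentication default\n")

if __name__ == "__main__":
    for label, cfg in (("thread", THREAD), ("no-username", NO_USERNAME),
                       ("local-user", LOCAL_USER)):
        print(label, check_vty_lockout(cfg) or "OK")
```

Run it against the output of `show run` pasted into a file before committing the change; a `no-usable-method` finding on a VTY range means the console is the only way back in, which is exactly the situation the thread describes.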
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:18 ART