From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Sun Sep 14 2008 - 13:17:02 ART
Just do a debug on the following and see what exactly is going wrong:
debug aaa authen
debug aaa author
debug tacacs|radius
Regards
Farrukh
On Sun, Sep 14, 2008 at 6:32 PM, paul cosgrove <paul.cosgrove@heanet.ie> wrote:
> Brian's config looks fine (as you would expect). Upgrade the IOS, or
> create a local username/password and have your VTYs use that instead of the
> line password.
>
> Even after you have removed the "login authentication" command you should
> still be able to telnet. The switch should use the default method (local -
> unless you have changed that for dot1x), though you will obviously not be
> able to login unless you defined a username/password. If this does not
> work then you have another incentive to upgrade.
>
> Paul.
>
>
> Huan Pham wrote:
>
>> Thanks,
>>
>> I still have access to the routers, switches via console. I am only unable
>> to telnet to it. So I do not need to do password recovery.
>> I am just asking the proper way to enable AAA, (so that I can do DOT1X
>> Authentication on a switch).
>>
>> Regards,
>>
>>
>> --- On Sun, 9/14/08, Huzefa <ratlamwala.huzefa@gmail.com> wrote:
>>
>>
>>
>>> From: Huzefa <ratlamwala.huzefa@gmail.com>
>>> Subject: Re: HELP - I locked myself after enabling aaa new-model ...
>>> To: "Huan Pham" <pnhuan@yahoo.com>
>>> Cc: "CCIE Lab" <ccielab@groupstudy.com>
>>> Date: Sunday, September 14, 2008, 10:56 PM
>>> Huan
>>> You can always try 'Breaking' the password on any Cisco box, check out the
>>> Configuration Guide for more details.
>>>
>>> On Sun, Sep 14, 2008 at 3:49 PM, Huan Pham <pnhuan@yahoo.com> wrote:
>>>
>>>> .... using Brian Dennis's COD recommended approach and configuration ;-)
>>>>
>>>> Here's the config.
>>>>
>>>> aaa new-model
>>>> aaa authentication login VTY_LINE line
>>>> line vty 0 15
>>>> password cisco
>>>> login authentication VTY_LINE
>>>>
>>>> I tried this config on both 3560 and 3550, ending up with the same problem
>>>> as described above.
>>>>
>>>> I applied the same config on a 3640 router, and it worked the way I expected,
>>>> i.e. I was able to log on using a password (without username). If I removed
>>>> the vty command "login authentication VTY_LINE", I was unable to telnet to
>>>> the router, also as I expected.
>>>>
>>>> Maybe the IOS version I used for my switches has a bug, or I am missing
>>>> something basic here. Help appreciated.
>>>>
>>>> Huan
>>>>
>>>> RSRack1SW3#sh ver | in IOS
>>>> Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version
>>>> 12.2(44)SE, RELEASE SOFTWARE (fc1)
>>>>
>>>> RSRack1SW2#sh ver | in IOS
>>>> Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version
>>>> 12.2(44)SE, RELEASE SOFTWARE (fc1)
>>>>
>>>> RSRack1SW2#sh run | in aaa
>>>> aaa new-model
>>>> aaa authentication login VTY_LINE line
>>>> aaa session-id common
>>>>
>>>> RSRack1SW2#sh run | b line vty
>>>> line vty 0 4
>>>> password cisco
>>>> login authentication VTY_LINE
>>>> line vty 5 15
>>>> password cisco
>>>> login authentication VTY_LINE
>>>> !
>>>> end
>>>>
>>>> RSRack1SW2#sh ip int brief | in Loop
>>>> Loopback0 150.1.8.8 YES NVRAM up up
>>>>
>>>> RSRack1SW2#telnet 150.1.8.8
>>>> Trying 150.1.8.8 ... Open
>>>>
>>>> ! -_- NO LOGIN PROMPT -_-
>>>>
>>>> RSRack1R3#c
>>>> Enter configuration commands, one per line. End with CNTL/Z.
>>>> RSRack1R3(config)#aaa new-model
>>>> RSRack1R3(config)#aaa authentication login VTY_LINE line
>>>> RSRack1R3(config)#line vty 0 15
>>>> RSRack1R3(config-line)# password cisco
>>>> RSRack1R3(config-line)# login authentication VTY_LINE
>>>> RSRack1R3(config-line)#
>>>> RSRack1R3#t
>>>> *Mar 1 17:10:57.675: %SYS-5-CONFIG_I: Configured from console by console
>>>> RSRack1R3#telnet 150.1.3.3
>>>> Trying 150.1.3.3 ... Open
>>>>
>>>> User Access Verification
>>>>
>>>> Password:
>>>>
>>>> RSRack1R3#sh ver | in IOS
>>>> Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(5a),
>>>> RELEASE SOFTWARE (fc3)
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
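The lockout discussed in this thread (aaa new-model turned on with a VTY method list that cannot succeed on the box) is the kind of thing a pre-change config check should flag. The following Python linter is an added example, not code from the thread or any of its participants; it parses the relevant IOS lines from a constructed sample config and reports VTY blocks whose list is undefined, that use the `line` method without a line password, or that fall back to `local` with no username defined, the fallback Paul describes above.

```python
# Constructed sample modelled on the thread's switch config; not a real device capture.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login VTY_LINE line
line vty 0 4
 password cisco
 login authentication VTY_LINE
line vty 5 15
 login authentication VTY_LINE
"""

def parse_config(text):
    cfg = {"aaa_new_model": False, "lists": {}, "usernames": set(), "vty": []}
    block = None
    for raw in text.splitlines():
        if raw.startswith(" ") and block is not None:   # indented = inside a 'line' block
            block["cmds"].append(raw.strip())
            continue
        block, parts = None, raw.split()
        if raw == "aaa new-model":
            cfg["aaa_new_model"] = True
        elif raw.startswith("aaa authentication login "):
            cfg["lists"][parts[3]] = parts[4:]          # list name -> ordered methods
        elif raw.startswith("username "):
            cfg["usernames"].add(parts[1])
        elif raw.startswith("line vty"):
            block = {"name": raw, "cmds": []}
            cfg["vty"].append(block)
    return cfg

def lockout_findings(cfg):
    findings = []
    if not cfg["aaa_new_model"]:
        return findings                                  # legacy line login; out of scope
    for blk in cfg["vty"]:
        cmds = blk["cmds"]
        ref = next((c.split()[2] for c in cmds if c.startswith("login authentication ")), None)
        if ref is None:
            # No named list: 'default' applies, else IOS falls back to local usernames (Paul's point)
            methods = cfg["lists"].get("default", ["local"])
        elif ref not in cfg["lists"]:
            findings.append(f"{blk['name']}: references undefined list {ref}")
            continue
        else:
            methods = cfg["lists"][ref]
        if "line" in methods and not any(c.startswith("password ") for c in cmds):
            findings.append(f"{blk['name']}: method 'line' but no line password")
        if "local" in methods and not cfg["usernames"]:
            findings.append(f"{blk['name']}: method 'local' but no username configured")
    return findings
```

Run it over the output of `show running-config` before committing an `aaa new-model` change; an empty findings list means every VTY block has a method that can actually be satisfied.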
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:18 ART