From: paul cosgrove (paul.cosgrove@heanet.ie)
Date: Sun Sep 14 2008 - 14:38:54 ART
Hi Farrukh,
Huan included command output at the end of his email showing that the
switch does not display a command prompt when he telnets to it. Only
authentication has been configured and he is unable to enter
authentication details without a command prompt, so the debugs may not
show much in this case.
Paul.
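An added example, not part of this thread or any participant's message: a small Python audit that reads a saved IOS running-config and reports VTY blocks whose login path has no local fallback, which is the situation Huan hit (a `VTY_LINE` list containing only the `line` method) and the fix Paul suggests (a local username the list can fall back to). Both config texts are constructed for the example, with a placeholder secret; the parser assumes the one-space indentation that `show run` produces for `line vty` sub-commands, and the "implicit local" rule follows Paul's note that an undefined default list falls back to the local database.

```python
import re

# Constructed sample input (not the thread's verbatim output): the VTY_LINE
# method list from the thread, plus a hypothetical vty 5-15 block left on the
# implicit default list, and no "username" command anywhere.
LOCKOUT_CONFIG = """\
aaa new-model
aaa authentication login VTY_LINE line
aaa session-id common
line vty 0 4
 password cisco
 login authentication VTY_LINE
line vty 5 15
 password cisco
!
end
"""

# Constructed hardened variant following Paul's advice: a local user exists and
# every list the VTYs use can fall back to it. The secret value is a placeholder.
HARDENED_CONFIG = """\
aaa new-model
username admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
aaa authentication login default local
aaa authentication login VTY_LINE local line
line vty 0 15
 password cisco
 login authentication VTY_LINE
end
"""


def parse_config(text):
    """Pull out what matters for VTY login: aaa new-model, the login method
    lists, local usernames, and each 'line vty' block with its settings."""
    aaa_new_model = False
    method_lists = {}   # list name -> ordered methods, e.g. {"VTY_LINE": ["line"]}
    usernames = set()
    vty_blocks = []     # {"range": "0 4", "list": "VTY_LINE" or None, "password": bool}
    current = None
    for raw in text.splitlines():
        if not raw.startswith(" ") and current is not None:
            vty_blocks.append(current)      # an unindented line ends the vty block
            current = None
        line = raw.strip()
        if line == "aaa new-model":
            aaa_new_model = True
        elif m := re.match(r"aaa authentication login (\S+) (.+)$", line):
            method_lists[m.group(1)] = m.group(2).split()
        elif m := re.match(r"username (\S+)", line):
            usernames.add(m.group(1))
        elif m := re.match(r"line vty (\d+ \d+)$", line):
            current = {"range": m.group(1), "list": None, "password": False}
        elif current is not None:
            if m := re.match(r"login authentication (\S+)", line):
                current["list"] = m.group(1)
            elif line.startswith("password "):
                current["password"] = True
    if current is not None:
        vty_blocks.append(current)
    return aaa_new_model, method_lists, usernames, vty_blocks


def audit_vty_lockout(text):
    """Return a list of finding strings. An empty list means every VTY block
    has a login path that one failing method cannot take out."""
    aaa_new_model, lists, users, vtys = parse_config(text)
    findings = []
    if not aaa_new_model:
        return findings     # without aaa new-model the line password applies directly
    for v in vtys:
        tag = f"line vty {v['range']}"
        name = v["list"] or "default"
        methods = lists.get(name)
        if methods is None:
            # No named list and no "default" list defined: IOS falls back to the
            # local user database, which locks you out if no username exists.
            if not users:
                findings.append(f"{tag}: implicit local authentication but no username configured")
            continue
        if "local" in methods and not users:
            findings.append(f"{tag}: list {name} uses local but no username configured")
        if "line" in methods and not v["password"]:
            findings.append(f"{tag}: list {name} uses line but no line password set")
        if "local" not in methods:
            findings.append(f"{tag}: list {name} ({' '.join(methods)}) has no local fallback")
    return findings


if __name__ == "__main__":
    for label, cfg in (("lockout", LOCKOUT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_vty_lockout(cfg) or ["no findings"])
```

Running it on the first config reports two findings (the `VTY_LINE` list with no local fallback, and the vty 5-15 block relying on a local database with no user in it); the hardened config reports none. The check is deliberately conservative: it flags any list without `local`, since a list whose only method is `line` or a remote server has nothing left to try when that method does not answer, which is exactly why the thread ends up at the console.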
Farrukh Haroon wrote:
> Just do a debug on the following and see what exactly is going wrong:
>
> debug aaa authen
> debug aaa author
> debug tacacs|radius
>
> Regards
>
> Farrukh
>
> On Sun, Sep 14, 2008 at 6:32 PM, paul cosgrove <paul.cosgrove@heanet.ie> wrote:
>
>
>> Brian's config looks fine (as you would expect). Upgrade the IOS, or
>> create a local username/password and have your VTYs use that instead of the
>> line password.
>>
>> Even after you have removed the "login authentication" command you should
>> still be able to telnet. The switch should use the default method (local -
>> unless you have changed that for dot1x), though you will obviously not be
>> able to login unless you defined a username/password. If this does not
>> work then you have another incentive to upgrade.
>>
>> Paul.
>>
>>
>> Huan Pham wrote:
>>
>>
>>> Thanks,
>>>
>>> I still have access to the routers, switches via console. I am only unable
>>> to telnet to it. So I do not need to do password recovery.
>>> I am just asking the proper way to enable AAA, (so that I can do DOT1X
>>> Authentication on a switch).
>>>
>>> Regards,
>>>
>>>
>>> --- On Sun, 9/14/08, Huzefa <ratlamwala.huzefa@gmail.com> wrote:
>>>
>>>> From: Huzefa <ratlamwala.huzefa@gmail.com>
>>>> Subject: Re: HELP - I locked myself after enabling aaa new-model ...
>>>> To: "Huan Pham" <pnhuan@yahoo.com>
>>>> Cc: "CCIE Lab" <ccielab@groupstudy.com>
>>>> Date: Sunday, September 14, 2008, 10:56 PM
>>>> Huan
>>>> You can always try 'Breaking' the password on any
>>>> Cisco box, check out the
>>>> Configuration Guide for more details.
>>>>
>>>> On Sun, Sep 14, 2008 at 3:49 PM, Huan Pham <pnhuan@yahoo.com> wrote:
>>>>
>>>>> .... using Brian Dennis's COD recommended approach and configuration ;-)
>>>>>
>>>>> Here's the config.
>>>>>
>>>>> aaa new-model
>>>>> aaa authentication login VTY_LINE line
>>>>> line vty 0 15
>>>>> password cisco
>>>>> login authentication VTY_LINE
>>>>>
>>>>>
>>>>> I tried this config on both 3560 and 3550, ending up with the same problem
>>>>> as described above.
>>>>>
>>>>> I applied the same config on a 3640 router, it worked the way I expected,
>>>>> i.e. I was able to log on using a password (without username). If I removed
>>>>> the vty command "login authentication VTY_LINE", I was unable to telnet to
>>>>> the router, also as I expected.
>>>>>
>>>>> Maybe the IOS version I used for my switches has a bug, or I am missing
>>>>> something basic here. Help appreciated.
>>>>>
>>>>> Huan
>>>>>
>>>>> RSRack1SW3#sh ver | in IOS
>>>>> Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(44)SE, RELEASE SOFTWARE (fc1)
>>>>>
>>>>> RSRack1SW2#sh ver | in IOS
>>>>> Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(44)SE, RELEASE SOFTWARE (fc1)
>>>>>
>>>>> RSRack1SW2#sh run | in aaa
>>>>> aaa new-model
>>>>> aaa authentication login VTY_LINE line
>>>>> aaa session-id common
>>>>>
>>>>> RSRack1SW2#sh run | b line vty
>>>>> line vty 0 4
>>>>> password cisco
>>>>> login authentication VTY_LINE
>>>>> line vty 5 15
>>>>> password cisco
>>>>> login authentication VTY_LINE
>>>>> !
>>>>> end
>>>>>
>>>>> RSRack1SW2#sh ip int brief | in Loop
>>>>> Loopback0 150.1.8.8 YES NVRAM up up
>>>>>
>>>>> RSRack1SW2#telnet 150.1.8.8
>>>>> Trying 150.1.8.8 ... Open
>>>>>
>>>>> ! -_- NO LOGIN PROMPT -_-
>>>>>
>>>>> RSRack1R3#c
>>>>> Enter configuration commands, one per line. End with CNTL/Z.
>>>>> RSRack1R3(config)#aaa new-model
>>>>> RSRack1R3(config)#aaa authentication login VTY_LINE line
>>>>> RSRack1R3(config)#line vty 0 15
>>>>> RSRack1R3(config-line)# password cisco
>>>>> RSRack1R3(config-line)# login authentication VTY_LINE
>>>>> RSRack1R3(config-line)#
>>>>> RSRack1R3(config-line)#
>>>>> RSRack1R3#t
>>>>> *Mar 1 17:10:57.675: %SYS-5-CONFIG_I: Configured from console by console
>>>>> RSRack1R3#telnet 150.1.3.3
>>>>> Trying 150.1.3.3 ... Open
>>>>>
>>>>>
>>>>> User Access Verification
>>>>>
>>>>> Password:
>>>>>
>>>>> RSRack1R3#sh ver | in IOS
>>>>> Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(5a), RELEASE SOFTWARE (fc3)
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:18 ART