From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Sun Sep 14 2008 - 15:13:54 ART
It 'may not' show much but it 'might' show something :)
Regards
Farrukh
On Sun, Sep 14, 2008 at 8:38 PM, paul cosgrove <paul.cosgrove@heanet.ie> wrote:
> Hi Farrukh,
>
> Huan included command output at the end of his email showing that the
> switch does not display a command prompt when he telnets to it. Only
> authentication has been configured and he is unable to enter authentication
> details without a command prompt, so the debugs may not show much in this
> case.
>
> Paul.
>
>
> Farrukh Haroon wrote:
>
>> Just do a debug on the following and see what exactly is going wrong:
>>
>> debug aaa authen
>> debug aaa author
>> debug tacacs|radius
>>
>> Regards
>>
>> Farrukh
>>
>> On Sun, Sep 14, 2008 at 6:32 PM, paul cosgrove <paul.cosgrove@heanet.ie> wrote:
>>
>>> Brian's config looks fine (as you would expect). Upgrade the IOS, or
>>> create a local username/password and have your VTYs use that instead of
>>> the line password.
>>>
>>> Even after you have removed the "login authentication" command you should
>>> still be able to telnet. The switch should use the default method (local -
>>> unless you have changed that for dot1x), though you will obviously not be
>>> able to log in unless you defined a username/password. If this does not
>>> work then you have another incentive to upgrade.
>>>
>>> Paul.
>>>
>>>
>>> Huan Pham wrote:
>>>
>>>> Thanks,
>>>>
>>>> I still have access to the routers, switches via console. I am only
>>>> unable to telnet to it. So I do not need to do password recovery.
>>>> I am just asking the proper way to enable AAA (so that I can do DOT1X
>>>> Authentication on a switch).
>>>>
>>>> Regards,
>>>>
>>>>
>>>> --- On Sun, 9/14/08, Huzefa <ratlamwala.huzefa@gmail.com> wrote:
>>>>
>>>>> From: Huzefa <ratlamwala.huzefa@gmail.com>
>>>>> Subject: Re: HELP - I locked myself after enabling aaa new-model ...
>>>>> To: "Huan Pham" <pnhuan@yahoo.com>
>>>>> Cc: "CCIE Lab" <ccielab@groupstudy.com>
>>>>> Date: Sunday, September 14, 2008, 10:56 PM
>>>>> Huan
>>>>> You can always try 'Breaking' the password on any Cisco box; check out the
>>>>> Configuration Guide for more details.
>>>>>
>>>>> On Sun, Sep 14, 2008 at 3:49 PM, Huan Pham <pnhuan@yahoo.com> wrote:
>>>>>
>>>>>> .... using Brian Dennis's COD recommended approach and configuration ;-)
>>>>>>
>>>>>> Here's the config.
>>>>>>
>>>>>> aaa new-model
>>>>>> aaa authentication login VTY_LINE line
>>>>>> line vty 0 15
>>>>>> password cisco
>>>>>> login authentication VTY_LINE
>>>>>>
>>>>>> I tried this config on both 3560 and 3550, ending up with the same problem
>>>>>> as described above.
>>>>>>
>>>>>> I applied the same config on a 3640 router, and it worked the way I expected,
>>>>>> i.e. I was able to log on using a password (without username). If I removed
>>>>>> the vty command "login authentication VTY_LINE", I was unable to telnet to
>>>>>> the router, also as I expected.
>>>>>>
>>>>>> Maybe the IOS version I used for my switches has a bug, or I am missing
>>>>>> something basic here. Help appreciated.
>>>>>>
>>>>>> Huan
>>>>>>
>>>>>> RSRack1SW3#sh ver | in IOS
>>>>>> Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(44)SE, RELEASE SOFTWARE (fc1)
>>>>>>
>>>>>> RSRack1SW2#sh ver | in IOS
>>>>>> Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(44)SE, RELEASE SOFTWARE (fc1)
>>>>>>
>>>>>> RSRack1SW2#sh run | in aaa
>>>>>> aaa new-model
>>>>>> aaa authentication login VTY_LINE line
>>>>>> aaa session-id common
>>>>>>
>>>>>> RSRack1SW2#sh run | b line vty
>>>>>> line vty 0 4
>>>>>> password cisco
>>>>>> login authentication VTY_LINE
>>>>>> line vty 5 15
>>>>>> password cisco
>>>>>> login authentication VTY_LINE
>>>>>> !
>>>>>> end
>>>>>>
>>>>>> RSRack1SW2#sh ip int brief | in Loop
>>>>>> Loopback0 150.1.8.8 YES NVRAM up up
>>>>>>
>>>>>> RSRack1SW2#telnet 150.1.8.8
>>>>>> Trying 150.1.8.8 ... Open
>>>>>>
>>>>>> ! -_- NO LOGIN PROMPT -_-
>>>>>>
>>>>>> RSRack1R3#c
>>>>>> Enter configuration commands, one per line. End with CNTL/Z.
>>>>>> RSRack1R3(config)#aaa new-model
>>>>>> RSRack1R3(config)#aaa authentication login VTY_LINE line
>>>>>> RSRack1R3(config)#line vty 0 15
>>>>>> RSRack1R3(config-line)# password cisco
>>>>>> RSRack1R3(config-line)# login authentication VTY_LINE
>>>>>> RSRack1R3(config-line)#
>>>>>> RSRack1R3(config-line)#
>>>>>> RSRack1R3#t
>>>>>> *Mar 1 17:10:57.675: %SYS-5-CONFIG_I: Configured from console by console
>>>>>> RSRack1R3#telnet 150.1.3.3
>>>>>> Trying 150.1.3.3 ... Open
>>>>>>
>>>>>> User Access Verification
>>>>>>
>>>>>> Password:
>>>>>>
>>>>>> RSRack1R3#sh ver | in IOS
>>>>>> Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(5a), RELEASE SOFTWARE (fc3)
>>>>>>
>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>
>>>>>> _______________________________________________________________________
>>>>>> Subscription information may be found at:
>>>>>> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:18 ART
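The config in this thread was applied first and the lockout found afterwards. As an added example (editor's code, not from any of the posters, from GroupStudy or from Cisco), the Python below audits a pasted IOS running-config excerpt for the consistency conditions the thread discusses before `aaa new-model` goes live: every vty `login authentication` list must be defined, a list using the `line` method must have a line `password` behind it, and a list using the `local` method (including the implicit default, which Paul describes as local) must have at least one `username` to fall back to. Only the plain-text syntax that appears in the thread is parsed; `SWITCH_CONFIG` is Huan's switch config and `LOCKOUT_CONFIG` is a constructed variant. A check like this cannot catch what Huan actually hit, where a consistent config still produces no prompt; that needs the IOS upgrade or the `debug aaa` output discussed above.

```python
"""Audit a Cisco IOS running-config excerpt for VTY login / AAA consistency.

Editor-added example, not code from the thread. It parses only the config
syntax the thread shows ('aaa new-model', 'aaa authentication login',
'username', 'line vty', 'password', 'login authentication').
"""

# Constructed sample: Huan's switch config from the thread (internally
# consistent, so the audit reports nothing).
SWITCH_CONFIG = """\
aaa new-model
aaa authentication login VTY_LINE line
aaa session-id common
line vty 0 4
 password cisco
 login authentication VTY_LINE
line vty 5 15
 password cisco
 login authentication VTY_LINE
!
end
"""

# Constructed sample of a lockout-prone config: the VTY_LINE list has been
# removed but vty 0 4 still references it, and the default list uses 'local'
# with no username defined.
LOCKOUT_CONFIG = """\
aaa new-model
aaa authentication login default local
line vty 0 4
 password cisco
 login authentication VTY_LINE
line vty 5 15
 login authentication default
"""


def parse_config(text):
    """Return (new_model, method_lists, usernames, vty_blocks).

    method_lists maps list name -> tuple of methods, e.g. {'VTY_LINE': ('line',)}.
    vty_blocks is a list of dicts: {'range': 'vty 0 4', 'password': bool, 'login': str|None}.
    Indentation is ignored so text pasted from an email (as in the thread) parses too.
    """
    new_model = False
    method_lists = {}
    usernames = set()
    vty_blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        # Sub-commands of the vty block currently being read.
        if current is not None and line.startswith(("password ", "login ")):
            if line.startswith("password "):
                current["password"] = True
            elif line.startswith("login authentication "):
                current["login"] = line.split()[2]
            continue
        current = None  # any other command ends the line block
        if line == "aaa new-model":
            new_model = True
        elif line.startswith("aaa authentication login "):
            parts = line.split()
            method_lists[parts[3]] = tuple(parts[4:])
        elif line.startswith("username "):
            usernames.add(line.split()[1])
        elif line.startswith("line vty "):
            current = {"range": line[len("line "):], "password": False, "login": None}
            vty_blocks.append(current)
    return new_model, method_lists, usernames, vty_blocks


def audit_aaa_login(text):
    """Return a list of findings; an empty list means the vty login setup is consistent."""
    new_model, method_lists, usernames, vtys = parse_config(text)
    findings = []
    if not new_model:
        return findings  # legacy line login; AAA method lists do not apply
    # With aaa new-model and no default list configured, IOS falls back to
    # the local user database (as Paul states in the thread).
    effective = dict(method_lists)
    effective.setdefault("default", ("local",))
    for vty in vtys:
        name = vty["login"] or "default"
        if name not in effective:
            findings.append(f"{vty['range']}: references undefined method list '{name}'")
            continue
        methods = effective[name]
        if "line" in methods and not vty["password"]:
            findings.append(f"{vty['range']}: list '{name}' uses 'line' but no line password is set")
        if "local" in methods and not usernames:
            findings.append(f"{vty['range']}: list '{name}' uses 'local' but no username is configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("switch config from the thread", SWITCH_CONFIG),
                       ("constructed lockout-prone config", LOCKOUT_CONFIG)):
        result = audit_aaa_login(cfg)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it against the text of `show running-config` before committing an AAA change from a telnet session; an empty result means the method lists and line passwords agree with each other, nothing more.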