From: paul cosgrove (paul.cosgrove@heanet.ie)
Date: Sun Sep 14 2008 - 16:00:35 ART
Well no doubt Huan will let us know how he resolves the problem. I'm
just not clear what information you expect to see from 'debug tacacs'
and 'debug author' when neither have been configured, or 'debug authen'
before authentication has been attempted.
Paul
Farrukh Haroon wrote:
> It 'may not' show much but it 'might' show something :)
>
> Regards
>
> Farrukh
>
> On Sun, Sep 14, 2008 at 8:38 PM, paul cosgrove <paul.cosgrove@heanet.ie> wrote:
>
>
>> Hi Farrukh,
>>
>> Huan included command output at the end of his email showing that the
>> switch does not display a command prompt when he telnets to it. Only
>> authentication has been configured and he is unable to enter authentication
>> details without a command prompt, so the debugs may not show much in this
>> case.
>>
>> Paul.
>>
>>
>> Farrukh Haroon wrote:
>>
>>
>>> Just do a debug on the following and see what exactly is going wrong:
>>>
>>> debug aaa authen
>>> debug aaa author
>>> debug tacacs|radius
>>>
>>> Regards
>>>
>>> Farrukh
>>>
>>> On Sun, Sep 14, 2008 at 6:32 PM, paul cosgrove <paul.cosgrove@heanet.ie> wrote:
>>>
>>>> Brian's config looks fine (as you would expect). Upgrade the IOS, or
>>>> create a local username/password and have your VTYs use that instead of
>>>> the line password.
>>>>
>>>> Even after you have removed the "login authentication" command you should
>>>> still be able to telnet. The switch should use the default method (local -
>>>> unless you have changed that for dot1x), though you will obviously not be
>>>> able to login unless you defined a username/password. If this does not
>>>> work then you have another incentive to upgrade.
>>>>
>>>> Paul.
>>>>
>>>>
>>>> Huan Pham wrote:
>>>>
>>>>> Thanks,
>>>>>
>>>>> I still have access to the routers, switches via console. I am only
>>>>> unable to telnet to it. So I do not need to do password recovery.
>>>>> I am just asking the proper way to enable AAA, (so that I can do DOT1X
>>>>> Authentication on a switch).
>>>>>
>>>>> Regards,
>>>>>
>>>>> --- On Sun, 9/14/08, Huzefa <ratlamwala.huzefa@gmail.com> wrote:
>>>>>
>>>>>> From: Huzefa <ratlamwala.huzefa@gmail.com>
>>>>>> Subject: Re: HELP - I locked myself after enabling aaa new-model ...
>>>>>> To: "Huan Pham" <pnhuan@yahoo.com>
>>>>>> Cc: "CCIE Lab" <ccielab@groupstudy.com>
>>>>>> Date: Sunday, September 14, 2008, 10:56 PM
>>>>>> Huan
>>>>>> You can always try 'Breaking' the password on any Cisco box, check out
>>>>>> the Configuration Guide for more details.
>>>>>>
>>>>>> On Sun, Sep 14, 2008 at 3:49 PM, Huan Pham <pnhuan@yahoo.com> wrote:
>>>>>>
>>>>>>> .... using Brian Dennis's COD recommended approach and configuration ;-)
>>>>>>>
>>>>>>> Here's the config.
>>>>>>>
>>>>>>> aaa new-model
>>>>>>> aaa authentication login VTY_LINE line
>>>>>>> line vty 0 15
>>>>>>> password cisco
>>>>>>> login authentication VTY_LINE
>>>>>>>
>>>>>>> I tried this config on both 3560 and 3550, ending up with the same
>>>>>>> problem as described above.
>>>>>>>
>>>>>>> I applied the same config on a 3640 router, it worked the way I
>>>>>>> expected, i.e. I was able to log on using a password (without
>>>>>>> username). If I removed the vty command "login authentication
>>>>>>> VTY_LINE", I was unable to telnet to the router, also as I expected.
>>>>>>>
>>>>>>> Maybe the IOS version I used for my switches has a bug, or I am
>>>>>>> missing something basic here. Help appreciated.
>>>>>>>
>>>>>>> Huan
>>>>>>>
>>>>>>> RSRack1SW3#sh ver | in IOS
>>>>>>> Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version
>>>>>>> 12.2(44)SE, RELEASE SOFTWARE (fc1)
>>>>>>>
>>>>>>> RSRack1SW2#sh ver | in IOS
>>>>>>> Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version
>>>>>>> 12.2(44)SE, RELEASE SOFTWARE (fc1)
>>>>>>>
>>>>>>> RSRack1SW2#sh run | in aaa
>>>>>>> aaa new-model
>>>>>>> aaa authentication login VTY_LINE line
>>>>>>> aaa session-id common
>>>>>>>
>>>>>>> RSRack1SW2#sh run | b line vty
>>>>>>> line vty 0 4
>>>>>>> password cisco
>>>>>>> login authentication VTY_LINE
>>>>>>> line vty 5 15
>>>>>>> password cisco
>>>>>>> login authentication VTY_LINE
>>>>>>> !
>>>>>>> end
>>>>>>>
>>>>>>> RSRack1SW2#sh ip int brief | in Loop
>>>>>>> Loopback0 150.1.8.8 YES NVRAM up up
>>>>>>>
>>>>>>> RSRack1SW2#telnet 150.1.8.8
>>>>>>> Trying 150.1.8.8 ... Open
>>>>>>>
>>>>>>> ! -_- NO LOGIN PROMPT -_-
>>>>>>>
>>>>>>> RSRack1R3#c
>>>>>>> Enter configuration commands, one per line. End with CNTL/Z.
>>>>>>> RSRack1R3(config)#aaa new-model
>>>>>>> RSRack1R3(config)#aaa authentication login VTY_LINE line
>>>>>>> RSRack1R3(config)#line vty 0 15
>>>>>>> RSRack1R3(config-line)# password cisco
>>>>>>> RSRack1R3(config-line)# login authentication VTY_LINE
>>>>>>> RSRack1R3(config-line)#
>>>>>>> RSRack1R3(config-line)#
>>>>>>> RSRack1R3#t
>>>>>>> *Mar 1 17:10:57.675: %SYS-5-CONFIG_I: Configured from console by console
>>>>>>> RSRack1R3#telnet 150.1.3.3
>>>>>>> Trying 150.1.3.3 ... Open
>>>>>>>
>>>>>>> User Access Verification
>>>>>>>
>>>>>>> Password:
>>>>>>>
>>>>>>> RSRack1R3#sh ver | in IOS
>>>>>>> Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(5a),
>>>>>>> RELEASE SOFTWARE (fc3)
>>>>>>>
>>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>>
>>>>>>> _______________________________________________________________________
>>>>>>> Subscription information may be found at:
>>>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>>>
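The thread turns on a small set of IOS commands (aaa new-model, aaa authentication login, line vty, password, login authentication) and on two observations: a method list containing only "line" left the switches with no login prompt, and Paul's suggested way out is a local username/password with the VTYs authenticating against it. The following is an added example, not code from the thread, from Cisco, or from any product it names. It is a pre-change linter that a practitioner could run against a candidate "show run" before committing aaa new-model on a device, flagging the VTY lockout conditions the thread describes. The three sample configs are constructed from the thread's text (the local-username one is Paul's alternative with a placeholder secret), the rule set and the config-layout assumptions (which keywords end a "line vty" block) are mine, and the behaviour that an undefined default list means local authentication is taken from Paul's message, not independently verified here.

```python
"""Lockout-risk check for Cisco IOS AAA / VTY configuration.

Added example, not code from the thread or from Cisco. Parses 'show run'
style text for the commands the thread discusses and reports conditions
that can leave a device unreachable on its VTY lines. The config layout
and the rule set are assumptions made for this example.
"""
import re

# Constructed from the switch config Huan posted (indentation normalised).
SWITCH_CONFIG = """\
aaa new-model
aaa authentication login VTY_LINE line
aaa session-id common
line vty 0 4
 password cisco
 login authentication VTY_LINE
line vty 5 15
 password cisco
 login authentication VTY_LINE
!
end
"""

# Constructed: Paul's alternative, a local username with the VTYs using it.
LOCAL_CONFIG = """\
aaa new-model
aaa authentication login default local
username admin secret PLACEHOLDER_SECRET
line vty 0 15
 login authentication default
end
"""

# Constructed failure mode: the VTYs name a list that was never defined.
MISSING_LIST_CONFIG = """\
aaa new-model
line vty 0 4
 password cisco
 login authentication VTY_LINE
end
"""

LOGIN_LIST = re.compile(r"^aaa authentication login (\S+)\s+(.+)$")
VTY_BLOCK = re.compile(r"^line vty (\d+) (\d+)$")
LOGIN_AUTH = re.compile(r"^login authentication (\S+)$")
# Any of these at column 0 ends a 'line vty' block (assumed keyword set).
BLOCK_END = re.compile(r"^(line |!|end$|aaa |username |interface |hostname )")


def parse_config(text):
    """Return (method_lists, vtys): list name -> methods, and one dict per
    'line vty' block recording whether it has a password and which list."""
    method_lists, vtys, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()          # tolerate the unindented paste in the thread
        if not line:
            continue
        m = LOGIN_LIST.match(line)
        if m:
            method_lists[m.group(1)] = m.group(2).split()
            current = None
            continue
        m = VTY_BLOCK.match(line)
        if m:
            current = {"range": (int(m.group(1)), int(m.group(2))),
                       "password": False, "login_list": None}
            vtys.append(current)
            continue
        if BLOCK_END.match(line):
            current = None
            continue
        if current is not None:
            if line.startswith("password "):
                current["password"] = True
            m = LOGIN_AUTH.match(line)
            if m:
                current["login_list"] = m.group(1)
    return method_lists, vtys


def lockout_findings(text):
    """List VTY lockout risks in one config; an empty list means none found."""
    method_lists, vtys = parse_config(text)
    aaa_on = re.search(r"^aaa new-model$", text, re.M) is not None
    has_users = re.search(r"^username \S+", text, re.M) is not None
    findings = []
    if not aaa_on:
        return findings  # legacy line-login model; outside this check's scope
    for v in vtys:
        name = "vty %d %d" % v["range"]
        list_name = v["login_list"] or "default"
        methods = method_lists.get(list_name)
        if methods is None:
            if list_name != "default":
                findings.append(f"{name}: login list '{list_name}' is not defined")
                continue
            methods = ["local"]  # no default list: local auth, per Paul's message
        if "line" in methods and not v["password"]:
            findings.append(f"{name}: method 'line' but no line password set")
        if "local" in methods and not has_users:
            findings.append(f"{name}: method 'local' but no username configured")
        if methods == ["line"]:
            findings.append(f"{name}: 'line' is the only method; no fallback "
                            "if it misbehaves (the thread's symptom)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("switch", SWITCH_CONFIG), ("local", LOCAL_CONFIG),
                       ("missing list", MISSING_LIST_CONFIG)):
        print(label, lockout_findings(cfg) or ["no findings"])
```

Run against Huan's switch config it reports both VTY ranges as having "line" as their only method; the local-username variant produces no findings, and the third sample shows the plain misconfiguration case (a list name that is referenced but never defined). The checker is deliberately pessimistic: it cannot tell a platform bug from a bad config, so it flags any single-method list and leaves the decision to the engineer still holding a console session.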
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:18 ART