From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Sun Sep 14 2008 - 17:32:25 ART
I faced a similar issue once, e.g. I made a AAA method list with the name
'abc' and applied it to the VTY line. Then I removed that method list and
re-configured it with the same name 'abc'. One would expect that the line
vty would not require re-entering the 'login authentication abc' command
since I was using the same name. But surprisingly, when I ran the debugs I
found out that instead of using the name 'abc', there was an internal
integer/number used by the IOS to map the method list to the line. Since the
new 'abc' method list had a different number than the OLD 'abc' method list,
AAA broke! This is just one example. I don't know if this was a bug or a
'feature' :)
Regards
Farrukh
On Sun, Sep 14, 2008 at 10:00 PM, paul cosgrove <paul.cosgrove@heanet.ie> wrote:
> Well no doubt Huan will let us know how he resolves the problem. I'm just
> not clear what information you expect to see from 'debug tacacs' and 'debug
> author' when neither have been configured, or 'debug authen' before
> authentication has been attempted.
>
> Paul
>
>
> Farrukh Haroon wrote:
>
>> It 'may not' show much but it 'might' show something :)
>>
>> Regards
>>
>> Farrukh
>>
>> On Sun, Sep 14, 2008 at 8:38 PM, paul cosgrove <paul.cosgrove@heanet.ie> wrote:
>>
>>> Hi Farrukh,
>>>
>>> Huan included command output at the end of his email showing that the
>>> switch does not display a command prompt when he telnets to it. Only
>>> authentication has been configured and he is unable to enter authentication
>>> details without a command prompt, so the debugs may not show much in this
>>> case.
>>>
>>> Paul.
>>>
>>> Farrukh Haroon wrote:
>>>
>>>> Just do a debug on the following and see what exactly is going wrong:
>>>>
>>>> debug aaa authen
>>>> debug aaa author
>>>> debug tacacs|radius
>>>>
>>>> Regards
>>>>
>>>> Farrukh
>>>>
>>>> On Sun, Sep 14, 2008 at 6:32 PM, paul cosgrove <paul.cosgrove@heanet.ie> wrote:
>>>>
>>>>> Brian's config looks fine (as you would expect). Upgrade the IOS, or
>>>>> create a local username/password and have your VTYs use that instead of the
>>>>> line password.
>>>>>
>>>>> Even after you have removed the "login authentication" command you should
>>>>> still be able to telnet. The switch should use the default method (local -
>>>>> unless you have changed that for dot1x), though you will obviously not be
>>>>> able to login unless you defined a username/password. If this does not
>>>>> work then you have another incentive to upgrade.
>>>>>
>>>>> Paul.
>>>>>
>>>>> Huan Pham wrote:
>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> I still have access to the routers, switches via console. I am only unable
>>>>>> to telnet to it. So I do not need to do password recovery.
>>>>>> I am just asking the proper way to enable AAA, (so that I can do DOT1X
>>>>>> Authentication on a switch).
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> --- On Sun, 9/14/08, Huzefa <ratlamwala.huzefa@gmail.com> wrote:
>>>>>>
>>>>>>> From: Huzefa <ratlamwala.huzefa@gmail.com>
>>>>>>> Subject: Re: HELP - I locked myself after enabling aaa new-model ...
>>>>>>> To: "Huan Pham" <pnhuan@yahoo.com>
>>>>>>> Cc: "CCIE Lab" <ccielab@groupstudy.com>
>>>>>>> Date: Sunday, September 14, 2008, 10:56 PM
>>>>>>> Huan
>>>>>>> You can always try 'Breaking' the password on any Cisco box, check out the
>>>>>>> Configuration Guide for more details.
>>>>>>>
>>>>>>> On Sun, Sep 14, 2008 at 3:49 PM, Huan Pham <pnhuan@yahoo.com> wrote:
>>>>>>>
>>>>>>>> .... using Brian Dennis's COD recommended approach and configuration ;-)
>>>>>>>>
>>>>>>>> Here's the config.
>>>>>>>>
>>>>>>>> aaa new-model
>>>>>>>> aaa authentication login VTY_LINE line
>>>>>>>> line vty 0 15
>>>>>>>> password cisco
>>>>>>>> login authentication VTY_LINE
>>>>>>>>
>>>>>>>> I tried this config on both 3560 and 3550, ending up with the same problem
>>>>>>>> as described above.
>>>>>>>>
>>>>>>>> I applied the same config on a 3640 router, it worked the way I expected,
>>>>>>>> i.e. I was able to log on using a password (without username). If I removed
>>>>>>>> the vty command "login authentication VTY_LINE", I was unable to telnet to
>>>>>>>> the router, also as I expected.
>>>>>>>>
>>>>>>>> Maybe the IOS version I used for my switches has a bug, or I am missing
>>>>>>>> something basic here. Help appreciated.
>>>>>>>>
>>>>>>>> Huan
>>>>>>>>
>>>>>>>> RSRack1SW3#sh ver | in IOS
>>>>>>>> Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version
>>>>>>>> 12.2(44)SE, RELEASE SOFTWARE (fc1)
>>>>>>>>
>>>>>>>> RSRack1SW2#sh ver | in IOS
>>>>>>>> Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version
>>>>>>>> 12.2(44)SE, RELEASE SOFTWARE (fc1)
>>>>>>>>
>>>>>>>> RSRack1SW2#sh run | in aaa
>>>>>>>> aaa new-model
>>>>>>>> aaa authentication login VTY_LINE line
>>>>>>>> aaa session-id common
>>>>>>>>
>>>>>>>> RSRack1SW2#sh run | b line vty
>>>>>>>> line vty 0 4
>>>>>>>> password cisco
>>>>>>>> login authentication VTY_LINE
>>>>>>>> line vty 5 15
>>>>>>>> password cisco
>>>>>>>> login authentication VTY_LINE
>>>>>>>> !
>>>>>>>> end
>>>>>>>>
>>>>>>>> RSRack1SW2#sh ip int brief | in Loop
>>>>>>>> Loopback0 150.1.8.8 YES NVRAM up up
>>>>>>>>
>>>>>>>> RSRack1SW2#telnet 150.1.8.8
>>>>>>>> Trying 150.1.8.8 ... Open
>>>>>>>>
>>>>>>>> ! -_- NO LOGIN PROMPT -_-
>>>>>>>>
>>>>>>>> RSRack1R3#c
>>>>>>>> Enter configuration commands, one per line. End with CNTL/Z.
>>>>>>>> RSRack1R3(config)#aaa new-model
>>>>>>>> RSRack1R3(config)#aaa authentication login VTY_LINE line
>>>>>>>> RSRack1R3(config)#line vty 0 15
>>>>>>>> RSRack1R3(config-line)# password cisco
>>>>>>>> RSRack1R3(config-line)# login authentication VTY_LINE
>>>>>>>> RSRack1R3(config-line)#
>>>>>>>> RSRack1R3(config-line)#
>>>>>>>> RSRack1R3#t
>>>>>>>> *Mar 1 17:10:57.675: %SYS-5-CONFIG_I: Configured from console by console
>>>>>>>> RSRack1R3#telnet 150.1.3.3
>>>>>>>> Trying 150.1.3.3 ... Open
>>>>>>>>
>>>>>>>> User Access Verification
>>>>>>>>
>>>>>>>> Password:
>>>>>>>>
>>>>>>>> RSRack1R3#sh ver | in IOS
>>>>>>>> Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(5a),
>>>>>>>> RELEASE SOFTWARE (fc3)
>>>>>>>>
>>>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>>>
>>>>>>>> _______________________________________________________________________
>>>>>>>> Subscription information may be found at:
>>>>>>>> http://www.groupstudy.com/list/CCIELab.html
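An added check, written here as example code and not posted by anyone in the thread: a small Python audit of the two points the discussion turns on. It verifies that every `login authentication NAME` under `line vty` still refers to a defined `aaa authentication login NAME` list (Farrukh's observation that a re-created list leaves the line pointing at a stale name), and it flags a list whose only method is `line`, the line password, in favour of `local` with a configured username, as Paul suggests. The config text is constructed from Huan's posted output; `OLD_LIST` is an invented stale reference, not something from the thread.

```python
import re

# Constructed sample: Huan's posted VTY_LINE config, plus a second vty range
# that points at a list name that is no longer defined (Farrukh's stale-name case).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login VTY_LINE line
line vty 0 4
 password cisco
 login authentication VTY_LINE
line vty 5 15
 password cisco
 login authentication OLD_LIST
"""

def parse(config):
    # Returns (aaa_new_model, {list_name: [methods]}, {vty_range: list_name or None}).
    new_model, lists, vty, current = False, {}, {}, None
    for line in config.splitlines():
        if line == "aaa new-model":
            new_model = True
        elif m := re.match(r"aaa authentication login (\S+) (.+)", line):
            lists[m.group(1)] = m.group(2).split()
        elif m := re.match(r"line vty (\d+ \d+)", line):
            current = m.group(1)
            vty[current] = None
        elif current and (m := re.match(r"\s+login authentication (\S+)", line)):
            vty[current] = m.group(1)
        elif line and not line.startswith(" "):
            current = None  # left the 'line vty' block
    return new_model, lists, vty

def audit(config):
    # One finding per vty range whose login wiring is missing, stale, or weak.
    new_model, lists, vty = parse(config)
    findings = []
    if not new_model:
        return findings  # without 'aaa new-model' the plain 'login' command governs
    for rng, name in vty.items():
        if name is None:
            if "default" not in lists:
                findings.append(f"vty {rng}: no named list and no default list; "
                                "the implicit default applies")
        elif name not in lists:
            findings.append(f"vty {rng}: references undefined list '{name}'")
        elif lists[name] == ["line"]:
            findings.append(f"vty {rng}: list '{name}' uses only the line password; "
                            "prefer 'local' with a configured username")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the line-password list on vty 0 4 and the undefined list on vty 5 15; a config using `aaa authentication login VTY_LINE local` with a username produces no findings.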
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:18 ART