Re: HELP - I locked myself after enabling aaa new-model ...

From: paul cosgrove (paul.cosgrove@heanet.ie)
Date: Sun Sep 14 2008 - 17:54:36 ART


Interesting. I suppose the authentication method will have to be
checked in order to determine what prompt to display.

Paul

Farrukh Haroon wrote:
> I faced a similar issue once, e.g. I made a AAA method list with the
> name 'abc' and applied it to the VTY line. Then I removed that method
> list and re-configured it with the same name 'abc'. One would expect
> that the line vty would not require re-entering the 'login
> authentication abc' command since I was using the same name. But
> surprisingly, when I ran the debugs I found out that instead of using
> the name 'abc', there was an internal integer/number used by the IOS
> to map the method list to the line. Since the new 'abc' method list
> had a different number than the OLD 'abc' method list, AAA broke! This
> is just one example. I don't know if this was a bug or a 'feature' :)
>
> Regards
>
> Farrukh
>
> On Sun, Sep 14, 2008 at 10:00 PM, paul cosgrove <paul.cosgrove@heanet.ie> wrote:
>
> Well no doubt Huan will let us know how he resolves the problem.
> I'm just not clear what information you expect to see from 'debug
> tacacs' and 'debug author' when neither have been configured, or
> 'debug authen' before authentication has been attempted.
>
> Paul
>
>
> Farrukh Haroon wrote:
>
> It 'may not' show much but it 'might' show something :)
>
> Regards
>
> Farrukh
>
> On Sun, Sep 14, 2008 at 8:38 PM, paul cosgrove <paul.cosgrove@heanet.ie> wrote:
>
> Hi Farrukh,
>
> Huan included command output at the end of his email showing that the
> switch does not display a command prompt when he telnets to it. Only
> authentication has been configured and he is unable to enter
> authentication details without a command prompt, so the debugs may not
> show much in this case.
>
> Paul.
>
>
> Farrukh Haroon wrote:
>
> Just do a debug on the following and see what exactly is going wrong:
>
> debug aaa authen
> debug aaa author
> debug tacacs|radius
>
> Regards
>
> Farrukh
>
> On Sun, Sep 14, 2008 at 6:32 PM, paul cosgrove <paul.cosgrove@heanet.ie> wrote:
>
> Brian's config looks fine (as you would expect). Upgrade the IOS, or
> create a local username/password and have your VTYs use that instead of
> the line password.
>
> Even after you have removed the "login authentication" command you should
> still be able to telnet. The switch should use the default method (local -
> unless you have changed that for dot1x), though you will obviously not be
> able to login unless you defined a username/password. If this does not
> work then you have another incentive to upgrade.
>
> Paul.
>
>
> Huan Pham wrote:
>
> Thanks,
>
> I still have access to the routers, switches via console. I am only
> unable to telnet to it. So I do not need to do password recovery.
> I am just asking the proper way to enable AAA, (so that I can do DOT1X
> Authentication on a switch).
>
> Regards,
>
>
> --- On Sun, 9/14/08, Huzefa <ratlamwala.huzefa@gmail.com> wrote:
>
> From: Huzefa <ratlamwala.huzefa@gmail.com>
> Subject: Re: HELP - I locked myself after enabling aaa new-model ...
> To: "Huan Pham" <pnhuan@yahoo.com>
> Cc: "CCIE Lab" <ccielab@groupstudy.com>
> Date: Sunday, September 14, 2008, 10:56 PM
>
> Huan
> You can always try 'Breaking' the password on any Cisco box, check out the
> Configuration Guide for more details.
>
> On Sun, Sep 14, 2008 at 3:49 PM, Huan Pham <pnhuan@yahoo.com> wrote:
>
> .... using Brian Dennis's COD recommended approach and configuration ;-)
>
> Here's the config.
>
> aaa new-model
> aaa authentication login VTY_LINE line
> line vty 0 15
> password cisco
> login authentication VTY_LINE
>
> I tried this config on both 3560 and 3550, ending up with the same problem
> as described above.
>
> I applied the same config on a 3640 router, it worked the way I expected,
> i.e. I was able to log on using a password (without username). If I removed
> the vty command "login authentication VTY_LINE", I was unable to telnet to
> the router, also as I expected.
>
> Maybe the IOS version I used for my switches has a bug, or I am missing
> something basic here. Help appreciated.
>
> Huan
>
> RSRack1SW3#sh ver | in IOS
> Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(44)SE, RELEASE SOFTWARE (fc1)
>
> RSRack1SW2#sh ver | in IOS
> Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(44)SE, RELEASE SOFTWARE (fc1)
>
> RSRack1SW2#sh run | in aaa
> aaa new-model
> aaa authentication login VTY_LINE line
> aaa session-id common
>
> RSRack1SW2#sh run | b line vty
> line vty 0 4
> password cisco
> login authentication VTY_LINE
> line vty 5 15
> password cisco
> login authentication VTY_LINE
> !
> end
>
> RSRack1SW2#sh ip int brief | in Loop
> Loopback0 150.1.8.8 YES NVRAM up up
>
> RSRack1SW2#telnet 150.1.8.8
> Trying 150.1.8.8 ... Open
>
> ! -_- NO LOGIN PROMPT -_-
>
> RSRack1R3#c
> Enter configuration commands, one per line. End with CNTL/Z.
> RSRack1R3(config)#aaa new-model
> RSRack1R3(config)#aaa authentication login VTY_LINE line
> RSRack1R3(config)#line vty 0 15
> RSRack1R3(config-line)# password cisco
> RSRack1R3(config-line)# login authentication VTY_LINE
> RSRack1R3(config-line)#
> RSRack1R3(config-line)#
> RSRack1R3#t
> *Mar 1 17:10:57.675: %SYS-5-CONFIG_I: Configured from console by console
> RSRack1R3#telnet 150.1.3.3
> Trying 150.1.3.3 ... Open
>
> User Access Verification
>
> Password:
>
> RSRack1R3#sh ver | in IOS
> Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(5a), RELEASE SOFTWARE (fc3)
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
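As an added example (not from the thread or any of its posters), here is a lockout-resistant way to turn on `aaa new-model` that follows Paul's advice to authenticate the VTYs against a local user instead of the line password, and keeps the console on its own method list so that a broken VTY list can never cost you console access. The list name VTY_LINE is reused from the thread; the CONSOLE list name, the username and the placeholder secrets are my own choices.

```text
! Added example, not the thread's own config. Lines starting with "!" are
! ignored by IOS, so this can be pasted as-is after replacing the placeholders.
aaa new-model
!
! A local account with a hashed secret (not a cleartext "password").
! Create it BEFORE applying any method list that depends on it.
username netadmin privilege 15 secret <replace-with-strong-secret>
enable secret <replace-with-strong-secret>
!
! VTYs: authenticate against the local user database rather than the
! per-line "password cisco" (the "line" method that failed on the 3550/3560).
aaa authentication login VTY_LINE local
!
! Console: a separate list, so a bad VTY list cannot lock the console out.
! Use "none" here only on lab gear with trusted physical access.
aaa authentication login CONSOLE local
!
line con 0
 login authentication CONSOLE
!
line vty 0 15
 login authentication VTY_LINE
!
! Verification (do this from a SECOND telnet session before closing the console):
!   show run | section aaa
!   debug aaa authentication      <- Farrukh's suggestion; shows which list/method the VTY used
!
! Caveat from Farrukh's post: if you ever remove and re-create a method list
! under the same name, re-enter "login authentication <name>" on the lines,
! because IOS binds lines to the list by an internal number, not by the name.
```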

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:18 ART