Re: HELP - I locked myself after enabling aaa new-model ...

From: Pavel Bykov (slidersv@gmail.com)
Date: Sun Sep 14 2008 - 21:20:50 ART


Please try "transport input telnet" on the VTY. I think I've seen an IOS bug
that did similar to what you are experiencing.

On Mon, Sep 15, 2008 at 1:39 AM, Huan Pham
<Huan.Pham@peopletelecom.com.au> wrote:

> Hi Paul,
>
> You're right. That's my understanding. Also that's what Brian said.
>
> I tried setting up a local username, but it did not help. As you saw in
> my previous post, when I removed " login authentication VTY_LINE" from
> vty line, I did not get any prompt for username at all! Things are
> working fine on C3640.
>
> This must be a bug. Do you have recommendation for a particular IOS
> version I should use?
>
> Regards,
>
> Huan
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> paul cosgrove
> Sent: Monday, 15 September 2008 1:32 AM
> To: Huan Pham
> Cc: Huzefa; CCIE Lab
> Subject: Re: HELP - I locked myself after enabling aaa new-model ...
>
> Brian's config looks fine (as you would expect). Upgrade the IOS, or
> create a local username/password and have your VTYs use that instead of
> the line password.
>
> Even after you have removed the "login authentication" command you
> should still be able to telnet. The switch should use the default
> method (local - unless you have changed that for dot1x), though you will
> obviously not be able to login unless you defined a username/password.
>
> If this does not work then you have another incentive to upgrade.
>
> Paul.
>
> Huan Pham wrote:
> > Thanks,
> >
> > I still have access to the routers, switches via console. I am only
> > unable to telnet to it. So I do not need to do password recovery.
> >
> > I am just asking the proper way to enable AAA, (so that I can do DOT1X
> > Authentication on a switch).
> >
> > Regards,
> >
> >
> > --- On Sun, 9/14/08, Huzefa <ratlamwala.huzefa@gmail.com> wrote:
> >
> >
> >> From: Huzefa <ratlamwala.huzefa@gmail.com>
> >> Subject: Re: HELP - I locked myself after enabling aaa new-model ...
> >> To: "Huan Pham" <pnhuan@yahoo.com>
> >> Cc: "CCIE Lab" <ccielab@groupstudy.com>
> >> Date: Sunday, September 14, 2008, 10:56 PM
> >>
> >> Huan
> >>
> >> You can always try 'Breaking' the password on any Cisco box, check out the
> >> Configuration Guide for more details.
> >>
> >> On Sun, Sep 14, 2008 at 3:49 PM, Huan Pham <pnhuan@yahoo.com> wrote:
> >>
> >>
> >>> .... using Brian Dennis's COD recommended approach and configuration ;-)
> >>
> >>> Here's the config.
> >>>
> >>> aaa new-model
> >>> aaa authentication login VTY_LINE line
> >>> line vty 0 15
> >>>  password cisco
> >>>  login authentication VTY_LINE
> >>>
> >>>
> >>> I tried this config on both 3560 and 3550, ending up with the same problem
> >>> as described above.
> >>>
> >>> I applied the same config on a 3640 router, it worked the way I expected,
> >>> i.e. I was able to log on using a password (without username). If I removed
> >>> the vty command "login authentication VTY_LINE", I was unable to telnet to
> >>> the router, also as I expected.
> >>>
> >>> Maybe the IOS version I used for my switches has a bug, or I am missing
> >>> something basic here. Help appreciated.
> >>>
> >>>
> >>> Huan
> >>>
> >>>
> >>>
> >>>
> >>> RSRack1SW3#sh ver | in IOS
> >>> Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version
> >>> 12.2(44)SE, RELEASE SOFTWARE (fc1)
> >>>
> >>> RSRack1SW2#sh ver | in IOS
> >>> Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version
> >>> 12.2(44)SE, RELEASE SOFTWARE (fc1)
> >>>
> >>> RSRack1SW2#sh run | in aaa
> >>> aaa new-model
> >>> aaa authentication login VTY_LINE line
> >>> aaa session-id common
> >>>
> >>> RSRack1SW2#sh run | b line vty
> >>> line vty 0 4
> >>> password cisco
> >>> login authentication VTY_LINE
> >>> line vty 5 15
> >>> password cisco
> >>> login authentication VTY_LINE
> >>> !
> >>> end
> >>>
> >>> RSRack1SW2#sh ip int brief | in Loop
> >>> Loopback0 150.1.8.8 YES NVRAM up up
> >>>
> >>> RSRack1SW2#telnet 150.1.8.8
> >>> Trying 150.1.8.8 ... Open
> >>>
> >>>
> >>> ! -_- NO LOGIN PROMPT -_-
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> RSRack1R3#c
> >>> Enter configuration commands, one per line. End with CNTL/Z.
> >>> RSRack1R3(config)#aaa new-model
> >>> RSRack1R3(config)#aaa authentication login VTY_LINE line
> >>> RSRack1R3(config)#line vty 0 15
> >>> RSRack1R3(config-line)# password cisco
> >>> RSRack1R3(config-line)# login authentication VTY_LINE
> >>> RSRack1R3(config-line)#
> >>> RSRack1R3(config-line)#
> >>> RSRack1R3#t
> >>> *Mar 1 17:10:57.675: %SYS-5-CONFIG_I: Configured from console by console
> >>> RSRack1R3#telnet 150.1.3.3
> >>> Trying 150.1.3.3 ... Open
> >>>
> >>>
> >>> User Access Verification
> >>>
> >>> Password:
> >>>
> >>> RSRack1R3#sh ver | in IOS
> >>> Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(5a),
> >>> RELEASE SOFTWARE (fc3)
> >>>
> >>>
> >>> Blogs and organic groups at http://www.ccie.net
> >>>
> >>> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html

-- 
Pavel Bykov
-------------------------------------------------
Stop the braindumps!
http://www.stopbraindumps.com/
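A pre-flight check for the lockout discussed in this thread, added here as a constructed example rather than code from any poster. It models the method-list resolution Paul describes (a VTY with no "login authentication" uses the default list, which under aaa new-model falls back to local, so with no username defined nobody can log in) and assumes only the line, local and none methods; it is a simplification of IOS, not IOS itself.

```python
# Constructed example modelling the thread's AAA reasoning; it is not IOS code.
def parse_ios(cfg):
    """Pull out the parts of an IOS config that decide VTY login behaviour."""
    m = {"new_model": False, "lists": {}, "users": set(), "vty": []}
    block = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if raw.startswith("line vty"):            # start of a 'line vty X Y' block
            block = {"range": line[9:], "password": None, "list": None}
            m["vty"].append(block)
        elif raw.startswith("line "):             # con/aux block ends the vty block
            block = None
        elif line == "aaa new-model":
            m["new_model"] = True
        elif line.startswith("aaa authentication login "):
            _, _, _, name, *methods = line.split()  # e.g. VTY_LINE -> ['line']
            m["lists"][name] = methods
        elif line.startswith("username "):
            m["users"].add(line.split()[1])
        elif block and line.startswith("password "):
            block["password"] = line.split()[-1]
        elif block and line.startswith("login authentication "):
            block["list"] = line.split()[2]
    return m

def vty_login_outcome(m, block):
    """Login outcome on this VTY; only the line/local/none methods are modelled."""
    if not m["new_model"]:
        return "classic mode: AAA lists not in effect"
    # No line-level list means 'default'; an unconfigured default is 'local' (assumption).
    methods = m["lists"].get(block["list"] or "default", ["local"])
    for method in methods:
        if method == "line" and block["password"]:
            return "line password"
        if method == "local" and m["users"]:
            return "local username"
        if method == "none":
            return "no authentication"
    return "LOCKOUT: no usable method"

def check_vty_lockout(cfg):  # pre-flight: each 'line vty' range -> login outcome
    m = parse_ios(cfg)
    return {b["range"]: vty_login_outcome(m, b) for b in m["vty"]}
HUAN_CFG = """aaa new-model
aaa authentication login VTY_LINE line
line vty 0 15
 password cisco
 login authentication VTY_LINE
"""
NO_LIST_CFG = HUAN_CFG.replace(" login authentication VTY_LINE\n", "")  # the lockout case
```

Run check_vty_lockout over a candidate config before pasting it into a box; the fix for the lockout case is a username line (or a default list that names a method the box can actually satisfy).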


This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:18 ART