RE: HELP - I locked myself after enabling aaa new-model ...

From: Huan Pham (Huan.Pham@peopletelecom.com.au)
Date: Sun Sep 14 2008 - 21:26:58 ART


Hi Farrukh and Paul,

I have not set up TACACS nor RADIUS. The debug aaa authentication showed
that LINE_VTY authentication was chosen (as it should be).

However, when LINE_VTY was set up to use "line" authentication, telnet
to the router got locked up.

Correction from my previous posts: When I removed "login authentication
VTY_LINE" from vty, I was able to log on using username/password.

In addition, when I set up VTY_LINE authentication to explicitly use
Local, or None, then the router also worked the way it should (telnet
access is allowed).

So the only problem I see is when I set up the vty to use line authentication.

I am going to upgrade my IOS. I am quite sure that it will fix the
problem.

What IOS version do you recommend for switches?

Regards,

Huan

RSRack1SW2#show debug
General OS:
  TACACS access control debugging is on
  AAA Authentication debugging is on
  AAA Authorization debugging is on
Radius protocol debugging is on
Radius packet protocol debugging is on
RSRack1SW2#
RSRack1SW2#
RSRack1SW2#
RSRack1SW2#
RSRack1SW2#
RSRack1SW2#sh run | in aaa
aaa new-model
aaa authentication login VTY_LINE line
aaa session-id common
RSRack1SW2#sh run | b line vty
line vty 0 4
 privilege level 15
 password cisco
 login authentication VTY_LINE
line vty 5 15
 password cisco
 login authentication VTY_LINE
!
end

RSRack1SW2#telnet 150.1.8.8
Trying 150.1.8.8 ... Open

*Mar 1 00:15:25.515: AAA/BIND(00000009): Bind i/f
*Mar 1 00:15:25.515: AAA/AUTHEN/LOGIN (00000009): Pick method list
'VTY_LINE'

#####################################################################
-_- NO PROMPT for Username nor Password, I used break to get out -_-
#####################################################################

RSRack1SW2#disc
Closing connection to 150.1.8.8 [confirm]
RSRack1SW2#
RSRack1SW2#c
Enter configuration commands, one per line. End with CNTL/Z.
RSRack1SW2(config)#line vty 0 15
RSRack1SW2(config-line)#no login authentication VTY_LINE
RSRack1SW2(config-line)#
RSRack1SW2#
RSRack1SW2#
RSRack1SW2#
RSRack1SW2#

RSRack1SW2#telnet 150.1.8.8
Trying 150.1.8.8 ... Open

User Access Verification

#####################################################################
^_^ PROMPT for Username, I was able to login ^_^
#####################################################################

Username: cisco
*Mar 1 00:19:22.686: AAA/BIND(0000000A): Bind i/f
*Mar 1 00:19:22.686: AAA/AUTHEN/LOGIN (0000000A): Pick method list
'Permanent Local'
Password:

RSRack1SW2#
*Mar 1 00:19:25.756: AAA/AUTHOR (0000000A): Method list id=0 not
configured. Skip author
RSRack1SW2#

RSRack1SW2#c
Enter configuration commands, one per line. End with CNTL/Z.
RSRack1SW2(config)#aaa authentication login VTY_LINE none
RSRack1SW2(config)#line vty 0 15
RSRack1SW2(config-line)# login authentication VTY_LINE
RSRack1SW2(config-line)#
RSRack1SW2#

RSRack1SW2#telnet 150.1.8.8
Trying 150.1.8.8 ... Open

#####################################################################
^_^ I was able to login without any login ^_^
#####################################################################

RSRack1SW2>
*Mar 1 00:23:52.623: AAA/BIND(0000000B): Bind i/f
*Mar 1 00:23:52.631: AAA/AUTHEN/LOGIN (0000000B): Pick method list
'VTY_LINE'
*Mar 1 00:23:52.631: AAA/AUTHOR (0000000B): Method list id=0 not
configured. Skip author

RSRack1SW2#c
Enter configuration commands, one per line. End with CNTL/Z.
RSRack1SW2(config)#aaa authentication login VTY_LINE local
RSRack1SW2(config)#
RSRack1SW2#
RSRack1SW2#
RSRack1SW2#telnet 150.1.8.8
*Mar 1 00:37:50.947: %SYS-5-CONFIG_I: Configured from console by cisco
on vty4 (150.1.8.8)
Trying 150.1.8.8 ... Open

User Access Verification

#####################################################################
^_^ PROMPT for Username, I was able to login ^_^
#####################################################################

Username: cisco
*Mar 1 00:37:54.159: AAA/BIND(0000000C): Bind i/f
*Mar 1 00:37:54.159: AAA/AUTHEN/LOGIN (0000000C): Pick method list
'VTY_LINE'
Password:

RSRack1SW2>
*Mar 1 00:37:57.339: AAA/AUTHOR (0000000C): Method list id=0 not
configured. Skip authorexit

[Connection to 150.1.8.8 closed by foreign host]
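As an added example, not code from this thread, from Cisco or from any of the posters: a small Python audit that pulls the AAA-related statements out of an IOS running-config and flags the two states this thread runs into, a vty whose method list cannot let anyone in (lockout) and one that lets everyone in (`none`). It assumes the behaviour visible in the debug above (a line without `login authentication` uses the default list, and with no default list the 'Permanent Local' database); treating a reference to an undefined list as a fall-back to default is an assumption. `THREAD_CONFIG` is built from the configuration Huan posted; `HARDENED_CONFIG` is the shape Paul recommends, with `REPLACE-ME` as a placeholder secret.

```python
"""Audit an IOS running-config for AAA login lockout and weak-auth risk.
Added example for this thread, not code from the list or from Cisco. It parses only
the IOS subset the thread uses (`aaa new-model`, `aaa authentication login <list>
<method...>`, `username`, `line` stanzas with `password` / `login authentication`);
fall-through from a failing method to the next is not modelled."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class LineStanza:
    name: str                       # e.g. "vty 0 4" or "con 0"
    has_password: bool = False
    login_list: str | None = None   # None -> the "default" list applies


@dataclass
class AaaConfig:
    new_model: bool = False
    login_lists: dict[str, list[str]] = field(default_factory=dict)
    usernames: set[str] = field(default_factory=set)
    lines: list[LineStanza] = field(default_factory=list)


def parse_ios(config: str) -> AaaConfig:
    """Pull the AAA-relevant statements out of `show running-config` text."""
    cfg, current = AaaConfig(), None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:  # inside a line stanza
            if words[0] == "password":
                current.has_password = True
            elif words[:2] == ["login", "authentication"] and len(words) == 3:
                current.login_list = words[2]
            continue
        current = None  # any unindented statement ends the stanza
        if words[0] == "line":
            current = LineStanza(name=" ".join(words[1:]))
            cfg.lines.append(current)
        elif words == ["aaa", "new-model"]:
            cfg.new_model = True
        elif words[:3] == ["aaa", "authentication", "login"] and len(words) >= 5:
            cfg.login_lists[words[3]] = words[4:]
        elif words[0] == "username" and len(words) >= 2:
            cfg.usernames.add(words[1])
    return cfg


def audit(config: str) -> list[tuple[str, str, str]]:
    """Return (kind, line, message): LOCKOUT = nobody can log in, OPEN = no
    authentication at all, WARN = works but relies on a shared line password."""
    cfg = parse_ios(config)
    findings = []
    if not cfg.new_model:  # classic `login` + `password` model, out of scope here
        return findings
    for st in cfg.lines:
        # Named list, else "default", else IOS's local-database fallback ('Permanent
        # Local' in the thread's debug); an undefined named list is assumed to get default.
        lst = st.login_list if st.login_list in cfg.login_lists else "default"
        methods = cfg.login_lists.get(lst)
        if methods is None:
            lst, methods = "Permanent Local", ["local"]
        for m in methods:
            if m == "none":
                findings.append(("OPEN", st.name, f"list {lst!r}: 'none' skips authentication"))
            elif m == "line" and not st.has_password:
                findings.append(("LOCKOUT", st.name, f"list {lst!r}: 'line' with no line password"))
            elif m == "line":
                findings.append(("WARN", st.name, f"list {lst!r}: shared line password; the thread "
                                 "also reports no login prompt with 'line' on its 12.2(44)SE switches"))
            elif m == "local" and not cfg.usernames:
                findings.append(("LOCKOUT", st.name, f"list {lst!r}: 'local' with no username defined"))
            # 'enable', 'group tacacs+' and 'group radius' are not evaluated here
    return findings


# Constructed from the configuration quoted in the thread (no username exists).
THREAD_CONFIG = """\
aaa new-model
aaa authentication login VTY_LINE line
line vty 0 4
 password cisco
 login authentication VTY_LINE
line vty 5 15
 password cisco
 login authentication VTY_LINE
"""

# Paul's suggestion: a local user that the VTYs authenticate against (REPLACE-ME is a placeholder).
HARDENED_CONFIG = """\
aaa new-model
username admin privilege 15 secret REPLACE-ME
aaa authentication login default local
line vty 0 15
 login authentication default
"""
```

Run it over a saved `show running-config` from the console session before touching vty authentication; `audit(THREAD_CONFIG)` returns two WARN findings, and swapping `line` for `local` in that config without adding a `username` turns them into LOCKOUT findings. The check that still matters is the one Huan did: keep the console session open and test a fresh telnet before saving.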

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Farrukh Haroon
Sent: Monday, 15 September 2008 4:14 AM
To: paul cosgrove
Cc: Huan Pham; Huzefa; CCIE Lab
Subject: Re: HELP - I locked myself after enabling aaa new-model ...

It 'may not' show much but it 'might' show something :)

Regards

Farrukh

On Sun, Sep 14, 2008 at 8:38 PM, paul cosgrove <paul.cosgrove@heanet.ie> wrote:

> Hi Farrukh,
>
> Huan included command output at the end of his email showing that the
> switch does not display a command prompt when he telnets to it. Only
> authentication has been configured and he is unable to enter
> authentication details without a command prompt, so the debugs may not
> show much in this case.
>
> Paul.
>
>
> Farrukh Haroon wrote:
>
>> Just do a debug on the following and see what exactly is going wrong:
>>
>> debug aaa authen
>> debug aaa author
>> debug tacacs|radius
>>
>> Regards
>>
>> Farrukh
>>
>> On Sun, Sep 14, 2008 at 6:32 PM, paul cosgrove <paul.cosgrove@heanet.ie> wrote:
>>
>>
>>
>>> Brian's config looks fine (as you would expect). Upgrade the IOS,
>>> or create a local username/password and have your VTYs use that
>>> instead of the line password.
>>>
>>> Even after you have removed the "login authentication" command you
>>> should still be able to telnet. The switch should use the default
>>> method (local - unless you have changed that for dot1x), though you
>>> will obviously not be able to login unless you defined a
>>> username/password. If this does not work then you have another
>>> incentive to upgrade.
>>>
>>> Paul.
>>>
>>>
>>> Huan Pham wrote:
>>>
>>>
>>>
>>>> Thanks,
>>>>
>>>> I still have access to the routers, switches via console. I am only
>>>> unable to telnet to it. So I do not need to do password recovery.
>>>> I am just asking the proper way to enable AAA, (so that I can do
>>>> DOT1X Authentication on a switch).
>>>>
>>>> Regards,
>>>>
>>>>
>>>> --- On Sun, 9/14/08, Huzefa <ratlamwala.huzefa@gmail.com> wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> From: Huzefa <ratlamwala.huzefa@gmail.com>
>>>>> Subject: Re: HELP - I locked myself after enabling aaa new-model ...
>>>>> To: "Huan Pham" <pnhuan@yahoo.com>
>>>>> Cc: "CCIE Lab" <ccielab@groupstudy.com>
>>>>> Date: Sunday, September 14, 2008, 10:56 PM
>>>>>
>>>>> Huan
>>>>>
>>>>> You can always try 'Breaking' the password on any Cisco box, check out the
>>>>> Configuration Guide for more details.
>>>>>
>>>>> On Sun, Sep 14, 2008 at 3:49 PM, Huan Pham <pnhuan@yahoo.com> wrote:
>>>>>
>>>>>> .... using Brian Dennis's COD recommended approach and configuration ;-)
>>>>>>
>>>>>> Here's the config.
>>>>>>
>>>>>> aaa new-model
>>>>>> aaa authentication login VTY_LINE line
>>>>>> line vty 0 15
>>>>>>  password cisco
>>>>>>  login authentication VTY_LINE
>>>>>>
>>>>>> I tried this config on both 3560 and 3550, ending up with the same problem
>>>>>> as described above.
>>>>>>
>>>>>> I applied the same config on a 3640 router, it worked the way I expected,
>>>>>> i.e. I was able to log on using a password (without username). If I removed
>>>>>> the vty command "login authentication VTY_LINE", I was unable to telnet to
>>>>>> the router, also as I expected.
>>>>>>
>>>>>> Maybe the IOS version I used for my switches has a bug, or I am missing
>>>>>> something basic here. Help appreciated.
>>>>>>
>>>>>> Huan
>>>>>>
>>>>>> RSRack1SW3#sh ver | in IOS
>>>>>> Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version
>>>>>> 12.2(44)SE, RELEASE SOFTWARE (fc1)
>>>>>>
>>>>>> RSRack1SW2#sh ver | in IOS
>>>>>> Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version
>>>>>> 12.2(44)SE, RELEASE SOFTWARE (fc1)
>>>>>>
>>>>>> RSRack1SW2#sh run | in aaa
>>>>>> aaa new-model
>>>>>> aaa authentication login VTY_LINE line
>>>>>> aaa session-id common
>>>>>>
>>>>>> RSRack1SW2#sh run | b line vty
>>>>>> line vty 0 4
>>>>>>  password cisco
>>>>>>  login authentication VTY_LINE
>>>>>> line vty 5 15
>>>>>>  password cisco
>>>>>>  login authentication VTY_LINE
>>>>>> !
>>>>>> end
>>>>>>
>>>>>> RSRack1SW2#sh ip int brief | in Loop
>>>>>> Loopback0 150.1.8.8 YES NVRAM up up
>>>>>>
>>>>>> RSRack1SW2#telnet 150.1.8.8
>>>>>> Trying 150.1.8.8 ... Open
>>>>>>
>>>>>> ! -_- NO LOGIN PROMPT -_-
>>>>>>
>>>>>> RSRack1R3#c
>>>>>> Enter configuration commands, one per line. End with CNTL/Z.
>>>>>> RSRack1R3(config)#aaa new-model
>>>>>> RSRack1R3(config)#aaa authentication login VTY_LINE line
>>>>>> RSRack1R3(config)#line vty 0 15
>>>>>> RSRack1R3(config-line)# password cisco
>>>>>> RSRack1R3(config-line)# login authentication VTY_LINE
>>>>>> RSRack1R3(config-line)#
>>>>>> RSRack1R3(config-line)#
>>>>>> RSRack1R3#t
>>>>>> *Mar 1 17:10:57.675: %SYS-5-CONFIG_I: Configured from console by console
>>>>>> RSRack1R3#telnet 150.1.3.3
>>>>>> Trying 150.1.3.3 ... Open
>>>>>>
>>>>>> User Access Verification
>>>>>>
>>>>>> Password:
>>>>>>
>>>>>> RSRack1R3#sh ver | in IOS
>>>>>> Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(5a),
>>>>>> RELEASE SOFTWARE (fc3)
>>>>>>
>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>
>>>>>> _______________________________________________________________________
>>>>>> Subscription information may be found at:
>>>>>> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:18 ART