From: Huan Pham (Huan.Pham@peopletelecom.com.au)
Date: Sun Sep 14 2008 - 21:31:32 ART
Thanks Pavel for your suggestion. However, that trick did not help.
RSRack1SW2#sh run | in aaa
aaa new-model
aaa authentication login VTY_LINE line
aaa session-id common

RSRack1SW2#sh run | b line vty
line vty 0 4
 privilege level 15
 password cisco
 login authentication VTY_LINE
 transport input telnet
line vty 5 15
 password cisco
 login authentication VTY_LINE
 transport input telnet
!
end
RSRack1SW2#telnet 150.1.8.8
Trying 150.1.8.8 ... Open
*Mar 1 00:53:09.264: AAA/BIND(0000000E): Bind i/f
*Mar 1 00:53:09.264: AAA/AUTHEN/LOGIN (0000000E): Pick method list 'VTY_LINE'
#####################################################################
-_- NO PROMPT for Username nor Password, I used break to get out -_-
#####################################################################
________________________________
From: Pavel Bykov [mailto:slidersv@gmail.com]
Sent: Monday, 15 September 2008 10:21 AM
To: Huan Pham
Cc: paul cosgrove; Huzefa; CCIE Lab
Subject: Re: HELP - I locked myself after enabling aaa new-model ...
Please try "transport input telnet" on the VTY.

I think I've seen an IOS bug that did similar to what you are experiencing.
On Mon, Sep 15, 2008 at 1:39 AM, Huan Pham <Huan.Pham@peopletelecom.com.au> wrote:

Hi Paul,

You're right. That's my understanding. Also that's what Brian said.

I tried setting up a local username, but it did not help. As you saw in my
previous post, when I removed "login authentication VTY_LINE" from the vty
line, I did not get any prompt for username at all! Things are working fine
on C3640.

This must be a bug. Do you have a recommendation for a particular IOS
version I should use?

Regards,
Huan
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of paul cosgrove
Sent: Monday, 15 September 2008 1:32 AM
To: Huan Pham
Cc: Huzefa; CCIE Lab
Subject: Re: HELP - I locked myself after enabling aaa new-model ...

Brian's config looks fine (as you would expect). Upgrade the IOS, or create
a local username/password and have your VTYs use that instead of the line
password.

Even after you have removed the "login authentication" command you should
still be able to telnet. The switch should use the default method (local -
unless you have changed that for dot1x), though you will obviously not be
able to login unless you defined a username/password.

If this does not work then you have another incentive to upgrade.

Paul.
Huan Pham wrote:
> Thanks,
>
> I still have access to the routers, switches via console. I am only
> unable to telnet to it. So I do not need to do password recovery.
>
> I am just asking the proper way to enable AAA, (so that I can do DOT1X
> Authentication on a switch).
>
> Regards,
>
>
> --- On Sun, 9/14/08, Huzefa <ratlamwala.huzefa@gmail.com> wrote:
>
>
>> From: Huzefa <ratlamwala.huzefa@gmail.com>
>> Subject: Re: HELP - I locked myself after enabling aaa new-model ...
>> To: "Huan Pham" <pnhuan@yahoo.com>
>> Cc: "CCIE Lab" <ccielab@groupstudy.com>
>> Date: Sunday, September 14, 2008, 10:56 PM
>>
>> Huan
>>
>> You can always try 'Breaking' the password on any Cisco box, check out
>> the Configuration Guide for more details.
>>
>> On Sun, Sep 14, 2008 at 3:49 PM, Huan Pham <pnhuan@yahoo.com> wrote:
>>
>>> .... using Brian Dennis's COD recommended approach
>>>
>> and configuration ;-)
>>
>>> Here's the config.
>>>
>>> aaa new-model
>>> aaa authentication login VTY_LINE line
>>> line vty 0 15
>>>  password cisco
>>>  login authentication VTY_LINE
>>>
>>> I tried this config on both 3560 and 3550, ending up with the same
>>> problem as described above.
>>>
>>> I applied the same config on a 3640 router, it worked the way I
>>> expected, i.e. I was able to log on using a password (without
>>> username). If I removed the vty command "login authentication
>>> VTY_LINE", I was unable to telnet to the router, also as I expected.
>>>
>>> Maybe the IOS version I used for my switches has a bug, or I am
>>> missing something basic here. Help appreciated.
>>>
>>> Huan
>>>
>>> RSRack1SW3#sh ver | in IOS
>>> Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version
>>> 12.2(44)SE, RELEASE SOFTWARE (fc1)
>>>
>>> RSRack1SW2#sh ver | in IOS
>>> Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version
>>> 12.2(44)SE, RELEASE SOFTWARE (fc1)
>>>
>>> RSRack1SW2#sh run | in aaa
>>> aaa new-model
>>> aaa authentication login VTY_LINE line
>>> aaa session-id common
>>>
>>> RSRack1SW2#sh run | b line vty
>>> line vty 0 4
>>>  password cisco
>>>  login authentication VTY_LINE
>>> line vty 5 15
>>>  password cisco
>>>  login authentication VTY_LINE
>>> !
>>> end
>>>
>>> RSRack1SW2#sh ip int brief | in Loop
>>> Loopback0    150.1.8.8    YES NVRAM    up    up
>>>
>>> RSRack1SW2#telnet 150.1.8.8
>>> Trying 150.1.8.8 ... Open
>>>
>>> ! -_- NO LOGIN PROMPT -_-
>>>
>>> RSRack1R3#c
>>> Enter configuration commands, one per line. End with CNTL/Z.
>>> RSRack1R3(config)#aaa new-model
>>> RSRack1R3(config)#aaa authentication login VTY_LINE line
>>> RSRack1R3(config)#line vty 0 15
>>> RSRack1R3(config-line)# password cisco
>>> RSRack1R3(config-line)# login authentication VTY_LINE
>>> RSRack1R3(config-line)#
>>> RSRack1R3(config-line)#
>>> RSRack1R3#t
>>> *Mar 1 17:10:57.675: %SYS-5-CONFIG_I: Configured from console by console
>>> RSRack1R3#telnet 150.1.3.3
>>> Trying 150.1.3.3 ... Open
>>>
>>> User Access Verification
>>>
>>> Password:
>>>
>>> RSRack1R3#sh ver | in IOS
>>> Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(5a),
>>> RELEASE SOFTWARE (fc3)
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>
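The question running through the thread is how to turn on AAA without losing VTY access. The following is an added example, not configuration posted by anyone in the thread and not Brian Dennis's material: it places the "line password only" method list exactly as posted next to the alternative Paul describes, a local user plus explicit method lists, arranged so that the console cannot lock you out while you test. The hostname, the username "admin", the method-list name CONSOLE and the secret are placeholders.

```cisco
! Added example, not configuration from the thread.
! Hostname, username, list names and secret are placeholders.
!
! --- As posted: VTY login depends only on the line password ---
aaa new-model
aaa authentication login VTY_LINE line
!
line vty 0 15
 password cisco
 login authentication VTY_LINE
 transport input telnet
!
! --- Alternative (Paul's suggestion): authenticate against a local user.
!     Create the user BEFORE "aaa new-model" so the default list, which is
!     "local" unless you define one, already has an account to check.
!     Give the console its own list so testing cannot lock you out.
!     "none" on the console is a lab convenience only: anyone with physical
!     console access gets in. In production keep the console on a local or
!     server-backed list and rely on physical security.
!
username admin privilege 15 secret <strong-secret>
!
aaa new-model
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authentication login VTY_LINE local
aaa session-id common
!
line con 0
 login authentication CONSOLE
!
line vty 0 15
 login authentication VTY_LINE
 transport input telnet
```

Apply it the way Huan did: keep the console session open, run `debug aaa authentication` there, and telnet to the box from a second session. You should see the method list being picked, as in the AAA/AUTHEN/LOGIN line at the top of this message, followed by a Username: prompt for the local user. Only once that second session has logged in successfully is it safe to close the console.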
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:18 ART