RE: HELP - I locked myself after enabling aaa new-model ...

From: Huan Pham (Huan.Pham@peopletelecom.com.au)
Date: Mon Sep 15 2008 - 23:10:23 ART


Hi all,

Thanks all for your help.

The problem has gone, after I upgraded IOS to 12.2(44)SE1 as suggested
by Paul.

Cheers,

SW1#c
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#aaa new-model
SW1(config)#aaa authentication login VTY_LINE line
SW1(config)#line vty 0 15
SW1(config-line)# password cisco
SW1(config-line)# login authentication VTY_LINE
SW1(config-line)#
SW1(config-line)#
SW1(config-line)#
SW1#
SW1#
SW1#
SW1#telnet
*Mar 1 00:02:40.331: %SYS-5-CONFIG_I: Configured from console by console
SW1#telnet 150.1.7.7
Trying 150.1.7.7 ... Open

User Access Verification

Password:

SW1#sh ver | in IOS
Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(44)SE1, RELEASE SOFTWARE (fc1)

 

-----Original Message-----
From: Paul Cosgrove [mailto:paul.cosgrove@heanet.ie]
Sent: Monday, 15 September 2008 7:00 PM
To: Huan Pham
Cc: Farrukh Haroon; CCIE Lab
Subject: Re: HELP - I locked myself after enabling aaa new-model ...

Hi Huan,

My own 3560 switches have 12.2(44)SE1 and 12.2(25)SED1 advanced ip
services. Your config works fine with both of these.

Paul.

Huan Pham wrote:
> Hi Farrukh and Paul,
>
> I have not set up TACACS nor RADIUS. The debug aaa authentication
> showed that LINE_VTY authentication was chosen (as it should be).
>
> However, when LINE_VTY was set up to use "line" authentication, telnet
> to the router got locked up.
>
> Correction from my previous posts: When I removed "login
> authentication VTY_LINE" from vty, I was able to log on using
> username/password.
>
> In addition, when I set up VTY_LINE authentication to explicitly use
> Local, or None, then the router also worked the way it should (telnet
> access is allowed).
>
> So only problem I see is when I set up vty to use line authentication.
>
> I am going to upgrade my IOS. I am quite sure that it will fix the
> problem.
>
> What IOS version do you recommend for switches?
>
> Regards,
>
> Huan
>
>
>
>
> RSRack1SW2#show debug
> General OS:
> TACACS access control debugging is on
> AAA Authentication debugging is on
> AAA Authorization debugging is on
> Radius protocol debugging is on
> Radius packet protocol debugging is on
> RSRack1SW2#sh run | in aaa
> aaa new-model
> aaa authentication login VTY_LINE line
> aaa session-id common
>
> RSRack1SW2#sh run | b line vty
> line vty 0 4
> privilege level 15
> password cisco
> login authentication VTY_LINE
> line vty 5 15
> password cisco
> login authentication VTY_LINE
> !
> end
>
>
>
> RSRack1SW2#telnet 150.1.8.8
> Trying 150.1.8.8 ... Open
>
> *Mar 1 00:15:25.515: AAA/BIND(00000009): Bind i/f
> *Mar 1 00:15:25.515: AAA/AUTHEN/LOGIN (00000009): Pick method list 'VTY_LINE'
>
> #####################################################################
> -_- NO PROMPT for Username nor Password, I used break to get out -_-
> #####################################################################
>
>
> RSRack1SW2#disc
> Closing connection to 150.1.8.8 [confirm]
> RSRack1SW2#c
> Enter configuration commands, one per line. End with CNTL/Z.
> RSRack1SW2(config)#line vty 0 15
> RSRack1SW2(config-line)#no login authentication VTY_LINE
> RSRack1SW2(config-line)#
> RSRack1SW2#
>
> RSRack1SW2#telnet 150.1.8.8
> Trying 150.1.8.8 ... Open
>
>
> User Access Verification
>
> #####################################################################
> ^_^ PROMPT for Username, I was able to login ^_^
> #####################################################################
>
>
> Username: cisco
> *Mar 1 00:19:22.686: AAA/BIND(0000000A): Bind i/f
> *Mar 1 00:19:22.686: AAA/AUTHEN/LOGIN (0000000A): Pick method list 'Permanent Local'
> Password:
>
> RSRack1SW2#
> *Mar 1 00:19:25.756: AAA/AUTHOR (0000000A): Method list id=0 not
> configured. Skip author
> RSRack1SW2#
>
>
>
> RSRack1SW2#c
> Enter configuration commands, one per line. End with CNTL/Z.
> RSRack1SW2(config)#aaa authentication login VTY_LINE none
> RSRack1SW2(config)#line vty 0 15
> RSRack1SW2(config-line)# login authentication VTY_LINE
> RSRack1SW2(config-line)#
> RSRack1SW2#
>
>
> RSRack1SW2#telnet 150.1.8.8
> Trying 150.1.8.8 ... Open
>
> #####################################################################
> ^_^ I was able to login without any login ^_^
> #####################################################################
>
> RSRack1SW2>
> *Mar 1 00:23:52.623: AAA/BIND(0000000B): Bind i/f
> *Mar 1 00:23:52.631: AAA/AUTHEN/LOGIN (0000000B): Pick method list
> 'VTY_LINE'
> *Mar 1 00:23:52.631: AAA/AUTHOR (0000000B): Method list id=0 not
> configured. Skip author
>
>
>
> RSRack1SW2#c
> Enter configuration commands, one per line. End with CNTL/Z.
> RSRack1SW2(config)#aaa authentication login VTY_LINE local
> RSRack1SW2(config)#
> RSRack1SW2#
> RSRack1SW2#
> RSRack1SW2#telnet 150.1.8.8
> *Mar 1 00:37:50.947: %SYS-5-CONFIG_I: Configured from console by cisco
> on vty4 (150.1.8.8)
> Trying 150.1.8.8 ... Open
>
>
> User Access Verification
>
> #####################################################################
> ^_^ PROMPT for Username, I was able to login ^_^
> #####################################################################
>
> Username: cisco
> *Mar 1 00:37:54.159: AAA/BIND(0000000C): Bind i/f
> *Mar 1 00:37:54.159: AAA/AUTHEN/LOGIN (0000000C): Pick method list
> 'VTY_LINE'
> Password:
>
> RSRack1SW2>
> *Mar 1 00:37:57.339: AAA/AUTHOR (0000000C): Method list id=0 not
> configured. Skip authorexit
>
> [Connection to 150.1.8.8 closed by foreign host]
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Farrukh Haroon
> Sent: Monday, 15 September 2008 4:14 AM
> To: paul cosgrove
> Cc: Huan Pham; Huzefa; CCIE Lab
> Subject: Re: HELP - I locked myself after enabling aaa new-model ...
>
> It 'may not' show much but it 'might' show something :)
>
> Regards
>
> Farrukh
>
> On Sun, Sep 14, 2008 at 8:38 PM, paul cosgrove
> <paul.cosgrove@heanet.ie> wrote:
>
>
>> Hi Farrukh,
>>
>> Huan included command output at the end of his email showing that the
>> switch does not display a command prompt when he telnets to it. Only
>> authentication has been configured and he is unable to enter
>> authentication details without a command prompt, so the debugs may not
>> show much in this case.
>>
>> Paul.
>>
>>
>> Farrukh Haroon wrote:
>>
>>> Just do a debug on the following and see what exactly is going
>>> wrong:
>>>
>>> debug aaa authen
>>> debug aaa author
>>> debug tacacs|radius
>>>
>>> Regards
>>>
>>> Farrukh
>>>
>>> On Sun, Sep 14, 2008 at 6:32 PM, paul cosgrove
>>> <paul.cosgrove@heanet.ie> wrote:
>>>
>>>> Brian's config looks fine (as you would expect). Upgrade the IOS,
>>>> or create a local username/password and have your VTYs use that
>>>> instead of the line password.
>>>>
>>>> Even after you have removed the "login authentication" command you
>>>> should still be able to telnet. The switch should use the default
>>>> method (local - unless you have changed that for dot1x), though you
>>>> will obviously not be able to login unless you defined a
>>>> username/password. If this does not work then you have another
>>>> incentive to upgrade.
>>>>
>>>> Paul.
>>>>
>>>> Huan Pham wrote:
>>>>
>>>>> Thanks,
>>>>>
>>>>> I still have access to the routers, switches via console. I am only
>>>>> unable to telnet to it. So I do not need to do password recovery.
>>>>> I am just asking the proper way to enable AAA, (so that I can do
>>>>> DOT1X Authentication on a switch).
>>>>>
>>>>> Regards,
>>>>>
>>>>>
>>>>> --- On Sun, 9/14/08, Huzefa <ratlamwala.huzefa@gmail.com> wrote:
>>>>>
>>>>>> From: Huzefa <ratlamwala.huzefa@gmail.com>
>>>>>> Subject: Re: HELP - I locked myself after enabling aaa new-model ...
>>>>>> To: "Huan Pham" <pnhuan@yahoo.com>
>>>>>> Cc: "CCIE Lab" <ccielab@groupstudy.com>
>>>>>> Date: Sunday, September 14, 2008, 10:56 PM
>>>>>>
>>>>>> Huan
>>>>>>
>>>>>> You can always try 'Breaking' the password on any Cisco box, check
>>>>>> out the Configuration Guide for more details.
>>>>>>
>>>>>> On Sun, Sep 14, 2008 at 3:49 PM, Huan Pham <pnhuan@yahoo.com>
>>>>>> wrote:
>>>>>>
>>>>>>> .... using Brian Dennis's COD recommended approach and configuration ;-)
>>>>>>>
>>>>>>> Here's the config.
>>>>>>>
>>>>>>> aaa new-model
>>>>>>> aaa authentication login VTY_LINE line
>>>>>>> line vty 0 15
>>>>>>> password cisco
>>>>>>> login authentication VTY_LINE
>>>>>>>
>>>>>>> I tried this config on both 3560 and 3550, ending up with the same
>>>>>>> problem as described above.
>>>>>>>
>>>>>>> I applied the same config on a 3640 router, it worked the way I
>>>>>>> expected, i.e. I was able to log on using a password (without
>>>>>>> username). If I removed the vty command "login authentication
>>>>>>> VTY_LINE", I was unable to telnet to the router, also as I expected.
>>>>>>>
>>>>>>> Maybe the IOS version I used for my switches has a bug, or I am
>>>>>>> missing something basic here. Help appreciated.
>>>>>>>
>>>>>>> Huan
>>>>>>>
>>>>>>> RSRack1SW3#sh ver | in IOS
>>>>>>> Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version
>>>>>>> 12.2(44)SE, RELEASE SOFTWARE (fc1)
>>>>>>>
>>>>>>> RSRack1SW2#sh ver | in IOS
>>>>>>> Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version
>>>>>>> 12.2(44)SE, RELEASE SOFTWARE (fc1)
>>>>>>>
>>>>>>> RSRack1SW2#sh run | in aaa
>>>>>>> aaa new-model
>>>>>>> aaa authentication login VTY_LINE line
>>>>>>> aaa session-id common
>>>>>>>
>>>>>>> RSRack1SW2#sh run | b line vty
>>>>>>> line vty 0 4
>>>>>>> password cisco
>>>>>>> login authentication VTY_LINE
>>>>>>> line vty 5 15
>>>>>>> password cisco
>>>>>>> login authentication VTY_LINE
>>>>>>> !
>>>>>>> end
>>>>>>>
>>>>>>> RSRack1SW2#sh ip int brief | in Loop
>>>>>>> Loopback0 150.1.8.8 YES NVRAM up up
>>>>>>>
>>>>>>> RSRack1SW2#telnet 150.1.8.8
>>>>>>> Trying 150.1.8.8 ... Open
>>>>>>>
>>>>>>> ! -_- NO LOGIN PROMPT -_-
>>>>>>>
>>>>>>> RSRack1R3#c
>>>>>>> Enter configuration commands, one per line. End with CNTL/Z.
>>>>>>> RSRack1R3(config)#aaa new-model
>>>>>>> RSRack1R3(config)#aaa authentication login VTY_LINE line
>>>>>>> RSRack1R3(config)#line vty 0 15
>>>>>>> RSRack1R3(config-line)# password cisco
>>>>>>> RSRack1R3(config-line)# login authentication VTY_LINE
>>>>>>> RSRack1R3(config-line)#
>>>>>>> RSRack1R3#t
>>>>>>> *Mar 1 17:10:57.675: %SYS-5-CONFIG_I: Configured from console by console
>>>>>>> RSRack1R3#telnet 150.1.3.3
>>>>>>> Trying 150.1.3.3 ... Open
>>>>>>>
>>>>>>> User Access Verification
>>>>>>>
>>>>>>> Password:
>>>>>>>
>>>>>>> RSRack1R3#sh ver | in IOS
>>>>>>> Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(5a),
>>>>>>> RELEASE SOFTWARE (fc3)
>>>>>>>
>>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>>
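The thread above shows three ways a VTY method list can go wrong once `aaa new-model` is on: a list built only on `line` that never prompts on the 12.2(44)SE 3550/3560, a list set to `none` that lets anyone in with no credentials at all, and a `local` list (explicit, or the implicit default Paul describes) with no `username` defined, which locks every remote session out. The script below is an added example for this thread, not code from the list, from any poster, or from Cisco; it audits a pasted `show running-config` for exactly those conditions before the change is committed. The sample configs are constructed to mirror Huan's experiments, the function names are mine, and the parser assumes IOS's one-space indentation of line-mode sub-commands as `show running-config` prints them.

```python
"""Audit a Cisco IOS running-config for VTY login lockout and no-auth risks.

Added example for the mailing-list thread above; not code from the list or
from Cisco. Sample configs are constructed, function names are my own, and
the parser relies on the one-space indentation 'show running-config' uses
for line-mode sub-commands.
"""


def parse_ios_config(text):
    """Extract the pieces that decide how a VTY authenticates a login.

    Returns (aaa_new_model, method_lists, usernames, vty_blocks): method_lists
    maps list name -> methods from 'aaa authentication login'; each vty block
    records its range, whether a line password is set, and which named list
    (if any) its 'login authentication' command points at.
    """
    aaa_new_model, method_lists, usernames, vty_blocks = False, {}, set(), []
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        stripped = raw.strip()
        if not raw.startswith(" "):          # global-config line: ends any line block
            current = None
            if stripped == "aaa new-model":
                aaa_new_model = True
            elif stripped.startswith("aaa authentication login "):
                parts = stripped.split()
                method_lists[parts[3]] = parts[4:]
            elif stripped.startswith("username "):
                usernames.add(stripped.split()[1])
            elif stripped.startswith("line vty "):
                current = {"range": stripped[len("line vty "):],
                           "password": False, "login_list": None}
                vty_blocks.append(current)
        elif current is not None:            # sub-command of the current vty block
            if stripped.startswith("password "):
                current["password"] = True
            elif stripped.startswith("login authentication "):
                current["login_list"] = stripped.split()[2]
    return aaa_new_model, method_lists, usernames, vty_blocks


def resolve_methods(vty, method_lists):
    """Which methods a VTY really uses under aaa new-model.

    'login authentication NAME' selects list NAME; otherwise the 'default'
    list applies. If the needed list is not configured, IOS falls back to
    'local' (the thread's debug shows this as 'Permanent Local').
    """
    name = vty["login_list"] or "default"
    return name, method_lists.get(name, ["local"])


def audit_vty_auth(text):
    """Return human-readable findings for the config; empty list if clean."""
    aaa, lists, users, vtys = parse_ios_config(text)
    findings = []
    if not aaa:
        return findings                      # legacy 'login'/'login local' model: out of scope
    for vty in vtys:
        name, methods = resolve_methods(vty, lists)
        where = f"line vty {vty['range']}"
        if vty["login_list"] and vty["login_list"] not in lists:
            findings.append(f"{where}: list '{name}' is not defined, falls back to local")
        if "none" in methods:
            findings.append(f"{where}: method 'none' grants access with no credentials")
        if "line" in methods and not vty["password"]:
            findings.append(f"{where}: method 'line' but no line password (lockout)")
        if "local" in methods and not users:
            findings.append(f"{where}: method 'local' but no username configured (lockout)")
        if methods == ["line"]:
            findings.append(f"{where}: 'line' is the only method with no fallback; the thread "
                            "saw no prompt at all on 12.2(44)SE 3550/3560, keep console access")
    return findings


# Constructed configs mirroring the thread's experiments (not the real output).
CONFIG_LINE_ONLY = """\
aaa new-model
aaa authentication login VTY_LINE line
aaa session-id common
line vty 0 4
 password cisco
 login authentication VTY_LINE
line vty 5 15
 password cisco
 login authentication VTY_LINE
"""
CONFIG_NONE = CONFIG_LINE_ONLY.replace("VTY_LINE line", "VTY_LINE none")
CONFIG_LOCAL_NO_USER = CONFIG_LINE_ONLY.replace("VTY_LINE line", "VTY_LINE local")
# Paul's suggestion: define a local user and have the VTYs authenticate against it.
CONFIG_LOCAL_USER = """\
aaa new-model
aaa authentication login default local
username admin privilege 15 secret PLACEHOLDER-SET-A-REAL-SECRET
line vty 0 15
 login authentication default
"""

if __name__ == "__main__":
    for label, cfg in [("line only", CONFIG_LINE_ONLY), ("none", CONFIG_NONE),
                       ("local, no user", CONFIG_LOCAL_NO_USER), ("local user", CONFIG_LOCAL_USER)]:
        print(f"== {label} ==")
        for finding in audit_vty_auth(cfg) or ["OK"]:
            print("  " + finding)
```

Run it against the text of `show running-config` taken over the console before the VTYs are changed; the `CONFIG_LOCAL_USER` sample is the shape Paul recommends and is the only one of the four that audits clean. The `resolve_methods` fallback encodes the observation in Huan's debug that a VTY with no usable list lands on `Permanent Local`, which is why an explicit `username` is the precondition for any of this.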



This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:18 ART