con and telnet login authenticated against ACS

Answered Question
Dec 4th, 2007
User Badges:

i forgot to configure fall back authentication method, and the above authentication does not work. How can restore the switch to no authentication?

Thank you.

Correct Answer by ccbootcamp about 9 years 4 months ago

yes, you need to follow the instructions with pressing the mode button upon plugging in the power. follow the instructions here:


(please rate the post if this helps!)

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)

I believe you are saying you implemented TACACS or password authentication before you enabled a password enable or secret. You can try a password recovery, link is below. The AAA command no aaa new-model will disable aaa authentication.

To disable AAA, use the no aaa new-model global configuration command. To disable 802.1X AAA authentication, use the no aaa authentication dot1x {default | list-name} method1 [method2...] global configuration command. To disable 802.1X authentication, use the dot1x port-control force-authorized or the no dot1x port-control interface configuration command.


333maomao Tue, 12/04/2007 - 19:39
User Badges:

I cannt login into the switch at the moment, since i am prompted for username/password at both console and telnet session because i enaled aaa authentication using command "login authentication " on line con and line vty 0-4. [This authentication method turns out does NOT work, unfortunately i did not define one fall back method should ACS fails:(]

I tried password recovery, but it didn't remove the console&telnet aaa authentication.

Another way i can connect to switch 3560 is through http(to be honest, i never used it), however it requires username/password, does anyone know the default username/password for http access to 3560? Thank you.

Richard Burts Tue, 12/04/2007 - 19:49
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


I do not believe that there is any default username/password on the 3560.

I am not entirely clear from the original description whether you have configured a local userID and whether you have configured an enable password/secret? If you have configured both a user ID and an enable password/secret, then you should try to point your web browser at the address of the 3560. Assuming that you are prompted, then enter the user ID that you configured and the enable password/secret.

If that does not work, then I would like to understand better what it means when you said that you tried password recovery but it didn't remove the console & tlenet aaa authentication. If password recovery works, then it should leave the 3560 with no config (especially no aaa authentication), and if you copied the startup config into running config then you should have been in a position to remove the aaa authentication.



bvsnarayana03 Tue, 12/04/2007 - 20:28
User Badges:
  • Silver, 250 points or more

If you have set the password by recovery method, then you should be able to login to the router provided the ACS server is disconnected from network or you remove this routers entry from ACS. In absence of communication with ACS, router permits to login with locally assigned username & password even with aaa commands under telnet & console.

ccbootcamp Tue, 12/04/2007 - 21:21
User Badges:
  • Gold, 750 points or more

Password recovery will definitely work. We have people leave their configs like this (aka rack idiots who don't clean off their rack after use) on our remote rental racks on a regular basis. You need to power-cycle the switch, hold done the mode button, and boot to no config. Copy over the startup config to the running config, and make your AAA config modifcations. Then save your config to NVRAM.


(please rate the post if this helps!)

333maomao Tue, 12/04/2007 - 22:34
User Badges:


your solution is so close to solve my issue,however password recover failed on me, maybe because "booting manually" is enabled on my 3560.

I managed to login into 3560 via http, however very limited configuration you can do through http. You can not even reset switch to factory default through http. Is there any hidden way to reset the switch to factory default?

Thank you.


This Discussion