3005 Concentrator Administrator Locked Out

admin_2
Level 3

3005 running 4.7 code. I can log in via console as admin, but not telnet or https. I have verified:

1. telnet access is allowed

2. https access is allowed

3. there are no Admin AAA servers

4. the range that I am attempting https and telnet access from is allowed in the manager workstation list

I can access https, but when I attempt to log in, it says invalid login.

There are Authentication Servers set up in the system menu to be used by users and clients, but I didn't think that it applied to administrators for the concentrator itself. If this is what is happening, where can I tell the concentrator NOT to use AAA servers for administrators of the concentrator itself? BTW, I have set up the admin account to have level 15 access.

Thanks in advance for any recommendations.

3 Replies

Brandon Buffin
VIP Alumni

Setting up Authentication servers does not apply to the local admin login. Take a look at the following document regarding password recovery.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_password_recovery09186a008009434f.shtml

Hope this helps. If so, please rate the post.

Brandon

JORGE RODRIGUEZ
Level 10

Hi, I suspect it may not be a password recovery issue, as you are indicating you can log in as an admin with password credentials through the console but not https or telnet.

What I believe you need to do is instruct the VPN concentrator what IP addresses are allowed to connect to the VPN concentrator via telnet or https or http for that matter. You indicated that https and telnet are already allowed, but try going to the administration section access control list and tell the concentrator by adding the IP addresses or subnet that are allowed to https and telnet to the device.

Console to the VPN and log in as admin.

Go to

1- Administration

2- Access Control List

In the access control list select add, then in the field window add the IP address you want to allow or a subnet. Say you want to allow a subnet 10.3.4.0/25, then add 10.3.4.0 and 24 bit mask for the subnet field to match the 1st three octets etc., and place the subnet in the GROUP-1, which is the admin group.

If you want to allow just selected IP addresses instead of a subnet, say host 10.3.4.100 and 10.3.4.101, then add a new entry for each of the IP addresses and use 32 bit mask in the subnet field to match every octet and place them in admin group-1... try this and see if that works.

Rgds

Jorge

Jorge Rodriguez

I found out what the issue was. I had SSL client authentication enabled under the HTTPS settings under SSL/Tunneling and Security settings. This required a personal certificate installed in the browser, and a trusted certificate installed in the server. For this authentication to work, the VPN Concentrator must have a root CA certificate installed; and a certificate signed by one of the VPN Concentrator's trusted CAs must be installed in the web browser on the PC you are using to manage the VPN Concentrator.

So I disabled this, and now I can connect via https.

Hopefully this post will save someone time in the future with figuring this out! Thanks to all who replied to this post.