Lost access to the IOS device

Unanswered Question
Jun 9th, 2008

Is there any way to get into the device when you don't have a local user defined and you have lost the TACACS server? I'm in the situation where I have lost the TACACS server and there is no local user defined in the device. I console into it and I get the username prompt, but the device is unable to talk to the TACACS server. I'm trying options other than doing a password recovery, which requires a reboot.

Pravin Phadte Mon, 06/09/2008 - 06:10
User Badges:
  • Silver, 250 points or more

There are snmp tools which can be used.


Solarwinds is one of them where you can use the ip address of the device and SNMP string RW is what you should know.


In this you can pull the config of the device. And then you can set a local username for console or vty as per your config, or remove the TACACS config and log in to the device. This will be without any reboot.

nawas Mon, 06/09/2008 - 06:13

Unfortunately there is no ip connectivity to the device. Can I push snmp config through the console?

Pravin Phadte Mon, 06/09/2008 - 06:17
User Badges:
  • Silver, 250 points or more

I am sorry, that would not be possible through console.

Richard Burts Mon, 06/09/2008 - 07:18
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Nawaz


If the console is prompting for a user name to authenticate but there is no user defined, and if there is no ip connectivity so telnet is not possible, then I am not sure that there is any alternative to doing password recovery.


I am a little puzzled about the situation. You are reluctant to do password recovery because it requires a reboot, which would seem to indicate that it is a live functioning router that you do not want to disturb. But if I understand the post right there is no IP connectivity. How can there be no IP connectivity if it is a live functioning router? Or how could there be no IP connectivity and no telnet capability if there is IP connectivity? Perhaps you could explain more about your situation?


HTH


Rick

nawas Mon, 06/09/2008 - 07:27

I know it is an interesting situation, let me explain to you what happened. It is a layer 2 switch in VTP transparent mode and it is working fine, except I accidentally removed the management VLAN from the switch when trying to remove unused VLANs. Now I'm in the situation that I can't telnet/ssh to the switch because the mgmt VLAN (vlan 600) is not active in the switch, therefore it is unable to talk to the TACACS server. I can't access via console because it asks for the username/password and unfortunately no local user is defined. It is live and working because all other VLANs are there.

Pravin Phadte Mon, 06/09/2008 - 07:31
User Badges:
  • Silver, 250 points or more

Hi nawas,


Is there any IP address that has been configured for vlan 1 or any other VLAN that you are able to ping from the network?


Have you also tried to log in from the switch or the router which is connected to it ?


If you are able to ping any of the VLAN IP addresses from the local LAN, then there is a possibility of adding the command back using SNMP.


Let us know.

nawas Mon, 06/09/2008 - 07:46

I wish there was, but there is only one IP address configured in this switch, which is the mgmt IP in vlan 600, and vlan 600 is no longer there. I don't think I have any other option but to do the password recovery.

Richard Burts Mon, 06/09/2008 - 07:52
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Nawaz


With that explanation it makes a lot of sense. If it is a layer 2 switch that is functioning to forward at layer 2 on user VLANs but does not have a management address, and if access through the console is prompting for a username, then I believe that your only option is password recovery.


HTH


Rick
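Added configuration example, not part of the thread: the lockout described above is the result of a login method list whose only method is TACACS+ and a device with no local user, shown here beside the hardened form that falls back to the local database when no server answers. IOS syntax is assumed to be the 2008-era `tacacs-server host` form; the server address, account name and secrets are placeholders.

```cisco
! Weak configuration (constructed example): TACACS+ is the only login
! method and no local user exists. Once the management VLAN is gone the
! switch cannot reach the server, so the console prompt can never be
! satisfied and the only way back in is password recovery.
aaa new-model
aaa authentication login default group tacacs+
tacacs-server host 192.0.2.10 key TACACS-KEY-PLACEHOLDER
!
! Hardened configuration: IOS moves to the next method in a list only when
! the previous method returns an ERROR (server unreachable), not on an
! explicit reject, so "group tacacs+ local" keeps TACACS+ authoritative
! while still allowing login when every server is unreachable.
aaa new-model
!
! Local fallback account and enable secret (placeholder values).
username admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
enable secret REPLACE-WITH-STRONG-ENABLE-SECRET
!
! Default list for vty lines: TACACS+ first, local only on server error.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Dedicated console list: local database first, so physical console
! access never depends on IP reachability to the TACACS+ server.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
!
tacacs-server host 192.0.2.10 key TACACS-KEY-PLACEHOLDER
```

Check the result with `show running-config | section aaa` and confirm the fallback account works on the console before relying on it; the local secret must be managed as tightly as the TACACS+ credentials it stands in for.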
