Lost access to the IOS device

nawas
Level 4

Is there any way to get into the device when you don't have a local user defined and you have lost the TACACS server? I'm in the situation where I have lost the TACACS server and there is no local user defined in the device. I console into it and I get the username prompt, but the device is unable to talk to the TACACS server. I'm trying options other than doing a password recovery, which requires a reboot.

8 Replies

Pravin Phadte
Level 5

There are SNMP tools which can be used.

SolarWinds is one of them, where you use the IP address of the device and the SNMP RW string, which is what you need to know.

With this you can pull the config of the device. Then you can set a local username for console or vty as per your config, or remove the TACACS config, and log in to the device. This will be without any reboot.

Unfortunately there is no IP connectivity to the device. Can I push SNMP config through the console?

I am sorry, that would not be possible through the console.

Nawaz

If the console is prompting for a user name to authenticate but there is no user defined, and if there is no ip connectivity so telnet is not possible, then I am not sure that there is any alternative to doing password recovery.

I am a little puzzled about the situation. You are reluctant to do password recovery because it requires a reboot, which would seem to indicate that it is a live functioning router that you do not want to disturb. But if I understand the post right there is no IP connectivity. How can there be no IP connectivity if it is a live functioning router? Or how could there be no IP connectivity and no telnet capability if there is IP connectivity? Perhaps you could explain more about your situation?

HTH

Rick


I know it is an interesting situation, so let me explain to you what happened. It is a layer 2 switch in VTP transparent mode and it is working fine, except I accidentally removed the management VLAN from the switch when trying to remove unused VLANs. Now I'm in the situation that I can't telnet/SSH to the switch because the mgmt VLAN (VLAN 600) is not active in the switch, therefore it is unable to talk to the TACACS server. I can't access it via console because it asks for the username/password and unfortunately no local user is defined. It is live and working because all the other VLANs are there.

Hi nawas,

Is there any IP address that has been configured for VLAN 1 or any other VLAN that you are able to ping from the network?

Have you also tried to log in from the switch or the router which is connected to it?

If you are able to ping any of the VLAN IP addresses from the local LAN, then there can be a possibility of adding the command back using SNMP.

Let us know.

I wish there was, but there is only one IP address configured in this switch, which is the mgmt IP in VLAN 600, and VLAN 600 is no longer there. I don't think I have any other option but to do the password recovery.

Nawaz

With that explanation it makes a lot of sense. If it is a layer 2 switch that is functioning to forward at layer 2 on user VLANs but does not have a management address, and if access through the console is prompting for a username, then I believe that your only option is password recovery.

HTH

Rick

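The thread ends where it has to: with the console method list pointing only at a TACACS+ server that can no longer be reached and no `username` to fall back on, password recovery (and the reboot) is the only way in. The condition is easy to spot in a running-config before it bites. The script below is an added example, not code from this thread or from Cisco; it audits an IOS-style config for three things the replies touch on: whether `line con 0` has a login method that still works when every AAA server is unreachable, whether a `local` fallback actually has a `username` behind it, and whether an SNMP RW community (the recovery path Pravin suggested) is present, since that string is a full write credential for the box and should be restricted. The two configs are constructed for the example; the secret and community strings are placeholders.

```python
"""Audit an IOS-style running-config for the lockout in this thread: console
login that depends on an unreachable TACACS+ server with no local fallback.
Added example; the sample configs are constructed and the secret/community
strings are placeholders, not values from the thread."""
from __future__ import annotations
import re

# Console-usable login methods that need no reachable AAA server.
OFFLINE_METHODS = {"local", "local-case", "enable", "line", "none"}

# Constructed: the state nawas describes. TACACS+ only, no 'username',
# plus an RW community (the path Pravin suggested).
LOCKED_OUT_CONFIG = """\
hostname access-sw-1
aaa new-model
aaa authentication login default group tacacs+
tacacs-server host 192.0.2.10
snmp-server community CONSTRUCTED-rw RW
line con 0
 login authentication default
line vty 0 4
 login authentication default
"""

# Constructed: same switch with a local user, a 'local' fallback on the
# default list, and a console-only list that never touches TACACS+.
RESILIENT_CONFIG = """\
hostname access-sw-1
aaa new-model
username admin privilege 15 secret PLACEHOLDER-change-me
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
tacacs-server host 192.0.2.10
snmp-server community CONSTRUCTED-ro RO
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
"""


def parse_login_method_lists(config: str) -> dict[str, list[str]]:
    """{list_name: [method, ...]}; 'group tacacs+' etc. fold into one token."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        tokens, methods = m.group(2).split(), []
        while tokens:
            tok = tokens.pop(0)
            methods.append(f"group {tokens.pop(0)}" if tok == "group" and tokens else tok)
        lists[m.group(1)] = methods
    return lists


def local_usernames(config: str) -> list[str]:
    return sorted(set(re.findall(r"^username (\S+)", config, re.M)))


def line_block(config: str, line_name: str) -> str:
    """Indented body of a 'line <name>' block, or '' if the block is absent."""
    m = re.search(rf"^line {re.escape(line_name)}\n((?: .*\n?)*)", config, re.M)
    return m.group(1) if m else ""


def console_login_list(config: str) -> str:
    """Method list applied to 'line con 0'; under aaa new-model an
    unlabelled line uses the 'default' list."""
    m = re.search(r"^ login authentication (\S+)", line_block(config, "con 0"), re.M)
    return m.group(1) if m else "default"


def rw_communities(config: str) -> list[str]:
    """Community strings granted RW (the keyword is case-insensitive on IOS)."""
    found = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] == ["snmp-server", "community"] and "rw" in (t.lower() for t in tokens[3:]):
            found.append(tokens[2])
    return found


def _method_usable(method: str, config: str, users: list[str]) -> bool:
    """Would this method still admit someone with every AAA server down?"""
    if method == "none":
        return True
    if method in ("local", "local-case"):
        return bool(users)                      # 'local' with no username = lockout
    if method == "enable":
        return re.search(r"^enable (?:secret|password) ", config, re.M) is not None
    if method == "line":
        return " password " in line_block(config, "con 0")
    return False                                # group tacacs+/radius and the like


def audit(config: str) -> dict:
    users = local_usernames(config)
    list_name = console_login_list(config)
    methods = parse_login_method_lists(config).get(list_name, [])
    usable = [m for m in methods if m in OFFLINE_METHODS and _method_usable(m, config, users)]
    findings = []
    if "aaa new-model" not in config.splitlines():
        findings.append("aaa new-model absent: method lists do not apply; check line passwords")
    if not usable:
        findings.append(f"console list '{list_name}' {methods}: no working fallback once "
                        "the TACACS+/RADIUS servers are unreachable")
    if any(m.startswith("local") for m in methods) and not users:
        findings.append("method list names 'local' but no 'username' is configured")
    for c in rw_communities(config):
        findings.append(f"SNMP community '{c}' is RW: it can rewrite the config remotely; "
                        "restrict it with an ACL and treat it as a credential")
    return {"console_list": list_name, "console_methods": methods, "local_users": users,
            "rw_communities": rw_communities(config),
            "console_survives_aaa_outage": bool(usable), "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("locked-out", LOCKED_OUT_CONFIG), ("resilient", RESILIENT_CONFIG)):
        result = audit(cfg)
        print(f"[{label}] console survives AAA outage: {result['console_survives_aaa_outage']}")
        for finding in result["findings"]:
            print("   -", finding)
```

Run against a `show running-config` capture, the locked-out sample reports that the `default` list has no working fallback and flags the RW community; the resilient sample passes cleanly because its console list is `local` and a `username` exists to satisfy it. The dedicated `CONSOLE` list is the design point: it keeps physical console access independent of whether the management VLAN, and with it the TACACS+ server, is still reachable.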