Can't get into router

Nov 17th, 2008


I need a couple of tricks if you have any. I have a radius server that authenticates logins for our routers. Over the weekend, I sent a new router to a branch. I can log into the router and get the ">" prompt, but when I try to do enable I get "% Error in Authentication."

I've tried to console in via remote control of computer logged in with the same thing. I shut off the radius server over the weekend, and I can log into the router with the local account, but the local account doesn't have a privilege level set, so I get the same problem.

Now what I wanted to try is to get the router to roll over to the local account WHILE the radius server is up. I removed the entries from my radius server for that router, but it still can "see" the radius server, so I can't log into the router with the local account.

Any tricks to getting this thing to roll over without bringing the radius service down?



Richard Burts Mon, 11/17/2008 - 08:05


If you have removed the configuration for the client router from the server I would think that even though the client can send an authentication request to the server that the server would reject it with an unknown client type response. I would have thought that response would allow the remote router to fall back to local authentication (and it has been my experience with TACACS that it does).

But if that is not working then I wonder if it is possible to set up a filter (access list or whatever) between the remote router and the server that would deny authentication requests from that remote router to that server? If the request is dropped then there is no response from the server and the remote router should fall back to local authentication.



John Blakley Mon, 11/17/2008 - 09:01


Here's what I did to fix it: (man, I'm glad I got it to work.)

I removed the branch's IP addresses from the radius server completely. Then I had the local person console into the router, and I took control of his machine. Fortunately, I didn't have restrictions on the console port, and I was able to get into it that way.

It was missing the enable password in the config, and after I put that in, the world was fine. :-)

Thanks for your suggestion! I really appreciate it!


Richard Burts Mon, 11/17/2008 - 09:10


Thanks for posting back and indicating that you had solved the problem, with what the problem was and how you fixed it. It makes the forum more useful when people can read about a problem, and can read what was done that successfully resolved the problem.

It is an easy thing to do to neglect to configure an enable password. And with no enable password (and no privilege level configured on the vty) the only way into privilege mode is via the console. You found a creative way to solve your problem. Congratulations.
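A pre-deployment check for the lockout described in this thread, added here as an example and not code from any poster: it scans an IOS-style configuration for a missing enable password, an enable method list with no usable fallback, and the absence of a privilege 15 local user. The sample configs, the finding names, and the assumption that the router used `aaa authentication enable default group radius enable` are constructed for illustration.

```python
import re

def parse_methods(tokens):
    """Collapse 'group <name>' pairs into single method entries."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def audit_enable_access(config):
    """Return finding codes for an IOS-style config supplied as text."""
    lines = [ln.strip() for ln in config.splitlines()]
    has_enable = any(re.match(r"enable (secret|password)\s", ln) for ln in lines)
    has_priv15 = any(re.match(r"username \S+ privilege 15\s", ln) for ln in lines)
    methods = []
    for ln in lines:
        m = re.match(r"aaa authentication enable default\s+(.+)", ln)
        if m:
            methods = parse_methods(m.group(1).split())
    findings = []
    if not has_enable:
        findings.append("no-enable-secret")
    if any(m.startswith("group ") for m in methods):
        if "enable" not in methods:
            # Server unreachable: nothing left to try for enable.
            findings.append("enable-has-no-local-fallback")
        elif not has_enable:
            # Fallback is listed but there is no password to fall back to.
            findings.append("enable-fallback-unusable")
    if not has_priv15:
        findings.append("no-privilege-15-local-user")
    return findings

# Constructed sample configs (not taken from the thread).
AS_SHIPPED = """aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
username branchadmin secret 5 <hash-placeholder>
radius-server host 192.0.2.10 key <key-placeholder>
"""
FIXED = (AS_SHIPPED + "enable secret 5 <hash-placeholder>\n"
         "username netops privilege 15 secret 5 <hash-placeholder>\n")

if __name__ == "__main__":
    print(audit_enable_access(AS_SHIPPED), audit_enable_access(FIXED))
```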



