aaa new-model

Unanswered Question
Nov 24th, 2008

One of my colleagues accidentally entered "aaa new-model" on a device and the device got locked, since no username/password was configured on it. Now the device is locked and we can't log in. It's a core device. Please let me know how to resolve this issue without a reboot.

Thanks in advance

rajivrajan1 Mon, 11/24/2008 - 23:04

1. Is it possible for you to connect to the console and try? The console should at least work.

If that fails:

2. Do you have SNMP R/W enabled on that device? Is it responding to snmpwalk?

aneesh.ts Tue, 11/25/2008 - 01:46

We have SNMP read-write strings configured on the device, and we have Infovista installed.

Any idea how we can change the device configuration using Infovista?

Thanks in advance

AneesH

rajivrajan1 Tue, 11/25/2008 - 03:41

hi AneesH,

I'm not sure about Infovista; possibly some billing solution, I believe.

1. I strongly recommend you try from the console before doing the following SNMP method.

2. For this you need a TFTP server (reachable from the device whose password you are trying to change).

So do an snmpwalk with your R/W string against the device and make sure it responds.

Then:

snmpset -v 2c -c <rw-string> <router> .1.3.6.1.4.1.9.9.96.1.1.1.1.2.83119 i 1

snmpset -v 2c -c <rw-string> <router> .1.3.6.1.4.1.9.9.96.1.1.1.1.3.83119 i 4

snmpset -v 2c -c <rw-string> <router> .1.3.6.1.4.1.9.9.96.1.1.1.1.4.83119 i 1

snmpset -v 2c -c <rw-string> <router> .1.3.6.1.4.1.9.9.96.1.1.1.1.5.83119 a <tftp-server-ip>

snmpset -v 2c -c <rw-string> <router> .1.3.6.1.4.1.9.9.96.1.1.1.1.6.83119 s <filename>

snmpset -v 2c -c <rw-string> <router> .1.3.6.1.4.1.9.9.96.1.1.1.1.14.83119 i 1

snmpset -v 2c -c <rw-string> <router> .1.3.6.1.4.1.9.9.96.1.1.1.1.3.83119 i 1

snmpset -v 2c -c <rw-string> <router> .1.3.6.1.4.1.9.9.96.1.1.1.1.4.83119 i 4

Usage guidelines:

1. Replace the respective <>s.

2. The first 5 lines set the parameters.

3. The sixth line is the run; it will start copying your running config to the TFTP server (the application should be running).

Now change the password in the config file with Notepad/WordPad (no aaa new-model).

4. The 7th and 8th lines change the sequence (TFTP to run).

Note: it may give an error; wait 5 minutes for the session to expire.

5. Run the 6th line again (run).

Now it will copy the TFTP config to the router.

CAUTION: Don't change anything else by which you may lose the device, apart from the password.

Once you have logged in, don't forget to write the config.

;)

Enjoy.

mahmoodmkl Tue, 11/25/2008 - 04:31

Hi

If you have SolarWinds Engineer's Edition you can do it using the SNMP R/W string.

Use Config Viewer from the tools to download the running-config, or just upload a config into the device like:

conf t

no aaa new-model

Thanks

Mahmood

aneesh.ts Tue, 11/25/2008 - 21:40

We don't have SolarWinds or Kiwi CatTools installed.

We have TFTP running on a Solaris machine here. We tried snmpset from that; it's not working. snmpwalk worked. We suspect it's some issue with the OID or MIBs.

The router IOS version is c7600s72033_rp-ADVIPSERVICES-M.

Kindly find my queries below.

1. We don't have MIBs loaded on our TFTP server. So will it work with OIDs in the snmpset command?

2. The SNMP and TFTP servers are different (they have different IP addresses too). The router is configured to send SNMP traps to the SNMP servers only, not to the TFTP server. We are trying snmpset from the TFTP server, which is not configured under the "snmp-server host" command.

Requesting your valuable suggestions on the above-mentioned points.

Thanks in advance.

rajivrajan1 Tue, 11/25/2008 - 21:55

1. MIBs are not required as you are using direct OIDs.

2. The SNMP client (in this case the router is the SNMP server) and the TFTP server can be different; it doesn't matter, it should work.

Now please let us know:

What is the error you are getting when you try snmpset?

Is it possible for you to attach a screenshot?

aneesh.ts Wed, 11/26/2008 - 04:41

Hi all,

The issue is resolved now. We were able to do it from the TFTP server using snmpset.

To summarise what we did today for everyone: we attempted to unset 'aaa new-model' in the config via SNMP.

First, we created a new file in /var/tftp/ called 'no_aaa'. The contents of this file were:

--

no aaa new-model

user test pass 0 test

--

Once this was done, we then issued the following command:

snmpset -t 60 -c 'RW_STRING' ROUTER_NAME .1.3.6.1.4.1.9.2.1.53.X.X.X.X s no_aaa

Where:

RW_STRING - Read/Write SNMP community string
ROUTER_NAME - The hostname or IP of the router
X.X.X.X - The IP address of the TFTP server

One thing to note here is that the SNMP write string had special characters like $ and @, so we used 'RW_STRING' so that RW_STRING is taken as a single string. When the '' were not there we were getting an "Invalid syntax" error message.

Thank you very much to everyone who helped me resolve this issue...
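The two SNMP recovery paths in this thread (rajivrajan1's CISCO-CONFIG-COPY-MIB row at 1.3.6.1.4.1.9.9.96.1.1.1.1.*.<row>, and the OLD-CISCO-SYS-MIB writeNet object 1.3.6.1.4.1.9.2.1.53.<tftp-ip> that AneesH finally used) are scripted below as an added example; it is not code from the thread or from Cisco. It drives the net-snmp snmpset/snmpget binaries, polls ccCopyState instead of guessing when the copy is done, reads ccCopyFailCause on failure, and destroys the row afterwards so a retry does not have to wait for the old row to expire. It assumes an IOS device with an SNMPv2c read-write community, a TFTP server the device can reach, and that snmpset/snmpget are on PATH; the host names, IPs, file names and the 'RW_STRING' community are placeholders.

```python
"""Recover a Cisco IOS device from an "aaa new-model" lockout over SNMP by
driving the net-snmp CLI tools from Python.

Added example, not code from the thread. Assumes an SNMPv2c read-write community,
an IOS device that implements CISCO-CONFIG-COPY-MIB (or the legacy writeNet object)
and a TFTP server reachable from the device. All host names and IPs are placeholders.
"""
import random
import re
import subprocess
import time

# CISCO-CONFIG-COPY-MIB: ccCopyEntry columns are 1.3.6.1.4.1.9.9.96.1.1.1.1.<column>.<row>
CC_COPY_ENTRY = "1.3.6.1.4.1.9.9.96.1.1.1.1"
COL_PROTOCOL, COL_SRC, COL_DST, COL_SERVER, COL_FILENAME = 2, 3, 4, 5, 6
COL_STATE, COL_FAILCAUSE, COL_ROWSTATUS = 10, 12, 14
PROTO_TFTP = 1
FT_NETWORK, FT_RUNNING = 1, 4            # ccCopySourceFileType / ccCopyDestFileType
ROW_CREATE_AND_GO, ROW_DESTROY = 4, 6    # RowStatus values
FAIL_CAUSE = {1: "unknown", 2: "badFileName", 3: "timeout", 4: "noMem", 5: "noConfig",
              6: "unsupportedProtocol", 7: "someConfigApplyFailed", 8: "systemNotReady",
              9: "requestAborted"}
# OLD-CISCO-SYS-MIB writeNet (the object used in the thread): index is the TFTP server
# address, value is the file name; the device merges that file into running-config.
WRITENET = "1.3.6.1.4.1.9.2.1.53"


def recovery_config(username, secret):
    """Minimal file to merge into running-config to get a login back."""
    # "username ... secret" stores a hash; the thread's "pass 0" stores the cleartext.
    return f"no aaa new-model\nusername {username} secret {secret}\n"


def copy_varbinds(row, direction, tftp_server, filename):
    """(oid, type, value) triples that create one ccCopyEntry row and start the copy."""
    src, dst = {"backup": (FT_RUNNING, FT_NETWORK),         # running-config -> TFTP
                "restore": (FT_NETWORK, FT_RUNNING)}[direction]  # TFTP -> running (merge)
    col = lambda c: f"{CC_COPY_ENTRY}.{c}.{row}"
    return [(col(COL_PROTOCOL), "i", PROTO_TFTP),
            (col(COL_SRC), "i", src),
            (col(COL_DST), "i", dst),
            (col(COL_SERVER), "a", tftp_server),
            (col(COL_FILENAME), "s", filename),
            (col(COL_ROWSTATUS), "i", ROW_CREATE_AND_GO)]


def snmpset_argv(host, community, varbinds):
    """argv for one snmpset carrying all varbinds. Passing an argv list (no shell) means a
    community containing $ or @ needs no quoting, which is the problem hit in the thread."""
    argv = ["snmpset", "-v", "2c", "-c", community, host]
    for oid, typ, value in varbinds:
        argv += [oid, typ, str(value)]
    return argv


def snmpget_argv(host, community, oid):
    # -Oqve: print only the value, numerically (no enum label), so parse_int stays trivial
    return ["snmpget", "-v", "2c", "-c", community, "-Oqve", host, oid]


def writenet_argv(host, community, tftp_server, filename):
    """The thread's one-shot alternative: merge <filename> from <tftp_server> into running."""
    return snmpset_argv(host, community, [(f"{WRITENET}.{tftp_server}", "s", filename)])


def parse_int(output):
    """Pull the integer out of net-snmp output such as '3', 'failed(4)' or '... = INTEGER: 4'."""
    m = re.search(r"(\d+)\)?\s*$", output.strip())
    if not m:
        raise ValueError(f"no integer in snmpget output: {output!r}")
    return int(m.group(1))


def run_cli(argv):
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def copy_config(host, community, direction, tftp_server, filename,
                run=run_cli, sleep=time.sleep, poll=2.0, max_polls=60, row=None):
    """Create a copy row, wait for a terminal ccCopyState, then destroy the row."""
    row = row or random.randint(1, 2**31 - 1)  # any unused index; pick a fresh one per copy
    result = {"row": row, "state": "timeout", "fail_cause": None}
    run(snmpset_argv(host, community, copy_varbinds(row, direction, tftp_server, filename)))
    try:
        for _ in range(max_polls):
            state = parse_int(run(snmpget_argv(host, community, f"{CC_COPY_ENTRY}.{COL_STATE}.{row}")))
            if state == 3:                                    # successful
                result["state"] = "successful"
                return result
            if state == 4:                                    # failed: ask why
                cause = parse_int(run(snmpget_argv(host, community, f"{CC_COPY_ENTRY}.{COL_FAILCAUSE}.{row}")))
                result.update(state="failed", fail_cause=FAIL_CAUSE.get(cause, str(cause)))
                return result
            sleep(poll)                                       # waiting(1) / running(2)
        return result
    finally:
        # Always free the row so a retry does not stall on the old row, as the thread warns.
        run(snmpset_argv(host, community, [(f"{CC_COPY_ENTRY}.{COL_ROWSTATUS}.{row}", "i", ROW_DESTROY)]))


if __name__ == "__main__":
    # Placeholder device, community and TFTP server: take a backup first, then merge the fix.
    print(copy_config("core-router", "RW_STRING", "backup", "10.0.0.5", "core-before.cfg"))
    print(copy_config("core-router", "RW_STRING", "restore", "10.0.0.5", "no_aaa"))
```

A few things worth keeping in mind when using it. Both copy paths merge the file into running-config rather than replacing it, so the recovery file should contain only the lines you need applied (the thread's caution about not touching anything else applies), and the change is not saved until you log in and write memory. The recovery file crosses the network over TFTP in cleartext with a credential in it, so use a throwaway secret and replace it once you are back in. Finally, this whole thread is a demonstration that an SNMPv2c read-write community is equivalent to full configuration access from anywhere the device will accept UDP/161 from; restrict it with an access list on the snmp-server community line and move to SNMPv3 with authentication and privacy where the platform supports it.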

r-tyrell Tue, 06/02/2009 - 10:46

I wanted to say thanks for this post. It bailed me out big time. We had done a configuration recovery from CiscoWorks to one of our switches. I downloaded a backup configuration from RME, TFTP'd it to the switch and configured it as the startup configuration. What I did not know was that as a security measure CiscoWorks ******** all the passwords, SNMP community strings, TACACS key, etc. After uploading the config with ******** I lost access to the switch because no usernames got installed. I used your method in conjunction with the CiscoWorks SNMPSET command located in Device Center to remove the aaa group and add a username and password. If anyone locks themselves out of a switch but still has SNMP access, this method is awesome!

I had opened a TAC case and it got reassigned three times before I finally figured out how to do it myself.

Thanks again,

-Rick
