03-10-2009 06:56 AM - edited 03-04-2019 03:52 AM
Hello All
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
were the lines that I had to enter, but I missed the second line. The router asks me for a user name and password but it does not accept my user name and password (console, telnet and enable passwords are also locally defined and are being tried; not working).
Any idea how to get into the router?
(Besides restarting, remotely)
Thx
Ersin
03-10-2009 07:31 AM
Did you configure a tacacs server? If not, it should roll over to the line password on the vty. Although, you should have gone under your vty line and added "login authentication default" for it to check your AAA lines. (It may just have a password on the line.)
If you configured your tacacs server and the server is responding, it won't rollover to the next authentication method. You'll need to configure your login information on the tacacs server. I don't use tacacs, but if it's anything like radius, you'll have to tell the tacacs server the client address (the router address), and you'll need your username and password listed in tacacs, or have tacacs authenticate to something else: ldap, AD, etc.
I would just reload and start from scratch; it may be the easiest thing to do.
HTH,
John
03-10-2009 08:08 AM
Hello Ersin,
when testing AAA the following suggestions:
never save the config before end of test
have a primary session that you never close
test by opening a new telnet session to the same device
I would use a named AAA method:
default method is applied automatically to line vty
example
aaa authentication login AAAlogin group tacacs+ line
so then you can add only to line vty
line vty 0 4
 login authentication AAAlogin
in this way you don't lose the console
you need to break ip connectivity with the tacacs server, if possible without losing ip connectivity to the device. I was able to recover in some cases using this method (a /32 static route to null0 for the ip address of the router on the next device to tacacs server to block return traffic from tacacs)
OR
you can contact the tacacs+ server administrator and apply for a valid account (username and password) that you need to test the solution after all
Hope to help
Giuseppe
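As an added example (not part of any post in this thread), here is a Python check over a saved IOS configuration that reports which lines try a server group first. It reflects the point made above: the `default` login list applies to every line including the console, while a named list applies only where `login authentication` binds it. The two sample configurations and all function names are constructed for illustration.

```python
import re
# Constructed sample configs (not taken from a real device).
RISKY = """\
aaa new-model
aaa authentication login default group tacacs+ line
line con 0
line vty 0 4
 password s3cret
"""
SAFER = """\
aaa new-model
aaa authentication login AAAlogin group tacacs+ line
line con 0
line vty 0 4
 password s3cret
 login authentication AAAlogin
"""

def login_method_lists(cfg):
    """Map each 'aaa authentication login' list name to its ordered methods."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", cfg, re.M):
        toks, methods = m.group(2).split(), []
        while toks:
            t = toks.pop(0)
            # 'group <name>' is one method made of two tokens
            methods.append(f"group {toks.pop(0)}" if t == "group" and toks else t)
        lists[m.group(1)] = methods
    return lists

def line_bindings(cfg):
    """Map each line block to the login list it uses ('default' if unset)."""
    bindings, current = {}, None
    for raw in cfg.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            bindings[current] = "default"
        elif current and raw.startswith(" "):
            m = re.match(r"\s+login authentication (\S+)", raw)
            bindings[current] = m.group(1) if m else bindings[current]
        else:
            current = None  # left the line block
    return bindings

def audit(cfg):
    """Return (line, list_name, methods) for lines whose first method is a server group."""
    lists = login_method_lists(cfg)
    return [(line, name, lists[name])
            for line, name in line_bindings(cfg).items()
            if lists.get(name, [""])[0].startswith("group ")]
```

Running `audit` on a candidate configuration before pasting it into a device shows whether the console is among the lines that depend on the server answering.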