Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
340
Views
0
Helpful
2
Replies

AAA Misconfig

ergonullu
Level 1
Level 1

‎03-10-2009 06:56 AM - edited ‎03-04-2019 03:52 AM

Hello All

aaa new-model

aaa authentication login default group tacacs+ line

aaa authentication enable default group tacacs+ enable

was the lines that I had to enter but I missed the second line.Router asks me an user name and password but it does not accept my user name and password (console telnet and enable passswords also locally defined and being tried not working)

Any idea how to get into the router?

(Besides restarting, remotely)

Thx

Ersin

Labels:
0 Helpful
2 Replies 2

John Blakley
VIP Alumni
VIP Alumni

‎03-10-2009 07:31 AM

Did you configure a tacacs server? If not, it should roll over to the line password on the vty. Although, you should have went under your vty line and added "login authentication default" for it to check your AAA lines. (It may just have a password on the line.)

If you configured your tacacs server and the server is responding, it won't rollover to the next authentication method. You'll need to configure your login information on the tacacs server. I don't use tacacs, but if it's anything like radius, you'll have to tell the tacacs server the client address (the router address), and you'll need your username and password listed in tacacs, or have tacacs authenticate to something else: ldap, AD, etc.

I would just reload and start from scratch; it may be the easiest thing to do.

HTH,

John

HTH, John *** Please rate all useful posts ***
0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎03-10-2009 08:08 AM

Hello Ersin,

when testing AAA the following suggestions:

never save the config before end of test

have a primary session that you never close

test by opening a new telnet session to the same device

I would use a named AAA method :

default method is applied automatically to line vty

example

aaa authentication login AAAlogin group tacacs+ line

so then you can add only to line vty

line vty 0 4

login authentication AAAlogin

in this way you don't lose the console

you need to break ip connectivity with the tacacs server if possible without losing ip connectivity to the device I was able to recover in some cases using this method (a /32 static route to null0 for the ip addres of the router on the next device to tacacs server to block return traffic from tacacs)

OR

you can contact the tacacs+ server administrator and apply for a valid account (username and password) that you need to test the solution after all

Hope to help

Giuseppe

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card