Production CAT6500 Locked Out

Unanswered Question
Jun 14th, 2009

Hi,


With the user admin, I deleted the enable secret from the configuration and did not add a new one and exited.


Now I can log in with admin user but upon doing 'enable' I get 'Error in Authentication'.


enable secret is still visible in the startup-config as I did not save the configs.


How can I activate the enable mode (Level 15) without doing any reboot etc.?


I can however, get into the enable (Level 7) mode but unfortunately, 'config t' is restricted on Level 7.


Please assist.


Thanks a lot.

Overall Rating: 4 (1 ratings)
mahmoodmkl Sun, 06/14/2009 - 22:31

Hi


Do you have SolarWinds? You can modify the config using the SNMP string.


Thanks

Mahmood

tech_trac Sun, 06/14/2009 - 22:35

Yes. I do have SolarWinds. How can I modify the config/add the enable secret via SNMP from SolarWinds?


SNMP is configured for Read-Only string though.


Thanks

mahmoodmkl Sun, 06/14/2009 - 22:53

Hi


You can configure using the config viewer utility, but as you said you have only a read-only string, it's not going to work.


Are you not able to access the device even if connected from the console?


Thanks

Mahmood

tech_trac Sun, 06/14/2009 - 22:58


Currently, I can only ssh over IP network.


I will have to travel to the physical site for console access which is not at all a problem.


Wouldn't the enable (Level 15) be restricted on console as well?


Thanks.





Edison Ortiz Mon, 06/15/2009 - 05:18

If you are using a TACACS+ server, you can assign privileges to Level 7 from the server itself so you can get into the configuration mode and make the necessary changes. Once the changes are made, you can revert the privileges on the server.


If you aren't using a TACACS+ server, the only suggestion is to reload. You can schedule a reload from the switch.


The console won't provide any additional access in this case.


__


Edison.

tech_trac Mon, 06/15/2009 - 06:34


Hi,


We are not using TACACS+ server. I tried from the console and it didn't ask for the enable password. And hence I was able to do the required changes.


Does removing all enable secrets from the configuration remove the need to put in the enable password from the console?


Regards.

Edison Ortiz Mon, 06/15/2009 - 06:39

Yes, you can have either enable secret, enable password or both in the configuration.


It seems you were able to gain access from the console without a password prompt because you have 'no login' under line con 0.


http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_a1.html#wp1030077


In this case, it helped you solve the problem, but it's not recommended to have this command in the config as it violates a security practice to secure the console.



__


Edison.
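
An added example, not part of the thread or any poster's code: a small audit that scans a saved IOS configuration for the two conditions discussed above, a missing Level 15 enable secret/password and 'no login' under a line section. The sample configuration, hostname and function names are constructed for illustration.

```python
import re

# Constructed sample config fragment (not taken from the thread).
SAMPLE_CONFIG = """\
hostname SW1
!
enable secret level 7 5 $1$constructed$placeholder
!
line con 0
 no login
 stopbits 1
line vty 0 4
 login local
 transport input ssh
!
end
"""

def has_level15_enable(lines):
    """True if an enable secret/password exists for level 15 (the default level)."""
    for line in lines:
        m = re.match(r"enable (?:secret|password)(?: level (\d+))?\s", line)
        if m and m.group(1) in (None, "15"):
            return True
    return False

def audit(config):
    """Return findings for the two conditions discussed in the thread."""
    lines = config.splitlines()
    findings = []
    if not has_level15_enable(lines):
        findings.append("no level 15 enable secret or enable password")
    section = None
    for line in lines:
        if line and not line[0].isspace():
            # Top-level command: track it only when it opens a line section.
            section = line.strip() if line.startswith("line ") else None
        elif section and line.strip() == "no login":
            findings.append(f"{section}: 'no login' set, no password prompt")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Running the same check against both the startup-config and the running-config before exiting a session shows whether an unsaved change has removed the Level 15 secret.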

tech_trac Mon, 06/15/2009 - 21:49

Hi,


I checked the config and the line console 0 does not have 'no login' configuration.


What could be the other reason for enable to work without a password?
