10-05-2009 12:23 PM - edited 03-04-2019 06:15 AM
Hi All,
Any idea? After cleaning up all the routers' and switches' config files, sw3 still asks for a RADIUS username and password.
When logging in on the console and using the 3550 password recovery procedure, it still asks for a username and password.
When I configure aaa new-model, no username is asked for, only the password "cisco" is typed in. (Please see the detailed config file below.)
Note: This is for CCIE R&S home lab rack.
==========
// radius server locks sw3
Access-Server#9
[Resuming connection 9 to sw3 ... ]
User Access Verification
Username:
Username: cisco
Password:
% Backup authentication
00:27:36: %RADIUS-4-RADIUS_DEAD: RADIUS server 150.100.1.254:1645,1646 is not responding.
00:27:36: %RADIUS-4-RADIUS_ALIVE: RADIUS server 150.100.1.254:1645,1646 has returned.
Username:
===========
sw3#sh run
Building configuration...
Current configuration : 4655 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sw3
!
!
aaa new-model
aaa authentication dot1x default group radius
!
aaa session-id common
mls qos
ip subnet-zero
ip routing
no ip domain-lookup
!
!
!
!
!
!
dot1x system-auth-control
dot1x guest-vlan supplicant
no file verify auto
!
!
interface FastEthernet0/11
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 999
dot1x auth-fail vlan 999
!
interface FastEthernet0/12
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 999
dot1x auth-fail vlan 999
!
interface FastEthernet0/13
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 999
dot1x auth-fail vlan 999
!
interface FastEthernet0/14
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 999
dot1x auth-fail vlan 999
!
interface FastEthernet0/15
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 999
dot1x auth-fail vlan 999
!
interface FastEthernet0/16
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 999
dot1x auth-fail vlan 999
!
interface FastEthernet0/17
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 999
dot1x auth-fail vlan 999
!
interface FastEthernet0/18
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 999
dot1x auth-fail vlan 999
!
interface FastEthernet0/19
switchport mode dynamic desirable
channel-group 1 mode desirable
!
interface FastEthernet0/20
switchport mode dynamic desirable
channel-group 1 mode desirable
!
interface FastEthernet0/21
switchport mode dynamic desirable
!
interface FastEthernet0/22
switchport mode dynamic desirable
!
interface FastEthernet0/23
switchport mode dynamic desirable
channel-group 2 mode desirable
!
interface FastEthernet0/24
switchport mode dynamic desirable
channel-group 2 mode desirable
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip http server
ip http secure-server
!
radius-server host 150.100.1.254 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key cisco
10-05-2009 12:38 PM
I'm not quite sure what your end result is. Are you trying to use RADIUS or not?
Once you enable aaa new-model, you have to specify the login method. If you are only using the RADIUS server for dot1x and not for console access, then you would want:
make sure you have a user/pass set
aaa authentication login default local
If you WANT to use the radius to authenticate:
aaa authentication login default local group radius
That will let you have a "backup" so if your radius fails, you can get in using the local group.
It's typical for people to lock themselves out when doing their dot1x labs for their CCIE's :) Don't sweat it.
HTH,
Craig
10-05-2009 02:12 PM
Thanks Craig for the help.
What is the local group? How do I get back into the switch? I don't know the username; I only know I type in the password "cisco".
Please kindly show me how to log back into the switch.
10-05-2009 02:14 PM
Tried to do password recovery per the Cisco doc, but the config.text file is missing from the flash dir:
switch: dir flash:
Directory of flash:/
2 -rwx 5276
3 -rwx 0
4 -rwx 7131928
5 drwx 64
24 -rwx 326
7 drwx 192
26 -rwx 24
10-05-2009 02:17 PM
Cisco Catalyst Fixed Configuration Layer 2 and Layer 3 Switches
10-05-2009 02:45 PM
// this is fixed, per this doc:
Note: I needed to rename "private-config.text" in my switch's flash dir to config.text.
Thanks Craig for the enlightenment on the issue.
10-05-2009 03:12 PM
Glad you got it worked out!
The "local group" is actually 2 separate pieces of the aaa syntax:
aaa authentication
default
local
group radius
That is how they are actually grouped. The "group radius" portion just specifies to use all of the RADIUS servers in the group; the group is defined when you put in the radius host IP information.
The "local" just specifies to look at the local user/password. If you changed the order and put local after the radius, then it would look at the RADIUS first, then the local if the RADIUS failed.
HTH,
Craig
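As an added check (not from this thread, Cisco, or Craig), the script below audits a saved running-config for the lockout condition discussed above: aaa new-model enabled with no explicit login method list, a login list with no local/line/enable fallback, or a local method with no username defined. The two sample configs are constructed from the snippets in this thread and Craig's suggested fix; the admin username and secret are placeholders.

```python
import re

# Constructed excerpt of the locked-out sw3 config quoted earlier in the thread
LOCKED_OUT_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
!
radius-server host 150.100.1.254 auth-port 1645 acct-port 1646
radius-server key cisco
"""

# Constructed fix following Craig's advice: a local user plus a login list
# that falls back to local when every RADIUS server is unreachable.
FIXED_CONFIG = """\
username admin privilege 15 secret PLACEHOLDER_SECRET
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
!
radius-server host 150.100.1.254 auth-port 1645 acct-port 1646
radius-server key cisco
"""

# Methods that do not depend on an external server answering
NON_SERVER_METHODS = {"local", "local-case", "line", "enable", "none"}


def check_aaa_lockout(config: str) -> list[str]:
    """Return findings that indicate console/VTY lockout risk in an IOS config."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        return findings  # legacy line/enable passwords apply; nothing AAA-specific to check
    has_user = any(line.startswith("username ") for line in lines)
    login_lists = [line for line in lines if line.startswith("aaa authentication login ")]
    if not login_lists:
        findings.append("aaa new-model is set but no 'aaa authentication login' list is defined")
    for line in login_lists:
        match = re.match(r"aaa authentication login (\S+) (.+)", line)
        name, methods = match.group(1), match.group(2).split()
        if not NON_SERVER_METHODS.intersection(methods):
            findings.append(f"login list '{name}' has no local/line/enable fallback: {methods}")
    if not has_user:
        findings.append("no 'username' configured, so a 'local' method has nothing to match")
    return findings


if __name__ == "__main__":
    for label, cfg in (("locked-out", LOCKED_OUT_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_aaa_lockout(cfg) or "OK")
```

Run it against a copy of `show running-config` before saving, so the fallback is verified while you still have a session open.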
10-05-2009 03:44 PM
// Thanks Craig. I have done this lab many times without being locked out of the switch. Not sure why it got locked out by the RADIUS server this time.
Is there any way we can specify a username for aaa new-model to prevent being locked out of the switch again?
Also, this would be a good point for the CCIE lab troubleshooting section after the 10/18/09 lab change: 3550/60 password recovery.
aaa new-model
aaa authentication dot1x default group radius
!
dot1x system-auth-control
dot1x guest-vlan supplicant
!
radius-server host 150.100.1.254 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key cisco
10-05-2009 07:20 PM
Replied by: jeye - Network Consulting Engineer, Cisco Systems, Inc., CCIE - Oct 5, 2009, 1:23pm PST
Have you used no aaa new-model
or
del flash:/config.text?
no aaa new-model should remove the authentication and del flash:/config.text should wipe the switch clean except the VLAN database.
Regards,
jerry
10-05-2009 07:22 PM
1. no aaa new-model // I can't log in to the switch
2. del flash:/config.text // this should work.
10-05-2009 07:23 PM
Replied by: jeye - Network Consulting Engineer, Cisco Systems, Inc., CCIE - Oct 5, 2009, 3:52pm PST
If you reboot at this point, the switch should come up clean. Do you need to keep your config? Also, I see your cross post to the other forum. I will jump on the other one and consolidate the answer at one place.
Regards,
jerry
10-05-2009 07:24 PM
Replied by: dchen0999 - , Warner Music Group - Oct 5, 2009, 3:56pm PST
Thanks Jerry.
BTW: rebooting the switch won't help.
// this is fixed, per this doc:
Note: I needed to rename "private-config.text" in my switch's flash dir to config.text.
10-06-2009 05:27 AM
I was really confused for a minute there. Is there more than one person using that account?
If you remove the aaa authentication, you need to specify "login" under your con 0 or vty 0 15; this will prompt you for a password. If you want to use a username and password, use "login local" under your vty / con 0.
HTH,
Craig
10-06-2009 08:41 AM
Thanks Craig. I will check it out when I run across this lab next time.
Thanks everyone for the help and have a nice day.
10-06-2009 09:06 AM
Per the Cisco doc:
Switch(config)# radius-server dead-criteria time 30 tries 20
Switch(config)# radius-server deadtime 60
// will it be this line that specifies the username/password?
Switch(config)# radius-server host 1.1.1.2 acct-port 1550 auth-port 1560 test username user1 idle-time 30 key abc1234
Switch(config)# dot1x critical eapol
Switch(config)# dot1x critical recovery delay 2000
Switch(config)# interface gigabitethernet 0/1
Switch(config)# radius-server deadtime 60
Switch(config-if)# dot1x critical
Switch(config-if)# dot1x critical recovery action reinitialize
Switch(config-if)# dot1x critical vlan 20
Switch(config-if)# end
Switch(config)# aaa new-model
Switch(config)# aaa authentication login default group radius
Switch(config)# aaa authorization auth-proxy default group radius
Switch(config)# radius-server host 1.1.1.2 key key1
Switch(config)# radius-server attribute 8 include-in-access-req
Switch(config)# radius-server vsa send authentication
Switch(config)# ip device tracking
Switch(config)# end