username problem in cisco 7200 router

Answered Question
Oct 21st, 2009

I copied (with scp) the startup-config of my router and modified it. I deleted the old username line and added a new one. Then I sent the new startup-config to the router with scp and reloaded it. But I can still log in with the old username.

I checked the running-config and the startup-config, and the old username line does not appear in either file. I switched the power off and on, but it did not help.

Can somebody help me?

Where is the username stored in the Cisco filesystem? How can I view and fix it?

Some data: Cisco 7200 router; Cisco IOS version 12.2(31)SB11


Thank you to everybody for the help.


Paolo Bevilacqua Wed, 10/21/2009 - 05:27
Check; you might be using a RADIUS server.

bozsikjanos Wed, 10/21/2009 - 05:41

I don't use a RADIUS server. I use the local username database.

Paolo Bevilacqua Wed, 10/21/2009 - 06:10

Then there is no logical explanation to your problem.

Richard Burts Wed, 10/21/2009 - 08:23

Janos


I agree with Paolo that this is very strange. Perhaps if you post the config of the router we might figure out what is causing this behavior.


HTH


Rick

bozsikjanos Wed, 10/21/2009 - 23:33

OK, I am posting the config of the router. I cut out the private data (such as ACLs, etc.).

I think that somehow the IOS saved the local user database to NVRAM or the flash disk. Can you suggest anything I can check? Maybe I should try to erase NVRAM.


!
upgrade fpd auto
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
hostname gw1
!
boot-start-marker
boot-end-marker
!
logging buffered 64000 debugging
no logging console
enable secret 5 xxxxxx
!
aaa new-model
!
aaa authentication login default local enable
aaa authorization console
aaa authorization exec default local if-authenticated
!
aaa session-id common
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 200
ip icmp rate-limit unreachable DF 200
ip spd mode aggressive
ip cef
!
ip tcp selective-ack
ip tcp synwait-time 5
ip tcp path-mtu-discovery
no ip domain lookup
ip domain name naviextras.com
no ip dhcp use vrf connected
!
no ip bootp server
ip scp server enable
!
!
call rsvp-sync
no scripting tcl init
no scripting tcl encdir
!
no file verify auto
username admin privilege 15 secret 5 xxxxxxx
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface GigabitEthernet0/0
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip policy route-map PBR
 media-type sfp
 speed auto
 duplex auto
 negotiation auto
 vrrp 1 ip x.x.x.x
 vrrp 1 priority 110
 vrrp 1 authentication text xxxx
 vrrp 1 track 100 decrement 20
 vrrp 1 track 101 decrement 20
 vrrp 1 track 102 decrement 20
!
interface GigabitEthernet0/1
 ip address x.x.x.x 255.255.255.252
 ip access-group acl_out_to_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 media-type sfp
 speed auto
 duplex auto
 negotiation auto
!
interface GigabitEthernet0/2
 description **** Not used ****
 no ip address
 shutdown
 speed auto
 duplex auto
 negotiation auto
!
interface GigabitEthernet0/3
 description **** Not used ****
 no ip address
 speed auto
 duplex auto
 negotiation auto
!
router bgp 65503
 no synchronization
 bgp router-id x.x.x.x
 bgp log-neighbor-changes
 network x.x.x.x mask 255.255.255.0
 neighbor T-ONLINE peer-group
 neighbor T-ONLINE remote-as 15545
 neighbor T-ONLINE password 7 xxxxxxx
 neighbor T-ONLINE version 4
 neighbor T-ONLINE soft-reconfiguration inbound
 neighbor T-ONLINE prefix-list t-online-in in
 neighbor T-ONLINE prefix-list t-online-out out
 neighbor 84.2.38.225 peer-group xxxxxx
 neighbor 84.2.38.225 description **** ****
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
no ip http server
!
no cdp run
!
route-map PBR permit 10
 match ip address 100
 set ip next-hop 84.2.38.225
!
snmp-server community liveservice RO
!
control-plane
!
dial-peer cor custom
!
gatekeeper
 shutdown
!
alias exec c conf t
alias exec s sho run
alias exec e exit
alias exec w wri
alias exec r sho ip route
alias exec i sho ip interface brief
alias exec t term mon
alias exec bgp sho ip bgp
alias exec u undeb all
!
line con 0
 logging synchronous
 history size 50
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class vty_access in
 transport input ssh
 transport output ssh
line vty 5 15
 access-class vty_access in
 transport input ssh
 transport output ssh
!
monitor event-trace cef ipv4 size 5000
ntp clock-period 17179796
ntp server 192.5.41.41
ntp server 148.6.0.1
ntp server 192.5.41.40
ntp server 193.67.79.202 prefer
ntp server 193.204.114.231
end

bozsikjanos Thu, 10/22/2009 - 01:45

How can I list the local user database on the router, if that is possible?

Richard Burts Thu, 10/22/2009 - 04:20

Janos


The config that you posted was helpful and I believe that I understand what is happening. The config includes this line:

aaa authentication login default local enable

and the effect is that when you login the router will prompt you for name and password. It will check to see if the user name you entered is in the local user database and if it is not in the local database the router will authenticate you if you used the enable password.


So my guess is that you are logging in with some other user ID and with the enable password. Is that the case?


HTH


Rick

bozsikjanos Thu, 10/22/2009 - 10:41

Hi, Rick


Yes, this is my problem.

I can log in with the old user name and the enable password, even though I deleted it one week ago. And I don't understand it.


Can you help me? How can I delete it completely?


Thank you

Richard Burts Thu, 10/22/2009 - 11:08

Janos


I attempted to explain it, but apparently you did not understand my explanation. The way that you have configured it, the router will allow login with any user name as long as you use the enable password. If you do not like that then you need to change the configuration. If you change this:

aaa authentication login default local enable

to this:

aaa authentication login default local

then it will allow login only using the configured user name.


The router is doing exactly what the config tells it to do (and allows login using any user name if they use the enable password). If you do not like that behavior then change the config.


HTH


Rick
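The behaviour Rick describes can be checked with a small model of how an IOS login method list is walked. This is an added example, not code from the thread or from Cisco: it applies the documented rule that the next method is consulted only when the previous one returns an error (user not in the local database), never after a plain failure (known user, wrong password), and that the enable method compares the password with the enable secret without looking at the user name. The audit function that flags such lists in a config, and all user names and passwords, are constructed for this example.

```python
# Added model of Cisco IOS "aaa authentication login" method-list evaluation.
# Not code from the thread or from Cisco; users, secret and checks are constructed.
import re
from typing import Dict, List, Optional, Tuple

LOCAL_USERS: Dict[str, str] = {"admin": "NewAdminPw!"}  # constructed sample
ENABLE_SECRET = "EnablePw!"                               # constructed sample

# Methods that never look at the user name. Placed after "local" they accept
# any user name as long as the shared password/secret (or nothing) is given.
USERNAME_BLIND = {"enable", "line", "none"}


def method_local(user: str, password: str, users: Dict[str, str]) -> str:
    """ERROR = cannot decide (unknown user) so the list moves on; FAIL stops it."""
    if user not in users:
        return "ERROR"
    return "PASS" if users[user] == password else "FAIL"


def method_enable(password: str, secret: str) -> str:
    """The enable method ignores the user name entirely."""
    return "PASS" if password == secret else "FAIL"


def aaa_login(methods: List[str], user: str, password: str,
              users: Dict[str, str] = LOCAL_USERS,
              secret: str = ENABLE_SECRET) -> Tuple[str, str]:
    """Walk the method list; return (PASS|FAIL, method that made the decision)."""
    for m in methods:
        if m == "local":
            r = method_local(user, password, users)
        elif m == "enable":
            r = method_enable(password, secret)
        elif m == "none":
            r = "PASS"
        else:
            raise ValueError(f"unsupported method {m!r}")
        if r != "ERROR":
            return r, m
    return "FAIL", "exhausted"  # every method errored: IOS denies the login


def audit_login_lists(config: str) -> List[Tuple[str, List[str], Optional[str]]]:
    """Flag login lists where a username-blind method follows 'local'."""
    out = []
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        name, methods = m.group(1), m.group(2).split()
        weak = [x for x in methods[1:] if x in USERNAME_BLIND]
        note = (f"any user name is accepted via {'/'.join(weak)} when the user "
                "is not in the local database") if weak else None
        out.append((name, methods, note))
    return out
```

Running `aaa_login(["local", "enable"], "olduser", "EnablePw!")` passes via the enable method even though "olduser" no longer exists, while the same call with `["local"]` fails.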

bozsikjanos Fri, 10/23/2009 - 10:23

Rick


I understand it now.

I will fix it in the config of router next week.


Thank you very much for your help.



Correct Answer
Richard Burts Fri, 10/23/2009 - 11:10

Janos


I am glad that you understand it now and that my explanation was helpful. Understanding how authentication works, especially with backup methods, can be a bit tricky but is an important thing to understand.


HTH


Rick
