10-21-2009 01:46 AM - edited 03-04-2019 06:27 AM
I copied (with scp) the startup-config from my router and modified it. I deleted the old username line and I added a new one. Then I sent the new startup-config to the router with scp and reloaded it. But I can still log in with the old username.
I checked the running-config and startup-config, and the old username line does not appear in these files. I switched the power off and on, but it did not help.
Can somebody help me?
Where is the username stored in the Cisco filesystem? How can I view and fix it?
Some data: Cisco Router 7200; Cisco IOS version 12.2(31)SB11
Thank you, everybody, for the help.
10-21-2009 05:27 AM
Check, you might be using a radius server.
10-21-2009 05:41 AM
I don't use radius server. I use local username database.
10-21-2009 06:10 AM
Then there is no logical explanation to your problem.
10-21-2009 08:23 AM
Janos
I agree with Paolo that this is very strange. Perhaps if you post the config of the router we might figure out what is causing this behavior.
HTH
Rick
10-21-2009 11:33 PM
OK, I am posting the config of the router. I cut the private data (such as ACL lists, etc.).
I think that somehow the IOS saved the local user database to NVRAM or Flash disk. Can you suggest anything that I can check? Maybe I should try erasing NVRAM.
!
upgrade fpd auto
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
hostname gw1
!
boot-start-marker
boot-end-marker
!
logging buffered 64000 debugging
no logging console
enable secret 5 xxxxxx
!
aaa new-model
!
aaa authentication login default local enable
aaa authorization console
aaa authorization exec default local if-authenticated
!
aaa session-id common
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 200
ip icmp rate-limit unreachable DF 200
ip spd mode aggressive
ip cef
!
ip tcp selective-ack
ip tcp synwait-time 5
ip tcp path-mtu-discovery
no ip domain lookup
ip domain name naviextras.com
no ip dhcp use vrf connected
!
no ip bootp server
ip scp server enable
!
!
call rsvp-sync
no scripting tcl init
no scripting tcl encdir
!
no file verify auto
username admin privilege 15 secret 5 xxxxxxx
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
no ip address
shutdown
speed auto
duplex auto
!
interface GigabitEthernet0/0
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip policy route-map PBR
media-type sfp
speed auto
duplex auto
negotiation auto
vrrp 1 ip x.x.x.x
vrrp 1 priority 110
vrrp 1 authentication text xxxx
vrrp 1 track 100 decrement 20
vrrp 1 track 101 decrement 20
vrrp 1 track 102 decrement 20
!
interface GigabitEthernet0/1
ip address x.x.x.x 255.255.255.252
ip access-group acl_out_to_in in
no ip redirects
no ip unreachables
no ip proxy-arp
media-type sfp
speed auto
duplex auto
negotiation auto
!
interface GigabitEthernet0/2
description **** Not used ****
no ip address
shutdown
speed auto
duplex auto
negotiation auto
!
interface GigabitEthernet0/3
description **** Not used ****
no ip address
speed auto
duplex auto
negotiation auto
!
router bgp 65503
no synchronization
bgp router-id x.x.x.x
bgp log-neighbor-changes
network x.x.x.x mask 255.255.255.0
neighbor T-ONLINE peer-group
neighbor T-ONLINE remote-as 15545
neighbor T-ONLINE password 7 xxxxxxx
neighbor T-ONLINE version 4
neighbor T-ONLINE soft-reconfiguration inbound
neighbor T-ONLINE prefix-list t-online-in in
neighbor T-ONLINE prefix-list t-online-out out
neighbor 84.2.38.225 peer-group xxxxxx
neighbor 84.2.38.225 description **** ****
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
no ip http server
!
no cdp run
!
route-map PBR permit 10
match ip address 100
set ip next-hop 84.2.38.225
!
snmp-server community liveservice RO
!
control-plane
!
dial-peer cor custom
!
gatekeeper
shutdown
!
alias exec c conf t
alias exec s sho run
alias exec e exit
alias exec w wri
alias exec r sho ip route
alias exec i sho ip interface brief
alias exec t term mon
alias exec bgp sho ip bgp
alias exec u undeb all
!
line con 0
logging synchronous
history size 50
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class vty_access in
transport input ssh
transport output ssh
line vty 5 15
access-class vty_access in
transport input ssh
transport output ssh
!
monitor event-trace cef ipv4 size 5000
ntp clock-period 17179796
ntp server 192.5.41.41
ntp server 148.6.0.1
ntp server 192.5.41.40
ntp server 193.67.79.202 prefer
ntp server 193.204.114.231
end
10-22-2009 01:45 AM
How can I list the local user database on the router, if it is possible?
10-22-2009 04:20 AM
Janos
The config that you posted was helpful and I believe that I understand what is happening. The config includes this line:
aaa authentication login default local enable
and the effect is that when you login the router will prompt you for name and password. It will check to see if the user name you entered is in the local user database and if it is not in the local database the router will authenticate you if you used the enable password.
So my guess is that you are logging in with some other user ID and with the enable password. Is that the case?
HTH
Rick
10-22-2009 10:41 AM
Hi, Rick
Yes, this is my problem.
I can log in with the old user name and the enable password even though I deleted it one week ago. And I don't understand it.
Can you help me? How can I delete it completely?
Thank you
10-22-2009 11:08 AM
Janos
I attempted to explain it, but apparently you did not understand my explanation. The way that you have configured it, the router will allow login with any user name as long as you use the enable password. If you do not like that then you need to change the configuration. If you change this:
aaa authentication login default local enable
to this:
aaa authentication login default local
then it will allow login only using the configured user name.
The router is doing exactly what the config tells it to do (and allows login using any user name if they use the enable password). If you do not like that behavior then change the config.
HTH
Rick
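Added example, not part of the original thread: a small Python audit that finds `aaa authentication login` method lists containing a shared-secret method and reports which terminal lines use them, which is the condition Rick describes for `local enable`. It goes slightly beyond the thread by also flagging the `line` and `none` methods; the sample configuration and the `CONSOLE` list name are constructed for illustration.

```python
import re

# Methods that check a shared secret (or nothing) rather than a per-user
# credential, so the username typed at the prompt is never verified.
SHARED_METHODS = {"enable", "line", "none"}

AAA_LOGIN = re.compile(r"^aaa authentication login (\S+) (.+)$")
LINE_HDR = re.compile(r"^line (.+)$")
LINE_AUTH = re.compile(r"^login authentication (\S+)$")


def audit_login_methods(config_text):
    """Return (method_lists, findings); each finding is
    (line_name, list_name, shared_methods_in_that_list)."""
    lists, line_lists, current = {}, {}, None
    for raw in config_text.splitlines():
        text = raw.strip()
        if m := AAA_LOGIN.match(text):
            lists[m.group(1)] = m.group(2).split()
        elif m := LINE_HDR.match(text):
            current = m.group(1)
            line_lists[current] = "default"  # applies unless overridden
        elif current and (m := LINE_AUTH.match(text)):
            line_lists[current] = m.group(1)
        elif text == "!":
            current = None
    findings = []
    for line_name, list_name in line_lists.items():
        risky = [x for x in lists.get(list_name, []) if x in SHARED_METHODS]
        if risky:
            findings.append((line_name, list_name, risky))
    return lists, findings


# Constructed sample modelled on the posted config; CONSOLE is hypothetical.
SAMPLE = """\
aaa new-model
aaa authentication login default local enable
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
line vty 0 4
 transport input ssh
!
"""

if __name__ == "__main__":
    for line_name, list_name, risky in audit_login_methods(SAMPLE)[1]:
        print(f"line {line_name}: list '{list_name}' falls back to {risky}")
```
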
10-23-2009 10:23 AM
Rick
I understand it now.
I will fix it in the config of the router next week.
Thank you very much for your help.
10-23-2009 11:10 AM
Janos
I am glad that you understand it now and that my explanation was helpful. Understanding how authentication works, especially with backup methods, can be a bit tricky but is an important thing to understand.
HTH
Rick