Misconfigured AAA, now can't login

Jul 30th, 2003

Hi


I have got myself locked out of my router. All devices on the network have to access the TACACS server for authentication and authorisation. However, I think I misconfigured the router and now I can't log in... I get the login prompt but the authentication fails. Is there any way I can log in again? I have tried using the console but still have the same problem.


Thanks

KM

deilert Wed, 07/30/2003 - 04:08

Can you paste in the latest config?


You have a few options:

1. Power cycle the box if you have not done a wr mem.

2. Use SNMP to remove the TACACS config.

3. Go into the directly connected router(s) and put on an ACL that blocks port 49:

access-list 100 deny udp any any eq 49

access-list 100 permit ip any any


Apply it on the directly connected interface.


After this, when you telnet to the router that is hosed, you should be prompted for the PW of last resort.

mtnuga Wed, 07/30/2003 - 05:11

Hi


I have tried what you advised. I logged on to the directly connected router and created an access list blocking UDP port 49 from source 10.151.0.46, which is the router I have problems logging in to.


access-list 100 permit ip any any

access-list 100 deny udp host 10.151.0.46 eq tacacs any



I then applied that filter to the interface 10.151.0.46 is connected to:


interface Serial2/1:0

description Link_To_Jinja

ip address 10.151.0.45 255.255.255.252

ip access-group 100 in

ip access-group 100 out

no ip directed-broadcast



I tried to telnet (from 10.151.0.45 to 10.151.0.46) but still get the error message below...


RC_3640_01_UGS#10.151.0.46

Trying 10.151.0.46 ... Open


% Authentication failed.


[Connection to 10.151.0.46 closed by foreign host]



Maybe I am missing something that you can highlight.


Thank you for your help


MK

deilert Wed, 07/30/2003 - 05:18

The ACL has the permit before the deny; you need to have the deny first, followed by the permit:



access-list 100 deny udp any eq tacacs any

access-list 100 permit ip any any



If you are using an ip tacacs source statement, this is the IP that needs to be in the deny statement, or you can use any any.



Also, if the router has more than one connection to it, you need to apply the ACL on those interfaces as well.

hbaerten Wed, 07/30/2003 - 05:22

Hi MK,


You have not copied the ACL exactly. It should be:


access-list 100 deny udp any any eq 49

access-list 100 permit ip any any


HTH

Herbert
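As an added illustration of the ordering point deilert and Herbert make above (this is not code from the thread), here is a small Python first-match evaluator for the extended ACL lines as posted. It assumes simplified IOS semantics (entries checked in order, first match wins, implicit deny at the end) and a constructed AAA request from 10.151.0.46 to a placeholder server address; it also shows that reordering MK's two lines alone is not enough, because "eq tacacs" placed after the source address matches the source port rather than the server port.

```python
from collections import namedtuple

PORT_NAMES = {"tacacs": 49}  # IOS accepts "eq tacacs" as an alias for port 49
Packet = namedtuple("Packet", "proto src dst sport dport")

def _parse_side(tokens):
    """Consume 'any' or 'host A.B.C.D', then an optional 'eq PORT'."""
    if tokens[0] == "any":
        addr, tokens = None, tokens[1:]
    elif tokens[0] == "host":
        addr, tokens = tokens[1], tokens[2:]
    else:
        raise ValueError(f"unsupported address spec: {tokens[0]}")
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return addr, port, tokens

def parse_entry(line):
    """'access-list 100 deny udp any any eq 49' -> (action, proto, src, sport, dst, dport)."""
    tokens = line.split()
    src, sport, rest = _parse_side(tokens[4:])
    dst, dport, _ = _parse_side(rest)
    return tokens[2], tokens[3], src, sport, dst, dport

def evaluate(acl_lines, pkt):
    """First matching entry decides; no match falls to the implicit deny at the end."""
    for action, proto, src, sport, dst, dport in map(parse_entry, acl_lines):
        if (proto in ("ip", pkt.proto) and src in (None, pkt.src) and dst in (None, pkt.dst)
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)):
            return action
    return "deny"

# Constructed sample: the locked-out router (10.151.0.46, from the thread) sending an AAA
# request to a TACACS server at a placeholder address, ephemeral source port, server port 49.
# The protocol keyword is kept as the thread posted it.
AAA_REQUEST = Packet("udp", "10.151.0.46", "192.0.2.49", 1025, 49)
POSTED_ACL = ["access-list 100 permit ip any any",
              "access-list 100 deny udp host 10.151.0.46 eq tacacs any"]
FIXED_ACL = ["access-list 100 deny udp any any eq 49",
             "access-list 100 permit ip any any"]

def lockout_check():
    """Why the posted ACL never stops the AAA request, even reordered, and the fix does."""
    return {"posted": evaluate(POSTED_ACL, AAA_REQUEST),
            "posted_reordered": evaluate(POSTED_ACL[::-1], AAA_REQUEST),  # 'eq tacacs' sits on the source side
            "fixed": evaluate(FIXED_ACL, AAA_REQUEST)}
```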

mtnuga Wed, 07/30/2003 - 23:09

Hi guys,


I tried applying filters on the directly connected router but I still have the same problem, and yes, I put the deny before the permit.


Any other way of going about this? Please help.


MK

deilert Thu, 07/31/2003 - 04:10

Can you paste in the config of the router with the AAA problem? Is there only one directly connected router?
