Misconfigured AAA, NOW cant login

mtnuga
Level 1

Hi

I have got myself locked out of my router. All devices on the network have to access the TACACS server for authentication and authorisation. However, I think I misconfigured the router and now I can't log in: I get the login prompt, but the authentication fails. Is there any way I can log in again? I have tried using the console, but it is still the same problem.

Thanks

KM

7 Replies

deilert
Level 6

Can you paste in the latest config?

You have a few options:

1. Power cycle the box if you have not done a wr mem.

2. Use SNMP to remove the TACACS config.

3. Go into the directly connected router(s) and put on an ACL that blocks port 49:

access-list 100 deny udp any any eq 49

access-list 100 permit ip any any

Apply it on the directly connected interface.

After this, when you telnet to the router that is hosed you should be prompted for the PW of last resort.
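Option 3 worked through as an added example; this is not part of deilert's post or the thread's own configs. Two things decide whether the trick works. First, IOS only moves to the next method in an AAA method list when TACACS+ returns an error (server unreachable or timed out), not when the server answers with a reject; so the locked-out router must have a fallback method after tacacs+ in its login list, or blocking the server changes nothing. Second, TACACS+ runs over TCP port 49, so the ACL has to match tcp; an entry written for udp never matches and the request still reaches the server. The interface and addresses below are taken from the thread; the method-list contents and the username are assumptions about the locked-out router's config.

```cisco
! On the directly connected router (10.151.0.45), interface facing 10.151.0.46.
! Deny before permit: an IOS ACL is evaluated top down and stops at the first match.
! TACACS+ is TCP/49; "eq tacacs" is the IOS keyword for port 49.
! Source "any" covers an "ip tacacs source-interface" on the locked-out router.
access-list 100 deny   tcp any any eq tacacs
access-list 100 permit ip any any
!
interface Serial2/1:0
 description Link_To_Jinja
 ip address 10.151.0.45 255.255.255.252
 ! Inbound is the direction the TACACS+ request travels from 10.151.0.46
 ! toward the server; blocking the SYN is enough, replies never happen.
 ip access-group 100 in
!
! Check that the deny counter increments while you attempt the telnet:
!   show access-lists 100
! If the server is reachable over a second link, the same ACL goes there too.
!
! On the locked-out router, once you are back in (assumed; the thread does not
! show its config). The "local" method after "group tacacs+" is what the ACL
! above relies on; with "group tacacs+" alone there is nothing to fall back to.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authorization exec default group tacacs+ local if-authenticated
username recovery privilege 15 secret <strong-password>
enable secret <strong-password>
!
line console 0
 login authentication CONSOLE
```

Expect a delay before the login prompt appears once the ACL is in place: the router waits for the tacacs-server timeout (5 seconds by default) for each configured server before it declares an error and falls back. An immediate "% Authentication failed" after you type a password, as in the transcript later in this thread, means the server is still answering or the method list has no fallback.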

Hi

I have tried what you advised. I logged on to the directly connected router and created an access list blocking UDP port 49 from source 10.151.0.46, which is the router I have problems logging in to.

access-list 100 permit ip any any

access-list 100 deny udp host 10.151.0.46 eq tacacs any

I then applied that filter to the interface that 10.151.0.46 is connected to:

interface Serial2/1:0

description Link_To_Jinja

ip address 10.151.0.45 255.255.255.252

ip access-group 100 in

ip access-group 100 out

no ip directed-broadcast

I tried to telnet (from 10.151.0.45 to 10.151.0.46) but still get the error message below:

RC_3640_01_UGS#10.151.0.46

Trying 10.151.0.46 ... Open

% Authentication failed.

[Connection to 10.151.0.46 closed by foreign host]

Maybe I am missing something that you can highlight.

Thank you for your help

MK

The ACL has the permit before the deny; you need to have the deny first, followed by the permit:

access-list 100 deny udp any eq tacacs any

access-list 100 permit ip any any

If you are using an ip tacacs source statement, this is the IP that needs to be in the deny statement, or you can use any any.

Also, if the router has more than one connection to it, you need to apply the ACL on those interfaces as well.

Hi MK,

You have not copied the ACL exactly. It should be:

access-list 100 deny udp any any eq 49

access-list 100 permit ip any any

hth

Herbert

Hi guys,

I tried applying filters on the directly connected router but I still have the same problem, and yes, I put the deny before the permit.

Is there any other way of going about this? Please help.

MK

Perhaps the easiest way is to do a password recovery?

http://www.cisco.com/warp/public/474/pswdrec_3600.shtml

Herbert
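The procedure behind that link, as an added example that is not part of Herbert's post: the standard ROMMON password-recovery sequence for the 3600 series. It assumes physical console access and a maintenance window, because the router is out of service while it reloads, and while the configuration register is 0x2142 the box boots with no configuration at all, so do not leave it in that state or reachable from the network. The hostname and username are placeholders; the AAA line is the assumed fix, not something the thread shows.

```cisco
! 1. From the console, power-cycle the router and send a break within about
!    60 seconds of boot (Ctrl-Break, or your terminal program's break) to
!    drop into ROMMON. Set the register to ignore startup-config and reboot.
rommon 1 > confreg 0x2142
rommon 2 > reset

! 2. The router boots without its config. Answer "no" to the setup dialog.
!    No AAA is active at this point, so enable mode needs no password.
Router> enable

! 3. Load the saved config into memory. Nothing is written to NVRAM yet, and the
!    prompt changes to the saved hostname after this step.
Router# copy startup-config running-config

! 4. Repair AAA before anything else: add a fallback method and a local user
!    so the TACACS+ server can never be the only way in again.
Router# configure terminal
Router(config)# aaa authentication login default group tacacs+ local
Router(config)# username recovery privilege 15 secret <strong-password>
! Put the register back, or the next reload ignores the config again.
Router(config)# config-register 0x2102

! 5. After the copy, every interface comes up administratively down; bring
!    back the ones you need (the serial link from the thread, as an example).
Router(config)# interface Serial2/1:0
Router(config-if)# no shutdown
Router(config-if)# end

! 6. Save, then reload to confirm the box boots with the repaired config.
Router# write memory
Router# reload
```

Before step 6, `show version` should report the configuration register as 0x2102 (or "will be 0x2102 at next reload"); if it still shows 0x2142 the register change did not take and the router will come up empty again.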

Can you paste in the config of the router with the AAA problem? Is there only 1 directly connected router?
