07-30-2003 03:58 AM - edited 03-02-2019 09:13 AM
Hi
I have got myself locked out of my router. All devices on the network have to access the TACACS server for authentication and authorisation. However, I think I misconfigured the router and now I can't log in: I get the login prompt, but the authentication fails. Is there any way I can log in again? I have tried using the console, but I still have the same problem.
Thanks
KM
07-30-2003 04:08 AM
Can you paste in the latest config?
You have a few options:
1. Power cycle the box if you have not done a wr mem.
2. Use SNMP to remove the TACACS config.
3. Go into the directly connected router(s) and put on an ACL that blocks port 49:
access-list 100 deny udp any any eq 49
access-list 100 permit ip any any
Apply it on the directly connected interface.
After this, when you telnet to the router that is hosed, you should be prompted for the password of last resort.
07-30-2003 05:11 AM
Hi
I have tried what you advised. I logged on to the directly connected router and created an access list blocking UDP port 49 from source 10.151.0.46, which is the router I have problems logging in to:
access-list 100 permit ip any any
access-list 100 deny udp host 10.151.0.46 eq tacacs any
I then applied that filter to the interface 10.151.0.46 is connected to:
interface Serial2/1:0
description Link_To_Jinja
ip address 10.151.0.45 255.255.255.252
ip access-group 100 in
ip access-group 100 out
no ip directed-broadcast
I tried to telnet (from 10.151.0.45 to 10.151.0.46) but still get the error message below:
RC_3640_01_UGS#10.151.0.46
Trying 10.151.0.46 ... Open
% Authentication failed.
[Connection to 10.151.0.46 closed by foreign host]
Maybe I am missing something that you can highlight.
Thank you for your help.
MK
07-30-2003 05:18 AM
The ACL has the permit before the deny; you need to have the deny first, followed by the permit:
access-list 100 deny udp any eq tacacs any
access-list 100 permit ip any any
If you are using an ip tacacs source statement, that is the IP that needs to be in the deny statement, or you can use any any.
Also, if the router has more than one connection to it, you need to apply the ACL on those interfaces as well.
07-30-2003 05:22 AM
Hi MK,
You have not copied the ACL exactly. It should be:
access-list 100 deny udp any any eq 49
access-list 100 permit ip any any
HTH
Herbert
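As an added example (not code from the thread), here is a first-match evaluator for the numbered ACLs quoted above, run against a constructed TACACS+ session: it shows that MK's permit-first list lets the traffic through, that the deny must come first, and that because TACACS+ runs over TCP port 49 a deny written for udp does not match it at all. The server address and client source port are made up.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

PORTS = {"tacacs": 49}  # IOS accepts the keyword or the number after "eq"
Packet = namedtuple("Packet", "proto src dst sport dport")

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol, otherwise exact match
    src: str               # "any" or a host address
    dst: str
    sport: Optional[int]   # "eq" following the source address
    dport: Optional[int]   # "eq" following the destination address
    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N action proto src [eq port] dst [eq port]'."""
    t = line.split()
    action, proto, i, ends = t[2], t[3], 4, []
    for _ in range(2):                       # source first, then destination
        if t[i] == "any":
            addr, i = "any", i + 1
        elif t[i] == "host":
            addr, i = t[i + 1], i + 2
        else:
            raise ValueError(f"unsupported address in: {line}")
        port = None
        if i < len(t) and t[i] == "eq":      # optional port keyword or number
            port, i = int(PORTS.get(t[i + 1], t[i + 1])), i + 2
        ends.append((addr, port))
    return Ace(action, proto, ends[0][0], ends[1][0], ends[0][1], ends[1][1])

def evaluate(acl_text: str, pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl_text.strip().splitlines()):
        if ace.matches(pkt):
            return ace.action
    return "deny"

# Constructed: the locked-out router opening a TACACS+ session (TCP/49) to a server.
TACACS_PLUS = Packet("tcp", "10.151.0.46", "10.151.9.9", 40123, 49)
MK_ACL = "access-list 100 permit ip any any\naccess-list 100 deny udp host 10.151.0.46 eq tacacs any"
THREAD_ACL = "access-list 100 deny udp any any eq 49\naccess-list 100 permit ip any any"
DENY_FIRST = "access-list 100 deny tcp any any eq 49\naccess-list 100 permit ip any any"
```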
07-30-2003 11:09 PM
Hi guys,
I tried applying filters on the directly connected router, but I still have the same problem, and yes, I put the deny before the permit.
Any other way of going about this? Please help.
MK
07-31-2003 01:23 AM
Perhaps the easiest way is to do a password recovery?
http://www.cisco.com/warp/public/474/pswdrec_3600.shtml
Herbert
07-31-2003 04:10 AM
Can you paste in the config of the router with the AAA problem? Is there only one directly connected router?