Cisco Support Community
access to switch locked out

Hi

I recently installed a cat2924XL. I was configuring tacacs when I got distracted and the session timed out - now I cannot get in to the switch! The only part I had configured was aaa new-model and aaa authentication login secure line. Unfortunately I did not have login authentication secure configured on either the cty or vty lines. Is there any way around this other than breaking into the device - understandably I do not want to take the device down!!

Thank You

Accepted Solution

Re: access to switch locked out

If you wrote your config, a password recovery is required. If not, you'll have to reboot.

It is always a good idea to set up a local account as a back door method as well. This is useful because if AAA negotiation encounters an 'Error', it will seek the next method. Some examples of this are if you have the improper key in the device matched to the AAA server, or network connectivity is down to the AAA server.

Personally, I like to turn off aaa on the console port for this particular reason. Granted, this may circumvent a security policy, but if someone has physical access to the console, they can break in anyhow.

Here is how:

aaa authentication login NO_AUTHEN none
line con 0
 login authentication NO_AUTHEN

If using EXEC or command authorization, they should be disabled on the console port as well.
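As an added defender-side check (not code from the original thread), here is a small Python audit that parses an IOS running-config for the lockout pattern described in this thread: a login method list that is defined but never bound to a line, a list with no local/none fallback after the AAA server group, or a list that relies on local but has no username. It assumes aaa new-model is already enabled, and both sample configs are constructed.

```python
import re

# Constructed sample reproducing the lockout in the question: aaa new-model is on and
# the "secure" list exists, but no line binds it and no local username exists.
LOCKED_OUT_CONFIG = """\
aaa new-model
aaa authentication login secure group tacacs+
line con 0
 exec-timeout 5 0
line vty 0 15
"""

# Constructed: the same device with the fallbacks the accepted answer recommends.
SAFE_CONFIG = """\
aaa new-model
username admin privilege 15 secret EXAMPLE_ONLY
aaa authentication login secure group tacacs+ local
aaa authentication login NO_AUTHEN none
line con 0
 login authentication NO_AUTHEN
line vty 0 15
 login authentication secure
"""

FALLBACKS = {"local", "none", "enable", "line"}   # methods that never need the AAA server

def audit_login_lockout(config):
    # Returns one finding string per line that could lock an admin out; [] means clean.
    lists, bindings, has_user, current = {}, {}, False, None
    for text in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            lists[m.group(1)] = m.group(2).split()
        elif text.startswith("username "):
            has_user = True
        elif text.startswith("line "):
            current = text[5:]
            bindings[current] = "default"     # an unbound line uses the default list
        elif current and text.startswith("login authentication "):
            bindings[current] = text.split()[-1]
    findings = []
    for line, name in bindings.items():
        methods = lists.get(name)
        if methods is None:
            findings.append(f"line {line}: list '{name}' is not defined")
        elif methods[-1] not in FALLBACKS:
            findings.append(f"line {line}: list '{name}' has no fallback after the AAA group")
        elif "local" in methods and not has_user:
            findings.append(f"line {line}: list '{name}' uses local but no username exists")
    return findings
```

Run it against the candidate config before writing it to the device; the locked-out sample reports both con 0 and vty 0 15 as bound to an undefined default list, while the safe sample reports nothing.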

