10-07-2010 04:03 PM - edited 03-11-2019 11:51 AM
Cisco ASA 5520
When I attempt to telnet, I get the username and password prompts, but no authentication since my ACS server is down.
I can console in, but can't enter enable mode.
I get the message "AAA server is unreachable".
Is there anything I can do besides a password recovery?
10-09-2010 05:20 AM
Hello,
If you still have lines like 'aaa authentication telnet console TACACS+' in the config then the local username/password won't work. You would need to have the 'LOCAL' keyword at the end of those lines. If that is the case, you'll need to do a password recovery to remove the 'aaa authentication' lines.
Hope that helps.
-Mike
10-07-2010 05:15 PM
Hi,
Here's the link to perform password recovery:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/trouble.html#wp1049302
Hope this helps!!
Thanks and Regards,
Prapanch
10-08-2010 06:08 AM
Hello,
Do you have LOCAL fallback setup for authentication? If so, you can use the credentials configured in the local user database to login. Otherwise, you'll need to either get your AAA server up and running again or perform a password recovery.
When you get it working again, you should consider configuring a local user account to avoid locking yourself out again in the future. You can do that with these commands:
username
aaa authentication telnet console
Hope that helps.
-Mike
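The lockout Mike describes comes from 'aaa authentication ... console <server-group>' lines that name only a remote AAA server group, with no trailing 'LOCAL' keyword, so nothing can authenticate when that group is unreachable. The following is an added example, not code from this thread or from Cisco: a small Python audit over a constructed ASA running-config excerpt (hostname, server address, the 'serial' line and the 'username' line are all made up; the four TACACS+-only lines mirror the ones quoted in the thread) that flags every access method lacking LOCAL fallback and warns if no local user exists to fall back to.

```python
import re

# Constructed sample of an ASA running-config excerpt (not the thread's device).
SAMPLE_CONFIG = """\
hostname asa-edge
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.5
 key *****
username admin password ***** privilege 15
aaa authentication telnet console TACACS+
aaa authentication enable console TACACS+
aaa authentication ssh console TACACS+
aaa authentication http console TACACS+
aaa authentication serial console TACACS+ LOCAL
"""

# access method, server group (or LOCAL), optional LOCAL fallback keyword
AAA_AUTH_RE = re.compile(
    r"^aaa authentication (?P<access>\S+) console (?P<group>\S+)(?P<fallback>\s+LOCAL)?\s*$"
)


def audit_aaa_fallback(config_text):
    """Return (risky, ok): risky = (access, group) pairs that authenticate only
    against a remote server group; ok = access methods that can use LOCAL."""
    risky, ok = [], []
    for line in config_text.splitlines():
        m = AAA_AUTH_RE.match(line.strip())
        if not m:
            continue
        if m.group("group") == "LOCAL" or m.group("fallback"):
            ok.append(m.group("access"))
        else:
            risky.append((m.group("access"), m.group("group")))
    return risky, ok


def has_local_user(config_text):
    """True if at least one 'username ...' entry exists in the local database."""
    return any(l.startswith("username ") for l in config_text.splitlines())


def lockout_report(config_text):
    """Human-readable findings; empty list means no lockout risk detected."""
    risky, _ = audit_aaa_fallback(config_text)
    report = [f"{access}: {group} only, no LOCAL fallback" for access, group in risky]
    if risky and not has_local_user(config_text):
        report.append("no local username configured: LOCAL fallback would have nothing to use")
    return report
```

Run the audit before removing or changing an aaa-server group; an empty report from `lockout_report` means every console access method can fall back to the local database.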
10-08-2010 10:58 AM
That's what's weird.
I do have a local password and username configured on it.
I was actually removing TACACS on it for a new config.
When I removed the aaa statement and the aaa tacacs server host and key statement,
I was locked out.
What is left are, I believe, the following commands:
aaa authentication telnet console TACACS+
aaa authentication enable console TACACS+
aaa authentication ssh console TACACS+
aaa authentication http console TACACS+
When I enter enable,
it looks for TACACS.
10-09-2010 02:58 AM
If you have removed all the "aaa authentication" lines, then when you telnet to the device the password required is the one set with the "password" command, if you have one.
HTH
Dan