aaa new-model problem on 3750g stack switch

ohareka70
Level 3

Hello,

I have a stacked switch 3750g on our DataCentre with 5 x 2960 switches hanging off it. All 5 switches have their own vlan. I was trying to set it up on tacacs using aaa new-model. I applied the aaa new-model config and the other aaa accounting lines but now I am locked out of the stack. I can't log back in and need to get the aaa new-model config back off again.

It looks as if I will have to try and break into one of the switches and take the config off but I don't want to affect the other 4 switches on the stack. One of the switches is only used for management but the other 4 have servers hanging off it so I can't touch these.

Is it possible to work on one switch in the stack without affecting the other switches?

Kevin

2 Accepted Solutions

tprendergast
Level 3

When you use the stacking technology, all of the switches appear as a chassis switch would (single unit). I am not aware of a scenario where you can isolate one switch and modify your configuration without impacting the other devices.

Have you tried console, telnet, and ssh methods? Do you have a copy of the configuration you added?

If you configured the AAA to use tacacs and then local, you could disconnect the tacacs/radius server and hope it falls back to using local authentication when you log in with local credentials. Otherwise you are going to have difficulty if you have not properly configured AAA.

If you know the snmp read-write community string then why not use a tool like PT360? You can grab the config from the stack, change it and then upload the new config all through snmp.

Works a treat when you lock yourself out of a switch. Talking from experience.

I have downloaded PacketTrap_PT360 so I will try this tomorrow and let you know how it goes.

regards

Kevin

I downloaded PT360, took a few goes to get it set up right through the proxy server and then was able to go to the Cisco Config option and download the running config, make a change and upload it back again. Brilliant program and worked 100% with no downtime to the stack and the servers on it. Thanks, Kevin

You are right in that all the switches appear as a single unit. An engineer in work told me the same thing, so this confirms it. I have a working config and all the community strings. But when I console and telnet it prompts me with a password to log in. It's not accepting the Tacacs login so I removed tacacs from the ACS server. It's not accepting the local username (called emergency) or its password either. I think it's because I put aaa new-model on it but it already has - aaa group server tacacs+ ACS - on it. I have attached the important bits of the config.

ssh prompts me for a login and password but it's not accepting the local username emergency details. I don't know the other two passwords for oharek and csmuser.

I have downloaded PacketTrap_PT360 so I might try this tomorrow and let you know how it goes.

regards

Kevin
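
The fallback behaviour discussed in this thread, as an added example that is not part of any post here: a pre-change check in Python that reads IOS-style configuration text and flags login method lists that can lock administrators out. The sample configurations are constructed (they only borrow the group name ACS and the username emergency from the thread), and the function names are hypothetical.

```python
import re

# Methods answered by the switch itself, with no AAA server involved.
LOCAL_METHODS = {"local", "local-case", "enable", "line"}
BUILTIN_GROUPS = {"tacacs+", "radius"}

def parse_methods(tokens):
    """Collapse 'group NAME' pairs into single entries, keeping order."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(("group", tokens[i + 1]))
            i += 2
        else:
            methods.append(("method", tokens[i]))
            i += 1
    return methods

def audit_aaa(config):
    """Return lockout risks found in IOS-style configuration text."""
    lines = [l.strip() for l in config.splitlines()]
    if "aaa new-model" not in lines:
        return []
    users = {m.group(1) for l in lines if (m := re.match(r"username (\S+) ", l))}
    groups = {m.group(1) for l in lines
              if (m := re.match(r"aaa group server (?:tacacs\+|radius) (\S+)", l))}
    findings = []
    for l in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", l)
        if not m:
            continue
        name, methods = m.group(1), parse_methods(m.group(2).split())
        for kind, value in methods:
            if kind == "group" and value not in BUILTIN_GROUPS | groups:
                findings.append(f"{name}: server group '{value}' is not defined")
        fallbacks = [v for k, v in methods if k == "method" and v in LOCAL_METHODS]
        if not fallbacks:
            findings.append(f"{name}: no local fallback if the servers are unreachable")
        elif any(f.startswith("local") for f in fallbacks) and not users:
            findings.append(f"{name}: falls back to 'local' but no username is configured")
    return findings

# Constructed samples, not the poster's configuration.
RISKY = ("aaa new-model\n"
         "aaa group server tacacs+ ACS\n"
         "aaa authentication login default group ACS\n")
SAFER = ("username emergency privilege 15 secret <placeholder>\n"
         + RISKY.rstrip() + " local\n")
```

IOS moves to the next method in a list only when the previous one returns no response; a reject from the TACACS+ server ends the attempt without trying local.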
