Password issue on Cisco 2955

Andy White (Level 3)

Hi,

I've just made a silly mistake.

I've been telnetting onto a 2955 and then upgraded the IOS, enabled ssh version 2 and then issued a "write". When I came back the exec-timeout had kicked in and I was logged out of the router, and now it is asking for a username and password and not just a password like it did before enabling ssh. I haven't put a username and password on yet, just the telnet.

What would the username be if I haven't set one?

I guess I should set a username and secret first before using ssh?

Thanks


John Blakley (VIP Alumni)

You said that you've been telnetting into the device. Did you change your transport on the vty line to ssh? Telnet is still enabled by default even if you enabled ssh and shouldn't be locking you out. There's not a default username/password that you can use. You should have set one unfortunately. Can you console into the router?

Did you enable aaa authentication? That'll lock you out if you don't finish the configuration....

HTH, John *** Please rate all useful posts ***

The config before I got locked out:

line con 0
line vty 0 4
 password 7 15115A1F077A
 login
line vty 5 15
 no login

I had to enable aaa new-model for ssh though

Yeah...you'll need to get consoled in in order to get back into it...

HTH, John *** Please rate all useful posts ***

What was my "school boy" mistake?

Not finishing the aaa config

Anytime I do an aaa config, I always set a username/password and enable password before enabling aaa. I've locked myself out of a few routers.

You can also do this. The next time you start something that you think might lock you out of getting into it, you can set the router to reload automatically before you do the change:

reload in

If you lock yourself out, the router will reload for you in the amount of minutes that you set and since you didn't write the changes, it'll come up with the old config.

John

Please rate all useful posts...

HTH, John *** Please rate all useful posts ***

The worst thing is I always use the reload and when I need it I don't use it.

1.) I guess as the console has no password so I should be able to just use the enable password?

2.) So I can add ssh without aaa new-model then add a local username and password later when I'm ready as I have to get radius working?  I have a few switches to do, so I was upgrading them, configure ssh, ntp, logging to syslog, then I was going to add local usernames and then radius (with CLI views).  The local usernames are only for when radius isn't working.

It would be great to read your opinion.

1. The console should still be able to get in because once you enable aaa, the telnet authentication switches to use local authentication and not the configured password on the line. This doesn't affect the console port though.

2. Yes. You can enable ssh, generate your keys, etc without having aaa configured. I personally put everything in notepad and just paste it into the router once I know what I want. You can do something like:

! hostname and domain name are needed before the RSA key can be generated
ip domain-name cisco
hostname cisco
crypto key generate rsa mod 1024
! local user and enable secret BEFORE aaa new-model, so the local fallback is never empty
username cisco sec cisco
enable secr cisco
aaa new-model
radius-server host 192.168.1.50 key cisco
! 'local' at the end is the fallback used when the RADIUS server is unreachable
aaa authentication login default group radius local

Then paste all of that in....*Important* I don't exit out of the router at this point, but I open another terminal window and telnet into the router to make sure that the radius server authentication is working before I save changes.

John

HTH, John *** Please rate all useful posts ***
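The lockout described in this thread (aaa new-model turning vty logins over to an empty local database, or a method list with no local fallback) can be caught before the config is pasted. The following pre-flight check is an added example, not code from the thread or from Cisco; the helper names and the abbreviation handling (sec/secr for secret) are my own assumptions.

```python
"""Pre-flight lint for an IOS config snippet before pasting it into a device.

Added example (not from the thread). It flags the conditions behind the
lockout in the original post: 'aaa new-model' switches vty logins to
local/AAA authentication, so enabling it without a local username, or with a
login method list that has no 'local' fallback, locks remote sessions out.
"""
import re

# IOS accepts abbreviated keywords, so 'sec', 'secr' and 'secret' all count.
USER_RE = re.compile(r"^username \S+ .*?\b(sec\w*|pass\w*) \S+")
ENABLE_RE = re.compile(r"^enable (sec\w*|pass\w*)\b")
LOGIN_PREFIX = "aaa authentication login "


def parse_config(text):
    """Return the non-empty, non-comment ('!') lines of an IOS-style config."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def check_aaa_lockout(text):
    """Return a list of findings; an empty list means nothing lockout-related was found."""
    lines = parse_config(text)
    if "aaa new-model" not in lines:
        return []  # line passwords still apply; nothing AAA-related to check
    findings = []
    if not any(USER_RE.match(ln) for ln in lines):
        findings.append("aaa new-model with no 'username ... secret': "
                        "vty logins will use an empty local database")
    login_methods = [ln for ln in lines if ln.startswith(LOGIN_PREFIX)]
    for method in login_methods:
        if " local" not in method and not method.endswith(" none"):
            findings.append(f"'{method}' has no local fallback: "
                            "an unreachable AAA server locks you out")
    if not any(ENABLE_RE.match(ln) for ln in lines):
        findings.append("no 'enable secret': privileged mode unreachable after login")
    return findings


if __name__ == "__main__":
    # Constructed snippet mirroring the original poster's situation.
    risky = "line vty 0 4\n password 7 15115A1F077A\n login\naaa new-model\n"
    for finding in check_aaa_lockout(risky):
        print("WARNING:", finding)
```

Run it against the text you are about to paste; the check is deliberately conservative and only reasons about lines present in the snippet, so keep the reload-in safety net as well.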

Thanks I will follow this in future.

Out of interest, are you using the "radius-server" method, as I get a warning when I add radius-server host? It says Cisco are moving away from this soon or something.

What error are you getting when you use radius-server host?

HTH, John *** Please rate all useful posts ***

I'm not near a switch, but I'm using the latest IOS and it warned me that I should start using radius-server name and not host, as Cisco will be moving away from this in future releases. I will get the exact warning for you.

If you just use statements like the following you don't even need a username and password; it will just call your current line and enable secret passwords.

Thanks,

I'm using:

aaa authentication login default group radius local

aaa authentication enable default line

I use Windows 2008 RADIUS.

This works ok for me: if RADIUS is down then they can use the local database, where I have a priv 15 user and a basic user with a CLI View called "helpdesk" with basic commands.
