Hi, my colleague configured AAA on a remote router without creating a local username and password. The entry on the ACS server is not present and now I am locked out! It's asking for a username and password which is not present in the local database. Since this branch was newly installed we didn't take any router backup, so I have no idea what the hostname might be, because if I knew it I would enter it on my ACS and it would work, I know. So please, guys, help me out with this, or if there is a workaround for it,
thanks in advance
Resetting the switch is your only solution. Next time, before enabling 'aaa new-model' make sure to have a local username and password.
Most people don't get it right the first time. So next time you are configuring AAA on any device, make sure you enable local authentication and set a username and password.
Minimum AAA config to save you from getting locked out while configuring AAA for TACACS:
aaa authentication login default group tacacs+ local
username abc password xyz
Any time you are locked out while configuring, you can use the above username and password to gain access.
Please refer to this doc for more details if you're interested:
hope that clarifies.
Please rate all helpful posts.
Dear Friend, I'm using an 1841 router. I know the last option is to reset it in rommon mode, but still it will be difficult, so kindly, any other idea please? I just want the hostname. Is there any way I can get it?
I'm doubtful whether your router has taken the entire AAA config. The router gets locked as soon as "aaa new-model" is entered. Even if you get the hostname, you'll not be able to get into the device because it would not have taken the configurations for authorisation and accounting. It would not have taken the AAA server IP, and would also be missing the login auth tacacs under vty and console. Also, local authentication might not be configured in case the AAA server fails, and above all you don't have a local username and password.
So I don't see any other option.
If you just want the host name of that router, in that case you can find it out using CDP.
Please do "sh cdp nei detail" on the neighbouring Cisco device; it will show enough info.
hope this helps
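The two posts above list what a lockout-safe AAA configuration for TACACS+ must contain: a login method list that falls back to local, a local username, and a defined TACACS+ server. The following Python check is added here as an example and is not part of this thread; it walks a saved running-config for those pieces. The sample configs are constructed, and the hostname, server address and secrets in them are placeholders.

```python
# Added example: lint a saved IOS running-config for the AAA lockout conditions
# discussed in this thread. Sample configs below are constructed, not from a real
# device; hostname, server address and secrets are placeholders.

# Constructed: 'aaa new-model' enabled with no method list and no local user.
LOCKED_OUT_CONFIG = """\
hostname BRANCH-RTR
aaa new-model
line vty 0 4
 transport input ssh
"""

# Constructed: TACACS+ first, local database as fallback, plus a local user.
SAFE_CONFIG = """\
hostname BRANCH-RTR
aaa new-model
aaa authentication login default group tacacs+ local
username recovery privilege 15 secret CHANGE-ME
tacacs-server host 192.0.2.10 key CHANGE-ME
line con 0
 login authentication default
line vty 0 4
 login authentication default
 transport input ssh
"""


def check_aaa_lockout_safety(config):
    """Return a list of findings; an empty list means the config keeps a way in."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        return findings  # legacy line passwords apply; AAA lists are not consulted
    # Tokens after the list name are the methods, e.g. ['group', 'tacacs+', 'local'].
    login_lists = [line.split() for line in lines
                   if line.startswith("aaa authentication login ")]
    if not login_lists:
        findings.append("no 'aaa authentication login' list: the implicit default "
                        "checks only the local user database")
    elif not any("local" in tokens[4:] for tokens in login_lists):
        findings.append("no login list falls back to 'local': an unreachable or "
                        "unconfigured AAA server locks you out")
    if not any(line.startswith("username ") for line in lines):
        findings.append("no local username: nothing for a local fallback to match")
    if any("tacacs+" in tokens[4:] for tokens in login_lists) and not any(
            line.startswith(("tacacs-server host ", "tacacs server ")) for line in lines):
        findings.append("login list uses TACACS+ but no TACACS+ server is defined")
    return findings
```

Run it against a config before pasting it into a remote device; the locked-out sample reports two findings, the safe one none.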
Dear Shri, I'm using a tunnel interface and unfortunately CDP is not enabled on the other side. Can I resolve the hostname using traceroute (on the router) or tracert?
Nope, you cannot resolve the host name using tracert. Are you sure CDP is disabled? Because CDP is enabled by default on Cisco devices.
In the worst case you have to reload the router as the previous post says. You can somehow resolve the hostname but could not get access until you get the username and password.
I question that the host name is essential to solving your problem. In my experience with ACS the ACS needs the IP address of the remote device but the name is not essential. You should be able to create an entry in ACS specifying the address used by the remote router and be able to authenticate (assuming that the configuration of the remote 1841 is correct).
I have many times changed the host name of a device that is authenticating with ACS without having to change the ACS configuration. I believe that if you create a correct entry in ACS, the remote 1841 should be able to authenticate.
Hi Rick, I'm using ACS 3.3 Windows version, and I have tried different combinations of hostname with the correct IP address and key, but it's not working. I think the hostname should always be exactly the same, but I will try it with some other router. Right now, if someone can tell me how to get the hostname of the router?
Is the failed attempts report in ACS showing the attempts to authenticate from this router? If it is showing the authentication attempts then it is showing what IP address the router is using and you should create a device entry in ACS for that IP address.
If the failed attempts is not showing the authentication attempts then you have a different issue and finding the host name is not likely to solve it.