Re: Password recovery strange occurance

racanelv · ‎02-10-2006

I recently took on a client who did not have any password information for his router and changes needed to be made. It's a Cisco 1720 on a T1 Frame Relay connection by the way using IOS ver 12.2

I subsequently went through the password recovery process reset the router changed the password and made the necessary changes that I needed to and setup general security on the router. I then took note of all the passwords and saved a config file to a tftp server. I reset the router and everything works fine but the router won't let me into enable mode.

I can use the enable secret password to access the device but it does not allow me to enter config mode from either the console, aux or telnet. I checked the information I listed in the config file and I'm using the correct passwords but they don't work.

This isn't a problem now but it will be the next time I have to go in and make changes to this router, has anyone seen this before or have an explaination?

Richard Burts · ‎02-10-2006

Vincent

I want to be sure that I am correctly understanding what you describe. I believe you say that you get the same behavior whether you access the console, aux, or telnet. I believe you indicate that you can log into the router into user mode. In one paragraph you say that it will not let you into enable mode but the next paragraph says that you can use the enable secret password. So am I correct that you do get into enable mode (you can do extended ping for example) but can not get into config mode?

One possibility is that the router configures aaa command authorization and that the userID is not authorized for config mode. Could you post the router config (at least the aaa part of the config)? Also could you tell us exactly what happens (and any error message) when you attempt to get into config mode?

HTH

Rick

HTH

Rick

racanelv · ‎02-10-2006

Sorry I'll try to be more clear. Console, Telnet and Aux all operate the same. I can only access user mode. When I stated that I used the enable secret password I wasn't being clear. I set the router to require password authentication on all external interfaces and I typically use the enable password just to get into user mode. However, this same password does not allow me into config mode.

I will post a router config later currently the config is on another laptop, I appreciate the response.

Richard Burts · ‎02-11-2006

Vincent

I do not want to be overly picky but I need some clarification. There are three stages you go through: user mode, then exec mode (or privilege mode to be precise), and then config mode. It is now clear that you do get into user mode and not config mode. But I am still unclear whether you are getting into exec mode. If you are not getting into exec mode it indicates some issue with how authentication for exec mode is configured. If you are getting into exec mode but not config mode it sounds to me like an authorization issue rather than an authentication issue.

Posting the router config will definitely be helpful.

HTH

Rick

HTH

Rick

lgijssel · ‎02-13-2006

When assuming that you did not make a type while entering the enable password, I can see only one possible cause:

The router was originally configured with an enable SECRET. After you did the password recovery, you entered a new enable PASSWORD.

Now the rule with devices having both of these configured is that the secret prevails over the password. You should have either overwritten the enable secret or used the no ena sec after entering the new password.

Regards,

Leo

racanelv · ‎02-13-2006

Sorry for being so quick you are correct in that I am not able to access exec mode. You type enable then the password and nothing happens.

There is a good possiblity that there was a previous enable secret password in place because I didn't use the no ena sec command when I was copying the file back over to the startup config.