Cisco Support Community
Community Member

Misconfigured AAA, NOW cant login

Hi

I have got myself locked out of my router. All devices on the network have to access the TACACS server for authentication and authorisation. However, I think I misconfigured the router and now I can't log in: I get the login prompt, but the authentication fails. Is there any way I can log in again? I have tried using the console but still have the same problem.

Thanks

KM

7 REPLIES
Silver

Re: Misconfigured AAA, NOW cant login

Can you paste in the latest config?

You have a few options:

1. Power cycle the box if you have not done a wr mem.

2. Use SNMP to remove the TACACS config.

3. Go into the directly connected router(s) and put on an ACL that blocks port 49:

access-list 100 deny udp any any eq 49

access-list 100 permit ip any any

Apply it on the directly connected interface.

After this, when you telnet to the router that is hosed, you should be prompted for the password of last resort.

Community Member

Re: Misconfigured AAA, NOW cant login

Hi

I have tried what you advised. I logged on to the directly connected router and created an access list blocking UDP port 49 from source 10.151.0.46, which is the router I have problems logging in to.

access-list 100 permit ip any any

access-list 100 deny udp host 10.151.0.46 eq tacacs any

I then applied that filter to the interface 10.151.0.46 is connected to:

interface Serial2/1:0

description Link_To_Jinja

ip address 10.151.0.45 255.255.255.252

ip access-group 100 in

ip access-group 100 out

no ip directed-broadcast

I tried to telnet (from 10.151.0.45 to 10.151.0.46) but still get the error message below:

RC_3640_01_UGS#10.151.0.46

Trying 10.151.0.46 ... Open

% Authentication failed.

[Connection to 10.151.0.46 closed by foreign host]

Maybe I am missing something that you can highlight.

Thank you for your help

MK

Silver

Re: Misconfigured AAA, NOW cant login

The ACL has the permit before the deny; you need to have the deny first, followed by the permit:

access-list 100 deny udp any eq tacacs any

access-list 100 permit ip any any

If you are using an ip tacacs source statement, that is the IP that needs to be in the deny statement, or you can use any any.

Also, if the router has more than one connection to it, you need to apply the ACL on those interfaces as well.

Bronze

Re: Misconfigured AAA, NOW cant login

Hi MK,

You have not copied the ACL exactly. It should be:

access-list 100 deny udp any any eq 49

access-list 100 permit ip any any

hth

Herbert
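An added worked example of the "block port 49 upstream" approach, written for this thread and not taken from any of the posts above. It assumes the addressing shown earlier (locked-out router 10.151.0.46 on Serial2/1:0 of the router at 10.151.0.45); the ACL number 101 and the log keyword are my choices. Two details matter that none of the ACLs above get right at the same time: TACACS+ runs over TCP port 49, not UDP, so a deny on udp never matches; and the client opens the connection from an ephemeral port to destination port 49, so the port must be matched on the destination, with the deny ahead of the permit because IOS stops at the first matching line.

```ios
! Constructed example for the directly connected router (10.151.0.45).
! TACACS+ is TCP/49: a "deny udp ... 49" line never matches this traffic.
! First match wins, so the deny must precede "permit ip any any".
! Match the DESTINATION port: the client's source port is ephemeral.
access-list 101 deny   tcp host 10.151.0.46 any eq tacacs log
access-list 101 permit ip any any
!
interface Serial2/1:0
 description Link_To_Jinja
 ip access-group 101 in
!
! Inbound on the interface facing 10.151.0.46 is sufficient: the packet
! is dropped before it can be routed anywhere. Repeat on every other
! router that carries a path from 10.151.0.46 to the TACACS+ server,
! otherwise the client simply reaches the server another way.
!
! Check while a login is attempted; the deny line's match counter must
! climb. If it stays at 0, the traffic is not TCP/49 or not on this path.
! show access-lists 101
```

Caveat: this only helps if the locked-out router's method list has somewhere to fall back to (for example `aaa authentication login default group tacacs+ local` or `... enable`). Fallback is consulted only when every server is unreachable (an ERROR); a reachable server that rejects the credentials is a FAIL and no further method is tried. If the list is `group tacacs+` on its own, an unreachable server leaves no method at all and the login still fails.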

Community Member

Re: Misconfigured AAA, NOW cant login

Hi guys,

I tried applying filters on the directly connected router, but I still have the same problem, and yes, I put the deny before the permit.

Is there any other way of going about this? Please help.

MK

Bronze

Re: Misconfigured AAA, NOW cant login

Perhaps the easiest way is to do a password recovery?

http://www.cisco.com/warp/public/474/pswdrec_3600.shtml

Herbert
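An added worked example of the password-recovery route for this 3640, reconstructed from the documented 2600/3600 procedure linked above rather than copied from any post; verify each step against that document before relying on it on your own box. The hostname prompts, the username `admin` and its placeholder secret are constructed. The point of the example is the part the linked procedure does not cover: fixing the AAA method lists so the same lockout cannot recur, before restoring the config register and reloading.

```ios
! Constructed console session on the locked-out 3640.
! 1. Power-cycle the router and send a Break during the first ~60 s of
!    boot to drop into ROM monitor.
rommon 1 > confreg 0x2142
rommon 2 > reset
! 0x2142 boots the image but ignores startup-config, so no AAA is
! applied. Answer "no" to the initial configuration dialog.
Router> enable
! Load the saved config without reloading. You are already in
! privileged EXEC on the console, so the AAA lines it contains cannot
! throw you out. Interfaces come up administratively down after this;
! "no shutdown" them before going further.
Router# copy startup-config running-config
RC_3640_01_UGS# configure terminal
! Before (locks you out as soon as the TACACS+ server is unreachable,
! because there is no second method):
!   aaa authentication login default group tacacs+
! After: fall back to the local user database when every server is
! unreachable, and give the console its own list that never leaves
! the box.
RC_3640_01_UGS(config)# aaa authentication login default group tacacs+ local
RC_3640_01_UGS(config)# aaa authentication enable default group tacacs+ enable
RC_3640_01_UGS(config)# aaa authentication login CONSOLE local
RC_3640_01_UGS(config)# username admin privilege 15 secret ChangeMe-Placeholder
RC_3640_01_UGS(config)# line con 0
RC_3640_01_UGS(config-line)# login authentication CONSOLE
RC_3640_01_UGS(config-line)# exit
! Restore the normal register, or the next reload ignores
! startup-config again.
RC_3640_01_UGS(config)# config-register 0x2102
RC_3640_01_UGS(config)# end
RC_3640_01_UGS# copy running-config startup-config
RC_3640_01_UGS# reload
```

Before the reload, test a telnet login from another device while the TACACS+ server is reachable, then again with the server unreachable, so you see both the normal path and the local fallback work. The console-only `CONSOLE` list is the part worth keeping permanently: it means a bad server definition or key can never take the console away from you.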

Silver

Re: Misconfigured AAA, NOW cant login

Can you paste in the config of the router with the AAA problem? Is there only one directly connected router?
