Bryan Garland
Cisco Employee

Introduction

This document will give you some ways to recover your CRS running IOS-XR if you are locked out due to a forgotten password or AAA configuration change.

Core Issue

If you have forgotten your username/password, follow the password recovery steps, which are already fairly well documented:

Password Recovery


The other case is that you have mistakenly locked yourself out after entering some AAA commands, usually by configuring authorization without a fallback method. To make sure you have fallback methods, and to see how to configure them, refer to the AAA configuration guides.

AAA configuration guide
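A check for the lockout cause described above, as an added example that is not part of the original document: the script flags AAA login and authorization method lists whose only methods are server groups. The sample configuration is constructed, and the method-list syntax it parses is an assumption based on the usual IOS-XR form.

```python
import re

# Constructed sample config (not from the original page). Assumed syntax:
#   aaa authentication login <list> <method> [<method> ...]
#   aaa authorization <type> <list> <method> [<method> ...]
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+
aaa authorization commands default group tacacs+ none
aaa authorization commands VTY-CMDS group ACS-SERVERS
aaa accounting commands default start-stop group tacacs+
"""

# Accounting lines are deliberately not matched: they cannot lock anyone out.
AAA_LINE = re.compile(
    r"^\s*aaa\s+(?:authentication\s+(login)|authorization\s+(\S+))"
    r"\s+(\S+)\s+(.+?)\s*$"
)

def parse_methods(tail):
    """Split 'group tacacs+ local' into ['group tacacs+', 'local']."""
    tokens = tail.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def lists_without_fallback(config_text):
    """Return (line, service, list name, methods) for lists with only server groups."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = AAA_LINE.match(line)
        if not m:
            continue
        service = "authentication login" if m.group(1) else "authorization " + m.group(2)
        methods = parse_methods(m.group(4))
        # No 'local' or 'none' at the end means nothing to fall back to.
        if all(meth.startswith("group ") for meth in methods):
            findings.append((lineno, service, m.group(3), methods))
    return findings

if __name__ == "__main__":
    for lineno, service, name, methods in lists_without_fallback(SAMPLE_CONFIG):
        print(f"line {lineno}: {service} list '{name}' has no fallback: {methods}")
```

Run it against a candidate configuration before committing the change. A list that ends in none performs no authorization once that method is reached, so treat that fallback as a policy decision rather than a default.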

Resolution

There are a couple of ways to do this. 

If you have access to the aux port then you can do the following:

Gain access on the AUX port, which should drop you into the Korn shell (ksh). If you are challenged for a username/password, it will be a local username/password, not TACACS/RADIUS.

     Note: This can be bypassed with the following:

Bypassing Ksh Authentication

rommon1> AUX_AUTHEN_LEVEL=0

rommon2> sync

rommon2> boot tftp:/ ... 

Once in ksh, you can try the following command to roll back the last configuration change:

config_rollback -n 0x1

     Note: You can change the last number if you need to roll back more than one change.

If you don't have access to the AUX port for some reason but do have a configuration backed up, or are willing to reconfigure the router, you can do the following from the console. This tells the router to boot with a blank configuration.

Reload the router and keep both RPs down in ROMMON by sending a break signal during the boot process.

Then boot the active RP with the following type of command:

boot <image> -a bogus-config-file-path

For example, on my CRS running 4.0.3 the command would look like this:

boot bootflash:/disk0/hfr-os-mbi-4.0.3/mbihfr-rp.vm -a blah

The router will then boot the right version but come up with a blank config.

You can then reconfigure or cut/paste the configuration. 

If needed, you can do the same for the admin configuration with the following switch:

boot <image> -o bogus-config-file-path

Related Information

Password Recovery

AAA configuration guide

ASR9k Password Recovery


Comments
eteksoy
Cisco Employee

very nice! thanks for doing this.
