I need a couple of tricks if you have any. I have a radius server that authenticates logins for our routers. Over the weekend, I sent a new router to a branch. I can log into the router and get the ">" prompt, but when I try to do enable I get "% Error in Authentication."
I've tried to console in via remote control of a computer logged in with the same credentials. I shut off the radius server over the weekend, and I can log into the router with the local account, but the local account doesn't have a privilege level set, so I get the same problem.
Now what I wanted to try is to get the router to roll over to the local account WHILE the radius server is up. I removed the entries from my radius server for that router, but it still can "see" the radius server, so I can't log into the router with the local account.
Any tricks to getting this thing to roll over without bringing the radius service down?
If you have removed the configuration for the client router from the server I would think that even though the client can send an authentication request to the server that the server would reject it with an unknown client type response. I would have thought that response would allow the remote router to fall back to local authentication (and it has been my experience with TACACS that it does).
But if that is not working then I wonder if it is possible to set up a filter (access list or whatever) between the remote router and the server that would deny authentication requests from that remote router to that server? If the request is dropped then there is no response from the server and the remote router should fall back to local authentication.
Here's what I did to fix it: (man, I'm glad I got it to work.)
I removed the branch's IP addresses from the radius server completely. Then I had the local person console into the router, and I took control of his machine. Fortunately, I didn't have restrictions on the console port, and I was able to get into it that way.
It was missing the enable password in the config, and after I put that in, the world was fine. :-)
Thanks for your suggestion! I really appreciate it!
Thanks for posting back and indicating that you had solved the problem, with what the problem was and how you fixed it. It makes the forum more useful when people can read about a problem, and can read what was done that successfully resolved the problem.
It is an easy thing to do to neglect to configure an enable password. And with no enable password (and no privilege level configured on the vty) the only way into privileged mode is via the console. You found a creative way to solve your problem. Congratulations.
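The configuration the two replies are describing, as an added example that is not from the thread or from Cisco: a constructed "before" and "after" IOS AAA fragment. The server address (192.0.2.10, a documentation range), the shared secret, the username and every secret are placeholders. One caveat that explains the original symptom: IOS moves on to the next method in a method list only when the preceding method returns an error (for example, no response from any configured RADIUS server); an explicit Access-Reject ends the attempt. So `local` and `enable` fallback protect against an unreachable server, not against a server that answers and rejects.

```cisco
! Added example (not from the thread): constructed Cisco IOS AAA configuration.
! All addresses, secrets and usernames are placeholders.
!
! "Before": the state the new router shipped in, as the thread describes it.
! - login method list with no local fallback
! - enable method list with no fallback and no enable secret configured
! - a local user with no privilege level
aaa new-model
aaa authentication login default group radius
aaa authentication enable default group radius
username netadmin secret LoginSecret-placeholder
radius-server host 192.0.2.10 key RadiusSharedSecret-placeholder
!
! "After": the same router with local fallback and an enable secret, so an
! unreachable RADIUS server degrades to local credentials instead of locking
! the administrator out of privileged mode.
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
enable secret EnableSecret-placeholder
username netadmin privilege 15 secret LoginSecret-placeholder
radius-server host 192.0.2.10 key RadiusSharedSecret-placeholder
line con 0
 login authentication default
line vty 0 4
 login authentication default
 transport input ssh
```

Verify the fallback from the console before relying on it: `show aaa servers` reports per-server request and timeout counters, and `debug aaa authentication` shows which method in the list each login attempt actually used.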