Solved: lock-out on router(aaa new-model)

mactej6228 · ‎07-26-2012

So here i am again.. Need help. I can now login to my router which is authenticated through remote acs, my problem is when i issue the command "disable" in privilege level because when i try to get on the privilege mode it would ask me for password I try all the passwords but i'm rejected so i'm lock out, see attached file for you to understand what i mean.. Thanks in advance

and here's my router config:

!

version 12.4

!

service password-encryption

!

hostname R1

!

aaa new-model

!

aaa authentication login fCONSOLE group radius

aaa authentication enable default group radius

aaa authorization console

aaa authorization config-commands

aaa authorization exec fCONSOLE group radius

!

aaa session-id common

!

username mark privilege 15 password 7 110418171C

username anthony password 7 050A081B29434010

!

interface Loopback1

ip address 1.1.1.1 255.255.255.255

!

interface FastEthernet0/0

ip address 192.168.5.1 255.255.255.248

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 10.10.10.1 255.255.255.252

duplex auto

speed auto

!

router eigrp 100

network 1.1.1.1 0.0.0.0

network 10.10.10.0 0.0.0.3

network 192.168.5.0 0.0.0.7

no auto-summary

!

ip radius source-interface FastEthernet0/1

!

radius-server host 172.16.178.3 auth-port 1645 acct-port 1646 key 7 0519570C285F4D06

!

control-plane

!

line con 0

exec-timeout 0 0

authorization exec fCONSOLE

logging synchronous

login authentication fCONSOLE

line aux 0

line vty 0 4

transport input telnet

nkarthikeyan · ‎07-27-2012

Ohhh... Great to hear that your problem solved... Always google is the god father!!!

By

Karthik

View solution in original post

nkarthikeyan · ‎07-27-2012

Hi Mark,

Have the enable password created in locallay as well. Try out with these commands. Hope this should work with radius as well as local authentication if radius fails.

!

aaa authentication attempts login 5

aaa authentication fail-message ^failed login^

aaa authentication login default group radius local

aaa authentication enable default group radius enable

aaa authorization exec default group radius if-authenticated

aaa accounting suppress null-username

aaa accounting exec default start-stop group radius

!

line con 0

session-timeout 10

exec-timeout 15 0

password ###############

transport preferred none

transport output none

line aux 0

session-timeout 10

password ###############

no exec

line vty 0 15

session-timeout 10

exec-timeout 15 0

privilege level 15

password ##################

transport preferred ssh

transport input ssh telnet

transport output none

!

Please do rate for the helpful posts.

By

Karthik

mactej6228 · ‎07-27-2012

Thanks for your reply Karthikeyan, actually i can successfully login to my radius server, what i'm confused of is when i issue the command "disable" and try to login the privilege mode again "enable", i only asked for password.

mactej6228 · ‎07-27-2012

Found the answer, thanks to google....

i just add $enab15$ user to my acs server...

nkarthikeyan · ‎07-27-2012

Ohhh... Great to hear that your problem solved... Always google is the god father!!!

By

Karthik