Locked out at enable after AAA config

network_user
Level 1

Hello,

I configured aaa using the below commands on my router and now I am locked out since I don't know the enable password that was configured on the router. When AAA was not configured I was able to get to the priv exec prompt by directly using my username and password that is configured for priv 15. But right now it's asking me for enable when it's using tacacs and also when it's not using tacacs (I tried by deleting this device from ACS). Is there any way I can have ACS directly log me into priv exec mode and not ask for the enable password? I know I missed the "aaa authentication exec" command but is there any way I can get into the router and fix it now?

aaa new-model
aaa authentication login serial local
aaa authentication login default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands

Thanks!

3 Replies

Rahul Govindan
VIP Alumni

Looks like serial is still using local authentication. Any chance of console access?

One other way is to break connectivity between the device and ACS (a firewall rule in the path, maybe). This will force it to fall back to local and provide privilege 15 based on the local admin user.

Hello Rahul,

Thanks for the reply. I did try removing this device from the ACS, so that it defaults to local login. It does fall back to local login but it still asks me for enable, which it did not when I did not have aaa configured.

And yes, I did add that serial command for the console to be local login, but it's still using tacacs for authentication on the console and asks for the enable password.

Thanks!

Yeah, looks like you created a list called "serial" but may not have added it to "line console 0" as an authentication method, causing it to check console login also via ACS.

What is your config on your Line console and vty? Also what was it before enabling aaa commands?

Also, if the config has not been saved, you can reload the device to bring it back to original state (provided that this is not production impacting).
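For reference, here is the AAA block as posted beside a corrected version; this is an added example, not the poster's or Rahul's actual config. It applies the "serial" list to the console line (the point made in the last reply) and adds exec authorization, which is what lets a privilege-15 user land at the # prompt without an enable password. The `admin` username, the `<placeholder>` secret and reusing the name "serial" for the console exec-authorization list are assumptions.

```cisco
! ---- As posted: login is authenticated, but no exec authorization runs,
! ---- so every session starts at privilege 1 and 'enable' is prompted.
aaa new-model
aaa authentication login serial local
aaa authentication login default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
! ---- Corrected version
aaa new-model
! Console stays fully local: this is the recovery path if ACS is unreachable
! or the device is removed from ACS, so keep it independent of tacacs+.
aaa authentication login serial local
aaa authorization exec serial local
! VTY sessions: ACS first, local user database as fallback.
aaa authentication login default group tacacs+ local
! Exec authorization sets the initial EXEC privilege level. ACS returns it in
! the shell profile (priv-lvl=15); the local method uses the 'privilege 15'
! configured on the local username. Either way no 'enable' prompt appears.
aaa authorization exec default group tacacs+ local
! Authorization is not applied to the console unless this is present.
aaa authorization console
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
! Local fallback account; 'privilege 15' is what the local exec method honors.
username admin privilege 15 secret <placeholder>
!
line con 0
 ! Bind the named lists to the line; without these the console uses the
 ! default lists and therefore asks ACS, exactly as seen in the thread.
 login authentication serial
 authorization exec serial
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

Test the VTY path from a second session before closing the one you are configuring from, so a mistake in the lists does not lock you out a second time.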