
Locked out of router with TACACS

Evan Roggenkamp
Level 1

Hello 

I made a rookie mistake today and configured one of our routers to use the following configuration:

aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default local group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated 
aaa authorization commands 15 default group tacacs+ if-authenticated 

We are using RADIUS for authentication - and TACACS for authorization, so needless to say I am locked out of the router. I am wondering if the only way to get past this is to password reset the router, or if there is a way for me to reconfigure my RADIUS/TACACS server to allow access for this device with this configuration. 

Thanks 

Accepted Solution
Since you have "enable" as the fallback method, simply make the TACACS+ server unavailable to that router (null route somewhere upstream, ACL, etc.) and then the router should let you log in using the enable password instead of username/password credentials.

Note: I'm making the assumption that the default authentication applies to the console or VTY lines, but I can't tell if that will be the case since the full configuration was not posted.


2 Replies


Hi Javier, thanks for the reply.

There is no additional configuration on the console or VTY lines to the best of my knowledge. 

However, there is only one privilege 15 user on the system, with no enable password configured.
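The accepted answer depends on one rule of IOS method lists: a method that returns an error (no server in the group answered) lets the router move on to the next method, while a method that returns pass or fail ends the evaluation. A TACACS+ server that is up and rejecting the login therefore never triggers the "enable" fallback, but a blackholed one does. The following simulator is an added example written for this page, not code from the thread or from Cisco; it models that rule for the posted login list and for the follow-up situation where no enable password exists, and adds a variant with a local break-glass account. The Router state, user names and secrets are constructed for the simulation. One assumption is not stated on the page: with no enable secret configured the "enable" method is modelled as a reject (in the posted list it is the last method, so whether IOS reports that as a failure or an error gives the same result).

```python
"""Model of Cisco IOS AAA login method-list evaluation (added example).

Rule modelled: IOS walks the methods left to right. ERROR (no server in the
group answered) -> try the next method. PASS or FAIL -> stop. Exhausting the
list is a reject. Assumption, not stated in the thread: with no enable
secret configured the "enable" method cannot succeed and is treated as FAIL.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Router:
    """Constructed device state for the simulation, not a real router."""
    tacacs_reachable: bool = True
    tacacs_accepts: bool = False          # would the TACACS+ server accept this login?
    enable_secret: str | None = None
    local_users: dict[str, str] = field(default_factory=dict)


def parse_login_list(cfg_line: str) -> tuple[str, list[str]]:
    """'aaa authentication login default group tacacs+ enable'
    -> ('default', ['group tacacs+', 'enable'])"""
    tokens = cfg_line.split()
    if tokens[:3] != ["aaa", "authentication", "login"] or len(tokens) < 5:
        raise ValueError(f"not an aaa authentication login line: {cfg_line!r}")
    name, rest = tokens[3], tokens[4:]
    methods: list[str] = []
    i = 0
    while i < len(rest):
        if rest[i] == "group":            # "group <server-group>" is one method
            methods.append(f"group {rest[i + 1]}")
            i += 2
        else:                             # enable, local, none
            methods.append(rest[i])
            i += 1
    return name, methods


def try_method(method: str, rtr: Router, username: str, password: str) -> str:
    """Result of a single method for the supplied credentials."""
    if method == "group tacacs+":
        if not rtr.tacacs_reachable:
            return ERROR                  # no server answered -> fall through
        return PASS if rtr.tacacs_accepts else FAIL   # a reject stops the list
    if method == "enable":
        if rtr.enable_secret is None:
            return FAIL                   # assumption: no enable secret, cannot pass
        return PASS if password == rtr.enable_secret else FAIL
    if method == "local":
        if username not in rtr.local_users:
            return ERROR                  # unknown local user -> next method
        return PASS if rtr.local_users[username] == password else FAIL
    if method == "none":
        return PASS
    raise ValueError(f"method not modelled: {method}")


def authenticate(cfg_line: str, rtr: Router, username: str, password: str) -> tuple[str, str]:
    """Return (outcome, method that decided it)."""
    _, methods = parse_login_list(cfg_line)
    for m in methods:
        result = try_method(m, rtr, username, password)
        if result != ERROR:
            return result, m
    return FAIL, "end-of-list"


POSTED = "aaa authentication login default group tacacs+ enable"
WITH_LOCAL = "aaa authentication login default group tacacs+ local"   # hypothetical variant


def scenarios() -> dict[str, tuple[str, str]]:
    """The situations discussed in the thread, plus a local-fallback variant."""
    tacacs_up = Router(tacacs_reachable=True, tacacs_accepts=False, enable_secret="s3cret")
    tacacs_down = Router(tacacs_reachable=False, enable_secret="s3cret")
    no_secret = Router(tacacs_reachable=False, enable_secret=None)
    local_fb = Router(tacacs_reachable=False, local_users={"admin": "L0cal!"})
    return {
        # server is up but only does authorization: it rejects, and nothing falls through
        "posted, tacacs up": authenticate(POSTED, tacacs_up, "evan", "s3cret"),
        # the accepted answer: blackhole the server, log in with the enable secret
        "posted, tacacs down": authenticate(POSTED, tacacs_down, "evan", "s3cret"),
        # the follow-up: no enable password configured, still locked out
        "posted, no enable secret": authenticate(POSTED, no_secret, "evan", "anything"),
        # a break-glass local account reached once the server group errors out
        "local fallback": authenticate(WITH_LOCAL, local_fb, "admin", "L0cal!"),
    }


if __name__ == "__main__":
    for label, (outcome, by) in scenarios().items():
        print(f"{label:26} -> {outcome} (decided by {by})")
```

Run it directly to see the four outcomes. The practical reading: blackholing the server only helps if the method after "group tacacs+" can actually succeed, so a list that ends in "enable" needs an enable secret on the box, and a list that ends in "local" needs at least one local account; either one should be in place before the AAA change is committed.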