Need to get past enable mode without resetting switch

jasonelmore
Level 1

I have a 2x stack of Cisco 9200s in a production environment. While I was setting them up and installing them, I used a hardcoded username with privilege 15 and a secret to SSH into the switch and go directly into config mode. However, I must have typed a wrong setting somewhere, and now I can't get past enable mode after setting up Cisco Duo MFA via an AAA RADIUS server. I did not back up my config either, so there is no way to know where I went wrong.

I can SSH into the switch using a RADIUS server with Cisco Duo; however, instead of taking me directly to config mode, it logs me into EXEC mode. I have tried every enable password I would have set, including iterations that include typos. We have our RADIUS server connected to our domain controllers' Active Directory, so I'm able to log in with my administrator account, but only to EXEC mode. I do remember hardcoding an enable password, but using the privilege 15 login before I configured AAA bypassed the need to type an enable. As soon as I enabled AAA, I ran into trouble.

Moreover, I put login local on the console line, so not even hooking directly into the switch with a console cable has been able to save me. The console still prompts for an enable password. I have also tried unhooking the uplink to the network to bypass AAA, but I still get the enable prompt.

The two lines I used under aaa new-model are:

aaa authentication login default group radius local
aaa authorization exec default group radius local

Is there any way to see the config and fix my mistake without resetting the master switch? Ideally I'd just like to modify the line con 0 section and remove login local; then I can just remove the enable password completely. I do not need to recover the enable password, only remove it or find a way around it. I have read some solutions that deal with going into ROMMON mode, ignoring the startup config, loading the startup-config in ROMMON mode, and then copying that to running-config.

I have two 48-port Cisco 9200s (StackWise) in an automotive production environment that cannot have downtime except on the weekends. I'm going to fix it this Sunday, and I'd rather not have to wipe the master switch, as there are 96 ports with around 5 VLANs being used. It's going to be a nightmare to track all of that down and get everything in the correct VLAN. This was a migration from old 3650s to 9200s, and I used the 3650s' existing config to partially configure the 9200s. I got lazy and did not test the AAA before I mounted the switches in the rack, which is mounted 50 ft in the air and requires a boom lift to access. I know, noob mistake!

Any help would be appreciated.  
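Before the replies, a pre-flight check for exactly this lockout, added here as an example and not part of the original post. It encodes three IOS/IOS-XE behaviours that the post runs into: once aaa new-model is on, login local under line con 0 no longer applies and the AAA login method list does; the local method in a "group radius local" list is tried only when every RADIUS server is unreachable, not when a server rejects the user; and exec authorization, which is what turns a privilege 15 username or a shell:priv-lvl=15 AV-pair into a # prompt, is not applied to the console unless aaa authorization console is configured. Both sample configs are constructed: RISKY is modelled on the two lines quoted above plus login local on the console, HARDENED gives the console its own local-only login and exec lists. Function names such as check_aaa_lockout are mine, not IOS commands.

```python
"""Pre-flight lockout check for a Cisco IOS / IOS-XE AAA configuration.

Added example, not code from the thread. Feed it the text of a running-config
(or the config you are about to paste in) and it flags the combinations that
leave you at the '>' prompt with no way to 'enable'. The two sample configs
at the bottom are constructed; RISKY follows the lines quoted in the post.
"""
import re
from typing import List


def _lines(cfg: str) -> List[str]:
    """Config lines with trailing whitespace and blank lines dropped (indentation kept)."""
    return [ln.rstrip() for ln in cfg.splitlines() if ln.strip()]


def console_block(lines: List[str]) -> List[str]:
    """Commands indented under 'line con 0' (the stanza ends at the next top-level line)."""
    out, inside = [], False
    for ln in lines:
        if ln.startswith("line con 0"):
            inside = True
            continue
        if inside and ln.startswith(" "):
            out.append(ln.strip())
        elif inside:
            break
    return out


def check_aaa_lockout(cfg: str) -> List[str]:
    """Return human-readable findings; an empty list means no known lockout pattern."""
    lines = _lines(cfg)
    findings: List[str] = []
    if "aaa new-model" not in lines:
        return findings  # without aaa new-model, line 'login local' + 'username ... privilege 15' work as written

    # 1. The 'local' method can only hand out '#' if a local privilege-15 user exists.
    if not any(re.match(r"username \S+ privilege 15\b", ln) for ln in lines):
        findings.append("no 'username <name> privilege 15' user: local fallback can only reach '>'")

    # 2. Fallback to 'local' happens when every server is unreachable, not on a reject,
    #    so a list without 'local' has no way back in once the servers are gone.
    for ln in (x for x in lines if x.startswith("aaa authentication login ")):
        if "local" not in ln.split()[4:]:
            findings.append(f"{ln!r}: no 'local' method, nothing to fall back to when RADIUS is unreachable")

    # 3. Under aaa new-model the line-level 'login local' is ignored; the method list rules.
    con = console_block(lines)
    if "login local" in con:
        findings.append("'login local' under line con 0 is ignored once aaa new-model is on; the AAA login list applies")
    default_login = next((x for x in lines if x.startswith("aaa authentication login default ")), "")
    if not any(c.startswith("login authentication ") for c in con) and "group" in default_login.split():
        findings.append("console uses the default login list, which tries a remote server first; "
                        "give line con 0 its own local-only list (login authentication <NAME>)")

    # 4. Exec authorization is what maps privilege 15 / shell:priv-lvl=15 to a '#' prompt,
    #    and it is not applied to the console unless 'aaa authorization console' is set.
    if any(x.startswith("aaa authorization exec ") for x in lines) and "aaa authorization console" not in lines:
        findings.append("'aaa authorization console' missing: console logins get no exec authorization, "
                        "so even a privilege-15 local user lands at '>'")
    return findings


RISKY = """\
! constructed sample modelled on the thread: AAA on, console still relying on 'login local'
aaa new-model
username admin privilege 15 secret 9 <hash>
aaa authentication login default group radius local
aaa authorization exec default group radius local
line con 0
 login local
line vty 0 15
 transport input ssh
"""

HARDENED = """\
! constructed sample: console never depends on the network, exec authorization reaches the console
aaa new-model
username admin privilege 15 secret 9 <hash>
aaa authentication login default group radius local
aaa authentication login CONSOLE local
aaa authorization exec default group radius local
aaa authorization exec CONSOLE local
aaa authorization console
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
line vty 0 15
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("RISKY", RISKY), ("HARDENED", HARDENED)):
        print(f"{name}: {check_aaa_lockout(cfg) or ['ok']}")
```

Run it against the config you intend to paste in before the switch goes up on the lift; RISKY produces three findings (ignored login local, console on the RADIUS-first default list, no exec authorization on the console), HARDENED produces none. The check is deliberately conservative and does not try to model enable authentication; keep a console session open while you change AAA regardless.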


4 Replies

balaji.bandi
Hall of Fame

Since you have RADIUS with fallback to local:

On the RADIUS server, for this device, change the key to XXXXX (make sure you note down the original one).

In this case the switch cannot reach the RADIUS server because of the key mismatch, so you can use the local account and fix the issue.

Make sure the RADIUS side sets privilege level 15 so the user gets to # (rather than using enable).

BB


Ruben Cocheno
Spotlight

@jasonelmore 

On your RADIUS server configure a Cisco AV-Pair and send priv 15:

  • Service-Type = Shell-User
  • cisco-avpair = shell:priv-lvl=15

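What that attribute looks like on the wire, as an added example that is not the thread's own code and not what any RADIUS product ships: the Access-Request a switch sends with a PAP password (RFC 2865), the Access-Accept a server returns carrying Service-Type plus the Cisco vendor-specific attribute (vendor 9, subtype 1, the text shell:priv-lvl=15), and the NAS-side parse that turns it into a privilege level. The RFC 2865 Service-Type names are Login (1), Administrative (6) and NAS Prompt (7), which is the list NPS shows; this example sends Login. The parser also shows two outcomes discussed in this thread: an Accept whose Response Authenticator does not verify (the wrong-shared-key situation balaji.bandi relies on) is dropped as if the server had not answered, and an Accept with no priv-lvl pair leaves the user at level 1, the > prompt. Shared secret, user name and password are constructed values; on the switch itself, debug radius shows which attributes actually arrive.

```python
"""RADIUS exchange that grants privilege 15 to a Cisco NAS via shell:priv-lvl=15.

Added example, not the thread's code and not any RADIUS product's. It builds the
Access-Request a switch sends (PAP, RFC 2865), the Access-Accept a server answers
with Service-Type plus the Cisco vendor-specific attribute (vendor 9, subtype 1,
'shell:priv-lvl=15'), and the NAS-side parse that turns it into a privilege level.
Shared secret, user name and password are constructed values.
"""
import hashlib
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
LOGIN_USER = 1            # Service-Type value 'Login' (RFC 2865 section 5.6)
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
CISCO_AVPAIR = 1          # Cisco VSA subtype carrying 'key=value' pairs


def attr(t: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return bytes([t, 2 + len(value)]) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific(26) wrapping Vendor-Id 9 and a Cisco-AVPair(1) sub-attribute."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, text.encode()))


def pap_xor_stream(data: bytes, secret: bytes, req_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        prev = block if decrypt else result   # the chain always follows the ciphertext
        out += result
    return out


def pap_encrypt(password: str, secret: bytes, req_auth: bytes) -> bytes:
    padded = password.encode().ljust(16 * max(1, (len(password) + 15) // 16), b"\0")
    return pap_xor_stream(padded, secret, req_auth, decrypt=False)


def pap_decrypt(cipher: bytes, secret: bytes, req_auth: bytes) -> str:
    return pap_xor_stream(cipher, secret, req_auth, decrypt=True).rstrip(b"\0").decode()


def access_request(user: str, password: str, secret: bytes, ident: int = 42,
                   req_auth: Optional[bytes] = None) -> bytes:
    """NAS side: Code 1, random Request Authenticator, User-Name and PAP User-Password."""
    req_auth = req_auth or os.urandom(16)
    attrs = attr(USER_NAME, user.encode()) + attr(USER_PASSWORD, pap_encrypt(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def access_accept(request: bytes, secret: bytes, priv_lvl: Optional[int] = 15) -> bytes:
    """Server side: same Identifier; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    ident, req_auth = request[1], request[4:20]
    attrs = attr(SERVICE_TYPE, struct.pack("!I", LOGIN_USER))
    if priv_lvl is not None:                      # omit the pair to see what the NAS does without it
        attrs += cisco_avpair(f"shell:priv-lvl={priv_lvl}")
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk a TLV list; a Length below 2 is malformed and stops the walk."""
    out, i = [], 0
    while i + 2 <= len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2:
            break
        out.append((t, data[i + 2:i + ln]))
        i += ln
    return out


def nas_priv_level(request: bytes, response: bytes, secret: bytes) -> Optional[int]:
    """NAS side: None = response discarded (not an Accept, wrong Identifier, or bad authenticator,
    which is what a shared-key mismatch looks like); otherwise the privilege level the user lands at."""
    if response[0] != ACCESS_ACCEPT or response[1] != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if expected != response[4:20]:
        return None
    for t, v in parse_attrs(response[20:]):
        if t == VENDOR_SPECIFIC and len(v) >= 4 and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            for st, sv in parse_attrs(v[4:]):
                if st == CISCO_AVPAIR and sv.startswith(b"shell:priv-lvl="):
                    return int(sv.split(b"=", 1)[1])
    return 1                                       # Accept without priv-lvl: EXEC mode, '>' prompt


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = access_request("jason", "Sup3r-Secret!", secret)
    print("priv-lvl with AV-pair:", nas_priv_level(req, access_accept(req, secret), secret))
    print("priv-lvl without it:  ", nas_priv_level(req, access_accept(req, secret, priv_lvl=None), secret))
    print("wrong shared key:     ", nas_priv_level(req, access_accept(req, b"other-key"), secret))
```

The VSA is only honoured when exec authorization for the session runs a method that includes the RADIUS group, which is what the aaa authorization exec line in the question does; if the pair is in the server policy but the switch still lands at >, a capture or debug radius on the switch tells you whether the Accept that reaches the switch still carries attribute 26 with vendor 9, or whether something in the path (a proxy, a policy condition) rewrote it.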

So I tried this idea first, as it was the most straightforward, and it did not work.

There is no Service-Type = Shell-User on my RADIUS server. The choices I have are:
  • Administrative
  • Authorize Only
  • Callback Administrative
  • Callback Framed
  • Callback NAS Prompt
  • Login (which is what ours was set to)
  • NAS Prompt
  • Outbound

I tried Administrative, Callback Login, and Authorize Only, in addition to Login. We already had that Cisco-AV-Pair programmed into the RADIUS server; however, it seems the switch is ignoring it?! I'm still only getting to EXEC mode. I will try changing the key now that I have ruled out this solution for my particular case, unless you have additional info!

jasonelmore (Accepted Solution)
Level 1

Ended up doing a ROM recovery by bypassing the startup-config and then copying startup to running.  Thanks for taking a shot at helping me out.