Locked out and want to avoid a reboot of 6500

davidhvoss
Level 1

We have a Cisco 6500 that we can login to with Priv level 0 but we cannot login to enable mode (Priv level 15).


User Access Verification

Username: xxxxx
Password:

6500Mothership>en
Password:
% Access denied

6500Mothership>


The Cisco ACS server that it communicates with is off of Gig 9/1, but that port is admin down. I believe it is using local authentication. I believe the aaa command has the system using TACACS and then the local enable password as a fallback. I have used Hashcat to crack the MD5 hash for the enable secret, and the password it comes up with doesn't work, so… I believe that the local enable password has been changed since the last configuration that we have was saved.
I am providing the last configuration we have, but it’s months old and I think the enable secret password hash is based on an old password (but I could be wrong).
The running-config is saved daily to disk0: - but we cannot access it because we don’t have proper access to the system.
Here is some basic info on the system, but if you get chosen to work on this, I’ll provide you the latest running config that we have which is about 3 months old.


enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password yyyyyyyyyyyyyy
!
username xxxx privilege 7 password 0 yyyyy
username xxxx privilege 7 password 0 @yyyyy
username xxxx privilege 7 password 0 @Marnix Coosemans
username xxxx privilege 15 password 0 yyyyy
username xxxx privilege 15 password 0 yyyyy

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
!
!
!
aaa session-id common
!
line con 0
line vty 0 4
 session-timeout 120
 password xxxxxxxxxxxxxxxxx
 length 0
 transport input all
!
!
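As an added example (not part of the original thread or of Cisco's tooling), here is a small Python audit script that parses an IOS-style configuration like the one posted above, flags cleartext `password` and `enable password` lines and open management transports, and walks the `aaa authentication enable default group tacacs+ enable` method list the way IOS does, to show why the local enable secret is the deciding method while the TACACS+ server is unreachable. The sample configuration embedded in it, and every username and secret in it, are constructed placeholders rather than values from the post.

```python
"""Audit an IOS-style config for weak credential storage and AAA method-list fallback."""
import re

# Constructed sample: modelled on the redacted configuration in the post above,
# with placeholder names and secrets (not values from the original page).
SAMPLE_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
enable password PLAINTEXT-ENABLE-PW
!
username user7 privilege 7 password 0 plain7
username user15 privilege 15 password 0 plain15
username svc privilege 15 password 7 094F471A1A0A
username admin privilege 15 secret 9 $9$PLACEHOLDERSCRYPT
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default if-authenticated
!
line con 0
line vty 0 4
 session-timeout 120
 password plainvty
 length 0
 transport input all
!
"""

USERNAME_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? (password|secret)(?: (\d+))? ")
AAA_AUTH_RE = re.compile(r"^aaa authentication (login|enable) (\S+) (.+)$")


def describe_password_type(ptype):
    """Human-readable description of an IOS password storage type."""
    if ptype in (None, "0"):
        return "cleartext (type 0)"
    if ptype == "7":
        return "type 7 (reversible encoding, not a hash)"
    return f"type {ptype}"


def audit_config(config):
    """Return (line, finding) tuples for weak credential storage and exposed management access."""
    findings = []
    section = None  # the 'line ...' block we are currently inside, if any
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("line "):
            section = line
        elif not raw.startswith(" "):
            section = None  # an unindented command ends the line block

        if line.startswith("enable password"):
            findings.append((line, "enable password is cleartext/type 7 and redundant next to enable secret"))
        m = USERNAME_RE.match(line)
        if m and m.group(3) == "password":
            name, ptype = m.group(1), m.group(4)
            findings.append((line, f"user {name} uses 'password' {describe_password_type(ptype)}; use 'secret' (type 8/9)"))
        if section and line.startswith("password "):
            findings.append((line, f"{section}: cleartext line password"))
        if section and line == "transport input all":
            findings.append((line, f"{section}: permits telnet and other cleartext transports; restrict to ssh"))
    return findings


def parse_methods(spec):
    """Split 'group tacacs+ enable' into ['group tacacs+', 'enable']."""
    tokens, methods, i = spec.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def enable_auth_chain(config):
    """Ordered method list from 'aaa authentication enable default ...' (empty if absent)."""
    for raw in config.splitlines():
        m = AAA_AUTH_RE.match(raw.strip())
        if m and m.group(1) == "enable" and m.group(2) == "default":
            return parse_methods(m.group(3))
    return []


def deciding_method(chain, reachable_groups):
    """Walk the list as IOS does: a 'group X' method is skipped (ERROR) only when no
    server in X is reachable; the first method able to answer decides, and a reject
    there ends the attempt. None means every method errored, which is a deny."""
    for method in chain:
        if method.startswith("group "):
            if method.split()[1] in reachable_groups:
                return method
            continue
        return method
    return None


if __name__ == "__main__":
    for line, finding in audit_config(SAMPLE_CONFIG):
        print(f"{finding}\n    {line}")
    chain = enable_auth_chain(SAMPLE_CONFIG)
    print("enable method list:", chain)
    print("deciding method with tacacs+ unreachable:", deciding_method(chain, set()))
```

The fallback walk is the point worth internalising: IOS moves to the next method in the list only when the previous one returns an error (no reachable server), never when it rejects the credentials. With the ACS port admin down, `group tacacs+` errors, the `enable` method decides using the configured `enable secret`, and a wrong secret there is a hard deny with nothing further to fall back to. That is consistent with the poster's reading of the configuration.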


Seb Rupik
VIP Alumni

Hi there,

Do you have SNMP write access? You could issue some set commands to initiate a TFTP session to copy the running config from the device, allowing you to check the password hash again.


cheers,

Seb.

balaji.bandi
Hall of Fame

If you have lost the local username and password, the only option you have is to enable ACS again to authenticate users.


You can try the other option as suggested, but it is subject to SNMP write access being enabled. If not, a password reset is the only option you have.


BB
