cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

83
Views
0
Helpful
2
Replies
Beginner

Locked out and want to avoid a reboot of 6500

We have a Cisco 6500 that we can login to with Priv level 0 but we cannot login to enable mode (Priv level 15).

 

User Access Verification

Username: xxxxx
Password:

6500Mothership>en
Password:
% Access denied

6500Mothership>


The Cisco ACS server that it communicates with is off of Gig 9/1 but that port is admin down. I believe it us using local authentication. I believe the aaa command has the system using TACACS and then the local enable password as a failback. I have used HashCat to crack the MD5 hash for the enable secret and the password it comes up with doesn’t work, so…. I believe that the local enable password has been changed since the last configuration that we have was saved.
I am providing the last configuration we have, but it’s months old and I think the enable secret password hash is based on an old password (but I could be wrong).
The running-config is saved daily to disk0: - but we cannot access it because we don’t have proper access to the system.
Here is some basic info on the system, but if you get chosen to work on this, I’ll provide you the latest running config that we have which is about 3 months old.


enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password yyyyyyyyyyyyyy
!
username xxxx privilege 7 password 0 yyyyy
username xxxx privilege 7 password 0 @yyyyy
username xxxx privilege 7 password 0 @Marnix Coosemans
username xxxx privilege 15 password 0 yyyyy
username xxxx privilege 15 password 0 yyyyy

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
!
!
!
aaa session-id common
!
line con 0
line vty 0 4
session-timeout 120
password xxxxxxxxxxxxxxxxx
length 0
transport input all
!
!

2 REPLIES 2
VIP Advisor

Re: Locked out and want to avoid a reboot of 6500

Hi there,

Do you have SNMP write access? You could issue some set commands to initiate a TFTP session to copy the running config from the device, allowing you to check the password hash again.

 

cheers,

Seb.

Highlighted
VIP Advisor

Re: Locked out and want to avoid a reboot of 6500

If you lost the Local username and password lost, only option you have enable ACS again to authenticated users.

 

you can try other option as suggested, but subject to SNMP Wr access enabled. if not password reset only option you have.

 

BB
*** Rate All Helpful Responses ***
CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards