07-03-2005 03:05 PM - edited 03-02-2019 11:16 PM
Experienced a power loss while remotely uploading a new configuration to a WS-C2924-XL (running IOS 12.0(5)WC8). I am unable to authenticate since the device reloaded.
I know that part of the config was successfully uploaded because I am being prompted for the aaa authentication username/password (no username/password was applied before I attempted the upload). WAN connectivity (to the tacacs+ server) is available, so I don't believe that part of the config made it to the switch. Relevant config is shown below:
aaa new-model
aaa authentication password-prompt Backup_Authentication_Password:
aaa authentication username-prompt Backup_Authentication_Username:
aaa authentication login default group tacacs+ local
aaa authorization exec default local group tacacs+
aaa authorization commands 0 default local group tacacs+
aaa authorization commands 1 default local group tacacs+
aaa authorization commands 15 default local group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
enable secret xxx
!
username xxx password xxx
=======================================
I do not have anybody on-site and the only connection available to me is via fa0/1 through the router. Trying to figure out how to gain access to the device in order to complete the config.
Any suggestions will be greatly appreciated.
John
07-03-2005 11:38 PM
Hi,
do I understand correctly that you were uploading a new startup-config file to the switch and the switch reloaded during the upload process due to power-failure?
It means there might be only a part of the new config running in the switch memory with vty commands missing, e.g.
In this case, I'm afraid the only solution is password recovery on the site.
Isn't there a chance the config is complete and there is a mistake in the TACACS+ configuration? Do you see anything in the TACACS server log?
According to
aaa authentication login default group tacacs+ local
if you disable communication between your switch and TACACS server (ACL on the router, e.g.), it should be possible to login using local user password ...
Regards,
Milan
07-05-2005 06:12 PM
Thanks for the reply, Milan.
I agree with you that only part of the config made it to the switch. Part that didn't make it included the ip address for the tacacs+ server so the switch cannot authenticate with anybody other than the backup username/password. Unfortunately I don't believe that part made it either as it will not allow me to login at all.
On-site personnel rebooted the switch today and I completed the config. I never had a chance to write memory, so a simple reboot solved the problem (sounds like a Windows fix). I was trying to find a way into the box over the weekend so as not to interrupt production when everybody came back to the office today.
Thanks again,
John
07-05-2005 06:13 PM
PS If I would have scheduled a reload before doing the config I never would have had this problem. It's always easy to cancel a reload once the maintenance is complete...
John
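Added example, not part of the original thread: a pre-upload check that cuts a candidate config after each line and reports where a truncated transfer would leave no working login method. It uses an abridged copy of the lines quoted above and a simplified model; the assumptions are that lines apply top to bottom, that login falls back to local once aaa new-model is active with no login list, and that methods other than tacacs+ and local are not modelled.

```python
import re

# Constructed input: an abridged copy of the config lines quoted in the thread,
# in the posted order (secrets redacted as on the page).
THREAD_ORDER = [
    "aaa new-model",
    "aaa authentication password-prompt Backup_Authentication_Password:",
    "aaa authentication username-prompt Backup_Authentication_Username:",
    "aaa authentication login default group tacacs+ local",
    "aaa authorization exec default local group tacacs+",
    "aaa authorization commands 15 default local group tacacs+",
    "enable secret xxx",
    "username xxx password xxx",
]
# Same lines with the local account moved ahead of "aaa new-model".
LOCAL_FIRST = [THREAD_ORDER[-1]] + THREAD_ORDER[:-1]


def login_possible(applied):
    """Simplified model (an assumption, not full IOS behaviour):
    can anyone still log in once only the `applied` lines are active?"""
    if "aaa new-model" not in applied:
        return True  # AAA not enabled yet: existing line access is unchanged
    has_user = any(re.match(r"username \S+ (password|secret) ", l) for l in applied)
    has_server = any(l.startswith("tacacs-server host ") for l in applied)
    methods = ["local"]  # assumed default once aaa new-model is on
    for l in applied:
        m = re.match(r"aaa authentication login default (.+)", l)
        if m:
            methods = [w for w in m.group(1).split() if w != "group"]
    # A method counts as usable only if its backing data is configured.
    usable = {"tacacs+": has_server, "local": has_user}
    return any(usable.get(meth, False) for meth in methods)


def lockout_points(config):
    """Return each prefix length n where a transfer cut after line n blocks logins."""
    return [n for n in range(1, len(config) + 1) if not login_possible(config[:n])]


if __name__ == "__main__":
    print("thread order:", lockout_points(THREAD_ORDER))
    print("local first :", lockout_points(LOCAL_FIRST))
```

In the posted order every cut before the final username line blocks logins, while placing the local account first leaves no such cut point.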