
Cisco IOS - Admin login failed

shailesh.pawar
Level 1

Hello,

I have configured Cisco IOS to authenticate via a RADIUS server (Cisco ISE). By mistake I have set all authentication via RADIUS only.

Now, I am able to log in via RADIUS but unable to log in through the Cisco IOS local admin credentials, and because of this I am not able to access the privileged commands.

Is there any way to revert this so that login through admin (sadm) would be possible and not by RADIUS?

I don't have access to "configure", "enable" commands for the radius user.

8 Replies

Jatin Katyal
Cisco Employee

Could you please provide the running configuration from the IOS?

-- Show run

If you have radius as a primary authentication method and local as a secondary (failover: in case radius goes down, you may access IOS via the local database), then only radius authentication will work. The local credentials can only be used when the radius server is unreachable or down. In the presence of the radius server, local credentials won't work.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
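
The fallback behaviour described in the reply above (local credentials are only consulted when the RADIUS server does not answer, and only if a local method is in the list) can be checked before a config is committed. This is an added example, not part of the original thread and not Cisco code: a small Python audit run over two constructed IOS configs; the config text, the function names and the hash placeholder for `sadm` are assumptions.

```python
import re

# Constructed sample configs (not taken from the thread).
# "sadm" is the local admin account named in the original post.
LOCKOUT_PRONE = """\
aaa new-model
aaa authentication login default group radius
aaa authentication enable default group radius
aaa authorization exec default group radius
username sadm privilege 15 secret 5 <constructed-hash>
"""
WITH_FALLBACK = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
username sadm privilege 15 secret 5 <constructed-hash>
"""

# Methods that still work when no remote AAA server answers.
# "none" is deliberately excluded: it would skip the check entirely.
LOCAL_METHODS = {"local", "local-case", "enable", "line", "if-authenticated"}
AAA_LINE = re.compile(
    r"^aaa (authentication (?:login|enable)|authorization exec) (\S+) (.+)$")

def parse_methods(text):
    """Turn 'group radius local' into ['group radius', 'local']."""
    return re.findall(r"group \S+|\S+", text)

def audit(config):
    """Return findings for method lists that can lock out the local admin."""
    findings = []
    has_local_user = bool(re.search(r"^username \S+ ", config, re.M))
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if not m:
            continue
        service, list_name = m.group(1), m.group(2)
        methods = parse_methods(m.group(3))
        fallback = [x for x in methods if x in LOCAL_METHODS]
        if not fallback:
            findings.append(f"{service} {list_name}: no local fallback after {methods}")
        elif {"local", "local-case"} & set(fallback) and not has_local_user:
            findings.append(f"{service} {list_name}: 'local' listed but no username defined")
    return findings
```
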

Thanks Jatin,

The show run command is not working. It is showing the error: "% Unrecognized command"

I have also tried this, taking down the RADIUS server (Cisco ISE server), but I am not able to log in via admin (sadm).

Is there any configuration file which contains an entry for the RADIUS user, and because of that authentication is via RADIUS and not by local?

Was that working before? btw, what IOS code are you running?

What error do you see on the IOS command line interface when ISE is DOWN and you try to log in with the local user account?

Did you set local authentication as a failover method? Do you have a paper config of the IOS before you got locked out?

You can check the ISE live authentication logs to see whether the user is being authenticated by the radius server. You need to use radius credentials and then go to ISE > operations > authentication > log messages.

Did you write the changes? If not, the last resort would be RELOAD.

~BR
Jatin Katyal

~Jatin

Thanks Jatin,

Problem is resolved. Now I am able to log in.

Thanks for your help.

Jatin Katyal
Cisco Employee

Yw, was there any miss or typo in the config from your side in the aaa authentication commands?


~Jatin

Yes, there was a typo in the aaa authentication commands. By mistake I typed the wrong spelling.

Do you have any logs related to client provisioning and posture assessment in Cisco ISE?

I see, that's the only issue I could think of.

I would appreciate if you initiate a new discussion for ISE and mark this thread as Resolved.

~BR
Jatin Katyal

~Jatin

I have already opened another issue for the same:

https://supportforums.cisco.com/message/3990002