Lockout Scenarios and workarounds
In some circumstances, when you turn on command authorization or CLI authentication, you can be locked out of the security appliance CLI. You can usually recover access by restarting the security appliance. However, if you already saved your configuration, you might be locked out.
Local CLI authentication | No users in the local database | If you have no users in the local database, you cannot log in, and you cannot add any users. | Log in and reset the passwords and aaa commands. | Session into the security appliance from the switch. From the system execution space, you can change to the context and add a user. |
TACACS+ command authorization TACACS+ CLI authentication RADIUS CLI authentication | Server down or unreachable and you do not have the fallback method configured | If the server is unreachable, then you cannot log in or enter any commands. | 1. 2. | 1. 2. |
TACACS+ command authorization | You are logged in as a user without enough privileges or as a user that does not exist | You enable command authorization, but then find that the user cannot enter any more commands. | Fix the TACACS+ server user account. If you do not have access to the TACACS+ server and you need to configure the security appliance immediately, then log into the maintenance partition and reset the passwords and aaa commands. | Session into the security appliance from the switch. From the system execution space, you can change to the context and complete the configuration changes. You can also disable command authorization until you fix the TACACS+ configuration. |
Local command authorization | You are logged in as a user without enough privileges | You enable command authorization, but then find that the user cannot enter any more commands. | Log in and reset the passwords and aaa commands. | Session into the security appliance from the switch. From the system execution space, you can change to the context and change the user level. |
Log in and reset the passwords and AAA commands.
Viewing the Logged-In User
To view the current logged-in user, enter the following command:
hostname# show curpriv
See the following sample show curpriv command output. A description of each field follows.
hostname# show curpriv
Username : admin
Current privilege level : 15
Current Mode/s : P_PRIV
Username | Username. If you are logged in as the default user, the name is enable_1 (user EXEC) or enable_15 (privileged EXEC). |
Current privilege level | Level from 0 to 15. Unless you configure local command authorization and assign commands to intermediate privilege levels, levels 0 and 15 are the only levels that are used. |
Current Mode/s | Shows the access modes: • • • |