Lockout Scenarios and Workarounds
In some circumstances, when you turn on command authorization or CLI authentication, you can be locked out of the security appliance CLI. You can usually recover access by restarting the security appliance, because the running configuration is discarded. However, if you already saved your configuration, the lockout survives the restart and you might remain locked out.
The following scenarios list, for each feature, the lockout condition, a description, and the workaround in single mode and in multiple (context) mode.

Feature: Local CLI authentication
Lockout Condition: No users in the local database
Description: If you have no users in the local database, you cannot log in, and you cannot add any users.
Workaround (Single Mode): Log in and reset the passwords and aaa commands.
Workaround (Multiple Mode): Session into the security appliance from the switch. From the system execution space, you can change to the context and add a user.

Feature: TACACS+ command authorization, TACACS+ CLI authentication, or RADIUS CLI authentication
Lockout Condition: Server down or unreachable and you do not have the fallback method configured
Description: If the server is unreachable, then you cannot log in or enter any commands.
Workaround (Single Mode):
1. Log in and reset the passwords and aaa commands.
2. Configure the local database as a fallback method so you do not get locked out when the server is down.
Workaround (Multiple Mode):
1. If the server is unreachable because the network configuration is incorrect on the security appliance, session into the security appliance from the switch. From the system execution space, you can change to the context and reconfigure your network settings.
2. Configure the local database as a fallback method so you do not get locked out when the server is down.

Feature: TACACS+ command authorization
Lockout Condition: You are logged in as a user without enough privileges or as a user that does not exist
Description: You enable command authorization, but then find that the user cannot enter any more commands.
Workaround (Single Mode): Fix the TACACS+ server user account. If you do not have access to the TACACS+ server and you need to configure the security appliance immediately, then log into the maintenance partition and reset the passwords and aaa commands.
Workaround (Multiple Mode): Session into the security appliance from the switch. From the system execution space, you can change to the context and complete the configuration changes. You can also disable command authorization until you fix the TACACS+ configuration.

Feature: Local command authorization
Lockout Condition: You are logged in as a user without enough privileges
Description: You enable command authorization, but then find that the user cannot enter any more commands.
Workaround (Single Mode): Log in and reset the passwords and aaa commands.
Workaround (Multiple Mode): Session into the security appliance from the switch. From the system execution space, you can change to the context and change the user level.
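The two configuration-side lockout conditions above (an AAA server group with no LOCAL fallback, and LOCAL authentication with no user in the local database) can be caught before the configuration is saved. The following checker is an added example, not part of the original page or of Cisco's documentation; the two embedded configurations are constructed samples, the server-group name TACACS_SRV, the host address and the username are placeholders, and the line patterns assume the aaa authentication ... console and aaa authorization command syntax shown in the workarounds.

```python
import re

# Constructed samples (not from the page). WEAK_CONFIG has the lockout
# conditions the table warns about; FIXED_CONFIG applies the workaround of
# adding the local database (LOCAL) as a fallback and defining a local user.
WEAK_CONFIG = """\
aaa-server TACACS_SRV protocol tacacs+
aaa-server TACACS_SRV (inside) host 192.0.2.10
aaa authentication ssh console TACACS_SRV
aaa authentication enable console TACACS_SRV
aaa authorization command TACACS_SRV
"""

FIXED_CONFIG = """\
aaa-server TACACS_SRV protocol tacacs+
aaa-server TACACS_SRV (inside) host 192.0.2.10
username admin password PLACEHOLDER-PASSWORD privilege 15
aaa authentication ssh console TACACS_SRV LOCAL
aaa authentication enable console TACACS_SRV LOCAL
aaa authorization command TACACS_SRV LOCAL
"""

# "aaa authentication <ssh|telnet|serial|enable|http> console <group> [LOCAL]"
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?$")
# "aaa authorization command <group> [LOCAL]"
AUTHZ_RE = re.compile(r"^aaa authorization command (\S+)(?: (LOCAL))?$")


def find_lockout_risks(config: str) -> list[str]:
    """Return one finding per lockout condition present in the config text."""
    findings = []
    has_local_user = False   # at least one "username ..." line
    uses_local = False       # LOCAL is the method or the fallback somewhere
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("username "):
            has_local_user = True
            continue
        m = AUTH_RE.match(line) or AUTHZ_RE.match(line)
        if not m:
            continue
        groups = m.groups()
        what = f"{groups[0]} authentication" if m.re is AUTH_RE else "command authorization"
        group, fallback = groups[-2], groups[-1]
        if "LOCAL" in (group, fallback):
            uses_local = True
        else:
            # Server down or unreachable => no way to log in or run commands.
            findings.append(f"{what} uses {group} with no LOCAL fallback")
    if uses_local and not has_local_user:
        # Local authentication with an empty local database => cannot log in.
        findings.append("LOCAL is used but no username is defined")
    return findings
```

Run the checker against a candidate configuration before write memory; an empty list means neither condition from the table is present.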
Viewing the Logged-In User
To view the current logged-in user, enter the show curpriv command.
The following is sample show curpriv command output; a description of each field follows.
Current privilege level : 15
Field: Username
Description: Username. If you are logged in as the default user, the name is enable_1 (user EXEC) or enable_15 (privileged EXEC).

Field: Current privilege level
Description: Level from 0 to 15. Unless you configure local command authorization and assign commands to intermediate privilege levels, levels 0 and 15 are the only levels that are used.

Field: Current Mode/s
Description: Shows the access modes:
• P_UNPR: User EXEC mode (levels 0 and 1)
• P_PRIV: Privileged EXEC mode (levels 2 to 15)
• P_CONF: Configuration mode