11-18-2012 12:02 PM - edited 03-07-2019 10:06 AM
I was testing the 802.1x function on a Catalyst 2950.
The function itself works fine with my RADIUS server.
But after I set up aaa new-model, I have no access to my switch!!!
Every time I telnet it prompts me for a username, but I didn't create any user!!
Can anyone tell me how to recover to the original status, where it just prompts for a password and no username is needed, with 802.1x still enabled of course?
Thanks for the help!!
Please see my partial config.
-----------------------------------------------------------------------------------------------
hostname sw2
!
aaa new-model
aaa authentication dot1x default group radius local
enable secret 5 $1$f6kq$RgfK0XFt3S9EoTG/DGZb81
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
spanning-tree mode rapid-pvst
no spanning-tree optimize bpdu transmission
!
interface FastEthernet0/9
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/10
interface Vlan1
ip address 10.1.1.3 255.255.255.0
no ip route-cache
!
ip http server
radius-server host 10.1.1.100 auth-port 1812 acct-port 1813 key 1234
radius-server retransmit 3
!
line con 0
exec-timeout 0 0
line vty 0 4
password noriko
line vty 5 15
!
!
end
----------------------------------------------------------------------------
BRs,
Johnny
11-18-2012 02:22 PM
Hi,
Try creating a separate instance of AAA authentication for your VTY lines that uses the line password.
Router(config)#aaa authentication login TELNET ?
enable Use enable password for authentication.
group Use Server-group
krb5 Use Kerberos 5 authentication.
krb5-telnet Allow logins only if already authenticated via Kerberos V Telnet.
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
Router(config)#aaa authentication login TELNET line
Router(config)#line vty 0 4
WORD Use an authentication list with this name.
default Use the default authentication list.
Router(config-line)#login authentication TELNET
11-18-2012 08:18 PM
There have been several interesting suggestions. But I believe that John is the closest (though I will suggest something slightly different than his suggestion).
First let us consider what is the basic problem. Without aaa new-model the default for authentication (on console and on vty) is to use the line password. But when you enable aaa new-model then the default for authentication becomes local - and this generates the prompt for a user name, and will check the entered user name against any locally configured user names and passwords.
When you configured aaa new-model and authentication dot1x, it set the default for authentication to use a locally configured user ID and password. The suggestion from John to create a named authentication method and assign it to the vty would solve your issue on the vty (but not on the console). My suggestion is to create a default authentication which uses the line password. This will solve the issue on both the vty and the console. It might look something like this:
aaa authentication login default line
That should get you back to needing only to enter the line password on the console and on the vty, and would not impact the dot1x authentication.
HTH
Rick
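As an added example (not from the thread), a short Python audit that applies Rick's explanation above to a config paste and reports which vty lines have no login method that can succeed with the configuration as written; it uses a trimmed copy of Johnny's posted config as constructed input and leaves console behaviour out on purpose.

```python
# Added example, not from the thread. Rule modelled: without 'aaa new-model' a
# vty uses its line password; with it, the vty uses its 'login authentication'
# list or else the default login list, and with no default list the method is
# 'local'. A method that cannot succeed with the posted config is skipped, so an
# exhausted list means the vty is unreachable. Console lines are not modelled.
import re

def method_ok(method, config, vty_body):
    """True if the method can succeed using only what the config itself provides."""
    if method == "line":
        return re.search(r"^\s*password \S+", vty_body, re.M) is not None
    if method == "local":
        return re.search(r"^username \S+", config, re.M) is not None
    if method == "enable":
        return re.search(r"^enable (secret|password) ", config, re.M) is not None
    return method == "none"   # 'group:radius', 'krb5' etc. need a server: not a guarantee

def vty_stanzas(config):
    """Yield (header, body) for each 'line vty' stanza; pastes often lose indentation."""
    lines = config.splitlines()
    for i, hdr in enumerate(lines):
        if hdr.startswith("line vty"):
            body = []
            for nxt in lines[i + 1:]:
                if nxt.startswith(("line ", "!", "end")):
                    break
                body.append(nxt)
            yield hdr, "\n".join(body)

def login_list(config, vty_body):
    """Return the method list IOS applies to this vty (empty if a named list is undefined)."""
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        return ["line"]
    m = re.search(r"^\s*login authentication (\S+)", vty_body, re.M)
    name = m.group(1) if m else "default"
    lst = re.search(rf"^aaa authentication login {re.escape(name)} (.+)$", config, re.M)
    if lst:   # fold 'group radius' into one token so each token is one method
        return re.sub(r"group (\S+)", r"group:\1", lst.group(1)).split()
    return ["local"] if name == "default" else []

def audit(config):
    """Map each vty stanza header to (methods tried, locked_out)."""
    report = {}
    for hdr, body in vty_stanzas(config):
        ml = login_list(config, body)
        report[hdr] = (ml, not any(method_ok(m, config, body) for m in ml))
    return report

# Trimmed copy of the config pasted in the question, then Rick's one-line fix.
POSTED = ("hostname sw2\naaa new-model\naaa authentication dot1x default group radius local\n"
          "line con 0\nexec-timeout 0 0\nline vty 0 4\npassword noriko\nline vty 5 15\n!\nend\n")
FIXED = POSTED.replace("aaa new-model\n", "aaa new-model\naaa authentication login default line\n")
```

Running `audit(POSTED)` flags both vty ranges as locked out; `audit(FIXED)` clears vty 0 4 but still flags vty 5 15, which has no line password set.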
11-18-2012 12:09 PM
If you didn't save the config, you can reboot the switch and it will revert back to the old config.
If you saved the config, then you need to access the switch using a console cable and create a username and password.
HTH
11-18-2012 12:13 PM
I can access it via console, but is there any way I can access it without entering a username? Since I am the only administrator,
it's kind of annoying to enter a username; I just want to enter the password.
11-18-2012 01:13 PM
You can try using the "no login" command and then issue "enable secret password" and see if the router lets you in without any username.
HTH
11-19-2012 09:34 AM
Thanks for the advice.
I took Richard's suggestion; it's only one line and it solved my issue!!
11-19-2012 09:35 AM
Dear John,
Thanks for the suggestion. I've tested your comments, and it works flawlessly!!
Also the suggestion from Richard is working, and it's even simpler!!
Thanks a lot!!!
BRs,
Johnny
11-18-2012 02:21 PM
Create a username and password in your RADIUS server and try with that. Another option is to block the communication between the switch and your RADIUS server. Then you can log in with the local username and password configured in the switch.
11-19-2012 09:37 AM
Dear Richard,
You are SUPER!!! It really solved my issue; I was searching Google for a couple of hours without luck!!
And your suggestion, just a single line of command, solved my issue!!
Thank you very much!!
BRs,
Johnny
11-19-2012 12:36 PM
Johnny
Thank you for the compliment. I am glad that our suggestions were able to give you a solution to your problem. It is interesting here that there is more than one solution that solves the problem. This is a good point for people to understand. Thank you for using the rating system to mark your question as resolved. It makes the forum more useful when people can read a question and can know that a solution was found. Your marking has contributed to this process.
HTH
Rick
02-13-2018 09:41 AM
You need to create an enable secret password if you haven't, and modify the line below from "local" to "enable". What that line means is that when your switch is unable to communicate with a RADIUS server, it moves on to "local" (this is the local user/pass). Since you did not configure a local user/pass, you are out of luck and you should factory reset your switch, referring to the user manual. However, changing the word local to enable will allow you to use the enable password if your switch is not able to communicate with the RADIUS server for some reason. Hope this helps.
FROM:
aaa authentication dot1x default group radius local
TO:
aaa authentication dot1x default group radius enable