Solved: Re: C2960x Privileged EXEC access denied

tim.johnston · ‎06-18-2019

Hello,

I recently upgraded all (3) of my WS-C2960X-48LPS-L switches to 15.2(4)E7 with web management. 2 on-site with me, and 1 on a remote site over 4 hours away.

I've not used the gui very much before, so I logged into it during troubleshooting of a connectivity issue to see if there would be any useful information that wasn't jumping out at me in ssh. There was not, while I was poking around the gui, my ssh session timed out. I now I get access denied to Privileged EXEC when connecting via ssh.

I had this same thing happen to the same model switch on-site where I am, and I was able to get it to work again by unplugging the power and plugging it back in. I was about to perform the password recovery, when I read on a forum that my web session may be causing the issue, and a reload might correct it.

For the switch at the remote site; I had a person stay after hours and do the same, when reloading via the web gui bared no fruit, we proceeded with pulling the power, but alas no joy was to be had.

My credentials still work to get to User EXEC, and the same for the other privilege 15 account, but not Privileged EXEC.

Can anyone advise on a method to get access besides the password recovery method? I need to make changes to a port, and the gui just doesn't have the options I need available.

I'm beginning to regret that I loaded the gui at this point, but I digress...

Thank you in advance for any assistance thrown my way. :-)

tim.johnston · ‎06-18-2019

I figured it out.

I did not have the original enable password, the device was setup by a consultant, and my user account had privilege 15, and I've not needed it until now.

I opened the Network Assistant as it has rw access, I went to the switch properties and set a new enable password.

I logged in via ssh, and used my privilege 15 user account, and was given User EXEC mode.

Typed enable, entered the new password I just set, and now have Privileged EXEC prompt.

View solution in original post

Seb Rupik · ‎06-18-2019

Hi there,

What do the AAA methods on these switches look like? If you are using TACACS or RADIUS and have configured a local fallback in the AAA AuthC method then I suggest creating an ACL on the interface which is connected to your ACS/ ISE/ NPS server to block authentication for that particular switch. This should force the switch (if configured) to fallback to using locally stored secret.

cheers,

Seb.

tim.johnston · ‎06-18-2019

username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username myuser privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
!
aaa session-id common

tim.johnston · ‎06-18-2019

I figured it out.

I did not have the original enable password, the device was setup by a consultant, and my user account had privilege 15, and I've not needed it until now.

I opened the Network Assistant as it has rw access, I went to the switch properties and set a new enable password.

I logged in via ssh, and used my privilege 15 user account, and was given User EXEC mode.

Typed enable, entered the new password I just set, and now have Privileged EXEC prompt.