Unable to access Cisco 2960X after the AAA new model command

Robert00509
Level 1

Hello,

I am facing a big problem.

By following a Cisco procedure to set up secure copy, I typed the following commands on my switch:

1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication login default group tacacs+
5. aaa authorization exec default group tacacs+
6. ip scp server enable

Now, I can no longer connect to my switch at all. Over SSH, all user accounts with privilege 15 get an "access denied". I also tried the console port, but it loops on "% authentication failed".

I don't know what to do anymore. I can try to restart the switches, but I don't know if I did a write memory before.

According to several forum readings on this subject, the only way is to break the switch.

What do you think? Have you been faced with this problem? Do you have a better solution?

Thank you in advance and good day!

2 Accepted Solutions

cmarva
Level 4

Are those the ONLY commands you put in? I mean, and not to sound condescending, but you did define tacacs servers, correct?

Also, and this is from past experience and going by memory at this point since I don't have my historical notes handy, I think you need an additional line or two:

aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization commands 15 default group tacacs+

And it's usually a good idea to use local as a fallback, so that if you get into this situation all you have to do is take the switch off the network for a few minutes and you should be able to get into it via a local account.

But at this point, yeah, I think you need to go through the password recovery procedure to get back into it and get things fixed.

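As an added example (not code from the thread or from Cisco), here is a small Python lint that reads an IOS-style configuration and flags the two conditions behind this lockout: an AAA method list that names a remote group with no `local`/`enable` fallback, and a `group tacacs+` method with no TACACS+ server defined. The two configs are constructed; the server name, address and placeholder secrets are assumptions.

```python
import re

# Constructed sample configs (not from the thread). The first mirrors the
# commands the poster typed; the second adds a local user, a TACACS+ server
# and "local"/"enable" fallbacks so admins keep access when the server is down.
LOCKED_OUT_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
ip scp server enable
"""

HARDENED_CONFIG = """\
aaa new-model
username admin privilege 15 secret <local-secret-placeholder>
tacacs server TAC1
 address ipv4 192.0.2.10
 key <tacacs-key-placeholder>
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization console
ip scp server enable
"""

FALLBACKS = {"local", "local-case", "enable", "line", "none"}
METHOD_LIST = re.compile(
    r"^aaa (authentication (?:login|enable)|authorization exec) (\S+) (.+)$")

def audit_aaa(config: str) -> list[str]:
    """Return findings for AAA method lists that can lock administrators out."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    has_tacacs = any(l.startswith(("tacacs server ", "tacacs-server host ")) for l in lines)
    has_local_user = any(l.startswith("username ") for l in lines)
    findings = []
    for line in lines:
        m = METHOD_LIST.match(line)
        if not m:
            continue
        kind, name, methods = m.groups()
        # Fold "group tacacs+" / "group radius" into single method tokens.
        meth = re.findall(r"group \S+|\S+", methods)
        if any(t.startswith("group ") for t in meth) and not (FALLBACKS & set(meth)):
            findings.append(f"{kind} {name}: remote group without local fallback")
        if "group tacacs+" in meth and not has_tacacs:
            findings.append(f"{kind} {name}: uses tacacs+ but no TACACS+ server defined")
        if "local" in meth and not has_local_user:
            findings.append(f"{kind} {name}: local fallback but no username configured")
    return findings
```

Running `audit_aaa` over the poster's commands reports four findings (no fallback and no server for both the login and exec lists), while the hardened config reports none.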

luis_cordova
VIP Alumni

Hi @Robert00509

Query:

When you set up AAA, did you get to enter this command?

Switch(config)# tacacs-server host <tacacs server ip>

If you entered it, then you can configure a tacacs server and assign it the configured IP, add a user on the server and try.

If you did not indicate a tacacs server, then I think the only option is to make a factory recovery.

Regards

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_0101.html

http://notthenetwork.me/blog/2013/05/28/reset-a-cisco-2960-switch-to-factory-default-settings/


3 Replies


Thank you for your answer. Unfortunately, I don't remember typing these commands.

I think I have no choice, I'll have to go through the password recovery procedure to get back into it and get things fixed.
