I am logged out after "enable secret" on WS-4507R

ashu.desai
Level 1

Here's my Cisco version

* Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I9K91S-M), Version 12.2(25)EWA14, RELEASE SOFTWARE (fc1)


cisco WS-C4507R (MPC8245) processor (revision 10) with 262144K bytes of memory

Processor board ID FOX09160247

MPC8245 CPU at 266Mhz, Supervisor II+

Last reset from PowerUp

6 Virtual Ethernet interfaces

244 Gigabit Ethernet interfaces

511K bytes of non-volatile configuration memory.

Configuration register is 0x2

Brief description of the problem:

--------------------------------------------

I added two users -

* username admin priv 15 password password1

* username admin2 secret secret1

* username admin2 priv 15

This made the total number of usernames 4 - from top in the order that could be seen from "sh run"

* cna

* webadmin

* admin

* admin1

After this, I enabled secret by

#enable secret secret2 (password)

Now, when I try to telnet in (ssh never worked, not sure if supported on this version)

* I can't log in as admin or admin1 at all. I do not remember password for username cna. The only thing I can do that works is "webadmin" which takes me to the login prompt.

switch1>

Now when I do "enable" (or "enable 15"), and try entering any/all passwords I remember, I get

% Access denied

Can someone please tell me how to get over this hump? I am trying to read "Password recovery" - I am just not sure what is the safest way to get back in "without having to reset the config". I can't wait for too long, we may need config changes very soon and without the Priv Exec mode, I am SOL.

Thank you for your efforts.

19 Replies

rfalconer.sffcu
Level 3

Is AAA configured to use the local users?

Is there a password configured on the line vty?

I don't think AAA is configured, frankly don't remember about the pwd on line vty.

I do know that when it was working fine -- only telnet worked, and when we used to log in, we were not asked username.

Only password to log in, and then enable password after that.

Then I added the username, and it all went downhill...

When you connect via telnet, does it prompt you for a username? (BTW, you have K9 version of code so SSH is possible)

Do you have physical access to the switch to connect via console?

With SSH I get "connection refused".

With serial console - I get the User mode "switch>"

With telnet I need to enter username to get to the User mode.

However, after that, it's the same - no matter what I try as my "enable" password - it keeps giving me

% Access Denied

Did you maybe typo the secret when you entered it?

Unfortunately, it sounds like you may need to do a password reset.

Or, if you didn't save the config after making the username changes, just reload the switch. The config will revert to the last saved copy.

Of course, either of these is a big impact on production.

There are a few easy steps that need to be taken to enable SSH. You can do a quick search after you regain control of the switch.

No, I just entered a username priv 15 password, and even then I could not log in as the username I entered. I could only enter as webadmin.

So I created another username secret password, username priv 15. enable secret.

Then I tried again, but this time I couldn't log in as webadmin either! Well, I can in the User mode, but not in enable mode.

So I have a feeling it's the enable secret that must have screwed it up. The thing is saved, in fact I did "wr mem" a few times!!!

I have input telnet, I guess I can change it to ssh. I have always been worried if I do it, would it screw it up...

I think password recovery is the only thing, which means reboot

I have read about it, but never actually done it, so I just hope it won't blow off my config, else I am in deep trouble with my 48 port x 7 modules...

I've done many password recoveries. As long as you follow the process for your switch type precisely it should be fine. Make sure to read each step closely and take your time.

You can initially make the input type 'any' so that telnet or SSH will work. You also need to make sure a domain name is configured, generate a crypto key and configure AAA. Usernames are needed for SSH.

It looks like you have a sup II+ so the second link would be the one to use.

Note the tip at the beginning:

Tip:

Configuration of the switch is not lost if the procedure is followed as mentioned. As a best practice, Cisco recommends that you have a backup copy of the configuration of all Cisco devices at the TFTP server or a Network Management server.

Do you have Smartnet on this device? It's probably a good idea to call TAC and verify that you've done everything possible to recover the passwords. They can also guide you through a recover process if you want.

No I don't.

I am not sure about backup of the config. At this stage, without being able to get into the enable mode, is it possible for me to back this up?

I doubt it's possible if you don't have any credentials. You need enable to run the copy commands and external tools will need a logon.

OK so I am now able to get in, thanks to the CNA software!!!

I made a few changes, took away the usernames, and entered

username admin priv 15 secret xxxxx

I am able to get in - however I have a few bugs.

I still somehow get in on the User mode, and have to enter the enable password. I did enable secret - even then it keeps asking me about the enable password - so basically I am entering the password twice.

I also changed the line vty 0 4

line vty 0 4

transport input all

I did notice I have the following:

aaa new-model
AND
aaa session-id common

I also noticed that even though I changed the line vty - it still shows me (sh run) --

line vty 0 4

password 7 01170708521F15

I did manage to get the SSH turned on, however, it bugs me that I have to enter the password twice...

Are there any other AAA entries?

What is the configuration on the local console line?

If SSH is working, you can change the transport input to ssh instead of all. This will disable telnet access.

If you set up AAA correctly, you won't have to enter passwords more than once. You can do a search on AAA with a local database and it will provide the steps. Again, you need to be careful when doing this because it leads to a lot of lockouts.
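As an added example that is not from this thread or either poster: a small Python check that audits a running-config excerpt for the settings behind the lockout and the double password prompt described above (aaa new-model with no explicit login method list, no exec authorization, type 7 passwords, telnet still allowed on the vty lines). The two config excerpts are constructed for the example, with placeholder password strings rather than the real values from the thread.

```python
"""Audit a Cisco IOS running-config excerpt for the lockout-prone
settings discussed in the thread. Constructed example, not from the
thread; password strings are placeholders."""
import re

# Modelled on the fragments quoted in the thread (constructed).
WEAK_CONFIG = """\
aaa new-model
aaa session-id common
username admin privilege 15 password 7 PLACEHOLDER7
line vty 0 4
 password 7 PLACEHOLDER7
 transport input all
"""

# Hardened variant: local AAA plus exec authorization, so a privilege-15
# user lands in privileged EXEC after a single login, and SSH only.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username admin privilege 15 secret 5 PLACEHOLDER5
line vty 0 4
 login authentication default
 transport input ssh
"""

def parse_vty(lines):
    """Return the indented sub-commands under the first 'line vty' block."""
    block, inside = [], False
    for line in lines:
        if line.startswith("line vty"):
            inside = True
            continue
        if inside and line.startswith(" "):
            block.append(line.strip())
        elif inside:
            break
    return block

def audit(config):
    """Return a list of human-readable findings for the excerpt."""
    lines = config.splitlines()
    findings = []
    if "aaa new-model" in lines and not any(l.startswith("aaa authentication login") for l in lines):
        findings.append("aaa new-model without an explicit 'aaa authentication login' method list")
    if not any(l.startswith("aaa authorization exec") for l in lines):
        findings.append("no exec authorization: users land in user EXEC and must 'enable' again")
    if any(re.search(r"\bpassword 7\b", l) for l in lines):
        findings.append("type 7 (reversible) password in use; prefer 'secret'")
    for l in parse_vty(lines):
        tokens = l.split()
        if tokens[:2] == ["transport", "input"] and ({"all", "telnet"} & set(tokens[2:])):
            findings.append("vty lines accept telnet (cleartext)")
    return findings
```

Running `audit(WEAK_CONFIG)` reports all four issues, while `audit(HARDENED_CONFIG)` returns an empty list.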

Bob,

Thank you for your help. I did a "no aaa new-model" and then went to the vty to do a login local. THEN it allowed me to change the input to SSH.

I am finally good. As a bit of cleaning up and best practices, I have given a different username to another person who may want to log in to just see what/where everything is without configuring it.

Do you know how to have this person change his own password even if he is NOT priv 15?

username user2 privilege 2 password 7 03075218050061

privilege interface level 2 ip address

privilege interface level 2 sh run

privilege interface level 2 desc

privilege interface level 2 switchport

privilege configure level 2 interface

privilege configure level 2 username

privilege configure level 2 password

privilege exec level 2 show running-config

privilege exec level 2 sh run

privilege exec level 2 show interfaces

privilege exec level 2 username

privilege exec level 2 configure terminal

However he is unable to change his password. Any way to achieve this?
