02-05-2018 12:55 AM - edited 03-12-2019 04:59 AM
I was replacing a faulty device and faced the issue below.
Before putting the device into production I configured it via console:
1. configured: enable secret 5 <string>
2. configured: username <> secret 5 <string>
3. router(config)#line console 0
router(config-line)#login local
Then I configured aaa new-model; after pasting all the aaa command lines I couldn't execute anything, even show commands were not working...
Can someone help me understand what went wrong? I configured login local for the console before configuring aaa; could that be the issue?
02-08-2018 09:04 AM
I do not understand your response about what string you used. But if you were able to log out and then log in again using that ID then it indicates that the string was correct.
I am not sure why you got locked out from executing any commands. My guess is that it has something to do with the group cisco parameter in your commands. Ordinarily I would think that the parameter if-authenticated would prevent the lock out. But for some reason it did not. When you got locked out did you try to logout and then log back in? Perhaps it needed a new authentication after the configuration was done.
Getting locked out is one of the things to be cautious about when configuring aaa. I have a few observations about that:
1) First is to not copy run start until you have thoroughly tested the config changes. As you demonstrated a simple reboot/power cycle is the easy way to recover from a problem if the changes have not been saved.
2) When configuring aaa I frequently use the capability to schedule a reload using the command reload in X (guess at how long it will take to make the changes and add a little margin). With the scheduled reload, if your changes do lock you out then the scheduled reload will reboot and discard the changes. If the changes do not cause any problem then you simply cancel the scheduled reload. This is especially useful if you are configuring a device that is not local.
3) I would suggest not turning on authorization for the console until your changes are made and tested. By default aaa authorization works on vty connections (telnet or SSH) but not on console. So you can make changes, then test them using telnet or SSH, and if there is a problem then the console session should still work and allow you to fix the problem without requiring a reload/reboot.
aaa authorization console
Once the authorization commands have been tested then you can enable authorization for the console.
HTH
Rick
02-05-2018 01:07 AM
Hi there,
Among the aaa commands that you pasted in, was one of them an aaa authorization ... default xxx?
If you changed that to anything but local, then you would have immediately affected the vty line you were logged in on.
I always have these in the aaa commands I paste in:
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization commands 15 default local
!
cheers,
Seb.
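The three cautions in Rick's accepted answer (do not save until tested, schedule a reload, hold back console authorization) and the local methods Seb keeps in his paste, worked through as one lockout-safe sequence. This is an added example, not configuration from any post in this thread: the server group TACACS-GRP, the server name TAC1, the address 192.0.2.10, the key EXAMPLE-KEY and the account admin are placeholders, and the method lists mirror the original poster's but add local as a fallback before if-authenticated.

```cisco
! Added example (not from the original thread): introducing AAA on IOS
! without locking yourself out. TACACS-GRP, TAC1, 192.0.2.10, EXAMPLE-KEY
! and the admin account are placeholders; substitute your own.
!
! Step 1: safety net. Nothing is saved until the end, so if the changes
! lock us out the scheduled reload boots the saved (pre-AAA) startup-config.
router#reload in 20
router#configure terminal
!
! Step 2: local fallback account. "secret <text>" hashes the clear text
! for you; "secret 5 <hash>" expects an existing hash, not a password.
router(config)#username admin privilege 15 secret <clear-text-password>
router(config)#enable secret <clear-text-password>
!
! Step 3: define the server group BEFORE any method list references it.
router(config)#aaa new-model
router(config)#tacacs server TAC1
router(config-server-tacacs)# address ipv4 192.0.2.10
router(config-server-tacacs)# key EXAMPLE-KEY
router(config-server-tacacs)# exit
router(config)#aaa group server tacacs+ TACACS-GRP
router(config-sg-tacacs+)# server name TAC1
router(config-sg-tacacs+)# exit
!
! Step 4: method lists with "local" as a fallback after the server group.
router(config)#aaa authentication login default group TACACS-GRP local
router(config)#aaa authentication enable default group TACACS-GRP enable
router(config)#aaa authorization exec default group TACACS-GRP local if-authenticated
router(config)#aaa authorization commands 15 default group TACACS-GRP local if-authenticated
router(config)#aaa accounting exec default start-stop group TACACS-GRP
router(config)#aaa accounting commands 15 default start-stop group TACACS-GRP
! "aaa authorization console" is deliberately NOT entered yet, so the
! console session keeps working if the vty test below fails.
router(config)#end
!
! Step 5: test from a SECOND session (SSH to the device) and confirm that
! login, exec and command authorization work there, e.g.
!   ssh admin@<router>  ->  show privilege ; show running-config | include aaa
! On the console, check that the server group actually answers:
router#test aaa group TACACS-GRP admin <password> legacy
router#show aaa servers
!
! Step 6: only after the vty test passes, extend authorization to the
! console, cancel the pending reload, and save.
router#configure terminal
router(config)#aaa authorization console
router(config)#end
router#reload cancel
router#write memory
```

If the SSH test in step 5 fails, do nothing on the console except wait: the reload from step 1 restores the previous startup-config. Only issue reload cancel once a fresh vty login has succeeded end to end.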
02-05-2018 01:39 AM
Hi Rupik,
Thanks for responding
aaa authentication login default group cisco local
aaa authentication enable default group cisco enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group cisco if-authenticated
aaa authorization commands 0 default group cisco if-authenticated
aaa authorization commands 1 default group cisco if-authenticated
aaa authorization commands 15 default group cisco if-authenticated
aaa accounting update newinfo periodic 15
aaa accounting exec default start-stop group cisco
aaa accounting commands 15 default start-stop group cisco
aaa accounting system default start-stop group cisco
I pasted the above lines, and was on the console, because the router is not in production.
02-07-2018 01:01 PM
The original post emphasizes that login local was configured. Once you have entered aaa new-model then that overrides login local. If you are configuring aaa authentication to use local resources then it winds up with the same effect, but login local is no longer controlling the login process.
You indicate that you have done these
1. configured: enable secret 5 <string>
2. configured: username <> secret 5 <string>
was the string that you used the encrypted value of the password or was the string that you used the clear text password?
HTH
Rick
02-08-2018 02:48 PM
You are welcome. I am glad that my explanations were helpful. Thank you for marking this question as solved. This will help other readers in the forum to identify discussions which have helpful information.
I hope to see you continue to be active in the forum.
HTH
Rick