How to change the VPN password on a 1760

jtpryan12
Level 1

I have just started supporting a client with a Cisco 1760 on site.  They also use the VPN on this device.  I can get to the web interface but for the life of me I cannot find out where I change the VPN password.  They just terminated an employee and I need to do this.  Can anybody point me in the right direction?  I can't believe how difficult this is proving to be.  I must be missing something obvious.

Thank You,

Jim


Jennifer Halim
Cisco Employee

What is the VPN configured to authenticate the users to?

Local database on the router or external authentication server?

Can you pls share output of "sh run" from the router so it can be identified.

Jennifer,

Thank you for the reply.  I am assuming it is the local router as I can find no application on their server that might do it.  Be gentle with me and the commands, I am not a Cisco person and I'm not familiar with the commands.  From my brief interactions with Cisco devices I have learned to avoid them.  Just could never understand the paradigm they use. 

Is there a way to get you the information you need via the web interface or do I need to go in via terminal emulation?

Thanks again,

Jim

Jim can you get into the router via CLI?  If you can simply see if there are any users created on it for VPN you can run a command like this: "show runn | include user".

However, I'm pretty sure for the VPN they might be using either the RADIUS or ACS. You do not need any special application. If you have his laptop you can probably find out how he was connecting and what user name he was using in that VPN client.

If that is the case then simply disabling his account on the RADIUS or ACS server should work. If the local router account is being used then you can run a command something like this:

username fired-user password new-password

If you want, post a config after removing the passwords and IP addresses and one of us can look it up.

I can get to the cli and I can run that command:

BE1760#show runn | include user

username BEadmin privilege 15 password 7 0215550C2F505F2C

username BEuser privilege 0 password 7 1431005F02077B1E29

aaa authentication login userauthen local

crypto map clientmap client authentication list userauthen

Disconnect IMMEDIATELY as you are not an authorized user!

BE1760#

I cannot believe this is this convoluted. I don't think there is a radius server. Each client is running the "Cisco Systems VPN Client". God I hate these damn things, can't wait to get rid of it and put in a Sonicwall.

Enough of a rant. Somebody leaves the company, you change the VPN password. This cannot be that hard, it's something that is done pretty regularly.

Anyway, if I'm stuck with the CLI, how can I do it there?

-Jim

Is any of the 2 users above the one that left? If they are, then you can just remove it using the "no" on that command.

eg: if you want to remove BEuser

no username BEuser

If none of it is the user that that particular user uses, then he/she probably just uses one of the 2 usernames above, and you can just change the password if you wish.

Thank you.  Everybody uses the same username, BEuser to connect.  When I connect on the web I am presented with the following:

___________________________________________________________________________________________

Show diagnostic log - display the diagnostic log.

Monitor the router - HTML access to the command line interface at level 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15

Show tech-support - display information commonly needed by tech support.

Extended Ping - Send extended ping commands.

QoS Device Manager - Configure and monitor QoS through the web interface.

VPN Device Manager (VDM) - Configure and monitor Virtual Private Networks (VPNs) through the web interface.

Security Device Manager (SDM) - Configure and monitor security features through the web interface.

____________________________________________________________________________________________

VDM is not installed

So I go to SDM

I then have the choices on the left of Overview, LAN, WAN, Firewall, VPN, Security Audit, and Reset to Factory Default.

OMG, while typing this I found what I need. As only Cisco can, it is in a place that makes no sense (to me): Advanced Mode-->System Properties-->User Accounts.

So you don't create VPN Users, you create Device users. Go figure. Anyway, I'll change it tonight and see if that works.

Thank you all for the help and putting up with my anti-Cisco rants.

Thanks for the update.

GUI sometimes just doesn't make sense. That's why command line is much easier for modification. Just have to type 1 line and you are done with the config.

Jim, glad that you were able to find that out in the GUI. And I'm sorry that your experience with Cisco has been not very friendly. I have used Juniper, Sonicwall in the past along with Cisco and I can without any hesitation say that I'd go with Cisco any day. I know the command line can be scary but once you get used to it you'll see how easy it is to do things when it comes to Cisco. For instance when I used to work with the Juniper Netscreens every time I had to change the IP on the VPN Gateway I had to first unbind the VPN tunnel, change the IP and then bind it again. With Cisco it is simply running a couple of commands.

Also setting up VPNs, VLANs, trunking etc. is so much easier and there are a whole lot more resources available to troubleshoot Cisco devices as compared to any other. Cisco TAC is absolutely unbeatable.

About your issue, Cisco using the local users: yes, Cisco will either use local authentication and/or RADIUS, TACACS. So if it is defined as the local then whatever local users are present will be able to authenticate.

Wish you the best of luck with everything. Again, we are glad that you were able to resolve your issue.

NOTE: You might want to remove the password string from your post as it can be decrypted easily. Instead of using the "password" keyword it is better to use "secret":

username vpnuser secret new-password-encrypted
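
Added example, not part of the original thread: a small Python check that reads `show run | include user` style output and reports local accounts still stored with the `password` keyword, plus any crypto map whose client authentication list resolves to the local user database. The sample config, its usernames and the placeholder strings are constructed for illustration.

```python
import re

# Constructed sample in the shape of "show run | include user" output;
# the password/secret strings are placeholders, not real hashes.
SAMPLE_CONFIG = """\
username netadmin privilege 15 secret 5 $1$PLACEHOLDER$PLACEHOLDERPLACEHOLDER
username vpnshared privilege 0 password 7 00PLACEHOLDER
username legacy password 0 PLACEHOLDER
aaa authentication login userauthen local
aaa authentication login radauth group radius
crypto map clientmap client authentication list userauthen
"""

USER_RE = re.compile(
    r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?\s+(password|secret)\s+(\d+)\s+\S+")
AAA_RE = re.compile(r"^aaa authentication login\s+(\S+)\s+(.+)$")
XAUTH_RE = re.compile(r"^crypto map\s+(\S+)\s+client authentication list\s+(\S+)")


def audit(config_text):
    """Return (weak_users, local_vpn_maps) found in IOS config text."""
    users, aaa_lists, xauth = [], {}, []
    for line in config_text.splitlines():
        line = line.strip()
        if m := USER_RE.match(line):
            users.append((m.group(1), m.group(3), int(m.group(4))))
        elif m := AAA_RE.match(line):
            aaa_lists[m.group(1)] = m.group(2).split()
        elif m := XAUTH_RE.match(line):
            xauth.append((m.group(1), m.group(2)))
    # "password" with type 0 (cleartext) or 7 (reversible) should become "secret"
    weak = [(name, f"password {t}") for name, kw, t in users if kw == "password"]
    # Crypto maps whose client authentication list includes the local user database
    local_maps = [cm for cm, lst in xauth if "local" in aaa_lists.get(lst, [])]
    return weak, local_maps


if __name__ == "__main__":
    weak, local_maps = audit(SAMPLE_CONFIG)
    for name, kind in weak:
        print(f"{name}: stored as '{kind}', re-enter with 'secret'")
    for cm in local_maps:
        print(f"crypto map {cm}: VPN logins are checked against local usernames")
```
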

Thank you.

Now, I may have another issue as it does not seem to be working.  After I change the password is there something I need to do to write it to the device?

Jim

Well, I'm stumped.  I changed the password via the method above then I wrote it to the router running config and startup config and now I can't connect.  Of course this means I need to go to the customer site first thing in the morning so I can get to the device.

The odd part is there is another account on there that I didn't touch, an admin account, and I can't get on with it either.

Is there anything I need to do at the client side?

Jim

Nope, nothing else but just enter the new password on the client side.

Are you getting a prompt when you try to connect to authenticate? Or does it not even connect and prompt you for authentication?

Jennifer,

Thank you. Here was the problem. For some reason when I did get back on via the other account (no idea why it suddenly worked, maybe I was fat fingering the pw) I found the BEuser account whose password I changed was completely gone. I recreated it with the new password, wrote it out as before and now it all works.

Thank you all again for the help.

Jim

Great to hear it's working and thanks for the update.

Pls kindly mark the post as answered so others can learn from it. Thank you.