616 Views, 0 Helpful, 5 Replies

TACACS+ lockout

Rutger Blom
Level 1

Situation:

Downgraded AP1100 because of problems with the newest IOS.

After the downgrade the TACACS+ key seems to be wrong/corrupted on the AP. Our ACS says "Key mismatch". I can't get into the AP1100 anymore.

What can I do?

Kind regards,

Rutger

5 Replies

paddyxdoyle
Level 6

Did you use a fallback method for TACACS? i.e. servers authentication and then local.

If so, shut down the switch port to the ACS server or stick a temporary access-list somewhere in transit so the AP can't see the ACS server. Your login should then default to local username and password.

Alternatively you might be able to use SNMP to manipulate your configuration, i.e. download it to a TFTP server, change the config, upload it and then reload the router.

This is certainly possible on a switch router and I believe possible on an AP if you are using SNMP with RW strings and permit reloads via SNMP.

Check out the following link for further information.

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094aa6.shtml

Also, are you using TACACS for both vty access and HTTP access to your AP? Perhaps you can still either telnet or HTTP on to the AP?

HTH

PD

Hi,

Yes we do use a fallback method "local".

When I shut down the ACS server (i.e. make it unavailable to the AP) and run SSH towards the AP I can log in with the local user. For some reason, when I try to go into the "enable" mode I get an error message back saying "Error in authentication".

I will try with SNMP and report back to you.

We have TACACS for HTTP(s) authentication too. After the downgrade neither HTTP nor HTTPS is working anymore.

Thanks for your quick reply.

Rutger

c.fuller
Level 1

One thing I have done to get the AP back to local authentication is just go into the ACS and change the IP address of the AP to something that doesn't exist. This allows me to telnet to the AP and use the "backdoor" account with the regular enable password. Not sure why yours is not letting that happen. Seems like it is still communicating with the ACS with an error like that. Perhaps something went wrong with the upgrade? Let us know how you make out.

Neither SNMP nor the backdoor works no matter what I try on the ACS.

I can get into the "disabled" mode. So let's assume the worst. Is there any way I could still save my configuration? To make things a bit worse, my automated TFTP backup hasn't been working for the last weeks :-(

With a configuration-file I can at least restore the APs quite fast.

Rutger

Thanks for all your suggestions. Nothing worked and I was forced to go through a reset procedure, losing all my configs.

I think somehow the backdoor "local" wasn't configured right.

Regards,

Rutger
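The AAA fallback this thread revolves around, written out as an added example configuration (it is not from any of the posts above and not Cisco's own text): every method list ends in a local method, so a TACACS+ server that is unreachable, or that discards requests because of a shared-key mismatch, does not lock the administrator out of login, enable mode or the web interface. The server address, key and credentials are placeholders. Note the IOS semantics the example depends on: a method list only moves on to the next method when the current one returns no answer (timeout or unreachable server); an explicit reject from the server ends the attempt.

```ios
! Added example: AAA with a local fallback for login, enable and HTTP.
! Addresses, keys and usernames are placeholders, not values from the thread.
aaa new-model
!
! Local credentials that the fallback methods rely on. With no enable
! secret configured, the "enable" method has nothing to check against and
! privileged mode fails with "% Error in authentication" even when the
! TACACS+ server is out of the picture.
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
enable secret REPLACE-WITH-STRONG-ENABLE-SECRET
!
! The shared key must match the ACS entry for this AP exactly; a mismatch
! shows up on ACS as "Key mismatch" and the AP never sees a valid reply.
tacacs-server host 192.0.2.10 key REPLACE-WITH-SHARED-KEY
tacacs-server timeout 5
!
! Login: try TACACS+, fall back to the local user database if no server answers.
aaa authentication login default group tacacs+ local
!
! Enable mode has its own list. "group tacacs+" on its own has no fallback,
! which is the pattern behind an "Error in authentication" once the server
! is unreachable; "enable" as the last method uses the enable secret above.
aaa authentication enable default group tacacs+ enable
!
! EXEC authorization with a local fallback, so a locally authenticated admin
! keeps the privilege level of the username entry instead of being dropped.
aaa authorization exec default group tacacs+ local
!
! The web interface uses the default login list, so it follows the same fallback.
ip http server
ip http secure-server
ip http authentication aaa
!
! The vty lines inherit the default lists; shown explicitly for clarity.
line vty 0 4
 login authentication default
 transport input ssh
```

Before relying on the fallback, test it both ways on a spare device or out of hours: once with the server reachable, watching `debug aaa authentication` and `debug tacacs` to confirm the request and reply, and once with the server deliberately blocked, confirming that login, enable and the web interface all succeed with the local credentials. The "disabled" mode described above, where login works but enable does not, is exactly the case the enable list with its `enable` method covers.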
