help, got locked out when configuring AAA and RADIUS

Hi,

I managed to get myself locked out of a remote AS5300 with IOS 12.3 while configuring AAA and RADIUS. Basically I'm new to AAA.

Before I started my AAA adventure, I usually telnetted to the AS and got a 'password' prompt. Now I get a 'username' prompt, but I don't have any 'users' defined locally!

If I dial into the AS with PPP, it correctly requests the RADIUS server, which correctly sends an ACCEPT. However, the dialup connection still times out (the RADIUS server responds from a different IP address than the request came in on, so I think that might be the prob). Anyway, this is not so important right now, because right now I'm locked out and need to get back in.

If I telnet to the AS, I get the 'username' prompt and no matter what I write, it does not send any RADIUS requests (which I didn't want it to anyway). I also managed to save the configuration before testing it, so I can't even clear that configuration with a power cycle..., and what's worse, the router is located 200km from where I am...

Is there a default username defined?

The config for the VTY is:

line vty 0 4
 password [sanitized]
 login
 autoselect during-login
 autoselect ppp

Right now I just want to be able to telnet back into it. Is there any way at all?

Thanks a lot. Regards, Tobias

nsa.usa

I am not familiar with AS series but I think that if you haven't saved the config then getting the unit switched off and on again will restore the old config.

Next time "reload in xx" - saved me many a time.

Don't forget that the router is going to reload though. I've done that too:-(

Other possibilities: maybe you have more vty lines configured. If you were able to occupy 0 - 4, then maybe vty 5 would let you in?

http? I have locked myself out of telnet and got in and fixed it via http. Not planned, just poor/no security design.

Bod43

Hi,

Well, I saved the config before testing! Silly me. So switching off/on is not going to help. Also http is turned off :-( How would I use vty 5?? I just telnet to the machine? I have opened more than 5 telnet sessions, they all ask for 'Username'.

I'll remember the 'reload in xx' command! That could be really useful.

Thanks.


nsa.usa

In article , snipped-for-privacy@gmail.com (snipped-for-privacy@gmail.com) writes:
| Hi,
|
| I managed to get myself locked out of a remote AS5300 with IOS 12.3
| while configuring AAA and RADIUS.
| Basically I'm new to AAA.
| Before I started my AAA adventure, I usually telnetted to the AS and got
| a 'password' prompt.
| Now I get a 'username' prompt, but I don't have any 'users' defined
| locally!

Did you expect to preserve the password-only login semantics? If so you should have done something like:

aaa authentication login default line

| If I dial into the AS with PPP, it correctly requests the RADIUS server
| which correctly sends an ACCEPT. However, the dialup connection still
| times out (the RADIUS server responds from a different IP address than
| the request came in on so I think that might be the prob). Anyway this
| is not so important right now, because right now I'm locked out and
| need to get back in.
| If I telnet to the AS, I get the 'username' prompt and no matter what I
| write, it does not send any RADIUS requests (which I didn't want it to
| anyway).

Sounds like you made the login authentication local (in the sense of username/password entries rather than line password entries) and don't have any of the former. I don't think there is any way to avoid having someone visit the device.

A tip for next time: always initiate a second telnet session to test your ability to login and enable privileges after you make an aaa change and before you close the initial session.

It would be nice if someone compiled a list of:

-The default values of all the aaa lists if you merely enable aaa new-model without specifying anything else.

-The set of lists necessary to make the behavior with new-model enabled as close as possible to the behavior without aaa enabled. The above login line is a good start, but I suspect there may be others--at least if you want to avoid warnings when enabling chap for ppp.

Dan Lanciani ddl@danlan.*com


Yes that is the way.

The following Windows command will start 6 sessions which, if you had more sessions configured, would take up the first 5 and let you try to log on to the sixth.

C:\>for /L %a IN (1, 1, 6) DO start cmd /c telnet 172.17.0.29

Don't delay since the failed sessions will time out quite quickly. But not too quickly:-).

I think that it was some catalyst switches that came by default with something like

vty 0 4 stuff

vty 5 15 other-stuff

I have seen some people end up with routers so configured and with security such as access-class, login, only applied to the first 5 (i.e. 0-4).

Easy to try and worth missing out on a 400 mile drive:-)

Here is what it looks like in action:

C:\>for /L %a IN (1, 1, 6) DO start cmd /c telnet 172.17.0.29

C:\>start cmd /c telnet 172.17.0.29
C:\>start cmd /c telnet 172.17.0.29
C:\>start cmd /c telnet 172.17.0.29
C:\>start cmd /c telnet 172.17.0.29
C:\>start cmd /c telnet 172.17.0.29
C:\>start cmd /c telnet 172.17.0.29

Bod43

I should have mentioned, if you are going to be managing routers/firewalls a long way away you /need/ some kind of out-of-band management. Traditionally a modem on the AUX port.

Bod43

Hi,

Thanks, I tried the many telnet sessions but it refuses the 6th connection :-( Oh well, guess I know what I'm doing this weekend....

I believe I did do the:

aaa authentication login default local

where I should have used the 'line' keyword instead. I was too eager to get it working and didn't realize the implication. It would be really nice if Cisco would build in a warning to these kinds of commands that have the possibility of locking someone out. A little more intelligence please, Cisco... In the config guides it doesn't warn about it anywhere AFAIK, so I suspect this is a common AAA beginner error.

Thanks anyway for ideas. Cheers, Tobias

nsa.usa
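Putting the thread's pieces together as IOS configuration: the command Tobias says locked him out, Dan Lanciani's 'line' alternative, a local-user alternative, and the 'reload in' guard and second-session test Bod43 and Dan recommend. This is an added example, not configuration posted by anyone in the thread or taken from Cisco documentation; the username 'admin', the list name CONSOLE, the 10-minute reload window and the placeholder secrets are assumptions.

```ios
! --- What locked the AS5300 out (Tobias's own account) ---
! 'local' looks logins up in the router's 'username' table. With no
! 'username' entries at all, every vty login is checked against an
! empty database and can never succeed. Nothing is sent to RADIUS.
aaa new-model
aaa authentication login default local
!
! --- Doing the same change safely from 200km away ---
! Arm an automatic reload BEFORE touching AAA. If the new config cuts
! you off, the box reboots onto the last saved startup-config. Do not
! 'write memory' until the test session below has succeeded.
reload in 10
!
! Option A (Dan's suggestion): keep the password-only telnet login.
! The 'line' method checks the 'password' configured under 'line vty'.
aaa new-model
aaa authentication login default line
!
! Option B: per-user logins on telnet, still without RADIUS.
! Pick A or B, not both; the last 'default' list entered wins.
! Create the user BEFORE switching the login method to 'local'.
username admin privilege 15 secret <assumed-strong-password>
aaa new-model
aaa authentication login default local
!
! Keep 'enable' on the enable secret, and keep the console outside AAA
! so that a site visit (or an AUX modem) always gets in.
aaa authentication enable default enable
aaa authentication login CONSOLE none
line con 0
 login authentication CONSOLE
!
line vty 0 4
 password <sanitized>
 login authentication default
 autoselect during-login
 autoselect ppp
!
! Now open a SECOND telnet session, leave the first one connected, and
! confirm that 'Password:' (A) or 'Username:' (B) accepts you and that
! 'enable' still works. Only after that:
reload cancel
write memory
```

If the second session fails, do nothing from the first one except put the old lines back; if the first session is lost as well, the 'reload in 10' timer restores the saved configuration by itself.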

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.