Velocity Reviews - Computer Hardware Reviews



help, got locked out when configuring AAA and RADIUS

 
 
nsa.usa@gmail.com
09-22-2006
Hi,

I managed to get myself locked out of a remote AS5300 with IOS 12.3
while configuring AAA and RADIUS.
Basically I'm new to AAA.
Before I started my AAA adventure, I usually telnetted to the AS and got
a 'password' prompt.
Now I get a 'username' prompt, but I don't have any 'users' defined
locally!
If I dial into the AS with ppp, it correctly requests the RADIUS server
which correctly sends an ACCEPT. However, the dialup connection still
times out (the RADIUS server responds from a different IP address than
the request came in on so I think that might be the prob). Anyway this
is not so important right now, because right now I'm locked out and
need to get back in.
If I telnet to the AS, I get the 'username' prompt and no matter what I
write, it does not send any RADIUS requests (which I didn't want it to
anyway).
I also managed to save the configuration before testing it so I can't
even clear that configuration with a powercycle..., and what's worse,
the router is located 200km from where I am...

Is there a default username defined?

The config for the VTY is:
line vty 0 4
password [sanitized]
login
autoselect during-login
autoselect ppp

Right now I just want to be able to telnet back into it. Is there any
way at all?

Thanks a lot.
Regards,
Tobias

 
 
 
 
 
Bod43@hotmail.co.uk
09-22-2006

nsa.usa@gmail.com wrote:
> Hi,
>
> I managed to get myself locked out of a remote AS5300 with IOS 12.3
> while configuring AAA and RADIUS.
> Basically I'm new to AAA.
> Before I started my AAA adventure, I usually telnetted to the AS and got
> a 'password' prompt.
> Now I get a 'username' prompt, but I don't have any 'users' defined
> locally!
> If I dial into the AS with ppp, it correctly requests the RADIUS server
> which correctly sends an ACCEPT. However, the dialup connection still
> times out (the RADIUS server responds from a different IP address than
> the request came in on so I think that might be the prob). Anyway this
> is not so important right now, because right now I'm locked out and
> need to get back in.
> If I telnet to the AS, I get the 'username' prompt and no matter what I
> write, it does not send any RADIUS requests (which I didn't want it to
> anyway).
> I also managed to save the configuration before testing it so I can't
> even clear that configuration with a powercycle..., and what's worse,
> the router is located 200km from where I am...
>
> Is there a default username defined?
>
> The config for the VTY is:
> line vty 0 4
> password [sanitized]
> login
> autoselect during-login
> autoselect ppp
>
> Right now I just want to be able to telnet back into it. Is there any
> way at all?


I am not familiar with the AS series, but I think that if you haven't saved
the config then getting the unit switched off and on again will restore
the old config.

Next time "reload in xx" - saved me many a time.

Don't forget that the router is going to reload though.
I've done that too.

Other possibilities:-
Maybe you have more vty lines configured; if you were able to occupy
0 - 4 then maybe vty 5 would let you in?

http?
I have locked myself out of telnet and got in and fixed it via http.
Not planned, just poor/no security design.

 
 
 
 
 
nsa.usa@gmail.com
09-22-2006
Hi,

Well, I saved the config before testing! Silly me. So switching off/on
is not going to help.
Also http is turned off.
How would I use vty 5? I just telnet to the machine? I have opened more
than 5 telnet sessions; they all ask for 'Username'.

I'll remember the 'reload in xx' command! That could be really useful.

Thanks.



Bod43@hotmail.co.uk wrote:
> I am not familiar with the AS series, but I think that if you haven't saved
> the config then getting the unit switched off and on again will restore
> the old config.
>
> Next time "reload in xx" - saved me many a time.
>
> Don't forget that the router is going to reload though.
> I've done that too
>
> Other possibilities:-
> Maybe you have more vty lines configured; if you were able to occupy
> 0 - 4 then maybe vty 5 would let you in?
>
> http?
> I have locked myself out of telnet and got in and fixed it via http.
> Not planned, just poor/no security design.


 
 
Dan Lanciani
09-22-2006
nsa.usa@gmail.com writes:
| Hi,
|
| I managed to get myself locked out of a remote AS5300 with IOS 12.3
| while configuring AAA and RADIUS.
| Basically I'm new to AAA.
| Before I started my AAA adventure, I usually telnetted to the AS and got
| a 'password' prompt.
| Now I get a 'username' prompt, but I don't have any 'users' defined
| locally!

Did you expect to preserve the password-only login semantics? If so you
should have done something like:

aaa authentication login default line

| If I dial into the AS with ppp, it correctly requests the RADIUS server
| which correctly sends an ACCEPT. However, the dialup connection still
| times out (the RADIUS server responds from a different IP address than
| the request came in on so I think that might be the prob). Anyway this
| is not so important right now, because right now I'm locked out and
| need to get back in.
| If I telnet to the AS, I get the 'username' prompt and no matter what I
| write, it does not send any RADIUS requests (which I didn't want it to
| anyway).

Sounds like you made the login authentication local (in the sense of
username/password entries rather than line password entries) and don't
have any of the former. I don't think there is any way to avoid having
someone visit the device.

A tip for next time: always initiate a second telnet session to test your
ability to login and enable privileges after you make an aaa change and
before you close the initial session.

It would be nice if someone compiled a list of:

-The default values of all the aaa lists if you merely enable aaa new-model
without specifying anything else.

-The set of lists necessary to make the behavior with new-model enabled as
close as possible to the behavior without aaa enabled. The above login line
is a good start, but I suspect there may be others--at least if you want to
avoid warnings when enabling chap for ppp.

Dan Lanciani
ddl@danlan.*com
 
 
Bod43@hotmail.co.uk
09-23-2006

Dan Lanciani wrote:
> nsa.usa@gmail.com writes:
> | Hi,
> |
> | I managed to get myself locked out of a remote AS5300 with IOS 12.3
> | while configuring AAA and RADIUS.
> | Basically I'm new to AAA.
> | Before I started my AAA adventure, I usually telnetted to the AS and got
> | a 'password' prompt.
> | Now I get a 'username' prompt, but I don't have any 'users' defined
> | locally!
>
> Did you expect to preserve the password-only login semantics? If so you
> should have done something like:
>
> aaa authentication login default line
>
> | If I dial into the AS with ppp, it correctly requests the RADIUS server
> | which correctly sends an ACCEPT. However, the dialup connection still
> | times out (the RADIUS server responds from a different IP address than
> | the request came in on so I think that might be the prob). Anyway this
> | is not so important right now, because right now I'm locked out and
> | need to get back in.
> | If I telnet to the AS, I get the 'username' prompt and no matter what I
> | write, it does not send any RADIUS requests (which I didn't want it to
> | anyway).


> A tip for next time: always initiate a second telnet session to test your
> ability to login and enable privileges after you make an aaa change and
> before you close the initial session.


Yes, that is the way.

The following Windows command will start 6 sessions which, if you had
more sessions configured, would take up the first 5 and let you try to
log on to the sixth.

C:\>for /L %a IN (1, 1, 6) DO start cmd /c telnet 172.17.0.29

Don't delay since the failed sessions will time out quite quickly.
But not too quickly.

I think that it was some catalyst switches that came by default with
something like

vty 0 4
stuff

vty 5 15
other-stuff

I have seen some people end up with routers so configured,
and with security such as access-class and login only applied to the
first 5 (i.e. 0-4).


Easy to try, and worth it if it saves a 400 mile drive.

Here is what it looks like in action:
C:\>for /L %a IN (1, 1, 6) DO start cmd /c telnet 172.17.0.29

C:\>start cmd /c telnet 172.17.0.29
C:\>start cmd /c telnet 172.17.0.29
C:\>start cmd /c telnet 172.17.0.29
C:\>start cmd /c telnet 172.17.0.29
C:\>start cmd /c telnet 172.17.0.29
C:\>start cmd /c telnet 172.17.0.29

 
 
Bod43@hotmail.co.uk
09-23-2006

Bod43@hotmail.co.uk wrote:
> Dan Lanciani wrote:
> > nsa.usa@gmail.com writes:
> > | Hi,
> > |
> > | I managed to get myself locked out of a remote AS5300 with IOS 12.3
> > | while configuring AAA and RADIUS.
> > | Basically I'm new to AAA.
> > | Before I started my AAA adventure, I usually telnetted to the AS and got
> > | a 'password' prompt.
> > | Now I get a 'username' prompt, but I don't have any 'users' defined
> > | locally!
> >
> > Did you expect to preserve the password-only login semantics? If so you
> > should have done something like:
> >
> > aaa authentication login default line
> >
> > | If I dial into the AS with ppp, it correctly requests the RADIUS server
> > | which correctly sends an ACCEPT. However, the dialup connection still
> > | times out (the RADIUS server responds from a different IP address than
> > | the request came in on so I think that might be the prob). Anyway this
> > | is not so important right now, because right now I'm locked out and
> > | need to get back in.
> > | If I telnet to the AS, I get the 'username' prompt and no matter what I
> > | write, it does not send any RADIUS requests (which I didn't want it to
> > | anyway).

>
> > A tip for next time: always initiate a second telnet session to test your
> > ability to login and enable privileges after you make an aaa change and
> > before you close the initial session.

>
> Yes, that is the way.
>
> The following Windows command will start 6 sessions which, if you had
> more sessions configured, would take up the first 5 and let you try to
> log on to the sixth.
>
> C:\>for /L %a IN (1, 1, 6) DO start cmd /c telnet 172.17.0.29
>
> Don't delay since the failed sessions will time out quite quickly.
> But not too quickly.
>
> I think that it was some catalyst switches that came by default with
> something like
>
> vty 0 4
> stuff
>
> vty 5 15
> other-stuff
>
> I have seen some people end up with routers so configured,
> and with security such as access-class and login only applied to the
> first 5 (i.e. 0-4).
>
>
> Easy to try, and worth it if it saves a 400 mile drive.
>
> Here is what it looks like in action:
> C:\>for /L %a IN (1, 1, 6) DO start cmd /c telnet 172.17.0.29
>
> C:\>start cmd /c telnet 172.17.0.29
> C:\>start cmd /c telnet 172.17.0.29
> C:\>start cmd /c telnet 172.17.0.29
> C:\>start cmd /c telnet 172.17.0.29
> C:\>start cmd /c telnet 172.17.0.29
> C:\>start cmd /c telnet 172.17.0.29


I should have mentioned: if you are going to be managing routers/
firewalls a long way away you /need/ some kind of out-of-band
management.
Traditionally a modem on the AUX port.

 
 
nsa.usa@gmail.com
09-23-2006
Hi, thanks,
I tried the many telnet sessions but it refuses the 6th connection.
Oh well, guess I know what I'm doing this weekend....
I believe I did do the: aaa authentication login default local
where I should have used the 'line' keyword instead. Was too eager to
get it working and didn't realize the implication.
It would be really nice if Cisco would build in a warning to this kind
of command that has the possibility of locking someone out. A little
more intelligence please, Cisco...
In the config guides it doesn't warn about it anywhere AFAIK, so I
suspect this is a common AAA beginner error.

Thanks anyway for ideas.
Cheers,
Tobias

 
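Editor's added example, not written by anyone in this thread and not taken from Cisco documentation: the safe change sequence the replies describe (Bod43's "reload in xx" safety net and second-session test, Dan Lanciani's "aaa authentication login default line", and the "local" list Tobias says he used instead), written out as one IOS 12.3-style configuration session. The username "admin", the RADIUS server address 192.0.2.10 and both secrets are placeholders, and the ten-minute reload timer is an arbitrary choice.

```cisco
! Added example; placeholders for names, addresses and secrets.
! 1. Safety net first. If the new config locks you out, the router reboots
!    to the last saved config in 10 minutes. Do NOT "write memory" yet.
!    (IOS asks "Proceed with reload? [confirm]" here.)
reload in 10

configure terminal

! 2. Create a local user BEFORE switching AAA on. "aaa authentication login
!    default local" with no username defined is exactly the lockout in this
!    thread: every telnet session gets a Username: prompt nothing can satisfy.
username admin privilege 15 secret ChangeMe-Now

! 3. RADIUS server. IOS only accepts replies from the address configured here,
!    so a multi-homed server must answer from this same address.
radius-server host 192.0.2.10 key SharedSecretHere

! 4. AAA. "aaa new-model" must precede any "aaa authentication" command.
aaa new-model
!
! What the original poster configured (locks out telnet when no user exists):
!   aaa authentication login default local
!
! Option A: keep the old behaviour, i.e. the VTY "password" prompt only:
aaa authentication login default line
!
! Option B (instead of A): RADIUS for logins, local users as fallback.
! Fallback happens only when no RADIUS server responds; an explicit reject
! from RADIUS is final and "local" is never consulted.
! aaa authentication login default group radius local
!
! PPP dial-in users are checked against RADIUS, same fallback rule:
aaa authentication ppp default group radius local
!
! Enable mode stays on the local enable secret (assumes one is configured):
aaa authentication enable default enable
end

! 5. From a SECOND telnet session, confirm you can log in and "enable".
!    Only after that succeeds:
reload cancel
write memory
```

If the second session fails, leave the first one open, fix the method list from it, and test again; the pending reload only matters if you have already lost the first session as well.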
 
 
 