help, got locked out when configuring AAA and RADIUS

Discussion in 'Cisco' started by nsa.usa, Sep 22, 2006.

  1. nsa.usa

    nsa.usa Guest

    Hi,

    I managed to get myself locked out of a remote AS5300 with IOS 12.3
    while configuring AAA and RADIUS.
    Basically I'm new to AAA.
    Before I started my AAA adventure, I usually telneted to the AS and got
    a 'password' prompt.
    Now I get a 'username' prompt, but I don't have any 'users' defined
    locally!
    If I dial into the AS with ppp, it correctly requests the RADIUS server
    which correctly sends an ACCEPT. However, the dialup connection still
    times out (the RADIUS server responds from a different IP address than
    the request came in on so I think that might be the prob). Anyway this
    is not so important right now, because right now I'm locked out and
    need to get back in.
    If I telnet to the AS, I get the 'username' prompt and no matter what I
    write, it does not send any RADIUS requests (which I didn't want it to
    anyway).
    I also managed to save the configuration before testing it so I can't
    even clear that configuration with a powercycle..., and what's worse,
    the router is located 200km from where I am...

    Is there a default username defined?

    The config for the VTY is:
    line vty 0 4
     password [sanitized]
     login
     autoselect during-login
     autoselect ppp

    Right now I just want to be able to telnet back into it. Is there any
    way at all?

    Thanks a lot.
    Regards,
    Tobias
     
    nsa.usa, Sep 22, 2006
    #1

  2. nsa.usa

    Bod43 Guest

    I am not familiar with the AS series but I think that if you haven't saved
    the config then getting the unit switched off and on again
    will restore the old config.

    Next time "reload in xx" - saved me many a time.

    Don't forget that the router is going to reload though.
    I've done that too:-(

    Other possibilities:-
    Maybe you have more vty lines configured, if you were able to occupy
    0 - 4 then maybe vty 5 would let you in?

    http?
    I have locked myself out of telnet and got in and fixed it via http.
    Not planned, just poor/no security design.
     
    Bod43, Sep 22, 2006
    #2

  3. nsa.usa

    nsa.usa Guest

    Hi,

    Well I saved the config before testing! silly me. So switching off/on
    is not going to help.
    Also http is turned off :-(
    How would I use vty5?? I just telnet to the machine? I have opened more
    than 5 telnet sessions, they all ask for 'Username'.

    I'll remember the 'reload in xx' command! That could be really useful.

    Thanks.
     
    nsa.usa, Sep 22, 2006
    #3
  4. nsa.usa

    Dan Lanciani Guest

    | Hi,
    |
    | I managed to get myself locked out of a remote AS5300 with IOS 12.3
    | while configuring AAA and RADIUS.
    | Basically I'm new to AAA.
    | Before I started my AAA adventure, I usually telneted to the AS and got
    | a 'password' prompt.
    | Now I get a 'username' prompt, but I don't have any 'users' defined
    | locally!

    Did you expect to preserve the password-only login semantics? If so you
    should have done something like:

    aaa authentication login default line

    | If I dial into the AS with ppp, it correctly requests the RADIUS server
    | which correctly sends an ACCEPT. However, the dialup connection still
    | times-out (the RADIUS server responds from a different IP address than
    | the request came in on so I think that might be the prob). Anyway this
    | is not so important right now, because right now I'm locked out and
    | need to get back in.
    | If I telnet to the AS, I get the 'username' prompt and no matter what I
    | write, it does not send any RADIUS requests (which I didn't want it to
    | anyway).

    Sounds like you made the login authentication local (in the sense of
    username/password entries rather than line password entries) and don't
    have any of the former. I don't think there is any way to avoid having
    someone visit the device.

    A tip for next time: always initiate a second telnet session to test your
    ability to login and enable privileges after you make an aaa change and
    before you close the initial session.

    It would be nice if someone compiled a list of:

    -The default values of all the aaa lists if you merely enable aaa new-model
    without specifying anything else.

    -The set of lists necessary to make the behavior with new-model enabled as
    close as possible to the behavior without aaa enabled. The above login line
    is a good start, but I suspect there may be others--at least if you want to
    avoid warnings when enabling chap for ppp.

    Dan Lanciani
     
    Dan Lanciani, Sep 22, 2006
    #4
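Putting the thread's tips together (reload timer, test from a second session, keep the line-password semantics), here is an added IOS configuration example; it is not from any of the posters. The username, RADIUS address, shared secret and the CONSOLE list name are placeholders.

```ios
! Added example (not from the thread): a lockout-resistant way to switch
! an IOS router to AAA. Placeholder values: admin, 192.0.2.10, the
! password and shared secret, and the CONSOLE list name.
!
! 1. Safety net first: if you lose access, the box reverts to the saved
!    (pre-AAA) config after 10 minutes. Answer "no" to the save prompt.
reload in 10
!
configure terminal
! 2. Create a local fallback account BEFORE changing the login method,
!    so the "local" method always has at least one username to match.
 username admin privilege 15 secret PLACEHOLDER-strong-password
!
! 3. Define the RADIUS server (placeholder address and key).
 radius-server host 192.0.2.10 key PLACEHOLDER-shared-secret
!
! 4. Enable AAA. From here on every VTY uses the "default" login list
!    (the old "login" line command is replaced by "login authentication"),
!    so the lists below must exist before you leave the session.
 aaa new-model
!
! Either keep the pre-AAA behaviour, i.e. prompt for the line password only
! (this is what the original poster expected):
 aaa authentication login default line
! ...or use RADIUS and fall back to the local account. Note the fallback
! applies only when no RADIUS server answers, not when one rejects you:
! aaa authentication login default group radius local
!
! Console gets its own list so a RADIUS or VTY mistake never locks the
! console port (use "line" or "local" instead of "none" in production).
 aaa authentication login CONSOLE none
 line con 0
  login authentication CONSOLE
 end
!
! 5. From a SECOND telnet session, confirm you can log in and enable.
!    Only after that succeeds, save and disarm the timer:
write memory
reload cancel
```

If the second session fails, simply let the timer expire (or reload immediately); the unsaved AAA change is discarded and the old config comes back.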
  5. nsa.usa

    Bod43 Guest

    Yes that is the way.

    The following Windows command will start 6 sessions which, if you had
    more sessions configured, would take up the first 5 and let you try to
    log on to the sixth.

    C:\>for /L %a IN (1, 1, 6) DO start cmd /c telnet 172.17.0.29

    Don't delay since the failed sessions will time out quite quickly.
    But not too quickly:).

    I think that it was some catalyst switches that came by default with
    something like

    vty 0 4
    stuff

    vty 5 15
    other-stuff

    I have seen some people end up with routers so configured
    and with security such as access-class, login, only applied to the
    first 5 (i.e. 0-4).


    Easy to try and worth missing out on a 400 mile drive:)

    Here is what it looks like in action:
    C:\>for /L %a IN (1, 1, 6) DO start cmd /c telnet 172.17.0.29

    C:\>start cmd /c telnet 172.17.0.29
    C:\>start cmd /c telnet 172.17.0.29
    C:\>start cmd /c telnet 172.17.0.29
    C:\>start cmd /c telnet 172.17.0.29
    C:\>start cmd /c telnet 172.17.0.29
    C:\>start cmd /c telnet 172.17.0.29
     
    Bod43, Sep 23, 2006
    #5
  6. nsa.usa

    Bod43 Guest

    I should have mentioned, if you are going to be managing routers/
    firewalls a long way away you /need/ some kind of out of band
    management.
    Traditionally a modem on the AUX port.
     
    Bod43, Sep 23, 2006
    #6
  7. nsa.usa

    nsa.usa Guest

    Hi, Thanks,
    I tried the many telnet sessions but it refuses the 6th connection :-(
    Oh well, guess I know what I'm doing this weekend....
    I believe I did do the: aaa authentication login default local
    where I should have used the 'line' keyword instead. Was too eager to
    get it working and didn't realize the implication.
    It would be really nice if Cisco would build in a warning to these kinds
    of commands that have the possibility of locking someone out. A little
    more intelligence please, Cisco...
    In the config guides it doesn't warn about it anywhere AFAIK, so I
    suspect this is a common aaa beginner error.

    Thanks anyway for ideas.
    Cheers,
    Tobias
     
    nsa.usa, Sep 23, 2006
    #7