Aaa authentication

foreverlearning

I configured aaa new model on the cisco switch but the aaa server is not yet ready.

I am now locked out of the switch as i dont have a username or password.

What should i do?

DCD

You have to do the password recovery or wipe the startup configuration. 

TechGromit

So you didn't configure a username and enable password? When i set up a switch, first I set a username/password and enable password.

add the command

aaa authentication login default local group tacacs+

aaa authentication enable default group tacacs+ enable

This way if the tacacs server is server is down or unreachable, the switch will attempt to reach the server 3 or 4 times than after failing will allow the local account to logon. If the tacac server is reachable, the local accounts are locked out.

If you have physical access to the switch, a recovery is pretty simple. If not you could try to set up a local tacac server on your computer. After all if you set up tacac on the switch you should know the server address and shared key. Should work if you on the same subnet, but not if it's set for a different one. 

 

foreverlearning

TechGromit said:

So you didn't configure a username and enable password? When i set up a switch, first I set a username/password and enable password.

add the command

aaa authentication login default local group tacacs+

aaa authentication enable default group tacacs+ enable

This way if the tacacs server is server is down or unreachable, the switch will attempt to reach the server 3 or 4 times than after failing will allow the local account to logon. If the tacac server is reachable, the local accounts are locked out.

If you have physical access to the switch, a recovery is pretty simple. If not you could try to set up a local tacac server on your computer. After all if you set up tacac on the switch you should know the server address and shared key. Should work if you on the same subnet, but not if it's set for a different one. 

 

recovery is pretty simple?
What recovery can you do when the prompt is 

Username:
Password:

And then you cannot go in because there is no AAA server?
Even console is not an option. 

TechGromit

foreverlearning said:

recovery is pretty simple?
What recovery can you do when the prompt is 

Username:
Password:

And then you cannot go in because there is no AAA server?
Even console is not an option. 

Pull the power plug on the switch and plug it back in, now follow the recovery process to get the switch in rommon mode,  Usually it's holding a button in for X amount of time till it goes into rommon mode. In this mode, console is ALWAYS available. If you tell me the specific switch model and can provide more detailed instructions. Sometimes you can recover without wiping the conf file others you have to wipe everything and start from scratch. I really depends on what the issue is.

Once Corporate provided an ISO version for our 9300 switches, but wasn't compatible my 9300 Fiber switches, this was a fun recovery. Worse one I ever had to do. It involved reloading the ISO from a USB flash drive and 3 reloads to get it back to reloading standalone without locking up. Now when I'm directed to update the ISO version, i verify the code is compatible with all my switch model favors with the Cisco website ISO download. If you type in your exact switch model, it will tell you what versions are compatible for your specific switch.        

foreverlearning

TechGromit said:

foreverlearning said:

recovery is pretty simple?
What recovery can you do when the prompt is 

Username:
Password:

And then you cannot go in because there is no AAA server?
Even console is not an option. 

Pull the power plug on the switch and plug it back in, now follow the recovery process to get the switch in rommon mode,  Usually it's holding a button in for X amount of time till it goes into rommon mode. In this mode, console is ALWAYS available. If you tell me the specific switch model and can provide more detailed instructions. Sometimes you can recover without wiping the conf file others you have to wipe everything and start from scratch. I really depends on what the issue is.

Once Corporate provided an ISO version for our 9300 switches, but wasn't compatible my 9300 Fiber switches, this was a fun recovery. Worse one I ever had to do. It involved reloading the ISO from a USB flash drive and 3 reloads to get it back to reloading standalone without locking up. Now when I'm directed to update the ISO version, i verify the code is compatible with all my switch model favors with the Cisco website ISO download. If you type in your exact switch model, it will tell you what versions are compatible for your specific switch.        

So even if I go into ROMMON mode, there is no guarantee that I can recover my configuration? 

TechGromit

foreverlearning said:

 

So even if I go into ROMMON mode, there is no guarantee that I can recover my configuration? 

Correct, if you don't have a backup of your configuration, then you have to recreate it from scratch. On my network, every new switch added / replaced on the network is backed up before it goes into production.  Then every 6 months or so I access all the switches and grab a backup of current configurations. Which is overkill on my part since I have a network automation server that saves the switches configuration every time something is changed. Still my backups gives me useful information on the network. I do a "Show Interface Status" every time, so if we are cleaning up the wiring in the closet, I can go back several configurations saves and verify that port 1/40 hasn't been connected for the last year and half, it's probably safe to remove the cat 5 cable connection.