Recently a customer misconfigured AAA on a switch and locked himself out of it. Because the device is a multi-switch stack in a production environment, rebooting it to bypass the startup configuration was not an option; the problem had to be solved remotely, which made it considerably harder.
After several attempts we found that a few settings on Cisco ACS are enough to get past the failing authorization step and regain access to the device. This post shares that scenario. It resembles a local-authentication behavior of the Juniper SRX firewall, but Cisco does not appear to have documented anything similar.
The device configuration is as follows:
aaa authentication login noauth local none
aaa authorization console
aaa authorization exec default group radius
line con 0
 login authentication noauth
line aux 0
 logging synchronous
line vty 0 4
 login authentication noauth
end
With this configuration, login authentication uses the local user database (falling back to none), while exec authorization is handed to the RADIUS server with no fallback method at all: if the RADIUS server rejects the request or does not answer, the session never gets an exec shell. That missing fallback is the trap. A final method such as local or if-authenticated on the authorization list (for example "aaa authorization exec default group radius local") would have avoided the lockout.
Telnet logins are rejected. With the local username and its correct password, the switch prints "Authorization failed": authentication passed against the local database, but the exec authorization request to RADIUS did not.
With the correct local username and a wrong password, the switch prints "Authentication failed" instead. The two different messages confirm that authentication itself still works locally and that it is the authorization step that is keeping us out.
First, add the AAA server in ACS: open the Network Configuration tab and add an AAA server.
Click Add Entry to create the server.
The IP address must be the address of the ACS host's own NIC and must match the radius-server host address configured on the switch. A key can be entered if needed.
Next, add the switch as a RADIUS (AAA) client.
Its Shared Secret must match the RADIUS key actually configured on the switch.
Then open User Setup and add a user.
The username must be identical to the one defined locally on the switch. Enter cisco in the password field and submit. This is not the user's real password: when IOS has authenticated a user locally and then asks RADIUS for exec authorization, it sends an Access-Request for that username carrying the fixed password cisco, so that is the value ACS must hold for the account.
The Cisco ACS side is now complete.
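To see exactly what the switch sends to ACS at the authorization step, and to check a RADIUS server for the username/cisco pair before trusting it with a production lockout, here is an added Python example (my own code, not from the original post). It builds the Access-Request that IOS sends for exec authorization after a local login, hides the User-Password the way RFC 2865 prescribes, and verifies the Response Authenticator of the reply. The shared secret testing123, the local username admin, the NAS address 192.0.2.1 and the server address 192.0.2.10 are invented for the demonstration; the fixed password cisco is the value IOS uses for these requests.

```python
"""
Added example, not from the original post: reproduce the RADIUS Access-Request
that IOS sends after a *local* login when 'aaa authorization exec default group
radius' is configured, and verify the server's reply.

Assumptions (invented for the demo): shared secret b"testing123", local username
b"admin", NAS address 192.0.2.1, ACS at 192.0.2.10. The fixed password b"cisco"
is what IOS puts in these requests, which is why ACS must store it for the user.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_NAS_PROMPT = 7   # "give me an exec shell"
AUTHZ_PASSWORD = b"cisco"     # fixed password IOS sends for exec authorization after local login


def encode_user_password(password, secret, authenticator):
    """User-Password hiding from RFC 2865 section 5.2: MD5 keystream chained on ciphertext blocks."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(hidden, secret, authenticator):
    """Inverse of encode_user_password (what the server does); strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attributes(data):
    """Return [(type, value), ...]; refuses malformed lengths instead of looping or over-reading."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(identifier, authenticator, username, secret, nas_ip,
                         password=AUTHZ_PASSWORD):
    """Access-Request with User-Name, hidden User-Password, NAS-IP-Address and Service-Type."""
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, encode_user_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_response(code, request, secret, attrs=b""):
    """Constructed server reply standing in for ACS, with a valid Response Authenticator."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request_authenticator, secret):
    """Check the Response Authenticator (RFC 2865 section 3); returns (authentic, code)."""
    if len(response) < 20:
        return False, None
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if length < 20 or length > len(response):
        return False, None
    expected = hashlib.md5(response[:4] + request_authenticator
                           + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20]), code


def probe_server(server, secret, username, nas_ip, port=1812, timeout=3.0):
    """Send the same request to a live RADIUS server over UDP; returns (authentic, code)."""
    authenticator = os.urandom(16)
    request = build_access_request(os.urandom(1)[0], authenticator, username, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        reply, _ = sock.recvfrom(4096)
    return verify_response(reply, authenticator, secret)


def offline_demo():
    """Run the exchange against a constructed Access-Accept; True when exec authorization would pass."""
    secret, authenticator = b"testing123", os.urandom(16)
    request = build_access_request(7, authenticator, b"admin", secret, "192.0.2.1")
    reply = build_response(ACCESS_ACCEPT, request, secret)  # ACS's answer once user admin/cisco exists
    authentic, code = verify_response(reply, authenticator, secret)
    return authentic and code == ACCESS_ACCEPT


if __name__ == "__main__":
    print("exec authorization would succeed:", offline_demo())
    # probe_server("192.0.2.10", b"testing123", b"admin", "192.0.2.1") does the same against real ACS
```

Running probe_server against the ACS host with the switch's shared secret before relying on the workaround tells you two things at once: whether the secret matches (a wrong secret makes the reply fail verification, and ACS also silently drops requests it cannot decode) and whether the user with password cisco exists (Access-Accept versus Access-Reject). The password hiding in RFC 2865 is obfuscation keyed on the shared secret, not encryption, so the secret is all that protects these requests on the wire.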
The Telnet login test then looks like this:
Username:
Password:
R3>enable
Password:
R3#
Note that the username and password typed here are the switch's local credentials (the local login password, then the local enable password); the cisco value stored on ACS is never entered by the user. Exec authorization now succeeds and the user gets a normal shell on the device.
This article is from the "121212" blog; please keep this source when reposting: http://359922.blog.51cto.com/349922/1535212