Solved

How can I remove AAA commands from an HP Procurve 3448cl switch?

Posted on 2011-03-12
Last Modified: 2012-05-11
I'm trying to remove misconfigured aaa commands from an HP Procurve and I've found that simply placing a "no" in front of them does not work.  Example:

aaa authentication telnet login tacacs local
aaa authentication ssh login tacacs local

to remove, one would think you would do:

no aaa authentication telnet login tacacs local
no aaa authentication ssh login tacacs local

That does not work. I've effectively locked myself out of the switch via ssh but I think I still have console access.  Any ideas?
Question by:thigserveradmin
19 Comments

Expert Comment

by:uanmi
ID: 35118738
If you find that you cannot get in to make further changes then use a factory reset and start again. Hopefully you will have a backup of the config.

If you delete commands you need to commit to memory and possibly restart in your situation.

"exit" - config mode

"wr mem"

Let me know if this works
regards, Mark

Author Comment

by:thigserveradmin
ID: 35119157
I do have backups of my configs, but this switch is a production switch so I would like to fix this the right way.  I'm aware of password recovery techniques and resets.  What I really need is a way to remove the aaa commands.

Expert Comment

by:uanmi
ID: 35119250
Hi,

What I'm suggesting is that you're not exiting and saving to memory, so the switch is still running with the old commands.

You may not have to do a reset, just save the changes to the running config.

I recommend you enter the cli and then save the config, remove the access commands and then save the config again. Save to memory and to file.

Also, try to remove the commands and set the telnet and ssh password. What I mean is that you're trying to set the authentication, so set it back to a static password.

Do you have any other lines of code causing issues? Look at your original config and see if you need to remove other lines of code to move back to a default state for ssh and telnet.

Also try to reset one of these - either telnet or ssh to the default by turning access off to it. This I would do as a last resort. If you have access with telnet, then try turning ssh off, save to memory, then reload. Then set ssh on with a local static password, save to memory and reload. Keep working on one whilst maintaining access on the other.

regards, Mark

Author Comment

by:thigserveradmin
ID: 35120538
I'll try disabling access via telnet or ssh. I cannot reload the switch easily; all of our telephony gear is connected to it (CLANs, PBX, Message server, etc.)

Expert Comment

by:RKinsp
ID: 35124617
Hello,

I think since you ran the command "aaa authentication telnet login tacacs local" instead of "aaa authentication telnet enable tacacs local", you are probably not in admin/manager mode and only in operator mode, which explains why you are unable to remove said commands.

Try going to the console then doing the "no aaa authen...." commands.

good luck,
-RK

Author Comment

by:thigserveradmin
ID: 35127196
@RKinsp - I can only work in the console. Everything I've tried has been via the console.

Author Comment

by:thigserveradmin
ID: 35127347
@uanmi - I tried disabling ssh and telnet to see if it would then allow the "no" command to be used against the aaa configuration, and it does not.  Any other ideas?  There has to be a way to remove these commands other than resetting the switch....

Expert Comment

by:uanmi
ID: 35127440
Can you please post the config lines here for all the aaa commands, if they do not contain passwords.

aaa authentication telnet login tacacs local
aaa authentication ssh login tacacs local

I also think you may not be in administrator mode and therefore unable to remove commands. Do you have complete control of the switch with your login to the switch?

Are you entering the config mode using enable?

Remember to only operate on ssh or telnet at one time, not both, or you may not be able to log in, and this would be a problem that would require the switch to be reset.

Try entering the edit config mode and enter

aaa authentication telnet enable tacacs local

look at the config and then enter

no aaa authentication telnet enable tacacs local

See if there is a change to your config now.

When you make changes to the switch, do you do

exit
wr mem

Describe the steps you're taking.

regards, Mark

Author Comment

by:thigserveradmin
ID: 35127544
Here is a text capture of what I am doing if it will help. Also, there is a show run attached in txt format.

NFLGNVSWV04# conf t
NFLGNVSWV04(config)# no aaa authentication telnet enable radius local
Invalid input: telnet
NFLGNVSWV04(config)#
NFLGNVSWV04(config)# .
NFLGNVSWV04(config)# aa authentication telnet enable tacacs local
NFLGNVSWV04(config)# no aaa authentication teln
Invalid input: teln
NFLGNVSWV04(config)# exit                      
NFLGNVSWV04#
NFLGNVSWV04# wr mem
NFLGNVSWV04#
NFLGNVSWV04# conf t
NFLGNVSWV04(config)# no aaa authentication tel
Invalid input: tel
NFLGNVSWV04(config)# no aaa authentication    
 login                 Specify that switch respects the authentication server's
                       privilege level.
show.run.txt

Expert Comment

by:uanmi
ID: 35135490
Hi

on this line you have aa and it should be aaa

aa authentication telnet enable tacacs local

should be

aaa authentication telnet enable tacacs local

then

no aaa authentication telnet enable tacacs local

should work

can you show me the config for all aaa lines in the running config please

regards
mark

Author Comment

by:thigserveradmin
ID: 35136658
That was simply a typo... it also auto completes and has nothing to do with the issue.  The config was uploaded yesterday in my previous post.  I'll reiterate my previous point:  Placing a "no" in front of the aaa commands has 0 effect.  This is not my first rodeo.

Does anybody else out there have any suggestions?

Expert Comment

by:uanmi
ID: 35136827
Hi, I have looked at the manual again. I have looked at your config and noticed a mistake immediately.

The issue you have is that your commands are mixed
aaa authentication telnet login tacacs local
aaa authentication telnet enable radius local

The first command is for tacacs and the second for radius
try
aaa authentication telnet enable tacacs local
no aaa authentication telnet enable tacacs local
no aaa authentication telnet login tacacs local

after the first command you could check to see if the command
aaa authentication telnet enable tacacs local
is in the config correctly.

The lines for ssh are not mixed

aaa authentication ssh login tacacs local

aaa authentication ssh enable tacacs local

so you should be able to remove both by doing:
no aaa authentication ssh enable tacacs local
no aaa authentication ssh login tacacs local



The order of commands listed in the manual is as follows:
Telnet Login (Operator or Read-Only) Access: Primary using TACACS+ server.
Secondary using Local.
ProCurve (config)# aaa authentication Telnet login tacacs local
Telnet Enable (Manager or Read/Write Access: Primary using TACACS+ server.
Secondary using Local.
ProCurve (config)# aaa authentication telnet enable tacacs local
Deny Access and Close the Session After Failure of Two Consecutive Username/Password Pairs:
ProCurve (config)# aaa authentication num-attempts 2

To remove these commands, I would suggest doing this in reverse order with "no" in front.


Author Comment

by:thigserveradmin
ID: 35136853
Sorry, I guess I'm not making myself clear... PLACING A NO IN FRONT OF THE AAA COMMANDS DOES NOT WORK. PLEASE SEE THE OUTPUT BELOW.

Anybody else?

3400# conf t
3400(config)# no aaa authentication ssh login tacacs local
Invalid input: ssh
3400(config)# no aaa authentication ssh enable tacacs local
Invalid input: ssh
3400(config)# aaa authentication telnet enable tacacs local
3400(config)# no aaa authentication telnet enable tacacs local
Invalid input: telnet
3400(config)# no aaa authentication telnet login tacacs local
Invalid input: telnet
3400(config)#
3400(config)#

Accepted Solution

by:uanmi (earned 500 total points)
ID: 35136919
Hi,

I'm trying to help, so please take this into account.

First again, you entered
no aaa authentication telnet enable tacacs local
this line does not exist in your running config. tacacs is radius in your running config

ok, so there is a need to get creative
try this
aaa authentication telnet enable local local
aaa authentication ssh enable local local

regards, Mark

Expert Comment

by:uanmi
ID: 35136950
also, the manual includes a line like this - possibly this will clear up the issue
no aaa authentication login local local

regards, Mark

Author Closing Comment

by:thigserveradmin
ID: 35136969
Thanks, I was just trying to get across to you that putting a "no" in front of any of the aaa commands does not work. I had mentioned it several times before. Your last solution put me on track and got me close though.

aaa authentication telnet enable tacacs none
aaa authentication telnet enable ssh none

This sets the aaa enable commands back to default.  Thanks for your help.
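The accepted solution and the closing comment above come down to one point: this switch rejects "no" in front of an "aaa authentication telnet/ssh ..." line, so the line has to be overwritten by issuing it again with the method you want. The script below is an added example, not code from the thread or from HP: it parses the aaa authentication lines out of a constructed running-config excerpt (SAMPLE_RUNNING_CONFIG, modelled on the mixed tacacs/radius lines discussed above, not the poster's attached show.run.txt) and generates the overwrite commands, emitting the access method you are currently connected through last so the other one can be verified first, as uanmi advised. The function names, the default target of "local" with no secondary method, and the parse of the command syntax are assumptions; the thread's own "tacacs none" variant can be passed as the primary/secondary parameters.

```python
import re

# Constructed excerpt of a ProCurve running config (not the poster's show.run.txt).
SAMPLE_RUNNING_CONFIG = """\
hostname "NFLGNVSWV04"
aaa authentication telnet login tacacs local
aaa authentication telnet enable radius local
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local
aaa authentication num-attempts 2
"""

# Assumed shape of the lines this thread deals with:
# "aaa authentication <access> <login|enable> <primary> [<secondary>]".
AAA_RE = re.compile(
    r"^aaa authentication (console|telnet|ssh|web) (login|enable) (\S+)(?: (\S+))?$"
)


def parse_aaa_lines(config):
    """Return (access, stage, primary, secondary) for each matching aaa line."""
    found = []
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return found


def reset_commands(config, in_use, primary="local", secondary=None):
    """Build the overwrite commands that put every access/stage pair back to
    the requested method. The switch rejects 'no aaa authentication ssh ...',
    so each existing line is replaced by re-issuing the command with the new
    method. Commands for the access method you are connected through (in_use)
    are emitted last, so the other access method is verified first."""
    target = (primary, secondary)
    cmds = []
    for access, stage, cur_primary, cur_secondary in parse_aaa_lines(config):
        if (cur_primary, cur_secondary) == target:
            continue  # already at the target method, nothing to overwrite
        cmd = f"aaa authentication {access} {stage} {primary}"
        if secondary:
            cmd += f" {secondary}"
        cmds.append((access == in_use, cmd))
    # sorted() is stable: lines for other access methods first, in config order.
    return [cmd for _, cmd in sorted(cmds, key=lambda c: c[0])]
```

Run the output one access method at a time from the console, and "wr mem" only after you have confirmed that you can still log in through a second session.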

Expert Comment

by:uanmi
ID: 35136975
and it would follow that the other one may be

no aaa authentication enable local local

possibly leave the last local off the end.

regards, Mark

Author Comment

by:thigserveradmin
ID: 35136981
lol, you cannot put a no in front of the aaa commands.  No matter what you try.  I don't know how I can make that any clearer.
LVL 3

Expert Comment

by:uanmi
ID: 35136992
hi, ok, I'm pleased that I helped, though it took a while.
regards, Mark