thigserveradmin
asked on
How can I remove AAA commands from an HP Procurve 3448cl switch?
I'm trying to remove misconfigured aaa commands from an HP Procurve and I've found that simply placing a "no" in front of them does not work. Example:
aaa authentication telnet login tacacs local
aaa authentication ssh login tacacs local
to remove, one would think you would do:
no aaa authentication telnet login tacacs local
no aaa authentication ssh login tacacs local
That does not work. I've effectively locked myself out of the switch via ssh but I think I still have console access. Any ideas?
ASKER
I do have backups of my configs, but this switch is a production switch so I would like to fix this the right way. I'm aware of password recovery techniques and resets. What I really need is a way to remove the aaa commands.
Hi,
What I'm suggesting is that you're not exiting and saving to memory, so the switch is still running with the old commands.
You may not have to do a reset, just save the changes to the running config.
I recommend you enter the CLI and then save the config, remove the access commands and then save the config again. Save to memory and to file.
Also, try to remove the commands and set the telnet and ssh password. What I mean is that you're trying to set the authentication, so set it back to a static password.
Do you have any other lines of code causing issues? Look at your original config and see if you need to remove other lines of code to move back to a default state for ssh and telnet.
Also try to reset one of these - either telnet or ssh to the default by turning access off to it. This I would do as a last resort. If you have access with telnet, then try turning ssh off, save to memory, then reload. Then set ssh on with a local static password, save to memory and reload. Keep working on one whilst maintaining access on the other.
regards, Mark
ASKER
I'll try disabling access via telnet or ssh. I cannot reload the switch easily, all of our telephony gear is connected to it (CLANs, PBX, Message server, etc..)
Hello,
I think since you ran the commands: aaa authentication telnet login tacacs local instead of aaa authentication telnet enable tacacs local, you are probably not in admin/manager mode and only in operator mode, which explains why you are unable to remove said commands.
Try going to the console then doing the "no aaa authen...." commands.
good luck,
-RK
ASKER
@RKinsp - I can only work in the console. Everything I've tried has been via the console.
ASKER
@uanmi - I tried disabling ssh and telnet to see if it would then allow the "no" command to be used against the aaa configuration, and it does not. Any other ideas? There has to be a way to remove these commands other than resetting the switch....
can you please post the config lines here for all the aaa if they do not contain passwords.
aaa authentication telnet login tacacs local
aaa authentication ssh login tacacs local
I also think you may not be in administrator mode and therefore unable to remove commands. Do you have complete control of the switch with your login to the switch?
Are you entering the config mode using enable?
Remember to only operate on ssh or telnet at one time, not both, or you may not be able to log in, and this would be a problem that would require the switch to be reset.
Try entering the edit config mode and enter
aaa authentication telnet enable tacacs local
look at the config and then enter
no aaa authentication telnet enable tacacs local
see if there is a change to your config now.
when you make changes to the switch do you do
exit
wr mem
Describe the steps you're taking.
regards, Mark
ASKER
Here is a text capture of what I am doing if it will help. Also, there is a show run attached in txt format.
NFLGNVSWV04# conf t
NFLGNVSWV04(config)# no aaa authentication telnet enable radius local
Invalid input: telnet
NFLGNVSWV04(config)#
NFLGNVSWV04(config)# .
NFLGNVSWV04(config)# aa authentication telnet enable tacacs local
NFLGNVSWV04(config)# no aaa authentication teln
Invalid input: teln
NFLGNVSWV04(config)# exit
NFLGNVSWV04#
NFLGNVSWV04# wr mem
NFLGNVSWV04#
NFLGNVSWV04# conf t
NFLGNVSWV04(config)# no aaa authentication tel
Invalid input: tel
NFLGNVSWV04(config)# no aaa authentication
login Specify that switch respects the authentication server's
privilege level.
show.run.txt
Hi
On this line you have "aa" and it should be "aaa":
aa authentication telnet enable tacacs local
should be
aaa authentication telnet enable tacacs local
then
no aaa authentication telnet enable tacacs local
should work
can you show me the config for all aaa lines in the running config please
regards
mark
ASKER
That was simply a typo... it also auto completes and has nothing to do with the issue. The config was uploaded yesterday in my previous post. I'll reiterate my previous point: Placing a "no" in front of the aaa commands has 0 effect. This is not my first rodeo.
Does anybody else out there have any suggestions?
Hi, I have looked at the manual again. I have looked at your config and noticed a mistake immediately.
The issue you have is that your commands are mixed
aaa authentication telnet login tacacs local
aaa authentication telnet enable radius local
The first command is for tacacs and the second for radius
try
aaa authentication telnet enable tacacs local
no aaa authentication telnet enable tacacs local
no aaa authentication telnet login tacacs local
after the first command you could check to see if the command
aaa authentication telnet enable tacacs local
is in the config correctly.
The lines for ssh are not mixed
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local
so you should be able to remove both by doing:
no aaa authentication ssh enable tacacs local
no aaa authentication ssh login tacacs local
and the order of commands listed is as follows:
Telnet Login (Operator or Read-Only) Access: Primary using TACACS+ server.
Secondary using Local.
ProCurve (config)# aaa authentication Telnet login tacacs local
Telnet Enable (Manager or Read/Write) Access: Primary using TACACS+ server.
Secondary using Local.
ProCurve (config)# aaa authentication telnet enable tacacs local
Deny Access and Close the Session After Failure of Two Consecutive Username/Password Pairs:
ProCurve (config)# aaa authentication num-attempts 2
To remove these commands, I would suggest doing this in reverse order with no in front
ASKER
Sorry, I guess I'm not making myself clear... PLACING A NO IN FRONT OF THE AAA COMMANDS DOES NOT WORK. PLEASE SEE THE OUTPUT BELOW.
Anybody else?
3400# conf t
3400(config)# no aaa authentication ssh login tacacs local
Invalid input: ssh
3400(config)# no aaa authentication ssh enable tacacs local
Invalid input: ssh
3400(config)# aaa authentication telnet enable tacacs local
3400(config)# no aaa authentication telnet enable tacacs local
Invalid input: telnet
3400(config)# no aaa authentication telnet login tacacs local
Invalid input: telnet
3400(config)#
3400(config)#
ASKER CERTIFIED SOLUTION
also, the manual includes a line like this - possibly this will clear up the issue
no aaa authentication login local local
regards, Mark
ASKER
Thanks, I was just trying to get across to you that putting a "no" in front of any of the aaa commands does not work. I had mentioned it several times before. Your last solution put me on track and got me close though.
aaa authentication telnet enable tacacs none
aaa authentication telnet enable ssh none
This sets the aaa enable commands back to default. Thanks for your help.
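The transcripts in this thread show two things a practitioner should take away: on this switch `no aaa authentication telnet ...` and `no aaa authentication ssh ...` are rejected with `Invalid input`, and the line is instead replaced by re-issuing `aaa authentication <access> <login|enable> ...` with a different method list. The following Python script is an added example, not code from the thread or from HP; it reads the `aaa authentication` lines out of a saved `show run` capture and prints the overwrite commands that put each one back to the assumed factory default of `local` primary and `none` secondary, ordered so the access method you are logged in over is touched last (Mark's "keep working on one whilst maintaining access on the other"). The sample config text is constructed from the lines quoted in the thread, the default method pair and the exact CLI form `aaa authentication <access> <stage> local none` are assumptions taken from the ProCurve access security documentation rather than from this page, and the rejection check is modelled only on the `Invalid input` output shown above.

```python
from __future__ import annotations
import re

# Constructed sample: the aaa lines quoted in the thread plus two unrelated
# lines that the parser must skip. Not the asker's full show.run.txt.
SAMPLE_RUNNING_CONFIG = """\
hostname "NFLGNVSWV04"
aaa authentication telnet login tacacs local
aaa authentication telnet enable radius local
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local
aaa authentication num-attempts 2
tacacs-server host 192.0.2.10 key ********
"""

# Assumption: factory default for every <access> <stage> pair is
# primary "local", secondary "none" (per ProCurve docs, not this thread).
DEFAULT_METHODS = ("local", "none")
ACCESS_METHODS = ("console", "telnet", "ssh", "web")

# Matches "aaa authentication <access> <login|enable> <primary> [<secondary>]".
# "aaa authentication num-attempts N" deliberately does not match.
AAA_LINE = re.compile(
    r"^aaa authentication (?P<access>console|telnet|ssh|web) "
    r"(?P<stage>login|enable) (?P<primary>\S+)(?: (?P<secondary>\S+))?$"
)


def parse_aaa_lines(config: str) -> list[dict]:
    """Return one dict per aaa authentication <access> <stage> line."""
    entries = []
    for raw in config.splitlines():
        m = AAA_LINE.match(raw.strip())
        if m:
            entry = m.groupdict()
            # A missing secondary method behaves as "none".
            entry["secondary"] = entry["secondary"] or "none"
            entries.append(entry)
    return entries


def is_default(entry: dict) -> bool:
    return (entry["primary"], entry["secondary"]) == DEFAULT_METHODS


def is_rejected_no_form(cmd: str) -> bool:
    """True for the 'no aaa authentication <access> ...' forms the thread
    shows the 3400cl rejecting with 'Invalid input: <access>'."""
    return re.match(r"^no aaa authentication (console|telnet|ssh|web)\b",
                    cmd.strip()) is not None


def reset_commands(config: str, keep_session_on: str = "console") -> list[str]:
    """Overwrite (not 'no') every non-default aaa authentication line back to
    the assumed default, handling the method you are connected over last,
    and finish with 'write memory' so the change survives a reload."""
    if keep_session_on not in ACCESS_METHODS:
        raise ValueError(f"unknown access method: {keep_session_on}")
    todo = [e for e in parse_aaa_lines(config) if not is_default(e)]
    # Stable sort: entries for the in-use access method move to the end.
    todo.sort(key=lambda e: e["access"] == keep_session_on)
    cmds = [
        f"aaa authentication {e['access']} {e['stage']} "
        f"{DEFAULT_METHODS[0]} {DEFAULT_METHODS[1]}"
        for e in todo
    ]
    if cmds:
        cmds.append("write memory")
    # Belt and braces: never emit a form the switch is known to reject.
    assert not any(is_rejected_no_form(c) for c in cmds)
    return cmds


if __name__ == "__main__":
    # The asker is working on the console, so telnet and ssh can both be reset.
    for c in reset_commands(SAMPLE_RUNNING_CONFIG, keep_session_on="console"):
        print(c)
```

Paste the printed lines into `conf t`, one at a time, and check `show run` after each; if you are connected over telnet or ssh rather than the console, pass that method as `keep_session_on` so your own session's lines are overwritten last, and confirm a fresh login works before you run `write memory`.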
and it would follow that the other one may be
no aaa authentication enable local local
possibly leave the last local off the end.
regards, Mark
ASKER
lol, you cannot put a no in front of the aaa commands. No matter what you try. I don't know how I can make that any clearer.
hi, ok, I'm pleased that I helped, though it took a while.
regards, Mark
If you delete commands you need to commit to memory and possibly restart in your situation.
"exit" - config mode
"wr mem"
Let me know if this works
regards, Mark