Lizandro Diaz (United States of America) asked:
Getting locked out and can't access Cisco via the web

Got a donated 3750X, upgraded its IOS to c3750e-ipbasek9npe-tar.150-2.SE10a.tar.
I moved the configuration from our old 3560 to the 3750X.
Everything worked, but I keep getting locked out: my passwords are not being accepted, and I also can't access the switch via a web browser.

I followed the instructions at this link, reset the old passwords, created a new username, and am still getting locked out.
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2950-series-switches/12040-pswdrec-2900xl.html

Take a look at the configuration as it is right now.
How can I login locally and access the switch via the web?
Thanks so much.


3750XSwitch#sh run
Building configuration...

Current configuration : 15891 bytes
!
! Last configuration change at 19:09:49 UTC Sun Jan 1 2006
!
version 15.0
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname CoreSwitch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$cDCrLKtl1$1$cDCrLKtl1$1$cDCrLKtl1
enable password 7 607B636175607B636175607B636175
!
username myname privilege 15 password 7 0C723270C7A3F21682327
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
clock timezone UTC -5 0
clock summer-time UTC recurring
switch 1 provision ws-c3750x-48p
system mtu routing 1500
ip routing
no ip cef optimize neighbor resolution
!
!
ip domain-name mydomain
ip multicast-routing distributed
ip device tracking
ip admission name WEBBASED proxy http
vtp mode transparent
!
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 90 10
m
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
crypto pki trustpoint TP-self-signed-33368
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-30368
 revocation-check none
 rsakeypair TP-self-signed-30368
!
!
crypto pki certificate chain TP-self-signed-3335450368
 certificate self-signed 01
  
  551D0E04 16041433 A111A065 16470107 8443E3D7 CC6DCC5D 85ADAA30 0D06092A
  864886F7 0D010104 05000381 81007E9B 5644C2E0 B4860B57 74264050 EA77DD58
  6FDFB346 936C2CF4 4A8A1EA4 A71A8801 4D12CD4C 8F2909E0 8F415A54 FD434EA1
  72E94177 D5AAAACB 1FB8F692 BD6CAE77 C85DF50E A26DEE82 7CED3083 C909807A
  E6D44C51 EE8D32D4 1F5CE7FF 45D74144 15589EF7 82242198 70C1C60B 71C05BFC
  2A6B53F4 D7AFB0CD A991B076 9B92
        quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
port-channel load-balance src-dst-ip
!
!
!
!
vlan internal allocation policy ascending
!
vlan 10
 name PrimaryVlan
!
vlan 20
 name SecondaryVlan
!
vlan 30
 name Guest
!
vlan 40
!
ip ssh authentication-retries 5
ip ssh rsa keypair-name mykey
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
 description NIC team for Teo Server
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
!
interface Port-channel2
 description NIC team for SCenter
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
!
interface Port-channel3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast
!
interface Port-channel4
 description NIC team for server2 HyperV 2012
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
!
interface FastEthernet0
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface GigabitEthernet1/0/1
 description To Gateway 0/1
 no switchport
 ip address 172.20.10.2 255.255.255.248
!
interface GigabitEthernet1/0/2
  switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast
 channel-group 2 mode on
!
interface GigabitEthernet1/0/3
 description To BufNIC 1
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast
 channel-group 2 mode on
!
interface GigabitEthernet1/0/4
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast
 channel-group 1 mode on
!
interface GigabitEthernet1/0/5
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast
 channel-group 1 mode on
!
interface GigabitEthernet1/0/6
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast
 channel-group 4 mode on
!
interface GigabitEthernet1/0/7
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast
 channel-group 4 mode on
!
interface GigabitEthernet1/0/8
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast
 channel-group 4 mode on
!
interface GigabitEthernet1/0/9
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast
 channel-group 4 mode on
!
interface GigabitEthernet1/0/10
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 description To M3 IBM Nic2
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/13
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 channel-group 3 mode on
!
interface GigabitEthernet1/0/14
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 channel-group 3 mode on
!
interface GigabitEthernet1/0/15
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 channel-group 3 mode on
!
interface GigabitEthernet1/0/16
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 channel-group 3 mode on
!
interface GigabitEthernet1/0/17
 switchport access vlan 40
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/18
 switchport access vlan 40
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/19
 switchport access vlan 40
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/20
 switchport access vlan 40
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/21
 switchport access vlan 40
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/22
 switchport access vlan 40
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/23
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/25
 switchport access vlan 40
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/26
 switchport access vlan 40
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/27
 switchport access vlan 40
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/28
 switchport access vlan 40
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/29
 switchport access vlan 40
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/30
 switchport access vlan 40
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/31
 description BuX
 switchport access vlan 20
 spanning-tree portfast
!
interface GigabitEthernet1/0/32
 description Xerox
 switchport access vlan 20
 spanning-tree portfast
!
interface GigabitEthernet1/0/33
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/34
 switchport access vlan 20
 spanning-tree portfast
!
interface GigabitEthernet1/0/35
 switchport access vlan 20
 spanning-tree portfast
!
interface GigabitEthernet1/0/36
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/37
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/38
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust cos
 macro description cisco-wireless | cisco-wireless | cisco-wireless | cisco-wireless
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/39
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/40
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/41
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/42
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/43
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust cos
 macro description cisco-wireless | cisco-wireless | cisco-wireless | cisco-wireless
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/44
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust cos
 macro description cisco-wireless | cisco-wireless | cisco-wireless | cisco-wireless
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/45
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/46
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 1 30 35 5
!
interface GigabitEthernet1/0/47
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust cos
 macro description cisco-wireless
 auto qos voip trust
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust cos
 macro description cisco-switch | cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 macro description cisco-switch | cisco-switch
 spanning-tree link-type point-to-point
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 10.1.10.1 255.255.254.0
!
interface Vlan20
 ip address 172.16.0.1 255.255.254.0
!
interface Vlan30
 
!
interface Vlan40
 ip address 10.40.1.1 255.255.255.192
!
ip http server
ip http authentication aaa
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.20.10.1
!

snmp-server community mydomain RW
!
!
!
!
line con 0
 password 7 0501B160501B160501B16
 logging synchronous
line vty 0 4
 password 7 11015101F165101F16
 logging synchronous
 length 0
 transport input ssh
line vty 5 15
 password 7 5101F165101F16F1E0B
!
end


Garry Glendown (Germany):
Did you copy & paste the type 7 passwords, or did you modify them here? Either way, the ones listed above are defective ... for trial purposes, disable the password encryption (no service password-encryption) and reset the user password ... check if it works then ... (your user password has an odd number of characters; it needs to be even. The enable password, though not being used, also looks defective when decoded.)
SIM50:
There is nothing really in the config that could cause that behavior. Have you tried different computers and browsers?
On an unrelated note: you don't need to assign a port to VLAN 10 to use it as the native VLAN.
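Garry's observation about the type 7 strings (odd length, decodes to garbage) can be checked mechanically. The following is an added example, not code from this thread or from Cisco: a Python decoder/encoder for Cisco IOS type 7 ("service password-encryption") strings that validates the format (a two-digit seed followed by one hex pair per password byte) before decoding. The reference string `094F471A1A0A`, which decodes to `cisco`, is a constructed known-good value; the other inputs are the strings exactly as they appear in the posted config. The rule that IOS only generates seeds 0 to 15 is this example's own assumption.

```python
"""Decode / encode Cisco IOS type 7 ("service password-encryption") strings.

Added example for this thread. Type 7 is a byte-wise XOR against a fixed,
widely published key with a two-digit rotating offset, so anything stored
this way is recoverable by anyone who can read the config. Only
'enable secret' (and type 8/9 hashes) offer real protection.
"""

# The fixed XOR key used by IOS type 7 (53 bytes).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def validate_type7(s: str):
    """Return None if `s` is a well-formed type 7 string, else a reason string.

    Format: two decimal digits (seed = starting offset into XLAT) followed by
    one pair of hex digits per password byte. Assumption (this example's own):
    IOS only generates seeds 0..15, so a larger seed is reported as malformed.
    """
    if len(s) < 4:
        return f"too short ({len(s)} chars): need a 2-digit seed plus at least one hex pair"
    if len(s) % 2:
        return (f"odd length ({len(s)} chars): the body after the seed must be whole "
                "hex pairs, so a character was dropped or mistyped")
    if not s[:2].isdigit():
        return f"seed {s[:2]!r} is not two decimal digits"
    if int(s[:2]) > 15:
        return f"seed {int(s[:2])} is outside the 0-15 range IOS generates"
    try:
        bytes.fromhex(s[2:])
    except ValueError:
        return "body contains non-hex characters"
    return None


def decode_type7(s: str) -> str:
    """Decode a well-formed type 7 string to the cleartext password."""
    reason = validate_type7(s)
    if reason:
        raise ValueError(f"malformed type 7 string: {reason}")
    seed = int(s[:2])
    body = bytes.fromhex(s[2:])
    clear = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body))
    return clear.decode("latin-1")


def encode_type7(password: str, seed: int = 9) -> str:
    """Encode a password the way IOS does (seed 0..15); inverse of decode_type7."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = password.encode("latin-1")
    body = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def check_config_strings(strings):
    """Map each type 7 string to ('decoded', cleartext) or ('malformed', reason)."""
    results = {}
    for s in strings:
        reason = validate_type7(s)
        results[s] = ("malformed", reason) if reason else ("decoded", decode_type7(s))
    return results


if __name__ == "__main__":
    # Constructed reference value: decodes to 'cisco'.
    samples = ["094F471A1A0A"]
    # Strings as they appear in the posted config (the asker later says they
    # retyped them by hand before posting, which matches what comes out here).
    samples += [
        "607B636175607B636175607B636175",  # enable password 7
        "0C723270C7A3F21682327",           # username myname ... password 7
        "0501B160501B160501B16",           # line con 0
        "11015101F165101F16",              # line vty 0 4
        "5101F165101F16F1E0B",             # line vty 5 15
    ]
    for s, (state, detail) in check_config_strings(samples).items():
        print(f"{s:32} {state:9} {detail!r}")
```

Three of the five posted strings fail the length check, one has a seed IOS would never produce, and the only well-formed one (vty 0 4) decodes to non-printable bytes, so none of them can be the credentials actually on the switch. The more important lesson for anyone pasting a config into a public thread is that a well-formed type 7 string is not redacted at all.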
Lizandro Diaz (asker):
@ Garry-G
"Did you copy&paste the type 7 passwords? " I typed them myself.
"no service password-encryption) and reset the user password ... check if it works then" Not working.
"your user password is an odd number of chars, needs to be even, the enable password, though not being used, also looks defective when decoded)" Before posting I edited the passwords areas and typed whatever characters there.
@ SIM50
"Have you tried different computers and browsers?" Yes, I have tried 3 different browsers and still not working.

"On the unrelated note. You don't need to assign port to vlan 10 to use it as a native vlan." I left it like this so I keep in mind which VLAN is my management VLAN.
Are these commands correct?

aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
SIM50:
By "not being able to access", do you mean the page doesn't load, or that you can't log in?
Do "sh ip http server history" in the CLI.
SIM50 (United States of America), accepted solution:
Yes, the aaa commands listed are fine and correct.

Garry Glendown:
Btw, what are you doing to connect to the switch? telnet? If so, this might be the problem:

 transport input ssh

Try changing this to "transport input all"
As for the web interface, can you take a look at the flash contents and see whether there's a directory for the currently used IOS which contains lots of files (html etc.)
Lizandro Diaz (asker):
@SIM50: I'm totally locked out of the switch. I can't log in via console, telnet, SSH, or via the web; totally locked out.

I wish I were able to do "sh ip http server history" in the CLI, but again I'm locked out of the switch, and there's no way I have forgotten the passwords.

When I do this, http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2950-series-switches/12040-pswdrec-2900xl.html

my configuration is there and everything works fine; it's just that as soon as I exit, I can't log back in again with my password.
(screenshot) This is what I get either via SSH or console.
"I would probably remove aaa authorization exec default local as it kind of meaningless in this case."
Which command should I use?

I will be able to do this after 3:30 pm.
@ Garry-G: I will try this "transport input ssh".

SIM50:
"Btw, what are you doing to connect to the switch? telnet? If so, this might be the problem:

 transport input ssh

Try changing this to "transport input all""

Not correct. SSH is restricted only to virtual lines 0 to 4. You can still connect using telnet on vty's 5 to 15.
Lizandro Diaz (asker):
Thanks SIM50 and Garry-G.

I will try your suggestion as soon as I get a chance and will keep you updated. Thanks so much for your suggestions.
Question. This is part of the config.

"ip admission name WEBBASED proxy http" any ideas?
SIM50:
Katrach0, here is how I would troubleshoot this.
1. Remove aaa authentication from the console for now so you wouldn't be completely locked out.
aaa authentication login CON none
line con 0
login authentication CON
2. enable debug for authentication.
debug aaa authentication
3. open another putty window and connect to the switch through ssh/telnet and try to login
4. save debug output and disable debug
u all
5. post debug here.
"ip admission name WEBBASED proxy http" any ideas?

That is used for web-based authentication if you use a RADIUS server. Remove it from your config.

Edit: The statement above is not fully correct. You can also setup local web based authentication on a switch but your switch is missing the rest of the config for 802.1x.
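The conditions this thread turns on (aaa new-model pointing every line, console included, at the local database; the web UI on `ip http authentication aaa`; reversible line passwords; telnet still reachable on vty 5 to 15) can be checked from a saved `show run` before anyone touches the switch. The following is an added example, not code from this thread or from Cisco: a small Python audit that parses IOS config text and reports those conditions. `SAMPLE_CONFIG` is a constructed excerpt of the config posted in the question, reduced to the statements the checks read; the finding codes are this script's own names. The assumption that, with `aaa new-model` and no explicit default list, IOS falls back to the local user database is labelled in the code.

```python
"""Audit a Cisco IOS running-config for the lockout conditions this thread hits.

Added example, not part of the thread. It reads only the AAA, line, HTTP and
credential statements; the finding codes are this script's own names.
"""
import re

# Constructed excerpt of the running-config posted in the question, reduced to
# the statements the checks below read.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$cDCrLKtl1$1$cDCrLKtl1$1$cDCrLKtl1
enable password 7 607B636175607B636175607B636175
username myname privilege 15 password 7 0C723270C7A3F21682327
aaa new-model
aaa authentication login default local
aaa authorization exec default local
ip http server
ip http authentication aaa
ip http secure-server
snmp-server community mydomain RW
line con 0
 password 7 0501B160501B160501B16
 logging synchronous
line vty 0 4
 password 7 11015101F165101F16
 logging synchronous
 length 0
 transport input ssh
line vty 5 15
 password 7 5101F165101F16F1E0B
"""


def parse_config(text):
    """Return (top-level statements, {section header: [indented sub-statements]})."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def audit_lockout(text):
    """Return [(code, detail)] for the conditions discussed in the thread."""
    top, sections = parse_config(text)
    findings = []
    aaa = "aaa new-model" in top
    login_lists = {}  # method-list name -> methods, e.g. {"default": ["local"]}
    for stmt in top:
        m = re.match(r"aaa authentication login (\S+) (.+)$", stmt)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
    usernames = [s for s in top if s.startswith("username ")]

    if aaa:
        # Assumption (this example's): with aaa new-model and no explicit
        # default list, IOS authenticates against the local user database.
        default = login_lists.get("default", ["local"])
        if "local" in default and not usernames:
            findings.append(("AAA_LOCAL_NO_USERNAME",
                             "default login list is local but no username exists: every line locks out"))
        con = sections.get("line con 0", [])
        con_list = next((s.split()[-1] for s in con
                         if s.startswith("login authentication ")), "default")
        methods = login_lists.get(con_list, default)
        if "none" not in methods:
            findings.append(("CONSOLE_NO_FALLBACK",
                             f"line con 0 uses login list '{con_list}' {methods}; a bad local "
                             "credential locks the console too (SIM50's step 1 adds a 'none' list)"))
    if any(s.startswith("enable secret") for s in top) and \
            any(s.startswith("enable password") for s in top):
        findings.append(("ENABLE_PASSWORD_SHADOWED",
                         "enable password is ignored while enable secret is set, but stays readable"))
    for header, body in [("global", top)] + list(sections.items()):
        for stmt in body:
            m = re.match(r"(.*?)\s*password 7 (\S+)$", stmt)
            if m:
                where = m.group(1) or header
                state = "malformed: odd length" if len(m.group(2)) % 2 else "reversible type 7"
                findings.append(("TYPE7_PASSWORD", f"{where}: {state}"))
    if "ip http authentication aaa" in top:
        findings.append(("HTTP_AUTH_AAA",
                         "web UI authenticates through the AAA default login list"
                         + ("" if aaa else "; aaa new-model is off, use 'ip http authentication local'")))
    for header, body in sections.items():
        if header.startswith("line vty") and not any(s.startswith("transport input") for s in body):
            findings.append(("VTY_NO_TRANSPORT_RESTRICTION",
                             f"{header}: no 'transport input', so telnet is not excluded here"))
    for stmt in top:
        if stmt.startswith("snmp-server community") and stmt.split()[-1].upper() == "RW":
            findings.append(("SNMP_RW", f"{stmt!r}: read-write community in cleartext"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_lockout(SAMPLE_CONFIG):
        print(f"{code:30} {detail}")
```

Run it against `show run` output saved to a file. Whichever way the AAA problem is resolved (SIM50's `CON none` list for the console, or the `no aaa new-model` plus `ip http authentication local` the asker eventually used), keep the session that made the change open until a second session has logged in successfully, otherwise the next lockout is the same one.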
Lizandro Diaz (asker):
Hello SIM50, Garry-G.

My apologies for taking so long to respond to this; I have been very busy.

The problem was solved by doing the following:

I added this command: no aaa new-model

I also added this command: ip http authentication local

This is how the configuration looks now.

I want to thank you both for your help.
(screenshot: Add-Commands.png)