Lizandro Diaz
asked on
Getting locked out and can't access Cisco via the web
Got a donated 3750X, upgraded its IOS to c3750e-ipbasek9npe-tar.150-2.SE10a.tar.
I moved the configuration from our old 3560 to the 3750X.
Everything worked, but I keep getting locked out; my passwords are not being taken, and I also can't access the switch via a web browser.
I followed the instructions on this link, reset the old passwords, created a new username and still getting locked out.
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2950-series-switches/12040-pswdrec-2900xl.html
Take a look at the configuration as it is right now.
How can I login locally and access the switch via the web?
Thanks so much.
3750XSwitch#sh run
Building configuration...
Current configuration : 15891 bytes
!
! Last configuration change at 19:09:49 UTC Sun Jan 1 2006
!
version 15.0
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname CoreSwitch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$cDCrLKtl1$1$cDCrLKtl1$1$cDCrLKtl1
enable password 7 607B636175607B636175607B636175
!
username myname privilege 15 password 7 0C723270C7A3F21682327
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
clock timezone UTC -5 0
clock summer-time UTC recurring
switch 1 provision ws-c3750x-48p
system mtu routing 1500
ip routing
no ip cef optimize neighbor resolution
!
!
ip domain-name mydomain
ip multicast-routing distributed
ip device tracking
ip admission name WEBBASED proxy http
vtp mode transparent
!
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 90 10
m
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
crypto pki trustpoint TP-self-signed-33368
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-30368
revocation-check none
rsakeypair TP-self-signed-30368
!
!
crypto pki certificate chain TP-self-signed-3335450368
certificate self-signed 01
quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
port-channel load-balance src-dst-ip
!
!
!
!
vlan internal allocation policy ascending
!
vlan 10
name PrimaryVlan
!
vlan 20
name SecondaryVlan
!
vlan 30
name Guest
!
vlan 40
!
ip ssh authentication-retries 5
ip ssh rsa keypair-name mykey
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
description NIC team for Teo Server
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface Port-channel2
description NIC team for SCenter
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface Port-channel3
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
spanning-tree portfast
!
interface Port-channel4
description NIC team for server2 HyperV 2012
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface FastEthernet0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface GigabitEthernet1/0/1
description To Gateway 0/1
no switchport
ip address 172.20.10.2 255.255.255.248
!
interface GigabitEthernet1/0/2
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
spanning-tree portfast
channel-group 2 mode on
!
interface GigabitEthernet1/0/3
description To BufNIC 1
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
spanning-tree portfast
channel-group 2 mode on
!
interface GigabitEthernet1/0/4
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
spanning-tree portfast
channel-group 1 mode on
!
interface GigabitEthernet1/0/5
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
spanning-tree portfast
channel-group 1 mode on
!
interface GigabitEthernet1/0/6
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
spanning-tree portfast
channel-group 4 mode on
!
interface GigabitEthernet1/0/7
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
spanning-tree portfast
channel-group 4 mode on
!
interface GigabitEthernet1/0/8
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
spanning-tree portfast
channel-group 4 mode on
!
interface GigabitEthernet1/0/9
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
spanning-tree portfast
channel-group 4 mode on
!
interface GigabitEthernet1/0/10
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/11
description To M3 IBM Nic2
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/13
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
channel-group 3 mode on
!
interface GigabitEthernet1/0/14
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
channel-group 3 mode on
!
interface GigabitEthernet1/0/15
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
channel-group 3 mode on
!
interface GigabitEthernet1/0/16
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
channel-group 3 mode on
!
interface GigabitEthernet1/0/17
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/18
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/19
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/20
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/21
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/22
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/23
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/24
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/25
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/26
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/27
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/28
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/29
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/30
switchport access vlan 40
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/31
description BuX
switchport access vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/32
description Xerox
switchport access vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/33
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/34
switchport access vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/35
switchport access vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/36
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/37
switchport access vlan 10
spanning-tree portfast
!
interface GigabitEthernet1/0/38
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
macro description cisco-wireless | cisco-wireless | cisco-wireless | cisco-wireless
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/39
switchport access vlan 10
spanning-tree portfast
!
interface GigabitEthernet1/0/40
switchport access vlan 10
spanning-tree portfast
!
interface GigabitEthernet1/0/41
switchport access vlan 10
spanning-tree portfast
!
interface GigabitEthernet1/0/42
switchport access vlan 10
spanning-tree portfast
!
interface GigabitEthernet1/0/43
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
macro description cisco-wireless | cisco-wireless | cisco-wireless | cisco-wireless
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/44
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
macro description cisco-wireless | cisco-wireless | cisco-wireless | cisco-wireless
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/45
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet1/0/46
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 1 30 35 5
!
interface GigabitEthernet1/0/47
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
macro description cisco-wireless
auto qos voip trust
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
macro description cisco-switch | cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
macro description cisco-switch | cisco-switch
spanning-tree link-type point-to-point
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 10.1.10.1 255.255.254.0
!
interface Vlan20
ip address 172.16.0.1 255.255.254.0
!
interface Vlan30
!
interface Vlan40
ip address 10.40.1.1 255.255.255.192
!
ip http server
ip http authentication aaa
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.20.10.1
!
snmp-server community mydomain RW
!
!
!
!
line con 0
password 7 0501B160501B160501B16
logging synchronous
line vty 0 4
password 7 11015101F165101F16
logging synchronous
length 0
transport input ssh
line vty 5 15
password 7 5101F165101F16F1E0B
!
end
Did you copy&paste the type 7 passwords? Or did you modify them here? Either way, the ones that are listed above are defective ... for trial purposes, disable the password encryption (no service password-encryption) and reset the user password ... check if it works then ... (your user password is an odd number of chars, needs to be even, the enable password, though not being used, also looks defective when decoded)
There is nothing really in config that could cause that behavior. Have you tried different computers and browsers?
On the unrelated note. You don't need to assign port to vlan 10 to use it as a native vlan.
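A small config lint, added here as an illustration (it is not from the thread, from Cisco, or from either poster), that applies Garry-G's type 7 observation and SIM50's vty point to a config like the one posted: it checks each `password 7` string for structural defects without decoding it (a well-formed type 7 value is a two-decimal-digit seed in 00..15 followed by hex byte pairs, so it always has an even number of digits), and it flags vty ranges whose `transport input` settings differ. The sample config is constructed from the thread's already-edited values and is not a working set of credentials.

```python
import re

# Constructed sample running-config, modelled on the thread's posted config.
# The type 7 strings are the (already edited) values shown in the thread,
# not working credentials.
SAMPLE_CONFIG = """\
service password-encryption
aaa new-model
aaa authentication login default local
username myname privilege 15 password 7 0C723270C7A3F21682327
enable password 7 607B636175607B636175607B636175
ip http server
ip http authentication aaa
line con 0
 password 7 0501B160501B160501B16
line vty 0 4
 password 7 11015101F165101F16
 transport input ssh
line vty 5 15
 password 7 5101F165101F16F1E0B
"""

TYPE7_RE = re.compile(r"\bpassword 7 (\S+)$")


def type7_defects(blob):
    """Structural checks on a type 7 string, without decoding it: a valid value
    is a two-decimal-digit seed in 00..15 followed by hex byte pairs."""
    problems = []
    if not re.fullmatch(r"[0-9A-Fa-f]+", blob):
        problems.append("non-hex characters")
    if len(blob) % 2:
        problems.append(f"odd length ({len(blob)} digits)")
    if not (blob[:2].isdigit() and 0 <= int(blob[:2]) <= 15):
        problems.append(f"seed {blob[:2]!r} outside 00..15")
    return problems


def lint_config(text):
    """Return (line_no, message) findings for lockout-related config problems;
    line 0 marks findings about the config as a whole."""
    findings = []
    stripped = [l.strip() for l in text.splitlines()]
    has_aaa = "aaa new-model" in stripped
    has_user = any(l.startswith("username ") for l in stripped)
    vty_transport = {}  # "line vty 0 4" -> explicit transport input, or None
    section = None
    for n, line in enumerate(stripped, 1):
        if line.startswith("line "):
            section = line
            if line.startswith("line vty"):
                vty_transport[section] = None
            continue
        m = TYPE7_RE.search(line)
        if m:
            for p in type7_defects(m.group(1)):
                findings.append((n, f"type 7 string: {p}"))
        if line.startswith("transport input ") and section in vty_transport:
            vty_transport[section] = line.split(" ", 2)[2]
        if line == "ip http authentication aaa" and not has_aaa:
            findings.append((n, "HTTP auth points at AAA but aaa new-model is absent"))
    if has_aaa and not has_user:
        findings.append((0, "aaa new-model with no local username: lockout risk"))
    if len(set(vty_transport.values())) > 1:
        findings.append((0, f"vty ranges differ in transport input: {vty_transport}"))
    return findings
```

On the sample, the username, console and vty 5-15 strings are flagged as odd-length (and two of them carry an impossible seed), the enable password is flagged for its seed alone, and the two vty ranges are reported as inconsistent, which is the combination the thread's replies point at.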
ASKER
@ Garry-G
"Did you copy&paste the type 7 passwords? " I typed them myself.
"no service password-encryption) and reset the user password ... check if it works then" Not working.
"your user password is an odd number of chars, needs to be even, the enable password, though not being used, also looks defective when decoded)" Before posting I edited the passwords areas and typed whatever characters there.
ASKER
@ SIM50
"Have you tried different computers and browsers?" Yes, I have tried 3 different browsers and still not working.
"On the unrelated note. You don't need to assign port to vlan 10 to use it as a native vlan." I left it like this to keep in mind which one is my management vlan.
ASKER
Are these commands correct?
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
By not being able to access, you mean the page doesn't load or you can't login?
Do "sh ip http server history" in CLI.
Yes, the aaa commands listed are fine and correct.
Btw, what are you doing to connect to the switch? telnet? If so, this might be the problem:
transport input ssh
Try changing this to "transport input all"
As for the web interface, can you take a look at the flash contents and see whether there's a directory for the currently used IOS which contains lots of files (html etc.)
ASKER
@SIM50. I'm totally locked out of the switch; I can't log in via console, telnet, ssh, or the web. Totally locked out.
I wish I were able to do this "sh ip http server history" in CLI, but again I'm locked out of the switch, and there's no way I have forgotten the passwords.
When I do this, http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2950-series-switches/12040-pswdrec-2900xl.html
my configuration is there and everything works fine; it's just that as soon as I exit I can't log back in again with my password.
This is what I get either via ssh or console.
ASKER
"I would probably remove aaa authorization exec default local as it kind of meaningless in this case."
Which command should I use?
I will be able to do this after 3:30 pm.
ASKER
@Garry-G. If I try this "transport input ssh":
Btw, what are you doing to connect to the switch? telnet? If so, this might be the problem:
transport input ssh
Try changing this to "transport input all"
Not correct. SSH is restricted only to virtual lines 0 to 4. You can still connect using telnet on vty's 5 to 15.
ASKER
Thanks SIM50 and Garry-G.
I will try your suggestion as soon as I get a chance and will keep you updated. Thanks so much for your suggestions.
ASKER
Question. This is part of the config.
"ip admission name WEBBASED proxy http" any ideas?
Katrach0, here is how I would troubleshoot this.
1. Remove aaa authentication from the console for now so you won't be completely locked out.
aaa authentication login CON none
line con 0
login authentication CON
2. enable debug for authentication.
debug aaa authentication
3. open another putty window and connect to the switch through ssh/telnet and try to login
4. save debug output and disable debug
u all
5. post debug here.
"ip admission name WEBBASED proxy http" any ideas?
That is used for web based authentication if you use a radius server. Remove it from your config.
Edit: The statement above is not fully correct. You can also setup local web based authentication on a switch but your switch is missing the rest of the config for 802.1x.
ASKER
Hello SIM50, Garry-G.
My apologies for taking so long to respond to this; I have been very busy.
The problem was solved by doing the following:
I added this command: no aaa new-model
I also added this command: ip http authentication local
This is what the configuration looks like now.
I want to thank you both for your help.
Add-Commands.png