Cisco AAA/Identity/Nac :: ACS V4.2 Changed AD Password Now Can't Get Into Enable Side
Dec 29, 2011
Changed my AD password and now i cannot get into the enable side of the cisco switches on our network (we have no routers).Looking on the logs for the ACS v4.2 I can see the following -
On TACACS+ Accounting you can see the connections which have worked - it the initial tty connections -
When i look in the failed attempts i see the following Auth failed - External DB user invalid or bad password or on another occasion internal error or EAP-TLS or PEAP authentication failed due to unknown CAcertificate during SSL handshake.
Today I wanted to change my passwords on my router Cisco 888e.I connect by telnet my router and access the enable mode.Then, I set my enable password to passwordxxx with the command enable password password1.After a show run, i could see in this config my new password correctly set. Then, I set my enable secret password to passwordxxx (the same) with the command enable secret password password1.I log off the enable mode.Try to log on with the command en but when I type the new or the old password, I receive a 'Access denied' message.
And I'm sure of the new one because on my command line to define it I could see this new password in clear!What are my solutions to access the enable mode again?If I reboot my router, it'll run the previous config file with the old password? I've only worked on the running config file and haven't apply these changes to the nvram.
How to configure authentication of enable password using acs 5.3. I have installed acs 5.3 and created user and gave relevant passwords. Following config is done on router
aaa new-model aaa authentication login default group tacacs+ local aaa authen enable default group tacacs+ enable tacacs-server host x.x.x.x key xxxxx
Now when I telnet router, i can authenticate username/pass with acs5.3 but when i try to enter enable command and give password, it gives me error in authentication. What is the process of configuring enable passwords?
I have migrated my ACS data from 4.1 to 5.1 and everything is working fine to test the connection I have configured a switch to get the authentication from the new Tacacs server, using my old username and password..i got in perfectly but when the switch asked my for enable which is the same password, it refused the password.(I have unchecked the <use a different password for enable> option) I deleted my switch from the Tacacs to enter locally, I went in with no problems..i thought that the problem may be from the old configuration.so I created a new username and password to check, and the problem still exist.
I have been experimenting with acs 4.2 and a cisco asa 5510. I have managed to authenticate the ASA users with my tacacs server. The user "test" is authenticated with the tacacs server, and can log in. But the enable password is wrong, because i dont know where to place it in the tacacs server.
Now my question is, where do i set my enable password when authenticatig with tacacs+. And for this i mean in the acs 4.2, i know how to do it on the asa.
how do I setup an enable password for an ASA 5510? At the moment its setup to authenticate using RADIUS (which I'd like to keep doing) but I need to setup an enable mode password.
I am trying to migrate an ACS 4.1.1(24) using the migraton tool to ACS 5.2. The tool is working OK. It migrates the users, groups, NDG, etc. and the reports are showing no errors.
The problem is with the Enable password of the users. The users in the ACS 4 have the TACACS+ Enable Password configured, but after the migration it appears empty in the ACS 5.
Recently I came across a router (Cisco 3845, IOS 12.4) configured for TACACS, one local username and an enable password. Going through the configuration I noticed the router didn't have an enable secret password which I thought was strange. The TACACS config is below, comments regarding the TACACS config and the consequences of not having an enable secret or if there is a need for one.
aaa authentication login default group tacacs+ aaa authentication login no_tacacs enable aaa authorization exec default group tacacs+ aaa authorization commands 1 default group tacacs+ aaa authorization commands 15 default group tacacs+ aaa accounting exec default start-stop group tacacs+ aaa accounting commands 1 default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting network default start-stop group tacacs+
It shows this option "Filter wireless clients: Apply MAC Filtering to devices that connect to the network via Wi-Fi. This is the normal usage of MAC Filtering. Filter wired clients: "However I don't see that option on the actual page. How can i enable Mac address filtering only for the wireless side?
i tried using the internet on my ipod but my wifii network wasnt connected so i went to my wifi settings on my ipod and the network name and password were changed. i tried resetting my router but nothing happened and i still cant get wifi on my ipod.
My mother accidentally turned off wireless or changed the password to the 2WIRE778 that we have and I can't get wifi on my iPod. So I have a small motorola router and it's wireless so if I hook it up to the original 2WIRE that has blocked wifi do you think I can get wifi off the second router with no password troubles or would I have to buy a special router that has no password? I don't know a lot about computers. And my Meyer has a password on our computer so I can't log on. so if I just hook up the 2nd router and possibly get WiFi do I need to do anything such as setup on the computer or can I plug it in and just go?
I have DIR600 Rev. B1 for about 2 years, and it's been working without a problem.Suddenly yesterday, I could not connect to the internet from my 2 laptop & blackberry.SSID & signal reception looks normal. On checking into the router's web interface, I noticed that the network key was changed into something else.....normal character like y2tz39s.
I'm being very curious. Has it been hacked ? Is it possible?I'm using WAP/WAP2 Security Setting for wireless connection.All other settings seems intact (firewall & even the SSID). Only the password was mysteriously changed. If I consider it being hacked, I wonder why the hacker didn't mess up all other settings ?
We are currently evaluating ISE and I am stuck with the PEAP authentication (with Server side Cert).Our current setup consists of two 5508 controllers, 30+ access point. For authentication we are using PEAP with (server side Cert). We have an IAS server which is also acting as a CA server. We are using Cisco’s NAM as a supplicant on Windows XP & 7 workstations. I would like to use ISE for authentication. I would like to use PEAP with Server side Cert (similar setup like IAS). I want ISE to perform the same function in addition to profiling etc.....
I was able to integrate ISE with Active Directory but could not get it working with PEAP (server side Cert). I would also like to know if they used Microsoft’s CA server or Open SSL CA server or a third party CA server (Go Daddy, VeriSign etc.)Can you we ISE as a CA server just the way we used Microsoft’s IAS Server as a CA Server?
i configured cisco asa 5520 as cisco ezvpn server and cisco 891 as ezvpn client .the configurtion is working fine.i am using client mode on the ezvpn client side.but my quesion is , is it possible to communicate to ezvpn client side internal ip from the ezvpn server side?and one more thing what is the benefit of network extension mode on the client side and how it will work what are possible changes need to do in the server and the client side.
I have setup Cisco Identity Service Engine (1.1.1) with Wireless LAN Controller (7.2.110)Everything is complete unless the URL redirect. My guest client can join the Guest SSID and also can authenticate to ISE.But after they success to authenticate with ISE, the URL in the browser doesn't change to the pre-configure. It still be something like [URL]. Anyway the content in the browser is changed to the URL that being configured such as url...How can I do with this situation cause everything is working fine but only the browser URL that is not change to the preconfigure one.
My son decided to update our router firmware, together with this the password was changed. My computer which hosts the Internet connection works fine, all other laptops have now been connected successfully after simply changing the password. However my wifes laptop won't play ball. It is a Samsung R510, with Vista Home Premium OS. It worked fine prior to updating the firmware. I have been through the process of changing the password and have the correct security encryption in place, exactly the same process as with the other laptops.
It then says successfully connected, but shows in the bottom right of the screen, Unidentified network access local only and will not connect when the browser is opened. I have tried to diagnose but the usual windows prompt to reboot both modem and router has no effect. I have set it to private, as advised elsewhere, I have switched the firewall off and removed security software, all to no avail.
I tried the command prompt, then ipconfig/renew. An error occurred while renewing interface Wireless Connection: unable to contact your DHCP server. Request has timed out. No operation can be performed on Local Area Connection while it has media disconnected. Let me stress that no changes were made to the laptop at all, it is simply not connecting following the firmware update and password change. All other computers, and phones, 6 in total, are all working fine from simply changing the password.
I returned to work and found a note that my Outlook and Windows password had been changed during the night by the IT department. Why would they need to change my password? Are they monitoring my work somehow.
I'm trying to setup an ASA and a UC540 side by side, to utilize the ASA for data networking and the UC540 for voice. This 'should' work fine, I just seem to be having an issue where the ASA seems to be blocking traffic from the voice network as it passes through.So here is the LAN setup:ASA: 1.1.1.1UC540: 1.1.1.2The UC has a voice vlan 10.1.1.1/24 and a service module at 10.1.10.1/30My PC uses the ASA as its default gateway, 1.1.1.1The ASA then has static routes to the UC networksRoute 10.1.1.1/24 1.1.1.2Route 10.1.10.1/30 1.1.1.2Ping from PC to the UC networks works fine. However, ping from the UC networks to PC fails. ASA logs show traffic being denied due to not having an established connection or something.My guess is that the traffic is being blocked because the egress and ingress paths are different? Traffic from the PC goes to the ASA, then gets routed to the UC and it works. However in the other direction, traffic from the UC is going directly to the PC and bypassing the ASA, because its a directly connected network and doesn't have to route through the ASA to get to the PC. The reply traffic from the PC DOES go through the ASA following its route table, thus the issue of the ASA not seeing the established connection?Same-security inter and intra interface is enabled.So I think I see the issue, I just don't know how to fix it. Is there something I can configure on the ASA to allow for this? My only other option would be to configure a /30 on a new vlan to handle the routing between the UC and ASA or something, but that seems like its going to make this simple setup way too complicated with extra networks, vlans, trunks, etc.I am running ASA version 8.4.5?
My E1500 enters a state where the LAN-side (broadcast, etc.) works, but the WAN-side (internet connection) just goes away. If I go unplug and replug the E1500 the internet connectivity comes back.When this happens, the wireless indicator on my desktop (Dell with Intel wifi) says I have an internet connection, but I clearly don't.
I have a Linksys E3000, have had it successfully connected for three months now. Recently I attempted to connect my xbox 360 to the wifi and had issues connecting it. So I called ATT to obtain the PPPoE username and password, which they reluctantly gave me. Entered that into the xbox and still unable to connect, so I have given up on the xbox for the time being, I'll post that issue in a different forum. Where my issue is now is since contacting ATT the WPA2 password I set up for the router no longer works. I cannot access the router setup page, and I cannot add any new wifi devices. Although, all of the previously connected wifi devices are still connected to the router despite this issue. Is there anyway to make the old password work, or do I have to reset the router and start from scratch, and God forbid contact ATT again?
Recently, I bought the E3200, and tried to configure its ports for gaming. Yet, whenever I would hit save settings, it would say my settings were saved, then return me to the settings page. But the settings would be blank. I tried downloading firmware from the website (which should say September 28), yet it still says I am running the firmware from September 1st, even after I applied the upgrade and followed through with the 50 second reboot process.
So, I guess my final question for any tech savvy person out there is "What is wrong with my router/firmware?" I am running the browser config in the most recent Firefox on the same MacBook I used to install the router, and haven't changed any settings other than the SSID and password.
configuring AAA on 1841 router, initially it authenticates me well using my TACAS+ login. but though i have configured enable password in router, router directly puts me in privilage mod without asking enable password .
my configs for AAA as below
aaa authentication login ACS group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization config-commands aaa authorization exec ACS group tacacs+ local aaa authorization commands 0 ACS group tacacs+ local aaa authorization commands 15 ACS group tacacs+ local aaa accounting commands 1 ACS start-stop group tacacs+ aaa accounting commands 15 ACS start-stop group tacacs+
I need to recover switch enable password, i have already configured AAA also, when i am tryig to follow below proceedure finally saying Authorization failed. how can i recover enable password,If I try to recover password like this description says [URL]
Step 1 Connect a terminal or PC with terminal-emulation software to the switch console port.
Step 2 Set the line speed on the emulation software to 9600 baud.
Step 3 Power off the switch. Reconnect the power cord to the switch and, within 15 seconds, press the Mode button while the System LED is still flashing green.
Base ethernet MAC Address: 00:0x:xx:xx:xx:xx Xmodem file system is available. The password-recovery mechanism is enabled.
The system has been interrupted prior to initializing the flash filesystem. The following commands will initialize the flash filesystem, and finish loading the operating system software:
I have a cisco 1801 router that is not prompting for enable password.After loging into router thru telnet it puts direct into privelege mode without promting for enable password.Here is the configuration:
User Access Verification Username: adminPassword:xxxxx#sh runBuilding configuration... Current configuration : 2132 bytes!version 12.4service timestamps debug datetime msecservice timestamps log datetime msecservice password-encryption!hostname xxxxxx!boot-start-markerboot-end-marker!enable password 7 022F0A5D0208063555692B!no aaa new-model!!dot11 syslog!!ip cefno ip dhcp use vrf connectedip dhcp excluded-address 192.168.0.1 192.168.0.10!ip dhcp pool LAN import all network 192.168.0.0 255.255.255.0 default-router 192.168.0.1!!!multilink bundle-name authenticated!!username admin privilege 15 password 7 112017031E1C02181Dusername user privilege 3 password 7 091D1C5A100B111B05051033!!archivelog config hidekeys!!!!!interface ATM0no ip addressno atm ilmi-keepalivepvc xxxxx
We are installaing a new RSP720 on 7606 platform and facing a peculiar problem. It is prompting for a enable password. We have not configured anything on router yet, still it is asking for enable password.
I have created internal user on internal identiy store --> users with password & enable password , Similarly i have enabled max privilige level 15 under policy elements , authorisation & permission ,Device administration , shell profile .But i am unable to login into device using enable password , I am finding following error on my logg report
Failuire reason : 13029 Requested privilige level is too high .
I have a problem with an ASA5510 (8.0.4) firewall in South Africa (I'm in the UK).It's a replacement firewall that I am trying to configure remotely through a serial device with an internet facing connection, but the enable password is not working.I can connect to the device OK, type 'en' and when propted for the password whatever I use (blank, cisco, Cisco etc.) I get an 'invalid password' message.
Since I changed the password on my wireless router{linksys}, my desktop is fine but both laptops cannot find network connection. when I ipconfig/all I get "media disconnected" and no ip address.