Really messed up please help!!

dekelley1

Junior Member
Oct 24, 2013
We have equipment set up on the freeway for tolling and the equipment can only be taken down during planned outages. Last night was one of those planned outages for maintenance. I replaced two 2950 switches with 3650's. I configured RADIUS server for authentication including the console and saved the config. I then tested the switch at my desk and noticed I couldn't ping. I then saw I didn't do no shut on the Vlan int. So I changed the config, ended the console session and turned off the switch.

Then I went down to the freeway and installed both switches and what do you know?!?! I can't access the switch from the console or VTY lines. So stupid, I didn't save the config after making the Vlan config change. All layer two is working fine but I have no management or layer three access!

Could anyone help me in finding a way to access the switch without bringing it down? The state won't allow it, so I'm not sure what to do. My config is below:

thanks in advance

hostname tn24thstsw
!
aaa new-model
aaa authentication login TNB-Admin-Ops group radius local enable
aaa authorization exec default group radius
!
username xxxx privilege 15 password 7 053F260C2E414F584B
username xxxx privilege 15 password 7 107A291A0A1A135A5E
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
spanning-tree portfast
!
interface FastEthernet0/2
spanning-tree portfast
!
interface FastEthernet0/3
spanning-tree portfast
!
interface FastEthernet0/4
spanning-tree portfast
!
interface FastEthernet0/5
spanning-tree portfast
!
interface FastEthernet0/6
!
interface FastEthernet0/7
spanning-tree portfast
!
interface FastEthernet0/8
spanning-tree portfast
!
interface FastEthernet0/9
spanning-tree portfast
!
interface FastEthernet0/10
spanning-tree portfast
!
interface FastEthernet0/11
spanning-tree portfast
!
interface FastEthernet0/12
spanning-tree portfast
!
interface FastEthernet0/13
spanning-tree portfast
!
interface FastEthernet0/14
spanning-tree portfast
!
interface FastEthernet0/15
spanning-tree portfast
!
interface FastEthernet0/16
spanning-tree portfast
!
interface FastEthernet0/17
spanning-tree portfast
!
interface FastEthernet0/18
spanning-tree portfast
!
interface FastEthernet0/19
spanning-tree portfast
!
interface FastEthernet0/20
spanning-tree portfast
!
interface FastEthernet0/21
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/22
spanning-tree portfast
!
interface FastEthernet0/23
spanning-tree portfast
!
interface FastEthernet0/24
spanning-tree portfast
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1
switchport mode trunk
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 172.27.3.88 255.255.248.0
no ip route-cache
shutdown
!
ip classless
ip http server
!
logging trap debugging
logging 172.27.1.130
radius-server host 172.27.1.57 auth-port 1812 acct-port 1813 key 7 073F2943400A183612062B2D5569
radius-server vsa send authentication
!
control-plane
!
!
line con 0
line vty 0 4
login authentication TNB-Admin-Ops
line vty 5 15
!
ntp server 172.27.0.230
end

Here is the error I get when trying to console in.

Press RETURN to get started.

% Authorization failed.

tn24thstsw con0 is now available

Press RETURN to get started.
 

lif_andi

Member
Apr 15, 2013
Any reason you can think of why authorization is failing? Are you getting IP connectivity? Are you getting prompted for user and pass when you try to connect?

If the answer to those questions is no, then the best thing you could do is tell your boss about it as soon as possible so that a planned downtime can be scheduled and the problem can be fixed.

An extra question: Are the switches working as intended?
 

drebo

Diamond Member
Feb 24, 2006
Auth is failing because you don't have an authorization method configured under line con 0, which you'll need to do since you have aaa new-model configured. Since your only L3 interface is shut down, you can't get vty access.

In short, you're going to have to power cycle the equipment and perform a password reset procedure (pretty easy, takes about 5 minutes.)
 

lif_andi

Member
Apr 15, 2013
Missed the "shutdown" command under VLAN 1... drebo is right, you'll have to power cycle. Sorry mate.
 

SecurityTheatre

Senior member
Aug 14, 2011
I'm thinking that the city of Tacoma would not appreciate having their password posted in an online forum (I don't think you're actually in Tacoma, but I think you'll get my meaning).

I also suggest changing those passwords now, and any other devices that have it (that includes your RADIUS server - which might not be in Tacoma- heh).

I also suggest removing the passwords from this post.

If supported, don't use PASSWORD 7. It's awful security.

As for the authentication, the previous post seems correct and a reset procedure may be necessary.
 

dekelley1

Junior Member
Oct 24, 2013
City of Tacoma? Where does it say I'm in Tacoma? Thanks for all your replies. I don't need a default gateway as this network is not accessible from the outside world and the machine I'm managing from is w/in the same network. Also, this setup is temp as we are testing new equipment, which is why I really needed my management up.

So I configured another switch, connected the switches via gbic uplink and can now manage the new equipment that is connected to the other switch. It will just have to stay like this until the next shutdown.
 

lif_andi

Member
Apr 15, 2013
Read what SecurityTheatre is saying though, these passwords are not very difficult to decrypt.

Finding out where you are isn't either, and putting 2 and 2 together is not hard if you'd really want to.... just a friendly heads up from good natured posters that it's not the best idea to post these passwords on a public forum....

The fact that you didn't get the Ta***a hint is Ph***Se**A**....
 

alkemyst

No Lifer
Feb 13, 2001
OP, you will need to do a password recovery as noted. Set up password encryption.

Since you are going to be in there you may as well do some best practices:

crypto key generate rsa general-keys mod 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2

line vty 0 15
exec-timeout 30 0
logging synchronous level all limit 100
transport input ssh
transport output ssh


• Enable TCP keepalives.
service tcp-keepalives-in
service tcp-keepalives-out

• Enable recommended specified services
service nagle
service linenumber
service sequence-numbers
service password-encryption

• Disable http / https access
no ip http server
no ip http secure-server

• Enable logging timestamps
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone

• Disable unnecessary services
no service pad
no service finger
no service udp-small-servers
no service tcp-small-servers
no service slave-log


• Disable IP Source Route
no ip source-route

• General Layer-3 Interface Security Settings
no mop enabled
no ip redirects
no ip proxy-arp

maybe add login local to your console and vty's as well
 

dekelley1

Junior Member
Oct 24, 2013
Read what SecurityTheatre is saying though, these passwords are not very difficult to decrypt.

Finding out where you are isn't either, and putting 2 and 2 together is not hard if you'd really want to.... just a friendly heads up from good natured posters that it's not the best idea to post these passwords on a public forum....

The fact that you didn't get the Ta***a hint is Ph***Se**A**....

Oh I did listen and appreciate the warning. When the testing is complete and we go into final production I will definitely implement your suggestions. Even though this network is isolated, none of the usernames/passwords would remain the same anyway.