Fri, May 21, 2021 5:48 PM

Enable Password Fiasco

Hi All,


I'm working with a client who recently let go of their network engineer and hired our company to help with managing their network.  It appears that the enable password they were given by the engineer as he left is not the actual enable password, which leaves us in a bit of a situation.  

Typically, I would just say let's go and reboot the switches and do a password reset, but there are a lot of switches and they're spread out across the country, meaning it's going to be a slog.

They've got a AAA setup in the configuration.  I was curious as to whether a user could be somehow elevated on the RADIUS side so that when they logged in, they were already in enable mode.  

Just wanted to get thoughts on the subject and see if I'm just delaying the inevitable or if it's feasible.

Cheers

-J

Employee


6 m ago

Hi - Please share the aaa config from the ICX.

show run | inc aaa

Let us see if there is a way.

Thanks

Vu

Employee


If you have these two statements in the config, then we should be able to log in to enable mode with a RADIUS account:

SSH@ICX7150-C12-SW1(config)#show run | inc aaa
aaa authentication enable default radius local
aaa authentication login default radius local

Thanks,

Vu


Hmm...it looks like that isn't the case (at least on the random sample that I've taken)

aaa authentication login default local radius

is the only configuration for AAA

Official Rep


6 m ago

Hi Joel,

The authentication order set is local followed by RADIUS. You can find more info on authentication order in the links below.

https://docs.commscope.com/bundle/fastiron-08090-commandref/page/GUID-E345B830-6EFF-4A96-9832-1B135115D8E6.html

https://docs.commscope.com/bundle/fastiron-08090-commandref/page/GUID-12709AE8-FF8D-458C-9A7E-9F885A4787DA.html

If the problem persists, please open a support case so that our team can review the config and make the necessary changes.

Thanks

Jijo 



6 m ago

Thanks everyone.

Based on what I can see, the client's config does not include the authentication enable item, so it seems likely that we will have to do this device by device.

Thanks everyone for their input.
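Added example, not posted by anyone in this thread: rather than relying on a random sample, the check discussed above (are both `aaa authentication enable default ... radius` and `aaa authentication login default ... radius` present, and in what order) can be run over saved `show run | inc aaa` output from every switch. The hostnames and the sample outputs are constructed, and the script assumes the output has already been collected as text.

```python
import re

# Constructed sample: saved "show run | inc aaa" output per switch (hostnames are made up).
SAMPLE = {
    "sw-hq-01": "SSH@sw-hq-01(config)#show run | inc aaa\n"
                "aaa authentication enable default radius local\n"
                "aaa authentication login default radius local\n",
    "sw-br-07": "aaa authentication login default local radius\n",
    "sw-br-12": "",
}

# Matches only the two statement types quoted in the thread.
AAA_LINE = re.compile(r"^aaa authentication (enable|login) default (.+)$")

def parse_aaa(output):
    """Return {'login': [methods...], 'enable': [methods...]} in configured order."""
    methods = {}
    for line in output.splitlines():
        m = AAA_LINE.match(line.strip())  # prompt/echo lines do not match and are skipped
        if m:
            methods[m.group(1)] = m.group(2).split()
    return methods

def classify(output):
    """Bucket a switch by whether RADIUS is listed for enable and/or login."""
    cfg = parse_aaa(output)
    if "radius" in cfg.get("enable", []) and "radius" in cfg.get("login", []):
        # Both statements from the thread are present; whether a given RADIUS
        # account is actually granted enable still depends on the server side.
        return "radius-enable"
    if "radius" in cfg.get("login", []):
        return "radius-login-only"  # no enable statement: the case reported in the thread
    return "no-radius"

def audit(outputs):
    """Group hostnames by classification so the device-by-device list is explicit."""
    report = {}
    for host, out in outputs.items():
        report.setdefault(classify(out), []).append(host)
    return report

if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE).items():
        print(f"{bucket}: {', '.join(hosts)}")
    # Method order matters too: local is tried before radius on this switch.
    print("sw-br-07 login order:", parse_aaa(SAMPLE["sw-br-07"])["login"])
```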
