Title: ACS6000: TACACS+ or RADIUS Authentication Lockout - How to Recover?
Issue: The ACS6000 is configured with an Authentication Type of TACACS+ Down Local, TACACS+, RADIUS Down Local, or RADIUS. However, during maintenance, it is not possible to log in with either a TACACS+ or RADIUS account and/or a local account such as the admin or root account. How can access be regained with a local account for further troubleshooting?
Requirement: The procedure must be performed at the ACS6000 unit with serial console access via a HyperTerm connection.
Workaround:
In the HyperTerm window, cold boot the ACS6000 and watch for the message "Hit any key to stop autoboot", then press a key (once) to stop it. Type the following command and press Enter:
hw_boot single
bash-3.00#
bash-3.00# cat /etc/appliance.ini
Note the [auth] section in the output:
[auth]
types = dsviewdownlocal,dsview,dsviewlocal,kerberosdownlocal,kerberos,kerberoslocal,ldapdownlocal,ldap,ldaplocal,local,localradius,localtacplus,localnis,otp,otplocal,radiusdownlocal,radius,radiuslocal,tacplusdownlocal,tacplus,tacpluslocal,nis,nislocal,nisdownlocal
type-ppp = local
type = tacplus
root-console-door = no
single-sign-on = no
Note: The 'root-console-door = no' entry requires firmware version 2.4.x or higher. The entry allows fallback to the Local type for the root user in WebGUI/SSH.
Change the entries as shown below and save:
type-ppp = local
type = local
root-console-door = yes
single-sign-on = no
Then,
bash-3.00# reboot
Once the unit is fully booted, the authentication type should be whatever has been set in the appliance.ini file. This method allows login with a local account.
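
The edit described in the workaround can also be scripted so that only the [auth] keys change and the original file is kept for a later restore. This is an added example, not vendor code: the function name set_auth_local, the .bak/.new suffixes, the sample file contents (including the [other] section) and the availability of awk, cp and cat in the single-user shell are all assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Sets "type = local" and
# "root-console-door = yes" inside the [auth] section only.
# Assumes awk, cp and cat exist in the single-user shell.
set_auth_local() {
    ini=$1
    [ -f "$ini" ] || { echo "no such file: $ini" >&2; return 1; }
    awk '
        # A section header: remember whether it is [auth].
        /^[ \t]*\[/ { in_auth = ($0 ~ /^[ \t]*\[auth\][ \t]*$/); print; next }
        # Anchored key match, so "types" and "type-ppp" are left alone.
        in_auth && /^[ \t]*type[ \t]*=/ { print "type = local"; found = 1; next }
        # Only rewritten if present (the key needs firmware 2.4.x or higher).
        in_auth && /^[ \t]*root-console-door[ \t]*=/ { print "root-console-door = yes"; next }
        { print }
        END { if (!found) exit 2 }   # no "type" key under [auth]: refuse to write
    ' "$ini" > "$ini.new" || {
        rm -f "$ini.new"
        echo "not rewritten (no type key under [auth]?): $ini" >&2
        return 1
    }
    cp -p "$ini" "$ini.bak" || return 1           # keep the original for later restore
    cat "$ini.new" > "$ini" && rm -f "$ini.new"   # overwrite in place, keeps mode/owner
}

# Constructed sample (not a real appliance.ini) to show the effect.
demo_file=${TMPDIR:-/tmp}/appliance.ini.demo.$$
cat > "$demo_file" <<'EOF'
[auth]
types = local,radius,tacplus
type-ppp = local
type = tacplus
root-console-door = no
single-sign-on = no
[other]
type = tacplus
EOF
set_auth_local "$demo_file" && cat "$demo_file"
```

On the unit, the call would be set_auth_local /etc/appliance.ini; the saved /etc/appliance.ini.bak holds the previous authentication settings.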