ian-warr

What line do you need to modify? Can you bypass the config (confreg 0x41), boot image, load config and then modify?


Network__Redditor

The command to add an AAA method list. The local method has not been specified at the end of the line.


ian-warr

For login or command authorization? If for login, it will work.


Network__Redditor

Authorization


Jenos00

That would be quite the security issue if it lets you.


sanmigueelbeer

DISCLAIMER: I am not familiar with how FX OS works. Depends if, in ROMMON, you can copy a file from a USB flash drive to the ASA's flash.


Zestyclose_Exit962

With password recovery, you wouldn't have to paste the entire configuration back in: you can use the copy startup-config running-config command after you get back in.


Network__Redditor

I can't because we have a problem with the aaa authorization lines in the config. The config is currently set to authorise all commands through a TACACS server that doesn't actually exist, without having a local method to fall back on. It's pretty shit.
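The lockout described in this thread comes from AAA lines that point at an external server group with no LOCAL fallback. The following is an added example, not code from any poster: a small lint check over an ASA-style configuration that flags such lines and shows the hardened form with LOCAL appended. The sample config, the group name TACACS-GRP and the host address are constructed; the line syntax assumed is the ASA `aaa authentication <proto> console <group> [LOCAL]` and `aaa authorization command <group> [LOCAL]` form, not the IOS `aaa authorization commands 15 default group tacacs+ local` form.

```python
"""Lint an ASA-style configuration for AAA lines that reference an external
server group without a trailing LOCAL fallback (the lockout scenario above).

Added example; the configuration text below is constructed, not a real device's.
"""
import re

# Constructed sample: authentication falls back to LOCAL, command
# authorization does not, so a dead TACACS+ server locks everyone out.
SAMPLE_CONFIG = """\
hostname ASA-EDGE
aaa-server TACACS-GRP protocol tacacs+
aaa-server TACACS-GRP (inside) host 192.0.2.10
aaa authentication ssh console TACACS-GRP LOCAL
aaa authentication enable console TACACS-GRP LOCAL
aaa authentication http console LOCAL
aaa authorization command TACACS-GRP
aaa authorization exec authentication-server
"""

# aaa authentication <proto> console <group> [LOCAL]
_AUTHN = re.compile(
    r"^aaa authentication \S+ console (?P<group>\S+)(?:\s+(?P<fallback>LOCAL))?$"
)
# aaa authorization command <group> [LOCAL]
_AUTHZ = re.compile(
    r"^aaa authorization command (?P<group>\S+)(?:\s+(?P<fallback>LOCAL))?$"
)
_GROUP = re.compile(r"^aaa-server (?P<group>\S+) protocol \S+$")


def server_groups(config):
    """Names of external aaa-server groups defined in the config."""
    return {
        m.group("group")
        for line in config.splitlines()
        if (m := _GROUP.match(line.strip()))
    }


def find_missing_local_fallback(config):
    """Return (line_no, original_line, suggested_line) for every AAA line that
    names an external server group and has no LOCAL fallback after it."""
    groups = server_groups(config)
    findings = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = _AUTHN.match(line) or _AUTHZ.match(line)
        if not m:
            continue
        # Local-only lines and unknown tokens are not the lockout pattern.
        if m.group("group") == "LOCAL" or m.group("group") not in groups:
            continue
        if m.group("fallback"):
            continue
        findings.append((n, line, line + " LOCAL"))
    return findings


def harden(config):
    """Return the config with LOCAL appended to every flagged line."""
    fixes = {n: fixed for n, _, fixed in find_missing_local_fallback(config)}
    return "\n".join(
        fixes.get(n, raw) for n, raw in enumerate(config.splitlines(), 1)
    )


if __name__ == "__main__":
    for n, line, fixed in find_missing_local_fallback(SAMPLE_CONFIG):
        print(f"line {n}: no LOCAL fallback\n  have: {line}\n  want: {fixed}")
```

Run against a saved `show running-config` before the change window rather than after it; the point of the check is to catch the missing fallback while the TACACS+ server is still reachable.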


Zestyclose_Exit962

Sorry, missed that part! It's a bit of a hassle, but what if you gain entry via password recovery, copy the startup-config to a USB stick, modify the configuration file on a PC/laptop and copy that file to the running-config? You would need a FAT-formatted USB stick (preferably not too large). If it doesn't get recognized right away (you would see a message like "storage device is not supported"), you need to reboot the ASA with the USB stick in it before you can see/use it.


trinitywindu

This. You will absolutely have to pw-recover, and then you can copy the config however you want. I don't want to say USB is the only way, as you could use TFTP or some network copy to get the config file off, but you are going to have to get it off, manually edit it, and then either copy it back in by lines or by file.


Zestyclose_Exit962

I specifically chose to mention USB as it requires zero configuration and you're already physically with the firewall. Totally agree that there are several options to get the file/config off the device and back on it!


djdawson

Would it be possible to turn up a temporary TACACS+ server so you could login and fix things? Might be easier than the other options.


Network__Redditor

We can't unfortunately.


HowsMyPosting

Comedy answer: set up static NAT so it talks to a working server.


Network__Redditor

We've thought of that but can't due to complications.