https://community.cisco.com/t5/network-access-control/best-practice-for-reenabling-aaa/m-p/2867431#M36868 <P>Hi,</P> <P></P> <P>How do you access the device ?</P> <P></P> <P>Is it via SSH/telnet/console ?</P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> <P></P> <P></P> <P></P> Sun, 03 Apr 2016 09:03:21 GMT Aditya Ganjoo 2016-04-03T09:03:21Z https://community.cisco.com/t5/network-access-control/best-practice-for-reenabling-aaa/m-p/2867426#M36857 <P>Hi,</P> <P></P> <P>My question is about reenabling AAA on a device. I have a company A that had their devices and their AAA configuration. Now company A was bought by company B and the devices of company A are migrating to configuration standard of B. Network engineers of B receive access to A with line password and when they do aaa new-model they lock themselves as configuration of aaa was not removed but only turned of by "no aaa new-model".</P> <P>I assume that best practice would be to instruct guys from A to remove whole config of AAA but lets say that I cannot do it. What's the best method to migrate to new aaa configuration?</P> Mon, 11 Mar 2019 06:38:14 GMT https://community.cisco.com/t5/network-access-control/best-practice-for-reenabling-aaa/m-p/2867426#M36857 raaffffii 2019-03-11T06:38:14Z https://community.cisco.com/t5/network-access-control/best-practice-for-reenabling-aaa/m-p/2867427#M36859 <P>Hi,</P> <P></P> <P>Could you share the sh run | in aaa output of the device ?</P> <P></P> <P>If not then you can go ahead and remove the aaa config for the A company and configure the new one for company B.</P> <P></P> <P>Since you have already used no aaa new-model that means you have turned off the AAA on the device.</P> <P></P> <P>Not sure why did you <G class="gr_ gr_212 gr-alert gr_gramm gr_run_anim Grammar only-ins replaceWithoutSep" id="212" data-gr-id="212">get</G> lock out on the device ?</P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> <P>Please rate helpful posts.</P> Sun, 03 Apr 2016 07:59:36 GMT https://community.cisco.com/t5/network-access-control/best-practice-for-reenabling-aaa/m-p/2867427#M36859 Aditya Ganjoo 2016-04-03T07:59:36Z https://community.cisco.com/t5/network-access-control/best-practice-for-reenabling-aaa/m-p/2867428#M36862 <P>Hi Aditya,</P> <P>Thank you for the answer. Both companies have their own ACS servers engineer from B has account only on ACS B. So when he enables aaa new-model when being logged in locally with a password old configuration takes into place. Old with aaa authorization so he now is unauthorized to do anything.</P> Sun, 03 Apr 2016 08:07:20 GMT https://community.cisco.com/t5/network-access-control/best-practice-for-reenabling-aaa/m-p/2867428#M36862 raaffffii 2016-04-03T08:07:20Z https://community.cisco.com/t5/network-access-control/best-practice-for-reenabling-aaa/m-p/2867429#M36866 <P>Hi,</P> <P></P> <P style="padding-left: 30px;"><G class="gr_ gr_15 gr-alert gr_gramm gr_run_anim Punctuation only-ins replaceWithoutSep" id="15" data-gr-id="15">Yes</G> you are correct.</P> <P style="padding-left: 30px;"></P> <P style="padding-left: 30px;">So you can go ahead with removing the aaa authorization command.</P> <P style="padding-left: 30px;"></P> <P style="padding-left: 30px;">Regards,</P> <P style="padding-left: 30px;"></P> <P style="padding-left: 30px;">Aditya</P> <P style="padding-left: 30px;"></P> <P style="padding-left: 30px;">please rate helpful posts.</P> Sun, 03 Apr 2016 08:09:40 GMT https://community.cisco.com/t5/network-access-control/best-practice-for-reenabling-aaa/m-p/2867429#M36866 Aditya Ganjoo 2016-04-03T08:09:40Z https://community.cisco.com/t5/network-access-control/best-practice-for-reenabling-aaa/m-p/2867430#M36867 <P>I don't know if you see this but when you do "no aaa new-model" then all the commens that you configured aaa authentication, authorization are somehow hidden and not removed. When you reenable aaa by "aaa new-model" then they apear once again in config. So the engineer does not have a chance to remove them as he locks himself just after enabling aaa.</P> Sun, 03 Apr 2016 08:19:57 GMT https://community.cisco.com/t5/network-access-control/best-practice-for-reenabling-aaa/m-p/2867430#M36867 raaffffii 2016-04-03T08:19:57Z https://community.cisco.com/t5/network-access-control/best-practice-for-reenabling-aaa/m-p/2867431#M36868 <P>Hi,</P> <P></P> <P>How do you access the device ?</P> <P></P> <P>Is it via SSH/telnet/console ?</P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> <P></P> <P></P> <P></P> Sun, 03 Apr 2016 09:03:21 GMT https://community.cisco.com/t5/network-access-control/best-practice-for-reenabling-aaa/m-p/2867431#M36868 Aditya Ganjoo 2016-04-03T09:03:21Z https://community.cisco.com/t5/network-access-control/best-practice-for-reenabling-aaa/m-p/2867432#M36870 <P>via telnet</P> Sun, 03 Apr 2016 11:06:53 GMT https://community.cisco.com/t5/network-access-control/best-practice-for-reenabling-aaa/m-p/2867432#M36870 raaffffii 2016-04-03T11:06:53Z https://community.cisco.com/t5/network-access-control/best-practice-for-reenabling-aaa/m-p/2867433#M36874 <P>Hi,</P> <P></P> <P>Could you&nbsp;share the show run | in aaa and show run | sec vty config from the device ?</P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> Sun, 03 Apr 2016 11:28:26 GMT https://community.cisco.com/t5/network-access-control/best-practice-for-reenabling-aaa/m-p/2867433#M36874 Aditya Ganjoo 2016-04-03T11:28:26Z