topic Re: Removing AAA from a 9500 switch in Network Access Control

Removing AAA from a 9500 switch

chad.parish — Sat, 06 Aug 2022 19:16:54 GMT

I have a 9500 switch with just AAA new model configured, nothing else.

I want to remove it so that I can then configure login local under the VTY lines. Can this be done and does it require a reboot? Or is it easier to just globally configure the below commands (Note username and password are configured globally with privelge 15)

aaa authentication login default local
aaa authorization exec default local

Re: Removing AAA from a 9500 switch

Tim Glen — Sat, 06 Aug 2022 19:21:36 GMT

Instead of using default I prefer using method lists to tie things together. Here is a AAA config that will accomplish your goals.



!
aaa new-model
!
aaa authentication login CON-LOCAL local
aaa authorization exec CON-LOCAL local
aaa authorization console
!
!
line con 0
login authentication CON-LOCAL
authorization exec CON-LOCAL
!
line vty 0 15
login authentication CON-LOCAL
authorization exec CON-LOCAL
!
end
!

Re: Removing AAA from a 9500 switch

chad.parish — Sat, 06 Aug 2022 19:36:10 GMT

I like that, thank you, however out of curiosity what happens if I just put in no aaa new-model, since the only AAA config present is aaa new-model.

Would it kick me out before I could configure login local under the VTY lines? And can I even config login-local or is it just login after configuring no aaa new-model?

Re: Removing AAA from a 9500 switch

Tim Glen — Sat, 06 Aug 2022 19:44:55 GMT

Hey Chad,

> Would it kick me out before I could configure login local under the VTY lines?

No , you won't get booted off the switch.

> no aaa new-model

It's been a while but I **believe** you will get an prompt stating that isn't supported. If you choose to go past that prompt 'unexpected results may occur'.

Hope this helps.