https://community.cisco.com/t5/network-security/aaa-new-model/m-p/4058652#M1068718 I appreciate both suggestions.<BR /><BR />Thanks again! Fri, 03 Apr 2020 18:55:25 GMT BigK 2020-04-03T18:55:25Z https://community.cisco.com/t5/network-security/aaa-new-model/m-p/4058594#M1068707 <P>Hello,&nbsp;</P><P>&nbsp;</P><P>what is the suggested method to configure aaa new-model and 802.x on a remote router without locking myself out of the router and if I did lock myself, what is the process to recover and access the device again.</P><P>&nbsp;</P><P>Here is my current config&nbsp;</P><P>aaa new-model<BR />!<BR />!<BR />aaa group server tacacs+ TACACS-GROUP<BR />server name SITE1-ISE1<BR />server name SITE2-ISE2<BR />!<BR />aaa authentication password-prompt TACACS.server.failed-Use.enable.password:<BR />aaa authentication login default group TACACS-GROUP local-case enable<BR />aaa authentication enable default group TACACS-GROUP enable<BR />aaa authorization console<BR />aaa authorization config-commands<BR />aaa authorization exec default group TACACS-GROUP local<BR />aaa authorization commands 15 default group TACACS-GROUP local<BR />aaa accounting exec default start-stop group TACACS-GROUP<BR />aaa accounting commands 15 default start-stop group TACACS-GROUP<BR />aaa accounting network default start-stop group TACACS-GROUP<BR />aaa accounting connection default start-stop group TACACS-GROUP<BR />aaa accounting system default start-stop group TACACS-GROUP</P><P>&nbsp;</P><P>line con 0<BR />password 7 05080F1C9961<BR />logging synchronous<BR />transport output none<BR />stopbits 1</P><P>line vty 0 15<BR />password 7 124D4<BR />logging synchronous<BR />transport input ssh<BR />transport output all</P><P>&nbsp;</P><P>Thanks !</P><P>&nbsp;</P> Fri, 03 Apr 2020 18:38:04 GMT https://community.cisco.com/t5/network-security/aaa-new-model/m-p/4058594#M1068707 BigK 2020-04-03T18:38:04Z https://community.cisco.com/t5/network-security/aaa-new-model/m-p/4058605#M1068710 <P>As Long as you are not saved the configuration, some one can reboot the device you can still able to Login using Local username and password.</P> <P>&nbsp;</P> <P>you can have 2 Open Session one you can try with radius and one open already with Local account.</P> <P>&nbsp;</P> Fri, 03 Apr 2020 18:14:34 GMT https://community.cisco.com/t5/network-security/aaa-new-model/m-p/4058605#M1068710 balaji.bandi 2020-04-03T18:14:34Z https://community.cisco.com/t5/network-security/aaa-new-model/m-p/4058631#M1068715 <P>Thanks BB.</P><P>&nbsp;</P><P>I am planning on sending the router with aaa config and saved config. any other suggestions?&nbsp;&nbsp;</P> Fri, 03 Apr 2020 18:36:06 GMT https://community.cisco.com/t5/network-security/aaa-new-model/m-p/4058631#M1068715 BigK 2020-04-03T18:36:06Z https://community.cisco.com/t5/network-security/aaa-new-model/m-p/4058645#M1068717 Hi,<BR />Ideally you should test the configuration on a local device, but...<BR /><BR />Before you make the changes use the "reload in X" command, which would reload the device in X minutes if you were to be locked out. Open a new ssh connection (don't close the old session), test the changes work as expected then cancel the reload command using "reload cancel". If you were to have issues and you were locked out you just need to wait until the reload command reboots the router and it reloads - obviously don't save the the configuration until you confirms it works as expected.<BR /><BR />HTH Fri, 03 Apr 2020 18:49:16 GMT https://community.cisco.com/t5/network-security/aaa-new-model/m-p/4058645#M1068717 Rob Ingram 2020-04-03T18:49:16Z https://community.cisco.com/t5/network-security/aaa-new-model/m-p/4058652#M1068718 I appreciate both suggestions.<BR /><BR />Thanks again! Fri, 03 Apr 2020 18:55:25 GMT https://community.cisco.com/t5/network-security/aaa-new-model/m-p/4058652#M1068718 BigK 2020-04-03T18:55:25Z https://community.cisco.com/t5/network-security/aaa-new-model/m-p/4058892#M1068727 <P>hi,</P><P>is this a new device or already in production?</P><P>don't forget these lines:</P><P><EM>tacacs-server host TACACS-1</EM><BR /><EM>tacacs-server host TACACS-2</EM><BR /><EM>tacacs-server directed-request</EM><BR /><EM>tacacs-server key &lt;KEY STRING&gt;</EM></P> Sat, 04 Apr 2020 04:13:00 GMT https://community.cisco.com/t5/network-security/aaa-new-model/m-p/4058892#M1068727 johnlloyd_13 2020-04-04T04:13:00Z https://community.cisco.com/t5/network-security/aaa-new-model/m-p/4058948#M1068729 <P>Hi,</P><P>&nbsp;</P><P>&nbsp; &nbsp;I understand that you want to remotely enable AAA, without loosing access to the device, completely. I've done some changes to your config, explained below:</P><P>&nbsp;</P><P>1. Ensure you have your TACACS servers defined as below:</P><P><SPAN>tacacs server SITE1-ISE1</SPAN></P><P><SPAN><SPAN class="Apple-converted-space">&nbsp;</SPAN>address ipv4 x.x.x.x</SPAN></P><P><SPAN><SPAN class="Apple-converted-space">&nbsp;</SPAN>key xxx</SPAN></P><P><SPAN>!</SPAN></P><P><SPAN>tacacs server SITE2-ISE2</SPAN></P><P><SPAN><SPAN class="Apple-converted-space">&nbsp;</SPAN>address ipv4 x.x.x.x</SPAN></P><P><SPAN><SPAN class="Apple-converted-space">&nbsp;</SPAN>key xxx</SPAN></P><P><SPAN>aaa group server tacacs+ TACACS-GROUP</SPAN><BR />&nbsp;ip tacacs source-interface xxx&nbsp;<STRONG>(ensure to hardcode this,&nbsp;otherwise, depending on your routing design, it may happen that the&nbsp;device uses different source IP's to speak with&nbsp;the TACACS server and it's&nbsp;gonna get rejected)</STRONG></P><P>&nbsp;</P><P>2. If you would use "non-default" AAA lists, you would not loose access at all. With "default" AAA list follow this order of commands:</P><P>!</P><P><SPAN>aaa new-model</SPAN></P><P><SPAN>tacacs server SITE1-ISE1</SPAN></P><P><SPAN><SPAN class="Apple-converted-space">&nbsp;</SPAN>address ipv4 1.1.1.1</SPAN></P><P><SPAN><SPAN class="Apple-converted-space">&nbsp;</SPAN>key xxx</SPAN></P><P><SPAN>!</SPAN></P><P><SPAN>tacacs server SITE2-ISE2</SPAN></P><P><SPAN><SPAN class="Apple-converted-space">&nbsp;</SPAN>address ipv4 2.2.2.2</SPAN></P><P><SPAN><SPAN class="Apple-converted-space">&nbsp;</SPAN>key xxx</SPAN></P><P><SPAN>aaa group server tacacs+ TACACS-GROUP</SPAN></P><P><SPAN>!<BR />aaa group server tacacs+ TACACS-GROUP<BR />server name SITE1-ISE1<BR />server name SITE2-ISE2<BR /></SPAN></P><P>!</P><P>!<BR />At this point stop and use the "test aaa group&nbsp;<SPAN>TACACS-GROUP server 1.1.1.1 xyz xyz legacy" and "test aaa group&nbsp;TACACS-GROUP server 2.2.2.2 xyz xyz legacy". If authentication is not successful, fix the TACACS integration configuration and move on only after having this functional.</SPAN></P><P><SPAN>!</SPAN></P><P><SPAN>!<BR />!</SPAN></P><P><SPAN>aaa authentication password-prompt TACACS.server.failed-Use.enable.password:</SPAN><BR /><SPAN>aaa authentication login default group TACACS-GROUP local-case enable</SPAN><BR /><SPAN>aaa authentication enable default group TACACS-GROUP enable</SPAN><BR /><SPAN>aaa authorization console</SPAN><BR /><SPAN>aaa authorization commands 15 default group TACACS-GROUP local</SPAN><BR /><SPAN>aaa accounting exec default start-stop group TACACS-GROUP</SPAN><BR /><SPAN>aaa accounting commands 15 default start-stop group TACACS-GROUP</SPAN><BR /><SPAN>aaa accounting network default start-stop group TACACS-GROUP</SPAN><BR /><SPAN>aaa accounting connection default start-stop group TACACS-GROUP</SPAN><BR /><SPAN>aaa accounting system default start-stop group TACACS-GROUP</SPAN></P><P><STRONG>aaa authorization exec default group TACACS-GROUP local</STRONG></P><P><STRONG>aaa authorization config-commands</STRONG></P><P>!</P><P>!</P><P>You should not loose access, but you would reconnect in order to authenticate and test now the TACACS functionality.</P><P>&nbsp;</P><P>Regards,</P><P>Cristian Matei.</P> Sat, 04 Apr 2020 09:00:43 GMT https://community.cisco.com/t5/network-security/aaa-new-model/m-p/4058948#M1068729 Cristian Matei 2020-04-04T09:00:43Z