Best practice for reenabling AAA

raaffffii
Level 1

Hi,

My question is about re-enabling AAA on a device. I have a company A that had their devices and their AAA configuration. Now company A was bought by company B, and the devices of company A are migrating to the configuration standard of B. Network engineers of B receive access to A's devices with the line password, and when they do aaa new-model they lock themselves out, as the AAA configuration was not removed but only turned off by "no aaa new-model".

I assume that the best practice would be to instruct the guys from A to remove the whole AAA config, but let's say that I cannot do that. What's the best method to migrate to the new AAA configuration?

7 Replies

Aditya Ganjoo
Cisco Employee

Hi,

Could you share the sh run | in aaa output of the device?

If not, then you can go ahead and remove the AAA config of company A and configure the new one for company B.

Since you have already used no aaa new-model, that means you have turned off AAA on the device.

Not sure why you got locked out of the device?

Regards,

Aditya

Please rate helpful posts.

Hi Aditya,

Thank you for the answer. Both companies have their own ACS servers; the engineer from B has an account only on ACS B. So when he enables aaa new-model while being logged in locally with a password, the old configuration takes effect. The old one has aaa authorization, so he is now unauthorized to do anything.

Hi,

Yes, you are correct.

So you can go ahead with removing the aaa authorization command.

Regards,

Aditya

Please rate helpful posts.

I don't know if you see this, but when you do "no aaa new-model" then all the aaa authentication and authorization commands that you configured are somehow hidden and not removed. When you re-enable AAA with "aaa new-model" they appear once again in the config. So the engineer does not have a chance to remove them, as he locks himself out right after enabling AAA.
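Added example, not from this thread: a small Python check over the retained AAA lines, assuming they can be obtained from company A's saved configuration (the config text, the ACS-A server group and its address below are constructed). It flags the method lists that would lock out a session that only has a line password, and generates the "no" forms needed to remove them.

```python
import re

# Constructed sample of company A's AAA lines as IOS keeps them after
# "no aaa new-model" (hidden from "show run" until "aaa new-model" brings them back).
OLD_AAA_CONFIG = """\
aaa new-model
aaa group server tacacs+ ACS-A
 server 10.0.0.5
aaa authentication login default group ACS-A
aaa authentication enable default group ACS-A
aaa authorization exec default group ACS-A
aaa authorization commands 15 default group ACS-A
aaa accounting commands 15 default start-stop group ACS-A
"""

# Tokens that begin the method part of a line; everything before them names the list.
METHOD_START = {"group", "local", "local-case", "none", "enable", "line",
                "if-authenticated", "start-stop", "stop-only", "wait-start"}
# Methods that do not depend on reaching a server the engineer has an account on.
FALLBACK = {"local", "local-case", "none", "if-authenticated", "enable", "line"}

def split_aaa_line(line):
    """Return (list_prefix_words, method_words); the first three words
    (aaa <type> <subtype>) are skipped so 'aaa authentication enable' is not
    mistaken for the 'enable' method."""
    words = line.split()
    for i, w in enumerate(words[3:], start=3):
        if w in METHOD_START:
            return words[:i], words[i:]
    return words, []

def lockout_risks(config, trusted_groups=("ACS-B",)):
    """Lines whose only methods are server groups the new engineers cannot
    authenticate against: re-enabling them locks out a line-password session."""
    risky = []
    for line in config.splitlines():
        if not re.match(r"^aaa (authentication|authorization) ", line):
            continue
        _, methods = split_aaa_line(line)
        groups = [methods[i + 1] for i, w in enumerate(methods)
                  if w == "group" and i + 1 < len(methods)]
        if any(g not in trusted_groups for g in groups) and not (set(methods) & FALLBACK):
            risky.append(line)
    return risky

def removal_commands(config):
    """'no' form of every retained method list, so they are removed explicitly
    instead of reappearing when aaa new-model is re-entered."""
    return ["no " + " ".join(split_aaa_line(line)[0])
            for line in config.splitlines()
            if re.match(r"^aaa (authentication|authorization|accounting) ", line)]
```

Run both functions against the old lines before anyone re-enables AAA; any line reported by lockout_risks is one that needs a local fallback or removal first.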

Hi,

How do you access the device?

Is it via SSH/telnet/console?

Regards,

Aditya

via telnet

Hi,

Could you share the show run | in aaa and show run | sec vty config from the device?

Regards,

Aditya