997 Views | 0 Helpful | 2 Replies

Configuring AAA New-Model brings back old config.

Daniel Smith
Level 1

We are assuming responsibility for a set of network gear from a vendor that developed an app for us. They had all the gear authenticate against their RADIUS server. My task today is to remove that config and point to our ACS servers using TACACS. I thought this would be an easy copy and paste, but when I put in our standard aaa new-model config, it appears that their config involving RADIUS parameters comes back into play. I have ended up being unable to access these devices, getting 'Authorization Failed' after putting in my user credentials and password. Any suggestions on this would be a big help!

2 Replies

andamani
Cisco Employee

Hi,

Could you please let us know the Switch / router model and code you are running?

Regards,

Anisha

This has occurred on various platforms, but one example is the 2821 router with c2800nm-ipbasek9-mz.124-22.T1.bin.

Here is an example of what is happening:

Beginning Config:

testsw#sh run | inc radius
aaa authentication login default group radius enable
aaa authentication enable default group radius enable
aaa authorization exec default group radius none
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting network system start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting system default start-stop group radius

ip radius source-interface Vlan99
radius-server host 10.57.132.21 auth-port 1812 acct-port 1813
radius-server source-ports 1645-1646
radius-server timeout 1
radius-server key 7 0716376F6B0A0A200F2A2F5420240E171A39170A3E03355352

When I issue 'no aaa new-model', the radius server configs disappear:

testsw(config)#no aaa new-model
testsw(config)#
testsw(config)#do sh run | inc radius
ip radius source-interface Vlan99
testsw(config)#

When I re-apply just the 'aaa new-model' command:

testsw(config)#do sh run | begin aaa new-model
aaa new-model
aaa authentication login default group radius enable
aaa authentication enable default group radius enable
aaa authorization exec default group radius none
aaa accounting send stop-record authentication failure
aaa accounting session-duration ntp-adjusted
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting network system start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa session-id common
!

testsw(config)#do sh run | inc radius
ip radius source-interface Vlan99
radius-server host 10.57.132.21 auth-port 1812 acct-port 1813
radius-server source-ports 1645-1646
radius-server timeout 1
radius-server key 7 0716376F6B0A0A200F2A2F5420240E171A39170A3E03355352

So, just putting back the aaa new-model command by itself brings back all the former aaa new-model commands and the radius server commands. We run TACACS to a pair of ACS servers for all our other stuff, so maybe this behaviour is unique to RADIUS... not really sure. Anyway, the process of changing has hosed up three devices, requiring a reload, and one that I dorked up badly enough to have to rebuild the device config!
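The following is an added example, not configuration from this thread or from Cisco: it shows the cut-over the original poster was attempting, done by overlaying TACACS+ on top of the existing aaa new-model configuration and then removing the RADIUS lines explicitly, instead of toggling aaa new-model off and on (which, as the output above shows, brings the old lists back). The TACACS+ server addresses, shared secret, the group name ACS-TACACS and the rescue account are assumed placeholders; the RADIUS lines being removed are the ones shown in the post.

```cisco
! Added example (not from the thread). Placeholders: 192.0.2.x servers,
! <...> secrets, group name ACS-TACACS, username "rescue".
!
! --- Risky sequence (what locked the devices in this thread) ---
! no aaa new-model     <- RADIUS lists vanish from 'show run' only
! aaa new-model        <- ...and come straight back
!
! --- Safer sequence: keep 'aaa new-model' on throughout ---
configure terminal
!
! 1. Local fallback so a failed TACACS+ exchange cannot lock you out
username rescue privilege 15 secret <PLACEHOLDER-STRONG-SECRET>
enable secret <PLACEHOLDER-ENABLE-SECRET>
!
! 2. Define the ACS servers (legacy tacacs-server syntax for 12.4T)
tacacs-server host 192.0.2.10 key <PLACEHOLDER-TACACS-KEY>
tacacs-server host 192.0.2.11 key <PLACEHOLDER-TACACS-KEY>
ip tacacs source-interface Vlan99
aaa group server tacacs+ ACS-TACACS
 server 192.0.2.10
 server 192.0.2.11
!
! 3. Re-issuing a default method list replaces the RADIUS one in place;
!    'local' replaces the old 'none' fallback on exec authorization
aaa authentication login default group ACS-TACACS local
aaa authentication enable default group ACS-TACACS enable
aaa authorization exec default group ACS-TACACS local
aaa accounting exec default start-stop group ACS-TACACS
!
! 4. Remove the RADIUS-only lists and the RADIUS server definition
no aaa accounting network default start-stop group radius
no aaa accounting network system start-stop group radius
no aaa accounting connection default start-stop group radius
no aaa accounting system default start-stop group radius
no radius-server host 10.57.132.21 auth-port 1812 acct-port 1813
no radius-server source-ports 1645-1646
no radius-server timeout
no radius-server key
no ip radius source-interface Vlan99
end
!
! 5. Verify while the current session is still open, then log in from a
!    SECOND session before saving with 'write memory'
! test aaa group ACS-TACACS <user> <password> legacy
! show run | include aaa|radius|tacacs
```

If step 5 fails, the still-open session can revert the method lists; nothing has been saved to startup-config until the second login succeeds.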