Changing aaa authentication from TACACS to Local

raghav.rai
Level 1

Hello,

I have a Cisco 9600 device in the network with aaa configured as below. Right now all access to the device requires aaa authentication. I am going for a migration where I will have to change the management interface from the current vlan 995 to a loopback interface. Since I will have to change the ip tacacs source-interface and the ssh source interface, I have a fear of losing remote access. So I am planning to create a new username with secret for the change, and I need to change the AAA authentication from remote to local. Can you please suggest what changes will accomplish this? Is there any other option to do this without losing remote/console access to the box?

username Admin privilege 15 secret xxxx
Switch#sh run | sec aaa
aaa new-model
aaa local authentication attempts max-fail 3
aaa group server tacacs+ KCOM
server-private 10.x.x.x  key 7 xxxxxxxxxxxxxxxxxxxxxxxxx
server-private 10.x.x.y key 7 xxxxxxxxxxxxxxxxxxxxxxxxx
ip vrf forwarding Corp
ip tacacs source-interface Vlan995
aaa authentication login default group tacacs+ group ZZZ line
aaa authentication enable default group ZZZ enable line
aaa accounting exec default start-stop group ZZZ
aaa accounting commands 15 default start-stop group ZZZ
aaa accounting network default start-stop group ZZZ
aaa session-id common

line con 0
password 7 xxxx
stopbits 1
line aux 0
line vty 0 4
exec-timeout 30 0
password 7 xxxxx


You use line as the aaa login auth fallback.

So if your SW cannot connect to the aaa server, the SW will use the line password for access.

For enable with line as fallback, I will check if it works or not.

MHM

Thank you MHM,

Will you be able to test this?

If I add the lines below, will it change the console password to the new username and new secret created?

#conf t

#aaa authentication login console local

#line con 0

#login authentication console

#username new privilege 15 secret xxxx

Thanks again,

Raghavendra
Hello MHM,

Did you get a chance to check this?

Tks,

Raghavendra

Ruben Cocheno
Spotlight

@raghav.rai

Open two remote sessions from the closest source from which you are connecting, and change to local authentication by putting local at the end of your authentication method list as below. So if TACACS stops responding then it goes local.

aaa authentication login default group tacacs+ group ZZZ local

If you have the new IP configured on ISE in advance, the authentication/authorization would not be problematic assuming the device reaches the PSNs.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

I have a suggestion about how to deal with the possibility that you might lose connectivity to the device while making the config changes:

1) use copy run start to be sure that the device has a fresh copy of the current config.

2) schedule a reload (reload in x; I would not use a single digit number, I might use 30, but if you think that is too long then perhaps use 10)

3) make your config changes

4) if the config changes do cause you to lose connectivity, then the device will reload and you can establish a connection again, and figure out a way to make the config changes that does not drop the connection.

5) if the config changes are successful and you still have connectivity, then cancel the scheduled reload.

HTH

Rick

Hello Richard,

It is a good idea, but in my case the switch is a VSS pair (9606R). A reload will take 20 mins to come back, and a VSS reload is a bit risky considering a very small change window. So I am looking for a confirmed command which will make my console password the local password and leave the rest on aaa.
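As an added illustration (not code from this thread or from Cisco), here is a small Python model of how an IOS login method list such as the ones quoted above is walked: a method that cannot answer (TACACS+ unreachable) hands over to the next method, while an explicit reject stops the walk, so a local account only helps on the vty lines when the server does not respond. Device state, user names and passwords are constructed sample data.

```python
# Added model of how a Cisco IOS AAA login method list is walked (illustration only,
# not code from this thread or from Cisco). Assumed IOS semantics: a method that
# cannot give an answer (ERROR, e.g. no TACACS+ server responded) hands over to the
# next method; an explicit reject (FAIL) ends the attempt with a denial.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PASS, FAIL, ERROR = "pass", "fail", "error"


@dataclass
class Device:
    """Constructed sample state of one switch; all credentials are made up."""
    tacacs_reachable: bool
    tacacs_users: Dict[str, str] = field(default_factory=dict)
    local_users: Dict[str, str] = field(default_factory=dict)
    line_password: Optional[str] = None


def run_method(method: str, dev: Device, user: str, password: str) -> str:
    """Return PASS, FAIL or ERROR for a single method keyword of the list."""
    if method.startswith("group "):          # group tacacs+ / group ZZZ
        if not dev.tacacs_reachable:
            return ERROR                      # no response -> next method is tried
        return PASS if dev.tacacs_users.get(user) == password else FAIL
    if method == "local":                     # username ... secret ... entries
        return PASS if dev.local_users.get(user) == password else FAIL
    if method == "line":                      # password configured under the line
        if dev.line_password is None:
            return ERROR                      # nothing to check against
        return PASS if password == dev.line_password else FAIL
    if method == "none":
        return PASS
    raise ValueError(f"unknown method {method!r}")


def authenticate(methods: List[str], dev: Device, user: str, password: str) -> bool:
    """Walk the method list left to right; True when the login is granted."""
    for method in methods:
        result = run_method(method, dev, user, password)
        if result != ERROR:
            return result == PASS             # PASS or FAIL both stop the walk
    return False                              # every method errored: deny


# Method lists from the thread: the existing vty default list, the suggested
# variant with local as the last method, and a named list for the console.
DEFAULT_LIST = ["group tacacs+", "group ZZZ", "line"]
DEFAULT_WITH_LOCAL = ["group tacacs+", "group ZZZ", "local"]
CONSOLE_LIST = ["local"]
```

The reachable-but-rejecting case is the one to keep in mind during the change window: with the server answering, a reject of the new local account is final on the vty lines, which is why the console gets its own named list with local first.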