06-15-2012 04:26 PM
Hello Everyone,
We have a lab setup in which the devices are authenticated using Cisco ACS.
We will shortly start giving out these devices to users for testing different scenarios. During their testing, users might do a "write erase" which will also wipe out the aaa config from the devices.
Does anyone know of a way to always load a particular configuration (say, the aaa config) when a device is reloaded after issuing a "wr erase" command?
Thanks.
06-15-2012 06:58 PM
Why do the users need unrestricted level 15 enable access? Even if they need enable for some things, why not set up an intermediate privilege level user with only the privileged commands they need allowed. See this guide for more details.
If a user can "write erase" then the on-device configuration is gone. External intervention of some type is necessary. A backup copy of the desired configuration can be stored offline and one can "copy tftp (or other method - ftp, scp etc.) run" to restore it. You could store a known good config on the device's flash and copy it to running-config as well (but a level 15 user could delete that as well).
06-15-2012 07:07 PM
Hi Marvin,
A part of their testing may involve wiping the config. So we need to give them the access.
The tricky part is how do we add the aaa config back to the devices once they have been wiped clean.
06-15-2012 09:55 PM
As I mentioned in paragraph 2 of my original reply - I'm pretty sure external intervention would be required to pull a baseline configuration onto the device with your aaa (and any other critical bits).
I would argue that if the users must have enough privilege to "write erase" then they need to accept the responsibility of doing a restore.
If that's unfeasible, you could have your machines set up for autoinstall from a local tftp server. See this link for details on how that works.
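A minimal ISC dhcpd stanza plus the TFTP-hosted baseline that the AutoInstall approach in the reply above relies on, added here as an illustration and not part of the original thread. The subnet, the addresses, the option-150 definition, the file name, the local rescue account and the TACACS+ key are assumptions for a hypothetical lab; the exact file names an image tries (network-confg, cisconet.cfg, and a per-host <hostname>-confg when the leased address reverse-resolves) and the interfaces it sends DHCP on vary by IOS release, so check the AutoInstall documentation for your platform and image.

```conf
# --- /etc/dhcp/dhcpd.conf (ISC dhcpd) -----------------------------------
# Assumed lab network 10.10.0.0/24; TFTP/DNS on 10.10.0.5, ACS on 10.10.0.10.
# Cisco devices look for the TFTP server in DHCP option 150, which ISC does
# not define by default, so declare it here.
option ip-tftp-server code 150 = array of ip-address;

subnet 10.10.0.0 netmask 255.255.255.0 {
    range 10.10.0.100 10.10.0.199;
    option routers 10.10.0.1;
    option domain-name-servers 10.10.0.5;   # reverse DNS lets a device find <hostname>-confg
    next-server 10.10.0.5;                  # siaddr, honoured by older AutoInstall code
    option tftp-server-name "10.10.0.5";    # option 66
    option ip-tftp-server 10.10.0.5;        # option 150
    filename "network-confg";               # option 67: baseline every erased box pulls
}

# --- /srv/tftp/network-confg (baseline restored after "write erase") -----
# Assumed content. Keep the TFTP root readable only from the lab VLAN: the
# TACACS+ key and the rescue credential sit in cleartext in this file.
!
hostname lab-baseline
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
!
! Local fallback only used when ACS is unreachable; placeholder secret.
username rescue privilege 15 secret LabRescueSecret
!
! Placeholder shared secret; must match the device entry in ACS.
tacacs-server host 10.10.0.10 key LabSharedSecret
!
line vty 0 4
 login authentication default
 transport input ssh
!
end
```

Two caveats a tester should keep in mind: the device only pulls this file on an interface that can reach the DHCP server at boot (on a Catalyst that is typically VLAN 1, on a router the first LAN or serial interface that comes up), and the restore is only as durable as the testers let it be, because a level 15 user can `write erase` or edit the aaa lines again the moment they are back. The baseline puts the configuration back; it does not take away the privilege that removed it.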
06-16-2012 10:00 AM
After a write erase, a switch will not be accessible from the network. You will be able to configure it from the serial console port or, as described before, via DHCP/TFTP or DHCP/SNMP.
-- Yaron.
06-17-2012 11:29 PM
It may not be accessible via the network, but I think it will do a bootp that can be used to restore a 'default' config, or even a config per device.
I don't recall the details, but if you sniff the traffic the router does after a write erase and reload, the thing will become clear.
You may also consider using a terminal server to provide console access.
Cheers,
Michel