2471 Views | 20 Helpful | 6 Replies

aaa new-model

BigK (Level 1)

Hello,

What is the suggested method to configure aaa new-model and 802.x on a remote router without locking myself out of the router, and if I did lock myself out, what is the process to recover and regain access to the device?

Here is my current config:

aaa new-model
!
!
aaa group server tacacs+ TACACS-GROUP
server name SITE1-ISE1
server name SITE2-ISE2
!
aaa authentication password-prompt TACACS.server.failed-Use.enable.password:
aaa authentication login default group TACACS-GROUP local-case enable
aaa authentication enable default group TACACS-GROUP enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group TACACS-GROUP local
aaa authorization commands 15 default group TACACS-GROUP local
aaa accounting exec default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
aaa accounting network default start-stop group TACACS-GROUP
aaa accounting connection default start-stop group TACACS-GROUP
aaa accounting system default start-stop group TACACS-GROUP

line con 0
password 7 05080F1C9961
logging synchronous
transport output none
stopbits 1

line vty 0 15
password 7 124D4
logging synchronous
transport input ssh
transport output all

Thanks!

Accepted Solution

Cristian Matei (VIP Alumni)

Hi,

I understand that you want to remotely enable AAA without losing access to the device completely. I've made some changes to your config, explained below:

1. Ensure you have your TACACS servers defined as below:

tacacs server SITE1-ISE1
 address ipv4 x.x.x.x
 key xxx
!
tacacs server SITE2-ISE2
 address ipv4 x.x.x.x
 key xxx
!
aaa group server tacacs+ TACACS-GROUP
 ip tacacs source-interface xxx

(Ensure you hardcode the source interface; otherwise, depending on your routing design, it may happen that the device uses different source IPs to speak with the TACACS server and it is going to get rejected.)

2. If you use "non-default" AAA lists, you would not lose access at all. With the "default" AAA list, follow this order of commands:

!
aaa new-model
!
tacacs server SITE1-ISE1
 address ipv4 1.1.1.1
 key xxx
!
tacacs server SITE2-ISE2
 address ipv4 2.2.2.2
 key xxx
!
aaa group server tacacs+ TACACS-GROUP
 server name SITE1-ISE1
 server name SITE2-ISE2
!

At this point, stop and use "test aaa group TACACS-GROUP server 1.1.1.1 xyz xyz legacy" and "test aaa group TACACS-GROUP server 2.2.2.2 xyz xyz legacy". If authentication is not successful, fix the TACACS integration configuration and move on only after this is functional.

!
aaa authentication password-prompt TACACS.server.failed-Use.enable.password:
aaa authentication login default group TACACS-GROUP local-case enable
aaa authentication enable default group TACACS-GROUP enable
aaa authorization console
aaa authorization commands 15 default group TACACS-GROUP local
aaa accounting exec default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
aaa accounting network default start-stop group TACACS-GROUP
aaa accounting connection default start-stop group TACACS-GROUP
aaa accounting system default start-stop group TACACS-GROUP
!
aaa authorization exec default group TACACS-GROUP local
!
aaa authorization config-commands
!

You should not lose access, but you would need to reconnect in order to authenticate and test the TACACS functionality now.

Regards,
Cristian Matei.

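An added pre-flight check, written for this thread and not taken from the post or from any Cisco tool: it parses an IOS-style config and flags the lockout conditions the accepted answer walks through (a group member with no "tacacs server" definition, a server with no address or key, no hardcoded "ip tacacs source-interface", and a default login list with no usable fallback). The server names, addresses and key in the sample are constructed.

```python
# Constructed sample (not from the thread): the poster's layout with the defects the
# accepted answer warns about, plus a local fallback that has no local username.
SAMPLE_CONFIG = """\
aaa new-model
tacacs server SITE1-ISE1
 address ipv4 192.0.2.11
 key EXAMPLE-KEY
tacacs server SITE2-ISE2
 address ipv4 192.0.2.12
aaa group server tacacs+ TACACS-GROUP
 server name SITE1-ISE1
 server name SITE2-ISE2
 server name SITE3-MISSING
aaa authentication login default group TACACS-GROUP local-case enable
"""

def parse_blocks(config):
    # Map each top-level command to its indented children; setdefault merges a group entered twice.
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current:
            blocks[current].append(line.strip())
        elif line.strip() and line[0] not in " !":
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def lockout_check(config):
    """Return findings that predict a remote lockout once the default list is applied."""
    blocks, findings = parse_blocks(config), []
    for cmd, kids in ((c, k) for c, k in blocks.items() if c.startswith("aaa group server tacacs+")):
        group = cmd.split()[-1]
        for name in (k.split()[-1] for k in kids if k.startswith("server name ")):
            srv = blocks.get(f"tacacs server {name}")
            if srv is None:
                findings.append(f"{group}: member {name} has no 'tacacs server' definition")
            else:
                for need in ("address ipv4 ", "key "):
                    if not any(k.startswith(need) for k in srv):
                        findings.append(f"{group}: {name} is missing '{need.strip()}'")
        if not any(k.startswith("ip tacacs source-interface") for k in kids):
            findings.append(f"{group}: ip tacacs source-interface not hardcoded")
    login = next((c for c in blocks if c.startswith("aaa authentication login default ")), None)
    if login:
        methods = set(login.split()[4:])  # e.g. {'group', 'TACACS-GROUP', 'local-case', 'enable'}
        if not {"local", "local-case", "enable", "line", "none"} & methods:
            findings.append("login default: no fallback method after the TACACS group")
        elif {"local", "local-case"} & methods and not any(c.startswith("username ") for c in blocks):
            findings.append("login default: local fallback listed but no username configured")
    return findings
```

Run it against the config you intend to push before the change window; an empty list means the group members, key, source interface and fallback are all in place, which is the state the "test aaa group" step above expects.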

6 Replies

balaji.bandi (Hall of Fame)

As long as you have not saved the configuration, someone can reboot the device and you will still be able to log in using the local username and password.

You can have two open sessions: one where you try with RADIUS and one already open with the local account.

BB


Thanks BB.

I am planning on sending the router with the AAA config and the config saved. Any other suggestions?

Hi,
Ideally you should test the configuration on a local device, but...

Before you make the changes, use the "reload in X" command, which would reload the device in X minutes if you were to be locked out. Open a new SSH connection (don't close the old session), test that the changes work as expected, then cancel the reload using "reload cancel". If you were to have issues and were locked out, you just need to wait until the reload command reboots the router and it reloads; obviously, don't save the configuration until you confirm it works as expected.

HTH

I appreciate both suggestions.

Thanks again!

Hi,

Is this a new device or one already in production?

Don't forget these lines:

tacacs-server host TACACS-1
tacacs-server host TACACS-2
tacacs-server directed-request
tacacs-server key <KEY STRING>

