04-03-2020 11:04 AM - edited 04-03-2020 11:38 AM
Hello,
What is the suggested method to configure aaa new-model and 802.x on a remote router without locking myself out of the router, and if I did lock myself out, what is the process to recover and access the device again?
Here is my current config
aaa new-model
!
!
aaa group server tacacs+ TACACS-GROUP
 server name SITE1-ISE1
 server name SITE2-ISE2
!
aaa authentication password-prompt TACACS.server.failed-Use.enable.password:
aaa authentication login default group TACACS-GROUP local-case enable
aaa authentication enable default group TACACS-GROUP enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group TACACS-GROUP local
aaa authorization commands 15 default group TACACS-GROUP local
aaa accounting exec default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
aaa accounting network default start-stop group TACACS-GROUP
aaa accounting connection default start-stop group TACACS-GROUP
aaa accounting system default start-stop group TACACS-GROUP
line con 0
 password 7 05080F1C9961
 logging synchronous
 transport output none
 stopbits 1
line vty 0 15
 password 7 124D4
 logging synchronous
 transport input ssh
 transport output all
Thanks !
04-04-2020 02:00 AM
Hi,
I understand that you want to remotely enable AAA without losing access to the device completely. I've made some changes to your config, explained below:
1. Ensure you have your TACACS servers defined as below:
tacacs server SITE1-ISE1
 address ipv4 x.x.x.x
 key xxx
!
tacacs server SITE2-ISE2
 address ipv4 x.x.x.x
 key xxx
aaa group server tacacs+ TACACS-GROUP
 ip tacacs source-interface xxx (ensure to hardcode this; otherwise, depending on your routing design, it may happen that the device uses different source IPs to speak with the TACACS server and it's gonna get rejected)
2. If you used "non-default" AAA lists, you would not lose access at all. With the "default" AAA list, follow this order of commands:
!
aaa new-model
tacacs server SITE1-ISE1
 address ipv4 1.1.1.1
 key xxx
!
tacacs server SITE2-ISE2
 address ipv4 2.2.2.2
 key xxx
!
aaa group server tacacs+ TACACS-GROUP
 server name SITE1-ISE1
 server name SITE2-ISE2
!
!
At this point stop and use the "test aaa group TACACS-GROUP server 1.1.1.1 xyz xyz legacy" and "test aaa group TACACS-GROUP server 2.2.2.2 xyz xyz legacy". If authentication is not successful, fix the TACACS integration configuration and move on only after having this functional.
!
!
!
aaa authentication password-prompt TACACS.server.failed-Use.enable.password:
aaa authentication login default group TACACS-GROUP local-case enable
aaa authentication enable default group TACACS-GROUP enable
aaa authorization console
aaa authorization commands 15 default group TACACS-GROUP local
aaa accounting exec default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
aaa accounting network default start-stop group TACACS-GROUP
aaa accounting connection default start-stop group TACACS-GROUP
aaa accounting system default start-stop group TACACS-GROUP
aaa authorization exec default group TACACS-GROUP local
aaa authorization config-commands
!
!
You should not lose access, but you would need to reconnect in order to authenticate and test the TACACS functionality now.
Regards,
Cristian Matei.
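The accepted answer's whole point is ordering: every "default" method list must end with a method (local, local-case, enable) that still works when the TACACS group is unreachable, and every server the group names must actually be defined. The following lint script is an added example, not part of the thread or of any Cisco tool; it parses an IOS-style config (the constructed sample reuses the poster's lists, with one fallback deliberately removed and SITE2 left undefined) and reports both kinds of lockout risk before the config is pushed to a remote box.

```python
import re

# Constructed sample, not copied from the thread: the poster's default method lists plus the
# accepted answer's "tacacs server" stanza, with SITE2 undefined and one list lacking a fallback.
SAMPLE_CONFIG = """\
aaa new-model
tacacs server SITE1-ISE1
 address ipv4 1.1.1.1
 key xxx
aaa group server tacacs+ TACACS-GROUP
 server name SITE1-ISE1
 server name SITE2-ISE2
aaa authentication login default group TACACS-GROUP local-case enable
aaa authentication enable default group TACACS-GROUP enable
aaa authorization exec default group TACACS-GROUP local
aaa authorization commands 15 default group TACACS-GROUP
"""

# Methods that still succeed when every AAA server is unreachable.
FALLBACKS = {"local", "local-case", "enable", "line", "none"}

def lint_aaa(config: str) -> list[str]:
    """Return lockout-risk findings for an IOS-style AAA configuration."""
    findings: list[str] = []
    defined = set(re.findall(r"^tacacs server (\S+)", config, re.M))
    groups: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^aaa group server tacacs\+ (\S+)", line)
        if m:
            current = m.group(1)
            groups.setdefault(current, [])
        elif current and (m := re.match(r"^\s+server name (\S+)", line)):
            groups[current].append(m.group(1))
        elif not line.startswith(" "):
            current = None  # left the group stanza
    for group, members in groups.items():
        for srv in members:
            if srv not in defined:
                findings.append(f"group {group}: server {srv} referenced but never defined")
    # A *default* list must name a known group and end with a fallback method; otherwise an
    # unreachable TACACS server blocks every login, exec shell or level-15 command.
    pat = r"^aaa (authentication|authorization) (login|enable|exec|commands \d+) default (.+)$"
    for kind, what, methods in re.findall(pat, config, re.M):
        for g in re.findall(r"group (\S+)", methods):
            if g not in groups and g not in ("tacacs+", "radius"):
                findings.append(f"{kind} {what}: unknown server group {g}")
        if methods.split()[-1] not in FALLBACKS:
            findings.append(f"{kind} {what}: no fallback method after '{methods}'")
    return findings
```

Run `lint_aaa()` over the candidate config before pushing it; an empty list means every default list has a fallback and every referenced server exists.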
04-03-2020 11:14 AM
As long as you have not saved the configuration, someone can reboot the device and you will still be able to log in using the local username and password.
You can have 2 open sessions: one where you try with RADIUS and one already open with a local account.
04-03-2020 11:36 AM
Thanks BB.
I am planning on sending the router with the AAA config and saved config. Any other suggestions?
04-03-2020 09:13 PM
Hi,
Is this a new device or already in production?
Don't forget these lines:
tacacs-server host TACACS-1
tacacs-server host TACACS-2
tacacs-server directed-request
tacacs-server key <KEY STRING>