01-14-2019 09:29 AM - edited 02-21-2020 08:39 AM
aaa-server TACACS protocol tacacs+
reactivation-mode depletion deadtime 2
aaa-server TACACS (management) host 10.20.0.60
key *****
aaa-server TACACS (management) host 10.21.0.60
key *****
user-identity default-domain LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting ssh console TACACS
aaa accounting serial console TACACS
aaa accounting enable console TACACS
aaa accounting command TACACS
!
!
FW1/pri/act(config)# aaa authentication ssh console LOCAL ?
configure mode commands/options:
<cr>
FW1/pri/act(config)# aaa authentication ssh console LOCAL
Range already exists.
FW1/pri/act(config)#
What are the steps to move an ASA managed via ISE/TACACS back to local authentication? I need to release some devices for the sale of a division of my company. I really don't want to mess it up, since these are in another country.
01-14-2019 09:37 AM - edited 01-14-2019 09:38 AM
You need to remove the command, as in the example below, and re-run it using LOCAL.
no aaa authentication ssh console TACACS LOCAL
aaa authentication ssh console LOCAL
01-14-2019 09:44 AM
Hi,
Remove AAA servers (TACACS+):
no aaa-server TACACS (management) host 10.20.0.60
no aaa-server TACACS (management) host 10.21.0.60
no aaa authentication ssh console TACACS LOCAL
aaa authentication ssh console LOCAL
Regards,
Deepak Kumar
01-14-2019 10:54 AM - edited 01-14-2019 10:55 AM
Here you go, mate:
clear configure aaa-server
!
crypto key generate rsa label Firewall modulus 1024
!
aaa authentication ssh console LOCAL
!
username admin password cisco privilege 15
01-15-2019 10:39 AM
1. issue the command "reload in 15"
2. First change the current local username and password. (add a new username and remove the old username)
3. issue the command clear configure aaa
4. issue the command clear configure aaa-server
5. re-add aaa authentication... commands to specify only LOCAL user database
6. disconnect and test login
7. if the new login works as expected issue the command "reload cancel"
8. save configuration
You need to remove the aaa authentication entries first, otherwise you will get an error that the aaa-servers are still in use.
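Worked example (added here; not code from any poster in this thread): a small Python script that takes the AAA section of the running config as pasted in the question and emits the CLI sequence of the step list above, and of the earlier "remove the command, then re-add it with LOCAL" reply, in the order the ASA accepts it. Assumptions: the server group is named TACACS as in the question, the new local account name newadmin is invented, and its password is left as a placeholder to be typed on the device rather than generated here. Accounting has no LOCAL form on the ASA, so those lines are only removed.

```python
"""Generate the ASA CLI sequence for moving from TACACS+ to LOCAL authentication.

Added example, not from the original thread. ASA command syntax is standard;
the sample config below is constructed from the lines posted in the question.
"""
import re

# Constructed sample input: the AAA section of the running config from the question.
SAMPLE_RUNNING_CONFIG = """\
aaa-server TACACS protocol tacacs+
 reactivation-mode depletion deadtime 2
aaa-server TACACS (management) host 10.20.0.60
 key *****
aaa-server TACACS (management) host 10.21.0.60
 key *****
user-identity default-domain LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting ssh console TACACS
aaa accounting serial console TACACS
aaa accounting enable console TACACS
aaa accounting command TACACS
"""

# Matches the server-backed forms that have a LOCAL equivalent:
#   aaa authentication <svc> console <group> [LOCAL]
#   aaa authorization command <group> [LOCAL]
# Accounting deliberately does not match: the ASA has no LOCAL accounting,
# so those lines can only be removed.
AAA_LINE = re.compile(
    r"^(?P<prefix>aaa (?:authentication|authorization) \S+(?: console)?) "
    r"(?P<group>\S+)(?: LOCAL)?$"
)

# Run these only after a fresh SSH login with the new local account has succeeded.
FINISH = ["reload cancel", "write memory"]


def aaa_lines_using(running_config, group):
    """Top-level 'aaa ...' lines (not aaa-server, not sub-lines) that reference the group."""
    out = []
    for raw in running_config.splitlines():
        line = raw.strip()
        if line.startswith("aaa ") and group in line.split():
            out.append(line)
    return out


def local_form(line):
    """LOCAL-only form of a server-backed aaa line, or None if the ASA has no such form."""
    m = AAA_LINE.match(line)
    return f"{m.group('prefix')} LOCAL" if m else None


def build_cutover(running_config, group="TACACS", new_admin="newadmin", reload_minutes=15):
    """Ordered CLI sequence for the cutover.

    Removing the server-backed aaa lines must precede 'clear configure aaa-server',
    otherwise the ASA reports the group as still in use. Re-adding a line whose
    service already has an entry is what produces 'Range already exists.', which is
    why each LOCAL line is only added after its TACACS LOCAL line has been removed.
    """
    in_use = aaa_lines_using(running_config, group)
    cmds = [
        # Safety net: reloads to startup-config unless cancelled after a successful test.
        f"reload in {reload_minutes}",
        "configure terminal",
        # New local admin first; the password placeholder is typed on the device, not here.
        f"username {new_admin} password <set-on-device> privilege 15",
    ]
    cmds += [f"no {line}" for line in in_use]
    cmds.append("clear configure aaa-server")
    # With 'aaa authorization command LOCAL' the local user needs privilege 15,
    # or it will be limited to level-1 commands after the cutover.
    cmds += [lf for lf in (local_form(line) for line in in_use) if lf]
    cmds.append("end")
    return cmds


if __name__ == "__main__":
    for c in build_cutover(SAMPLE_RUNNING_CONFIG) + ["! ...test login from a new session...", *FINISH]:
        print(c)
```

The old account from step 2 of the list is not removed by the script; do that by hand once the new one works. The `reload in` line does nothing useful if `write memory` has already been run against the half-changed configuration, so save only at the very end.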
01-20-2019 09:22 PM
Hi,
@Marius Gunnerud Thanks, I like the suggested commands reload in 15 and reload cancel. They are good if we are really in the testing phase and working remotely. But I don't like both commands in production.
Regards,
Deepak Kumar
01-21-2019 12:09 AM
It is mentioned in the original post that these devices are in another country. So depending on whether there is an IT support person with a console cable or a console switch present at the remote location, there needs to be a method to recover the configuration if he loses connectivity. Many remote sites are too small to justify the cost of a console switch and often do not have personnel with knowledge of console cables, or of network devices for that matter.
I should have probably included that this would be best done in a service window.