Preventing AAA lockout on router

BigK
Level 1

Hello,

 

I have a router in a remote location that I sent there without an AAA config. Now that the router is up and accessible remotely, I would like to have AAA configured. Last time, I had a bad experience locking myself out of the exec commands. My question is how I can implement AAA in a safe way so that I will not lock myself out of either accessing the router or executing the commands at the exec level. I have ISE + TACACS.

 

aaa authentication password-prompt TACACS.server.failed-Use.enable.password:
aaa authentication login default group TACACS-GROUP local-case enable
aaa authentication enable default group TACACS-GROUP enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group TACACS-GROUP local
aaa authorization commands 15 default group TACACS-GROUP local
aaa accounting exec default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
aaa accounting network default start-stop group TACACS-GROUP
aaa accounting connection default start-stop group TACACS-GROUP

 

Thanks!

Karim

 

1 Accepted Solution

balaji.bandi
Hall of Fame

A couple of steps for this kind of situation, when you configure remotely and no one is available at the far end.

 

1. Write the configuration before changing anything (at this time everything is working as expected).

2. Create a local username and password with admin rights (privilege 15).

3. Always keep 2 SSH sessions open.

4. Set up a reload timer, example as below:

#reload at 05:00 2 nov  - this is 5 am, Nov 2nd (set this up for your needs, e.g. 10 or 20 min after your
config start; if something goes wrong the device will reboot automatically with the original config).

#show reload  - will show the time of the reload.

5. Use one SSH window to paste the AAA config, in the correct order of operations, 1 line at a time (hopefully you have all the setup done on the ISE/ACS side).

6. Check in the other window that you still have access.

7. If the configuration succeeds, open another SSH session and check that AAA is working.

8. If all is working, remove the reload session:

#reload cancel

9. Write the configuration.

 

BB

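The nine steps above, scripted so the safety-net ordering is enforced rather than remembered. This is an added example, not code from the original post or from Cisco: the transport interface (a `send`/`config` pair that a netmiko-style SSH wrapper could implement), the `rescue` account, the `CHANGE-ME` secrets and the `ISE-PSN-1` / 192.0.2.10 server entry are placeholders. It also adds the TACACS server, `aaa new-model` and `aaa group server` definitions that the snippet in the question depends on but does not show, applied as one block before the per-line AAA push, and uses the relative `reload in` form so the timer does not depend on the router clock. The `check_order` function encodes the invariants that keep you off the console: baseline saved first, local user before `aaa new-model`, reload armed before any `aaa` line, reload cancelled only after the second-session check passes, and a final save after the cancel.

```python
"""Lockout-safe AAA rollout for a Cisco IOS router, driven from a script.

Added example following the accepted answer's steps; the session interface,
the rescue account and the TACACS server details are placeholders.
"""
from collections.abc import Callable

# Step 2: a privilege-15 local account (placeholder credentials).  It must
# exist BEFORE 'aaa new-model', because with 'aaa new-model' and no method
# list yet, new logins default to the local database.
RESCUE_ACCOUNT = [
    "username rescue privilege 15 secret CHANGE-ME-USER",
    "enable secret CHANGE-ME-ENABLE",
]

# Prerequisites the question's snippet relies on but does not include.
# Sent as one block because the indented lines live in sub-modes.
AAA_PREREQS = [
    "tacacs server ISE-PSN-1",            # placeholder server name
    " address ipv4 192.0.2.10",           # placeholder address (TEST-NET-1)
    " key 0 CHANGE-ME-TACACS-KEY",        # placeholder shared secret
    "aaa new-model",
    "aaa group server tacacs+ TACACS-GROUP",
    " server name ISE-PSN-1",
]

# The lines from the question, pushed one at a time (step 5).
AAA_LINES = [
    "aaa authentication password-prompt TACACS.server.failed-Use.enable.password:",
    "aaa authentication login default group TACACS-GROUP local-case enable",
    "aaa authentication enable default group TACACS-GROUP enable",
    "aaa authorization console",
    "aaa authorization config-commands",
    "aaa authorization exec default group TACACS-GROUP local",
    "aaa authorization commands 15 default group TACACS-GROUP local",
    "aaa accounting exec default start-stop group TACACS-GROUP",
    "aaa accounting commands 15 default start-stop group TACACS-GROUP",
    "aaa accounting network default start-stop group TACACS-GROUP",
    "aaa accounting connection default start-stop group TACACS-GROUP",
]


class RecordingSession:
    """Offline stand-in for the primary SSH session: records what it is sent.
    A real transport would expose the same two methods over SSH."""

    def __init__(self) -> None:
        self.sent: list[str] = []

    def send(self, command: str) -> str:          # exec-mode command
        self.sent.append(command)
        return ""

    def config(self, lines: list[str]) -> str:    # one config-mode block
        self.sent.extend(lines)
        return ""


def rollout(session, second_session_ok: Callable[[], bool], minutes: int = 20):
    """Apply steps 1-9; returns (outcome, commands sent in order)."""
    session.send("write memory")                                    # 1
    session.config(RESCUE_ACCOUNT)                                  # 2
    session.send(f"reload in {minutes} AAA rollout safety net")     # 4
    session.send("show reload")
    session.config(AAA_PREREQS)                                     # 5
    for line in AAA_LINES:
        session.config([line])
    if not second_session_ok():                                     # 6-7
        # Leave the timer armed: the router reboots to the saved config.
        return "reload-pending", list(session.sent)
    session.send("reload cancel")                                   # 8
    session.send("write memory")                                    # 9
    return "committed", list(session.sent)


def check_order(sent: list[str]) -> list[str]:
    """Return the safety invariants that the command sequence violates."""
    def first(prefix):
        return next((i for i, c in enumerate(sent) if c.startswith(prefix)), None)

    def last(prefix):
        hits = [i for i, c in enumerate(sent) if c.startswith(prefix)]
        return hits[-1] if hits else None

    problems = []
    if first("write memory") != 0:
        problems.append("baseline config not saved first")
    user, new_model = first("username "), first("aaa new-model")
    if new_model is not None and (user is None or user > new_model):
        problems.append("local user created after aaa new-model")
    timer, aaa_first, aaa_last = first("reload in "), first("aaa "), last("aaa ")
    if aaa_first is not None and (timer is None or timer > aaa_first):
        problems.append("reload timer not armed before AAA lines")
    cancel = first("reload cancel")
    if cancel is not None and (aaa_last is None or cancel < aaa_last):
        problems.append("reload cancelled before AAA rollout finished")
    if cancel is not None and (last("write memory") or 0) < cancel:
        problems.append("config not saved after cancelling reload")
    return problems


if __name__ == "__main__":
    # The second-session check is where you log in fresh via TACACS.
    outcome, sent = rollout(RecordingSession(), second_session_ok=lambda: True)
    print(outcome, check_order(sent) or "all invariants hold")
```

On a real transport, `reload in` asks `[confirm]` and, because the rescue account has just modified the running config, also asks whether to save; answering yes at that point is fine because only the local user has been added so far. The `second_session_ok` callback is the place to open the second SSH session from step 7 and log in with a TACACS account; only when that succeeds does the script cancel the reload.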
