Solved: Completely Remove AAA

johnlloyd_13 · ‎12-02-2020

hi,

is there a "quick" way to completely remove AAA in a device? like a "default" command used in a switch port?

if i just do a "no aaa new-model" and then re-added it back, all AAA config lines were back.

CSRv(config)#no aaa new-model
Changing configuration back to no aaa new-model is not supported.
Continue?[confirm]
CSRv(config)#
CSRv(config)#do sh run | s aaa
no aaa new-model
CSRv(config)#
CSRv(config)#aaa new-model
CSRv(config)#
CSRv(config)#do sh run | s aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

Georg Pauwen · ‎12-02-2020

Hello,

you need to manually remove the commands first, I don't think there is one command to clear all lines from a previous aaa new-model.

So first, negate the existing commands:

no aaa authentication login default group tacacs+ local
no aaa authentication enable default group tacacs+ enable
no aaa authorization exec default group tacacs+ local
no aaa authorization commands 1 default group tacacs+ if-authenticated
no aaa authorization commands 15 default group tacacs+ if-authenticated
no aaa authorization network default group tacacs+ local
no aaa accounting exec default start-stop group tacacs+
no aaa accounting commands 1 default start-stop group tacacs+
no aaa accounting commands 15 default start-stop group tacacs+
no aaa accounting network default start-stop group tacacs+
no aaa accounting system default start-stop group tacacs+

Then, execute 'no aaa new-model'. Then, when you add another 'aaa new-model', the configuration will be empty.

View solution in original post

balaji.bandi · ‎12-02-2020

short answer no - but removing aaa new-model is removing aaa config, other config will not have any effect since you removed global config. - is this make sense ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Georg Pauwen · ‎12-02-2020

Hello,

you need to manually remove the commands first, I don't think there is one command to clear all lines from a previous aaa new-model.

So first, negate the existing commands:

no aaa authentication login default group tacacs+ local
no aaa authentication enable default group tacacs+ enable
no aaa authorization exec default group tacacs+ local
no aaa authorization commands 1 default group tacacs+ if-authenticated
no aaa authorization commands 15 default group tacacs+ if-authenticated
no aaa authorization network default group tacacs+ local
no aaa accounting exec default start-stop group tacacs+
no aaa accounting commands 1 default start-stop group tacacs+
no aaa accounting commands 15 default start-stop group tacacs+
no aaa accounting network default start-stop group tacacs+
no aaa accounting system default start-stop group tacacs+

Then, execute 'no aaa new-model'. Then, when you add another 'aaa new-model', the configuration will be empty.