cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10470
Views
11
Helpful
2
Replies

Completely Remove AAA

johnlloyd_13
Level 9
Level 9

hi,

is there a "quick" way to completely remove AAA in a device? like a "default" command used in a switch port?

if i just do a "no aaa new-model" and then re-added it back, all AAA config lines were back.

 

CSRv(config)#no aaa new-model
Changing configuration back to no aaa new-model is not supported.
Continue?[confirm]
CSRv(config)#
CSRv(config)#do sh run | s aaa
no aaa new-model
CSRv(config)#
CSRv(config)#aaa new-model
CSRv(config)#
CSRv(config)#do sh run | s aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

 

1 Accepted Solution

Accepted Solutions

Hello,

 

you need to manually remove the commands first, I don't think there is one command to clear all lines from a previous aaa new-model.

 

So first, negate the existing commands:

 

no aaa authentication login default group tacacs+ local
no aaa authentication enable default group tacacs+ enable
no aaa authorization exec default group tacacs+ local
no aaa authorization commands 1 default group tacacs+ if-authenticated
no aaa authorization commands 15 default group tacacs+ if-authenticated
no aaa authorization network default group tacacs+ local
no aaa accounting exec default start-stop group tacacs+
no aaa accounting commands 1 default start-stop group tacacs+
no aaa accounting commands 15 default start-stop group tacacs+
no aaa accounting network default start-stop group tacacs+
no aaa accounting system default start-stop group tacacs+

 

Then, execute 'no aaa new-model'. Then, when you add another 'aaa new-model', the configuration will be empty.

View solution in original post

2 Replies 2

balaji.bandi
Hall of Fame
Hall of Fame

short answer no - but removing aaa  new-model is removing aaa config, other config will not have any effect since you removed global config. - is this make sense ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

 

you need to manually remove the commands first, I don't think there is one command to clear all lines from a previous aaa new-model.

 

So first, negate the existing commands:

 

no aaa authentication login default group tacacs+ local
no aaa authentication enable default group tacacs+ enable
no aaa authorization exec default group tacacs+ local
no aaa authorization commands 1 default group tacacs+ if-authenticated
no aaa authorization commands 15 default group tacacs+ if-authenticated
no aaa authorization network default group tacacs+ local
no aaa accounting exec default start-stop group tacacs+
no aaa accounting commands 1 default start-stop group tacacs+
no aaa accounting commands 15 default start-stop group tacacs+
no aaa accounting network default start-stop group tacacs+
no aaa accounting system default start-stop group tacacs+

 

Then, execute 'no aaa new-model'. Then, when you add another 'aaa new-model', the configuration will be empty.

Review Cisco Networking for a $25 gift card