03-27-2019 01:25 AM
Hello guys,
Very quick question. I've two remote 2960 stacks upon which I want to safely remove TACACS configuration, so future authentication is done against local usernames / passwords. My TACACS configuration is as displayed below...
Switch(config)#aaa new-model
Switch(config)#tacacs server TACACSSERVER1
Switch(config-server-tacacs)#address ipv4 10.X.X.15
Switch(config-server-tacacs)#key TACACSKEY
Switch(config-server-tacacs)#ex
Switch(config)#tacacs server TACACSSERVER2
Switch(config-server-tacacs)#address ipv4 10.X.X.15
Switch(config-server-tacacs)#key TACACSKEY
Switch(config-server-tacacs)#ex
Switch(config)#aaa authentication login default group tacacs+ local
Switch(config)#aaa authorization commands 15 default group tacacs+ if-authenticated
Switch(config)#aaa accounting exec default start-stop group tacacs+
Switch(config)#aaa accounting network default start-stop group tacacs+
Switch(config)#aaa accounting connection default start-stop group tacacs+
Switch(config)#aaa accounting system default start-stop group tacacs+
Would I be correct in saying that a safe way in which to remotely remove this configuration would be as follows...
Switch(config)#no aaa authentication login default group tacacs+ local
Switch(config)#no aaa authorization commands 15 default group tacacs+ if-authenticated
Switch(config)#no aaa accounting exec default start-stop group tacacs+
Switch(config)#no aaa accounting network default start-stop group tacacs+
Switch(config)#no aaa accounting connection default start-stop group tacacs+
Switch(config)#no aaa accounting system default start-stop group tacacs+
Switch(config)#tacacs server TACACSSERVER1
Switch(config-server-tacacs)#no address ipv4 10.X.X.15
Switch(config-server-tacacs)#no key TACACSKEY
Switch(config)#no tacacs server TACACSSERVER1
Switch(config)#tacacs server TACACSSERVER2
Switch(config-server-tacacs)#no address ipv4 10.X.X.16
Switch(config-server-tacacs)#no key TACACSKEY
Switch(config)#no tacacs server TACACSSERVER2
Apologies, my lab environment does not include a TACACS server otherwise I would have played this out in my lab.
Thank you in advance for anyone who takes the time to read this post.
03-27-2019 04:23 AM - edited 03-27-2019 04:24 AM
Hi
yes or below should do it too
no aaa new-model
no tacacs server xxxxxxnamexxxxx
03-27-2019 10:37 AM
I agree with @Mark Malone that no aaa new-model is the quick (and comprehensive) way to eliminate most of your tacacs configuration. But leaving it that way might, or might not, leave the device using local usernames and passwords for authentication (it would very much depend on how con0 and vty are configured, i.e. whether they specify login local or something else). The easy way to assure authentication on those devices would be, after you complete removing all traces of tacacs, to configure aaa new-model. In this mode the default is to authenticate using local username and password.
HTH
Rick
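As an added illustration of Rick's caveat (this is not code from the thread, from Cisco, or from either reply): a small Python check that parses a running-config excerpt, lists the aaa/tacacs statements to negate before the server definitions, and flags con/vty lines that carry no `login local` and so would not fall back to local accounts once `no aaa new-model` is applied. The config text is constructed; the server names and key placeholder only mirror the question.

```python
import re

# Constructed running-config excerpt (not a real device); names mirror the question.
SAMPLE_CONFIG = """\
aaa new-model
tacacs server TACACSSERVER1
 address ipv4 10.X.X.15
 key TACACSKEY
aaa authentication login default group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
line con 0
 login authentication default
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 transport input ssh
"""

def parse_sections(config):
    """Return the top-level statements and a dict of section -> indented sub-lines."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            sections[current] = []
            top.append(current)
    return top, sections

def tacacs_removal_commands(config):
    """Negate the aaa method lists first, then the server definitions they reference.
    'aaa new-model' is deliberately left in place, as Rick's reply suggests."""
    top, _ = parse_sections(config)
    cmds = ["no " + l for l in top if l.startswith("aaa ") and l != "aaa new-model"]
    cmds += ["no " + l for l in top if re.match(r"tacacs server \S+$", l)]
    return cmds

def lines_without_local_login(config):
    """con/vty sections that lack 'login local': with aaa new-model removed they
    would rely on a line password (or nothing) instead of the local user database."""
    _, sections = parse_sections(config)
    return [name for name, body in sections.items()
            if name.startswith("line ") and "login local" not in body]

if __name__ == "__main__":
    print("\n".join(tacacs_removal_commands(SAMPLE_CONFIG)))
    print("check before 'no aaa new-model':", lines_without_local_login(SAMPLE_CONFIG))
```

Run it against the output of `show running-config` from the stack before touching the aaa lines; any line section it reports is one to fix first so the remote session does not lose its login path.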