Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1018
Views
20
Helpful
3
Replies

Removing AAA from a 9500 switch

Go to solution
chad.parish
Level 1
Level 1

‎08-06-2022 12:16 PM

I have a 9500 switch with just AAA new model configured, nothing else. 

I want to remove it so that I can then configure login local under the VTY lines.  Can this be done and does it require a reboot?  Or is it easier to just globally configure the below commands  (Note username and password are configured globally with privelge 15)

aaa authentication login default local
aaa authorization exec default local

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tim Glen
Cisco Employee
Cisco Employee
In response to chad.parish

‎08-06-2022 12:44 PM

Hey Chad,

> Would it kick me out before I could configure login local under the VTY lines?

No , you won't get booted off the switch. 

 

> no aaa new-model

It's been a while but I **believe** you will get an prompt stating that isn't supported. If you choose to go past that prompt 'unexpected results may occur'.   

Hope this helps.

 

View solution in original post

3 Replies 3

Go to solution
Tim Glen
Cisco Employee
Cisco Employee

‎08-06-2022 12:20 PM - edited ‎08-06-2022 12:21 PM

Instead of using default I prefer using method lists to tie things together. Here is a AAA config that will accomplish your goals.

 



!
aaa new-model
!
aaa authentication login CON-LOCAL local
aaa authorization exec CON-LOCAL local
aaa authorization console
!
!
line con 0
login authentication CON-LOCAL
authorization exec CON-LOCAL
!
line vty 0 15
login authentication CON-LOCAL
authorization exec CON-LOCAL
!
end
!

Go to solution
chad.parish
Level 1
Level 1

‎08-06-2022 12:35 PM - edited ‎08-06-2022 12:36 PM

I like that, thank you, however out of curiosity what happens if I just put in no aaa new-model, since the only AAA config present is aaa new-model.

Would it kick me out before I could configure login local under the VTY lines?  And can I even config login-local or is it just login after configuring no aaa new-model?

0 Helpful

Go to solution
Tim Glen
Cisco Employee
Cisco Employee
In response to chad.parish

‎08-06-2022 12:44 PM

Hey Chad,

> Would it kick me out before I could configure login local under the VTY lines?

No , you won't get booted off the switch. 

 

> no aaa new-model

It's been a while but I **believe** you will get an prompt stating that isn't supported. If you choose to go past that prompt 'unexpected results may occur'.   

Hope this helps.

 

Customers Also Viewed These Support Documents