
question about "no aaa new-model" while telnet/ssh session

enzo80
Level 1

I entered the command while labbing in EVE-NG:

#no aaa new-model
Changing configuration back to no aaa new-model is not supported.
Continue?[confirm]

 

It removed all commands from the switch, anything that contains aaa, even under the line vty. I thought it would not work, and issuing the command didn't disconnect me from the SSH session. My question is: does this happen with real equipment too? Or will I get kicked from the ssh/telnet session once I do the no aaa new-model command?

 

I tried it with and without if-authenticated, tacacs+ device ISE

 

 


balaji.bandi
Hall of Fame

Personally I do not believe no aaa new-model deletes the active session, but I am sure a new session will not be able to log in, and it will lock you out, if you do not have a fallback to login.

 

 

BB


I am a bit surprised about this message "Changing configuration back to no aaa new-model is not supported." I agree that this would be a drastic change, and probably not advised. But "not supported" is unexpected.

Apparently you did it and it worked.

And you seem surprised that it impacted the vty lines " it removed all commands from switch anything that contains aaa even under the line vty," Why would you not expect this? aaa new-model is the global enabler for aaa processing. If you remove the global enabler why would you expect any aaa commands to not be impacted?

You ask "my question is does this happen with real equipment too?" I would certainly expect that it would happen with real equipment.

We do not know any details of your configuration, especially whether there were any commands for legacy processing (such as login local or a password configured on the vty) that would support connections without using aaa.

HTH

Rick
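
The check the replies above point to, written as an added example (not part of the thread and not Cisco tooling): it reads a saved configuration and reports, for each `line vty` block, which commands depend on aaa and whether a legacy login method (`login local` with a local user, or a line `password`) is present. The sample configuration, the list names `VTY_AUTH` and `VTY_AUTHZ`, and the classification rules are assumptions made for illustration.

```python
import re

# Constructed sample config (not from the thread); names and secrets are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login VTY_AUTH group tacacs+ local
username labadmin privilege 15 secret 5 PLACEHOLDER
!
line con 0
line vty 0 4
 login authentication VTY_AUTH
 authorization exec VTY_AUTHZ
 transport input ssh
line vty 5 15
 password 7 PLACEHOLDER
 login authentication VTY_AUTH
 transport input ssh
"""

# Line-level commands that only exist while aaa new-model is enabled (assumed rule set).
AAA_LINE_CMD = re.compile(r"^(login authentication|authorization|accounting)\b")

def audit_vty(config: str) -> dict:
    """Map each 'line vty' block to its aaa-dependent commands and legacy fallback."""
    has_local_user = bool(re.search(r"^username \S+", config, re.M))
    report, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            # A new line block starts; track it only if it is a vty block.
            current = raw.strip() if raw.startswith("line vty") else None
            if current:
                report[current] = {"aaa_cmds": [], "fallback": []}
        elif current and raw.startswith(" "):
            cmd = raw.strip()
            if AAA_LINE_CMD.match(cmd):
                report[current]["aaa_cmds"].append(cmd)
            elif cmd == "login local" and has_local_user:
                report[current]["fallback"].append("login local")
            elif cmd.startswith("password "):
                report[current]["fallback"].append("line password")
        else:
            current = None  # left the line block (global command or '!')
    for entry in report.values():
        # At risk: the block relies on aaa and has no legacy method to fall back to.
        entry["lockout_risk"] = bool(entry["aaa_cmds"]) and not entry["fallback"]
    return report

if __name__ == "__main__":
    for name, entry in audit_vty(SAMPLE_CONFIG).items():
        print(name, entry)
```
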