Cisco Support Community
New Member

removing tacacs from a remote CatOS switch

Hi there,

I'm attempting to strip tac from a remote 2848G switch. I removed some config from another switch and effectively locked myself out. I'm assuming there's an order of removing the config that has to be followed. Here's what I have:

set tacacs server xxxx primary

set tacacs key xxxx

set authentication login tacacs enable telnet primary

set authentication enable tacacs enable telnet primary

set accounting exec enable start-stop tacacs+

set accounting connect enable start-stop tacacs+

set accounting system enable start-stop tacacs+

set accounting commands enable all stop-only tacacs+

set authorization exec enable tacacs+ if-authenticated telnet

set authorization commands enable all tacacs+ if-authenticated telnet

So what sets would I disable to remove tac authentication without locking myself out of the switch?

Thanks.

3 REPLIES
Hall of Fame Super Silver

Re: removing tacacs from a remote CatOS switch

Richard

I have not faced this particular situation so I cannot address your question from experience. But I believe the logic indicates that you should first remove the line:

set authorization commands enable all tacacs+ if-authenticated telnet

since it is authorizing all of your commands. I would suggest using the command:

set authorization commands disable

to turn it off. I would probably then use the command:

set authorization exec disable

to turn off authorization for exec creation. I would then probably use the

set accounting disable

to turn off the accounting that you are doing.

I would probably use

set authentication enable tacacs disable

and

set authentication login tacacs disable

to turn off authentication.

You could then use clear tacacs key and clear tacacs server commands to remove the server.

I believe this order of commands ought to be safe.

HTH

Rick

New Member

Re: removing tacacs from a remote CatOS switch

Thanks! This was perfect!

Silver

Re: removing tacacs from a remote CatOS switch

When I need to do something like that, I configure the router using the "configure network" command, where commands are downloaded from TFTP and then executed. I imagine CatOS will have something like that, since there is a "configure network" command in CatOS.

Also don't forget that VTY will not let you in without configured passwords. You should have all passwords configured before removing tacacs.
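A lockout-order check for a removal script, following the order suggested in the first reply above (authorization, then accounting, then authentication, server last); this is an added example, not code from the thread. `parse`, `check_plan` and the sample plans are hypothetical names, the command forms are copied as written in the posts rather than from a CatOS command reference, and local passwords are not checked.

```python
# Removal order from the reply: authorization, accounting, authentication, server last.
RANK = {"authorization": 0, "accounting": 1, "authentication": 2}

def parse(line):
    """Return (feature, sub, enabled) for a 'set <feature> ...' line, else None."""
    t = line.split()
    if len(t) < 3 or t[0] != "set" or t[1] not in RANK:
        return None
    feature, rest = t[1], t[2:]
    if feature == "authentication" and "tacacs" not in rest:
        return None                      # other login methods are out of scope
    if rest[0] == "disable":             # e.g. "set accounting disable"
        return feature, "*", False
    state = next((w for w in rest[1:] if w in ("enable", "disable")), None)
    return (feature, rest[0], state == "enable") if state else None

def check_plan(running_config, plan):
    """Replay plan over the config; return [(line_no, command, features_still_on)]."""
    enabled = {p[:2] for p in map(parse, running_config.splitlines()) if p and p[2]}
    problems = []
    for n, line in enumerate(plan.splitlines(), 1):
        line, p = line.strip(), parse(line)
        if p and not p[2]:               # a disable command (enables are ignored)
            feature, sub, _ = p
            early = sorted({f for f, _ in enabled if RANK[f] < RANK[feature]})
            if early:                    # something ranked earlier is still on
                problems.append((n, line, early))
            enabled = {(f, s) for f, s in enabled if f != feature or sub not in ("*", s)}
        elif line.startswith("clear tacacs") and enabled:
            problems.append((n, line, sorted({f for f, _ in enabled})))
    return problems

# Feature lines from the question's configuration.
RUNNING = """set authentication login tacacs enable telnet primary
set authentication enable tacacs enable telnet primary
set accounting exec enable start-stop tacacs+
set accounting connect enable start-stop tacacs+
set accounting system enable start-stop tacacs+
set accounting commands enable all stop-only tacacs+
set authorization exec enable tacacs+ if-authenticated telnet
set authorization commands enable all tacacs+ if-authenticated telnet"""
# Removal commands in the order, and the form, given in the reply.
GOOD = "\n".join([
    "set authorization commands disable", "set authorization exec disable",
    "set accounting disable", "set authentication enable tacacs disable",
    "set authentication login tacacs disable", "clear tacacs key", "clear tacacs server"])
# Constructed counter-example: authentication and server removed too early.
BAD = "set authentication login tacacs disable\nclear tacacs server"
print(check_plan(RUNNING, GOOD), check_plan(RUNNING, BAD))
```

Running the check against the file that will be loaded with "configure network" catches a mis-ordered script before it is executed on the switch.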
