
removing tacacs from a remote CatOS switch

rkazala
Level 1

Hi there,

I'm attempting to strip tac from a remote 2848G switch. I removed some config from another switch and effectively locked myself out. I'm assuming there's an order of removing the config that has to be followed. Here's what I have:

set tacacs server xxxx primary

set tacacs key xxxx

set authentication login tacacs enable telnet primary

set authentication enable tacacs enable telnet primary

set accounting exec enable start-stop tacacs+

set accounting connect enable start-stop tacacs+

set accounting system enable start-stop tacacs+

set accounting commands enable all stop-only tacacs+

set authorization exec enable tacacs+ if-authenticated telnet

set authorization commands enable all tacacs+ if-authenticated telnet

So what sets would I disable to remove tac authentication without locking myself out of the switch?

Thanks.

3 Replies

Richard Burts
Hall of Fame

Richard

I have not faced this particular situation so I cannot address your question from experience. But I believe the logic indicates that you should first remove the line:

set authorization commands enable all tacacs+ if-authenticated telnet

since it is authorizing all of your commands. I would suggest using the command:

set authorization commands disable

to turn it off. I would probably then use the command:

set authorization exec disable

to turn off authorization for exec creation. I would then probably use the

set accounting disable

to turn off the accounting that you are doing.

I would probably use set authentication enable tacacs disable and set authentication login tacacs disable to turn off authentication.

You could then use clear tacacs key and clear tacacs server commands to remove the server.

I believe this order of commands ought to be safe.

HTH

Rick

Thanks! This was perfect!

Pavel Bykov
Level 5
Level 5

When I need to do something like that, I configure the router using the "configure network" command, when commands are downloaded from TFTP and then executed. I imagine CatOS will have something like that, since there is a "configure network" command in CatOS.

Also don't forget that VTY will not let you in without configured passwords. You should have all passwords configured before removing tacacs.
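
The removal order discussed in the replies above, as an added example that is not part of the original thread: it maps the configuration posted in the question to the disable and clear commands quoted in the replies, in that order, and lists any TACACS-related line the plan does not cover. The commands are copied from the thread and not verified on a device; `removal_plan`, `ORDER` and the `local_passwords_confirmed` flag are hypothetical names.

```python
# Constructed sample: the configuration posted in the question (server/key redacted there).
SAMPLE_CONFIG = """\
set tacacs server xxxx primary
set tacacs key xxxx
set authentication login tacacs enable telnet primary
set authentication enable tacacs enable telnet primary
set accounting exec enable start-stop tacacs+
set accounting connect enable start-stop tacacs+
set accounting system enable start-stop tacacs+
set accounting commands enable all stop-only tacacs+
set authorization exec enable tacacs+ if-authenticated telnet
set authorization commands enable all tacacs+ if-authenticated telnet
"""

# (config-line prefix, removal command), in the order given in the reply above.
# Removal commands are copied from the thread, not verified on a device.
ORDER = [
    ("set authorization commands", "set authorization commands disable"),
    ("set authorization exec", "set authorization exec disable"),
    ("set accounting", "set accounting disable"),
    ("set authentication enable tacacs", "set authentication enable tacacs disable"),
    ("set authentication login tacacs", "set authentication login tacacs disable"),
    ("set tacacs key", "clear tacacs key"),
    ("set tacacs server", "clear tacacs server"),
]

def removal_plan(config, local_passwords_confirmed):
    """Return (commands, unmatched) for the TACACS lines found in config."""
    if not local_passwords_confirmed:
        # Caveat from the last reply: local passwords must be configured first.
        raise ValueError("confirm local login/enable passwords before removing TACACS")
    lines = [" ".join(l.split()) for l in config.splitlines() if l.strip()]
    tac_lines = [l for l in lines if "tacacs" in l.lower()]
    commands, covered = [], set()
    for prefix, removal in ORDER:
        hits = [l for l in tac_lines if l.startswith(prefix + " ")]
        if hits:
            commands.append(removal)  # one command per feature, even for several lines
            covered.update(hits)
    unmatched = [l for l in tac_lines if l not in covered]  # needs manual review
    return commands, unmatched

if __name__ == "__main__":
    plan, leftover = removal_plan(SAMPLE_CONFIG, local_passwords_confirmed=True)
    print("\n".join(plan))
    print("unmatched:", leftover)
```

A non-empty `unmatched` list means the switch carries a TACACS setting that the replies did not address, so the plan should be reviewed before it is pushed to a remote device.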
