03-02-2006 01:42 PM - edited 03-03-2019 11:56 AM
Hi there,
I'm attempting to strip tac from a remote 2848G switch. I removed some config from another switch and effectively locked myself out. I'm assuming there's an order of removing the config that has to be followed. Here's what I have:
set tacacs server xxxx primary
set tacacs key xxxx
set authentication login tacacs enable telnet primary
set authentication enable tacacs enable telnet primary
set accounting exec enable start-stop tacacs+
set accounting connect enable start-stop tacacs+
set accounting system enable start-stop tacacs+
set accounting commands enable all stop-only tacacs+
set authorization exec enable tacacs+ if-authenticated telnet
set authorization commands enable all tacacs+ if-authenticated telnet
So what sets would I disable to remove tac authentication without locking myself out of the switch?
Thanks.
03-03-2006 07:50 AM
Richard
I have not faced this particular situation so I cannot address your question from experience. But I believe the logic indicates that you should first remove the line:
set authorization commands enable all tacacs+ if-authenticated telnet
since it is authorizing all of your commands. I would suggest using the command:
set authorization commands disable
to turn it off. I would probably then use the command:
set authorization exec disable
to turn off authorization for exec creation. I would then probably use the
set accounting
to turn off the accounting that you are doing.
I would probably use set authentication enable tacacs disable and set authentication login tacacs disable to turn off authentication.
You could then use clear tacacs key and clear tacacs server commands to remove the server.
I believe this order of commands ought to be safe.
HTH
Rick
03-08-2006 01:07 PM
Thanks! This was perfect!
03-04-2006 02:09 AM
When I need to do something like that, I configure the router using the "configure network" command, where commands are downloaded from TFTP and then executed. I imagine CATOS will have something like that, since there is a "Configure network" command in CATOS.
Also don't forget that VTY will not let you in without configured passwords. You should have all passwords configured before removing tacacs.
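The removal order suggested in the 03-03-2006 answer, together with the password caveat above, can be checked against a change plan before it is sent to a remote switch. This is an added example, not code from any poster in the thread; the stage names, `check_plan`, and both sample plans are constructed here, and commands are matched by prefix only because the thread does not give full syntax for every line.

```python
# Added example: order check for a TACACS+ removal plan (not from the thread).
# Stage order follows the 03-03-2006 answer; matching is by command prefix only.
STAGES = [
    ("authorization commands", "set authorization commands"),
    ("authorization exec", "set authorization exec"),
    ("accounting", "set accounting"),
    ("authentication", "set authentication"),
    ("tacacs key/server", "clear tacacs"),
]

# Constructed sample plans, using only command forms quoted in the thread.
GOOD_PLAN = [
    "set authorization commands disable",
    "set authorization exec disable",
    "set accounting",  # arguments are not given in the thread
    "set authentication enable tacacs disable",
    "set authentication login tacacs disable",
    "clear tacacs key",
    "clear tacacs server",
]
BAD_PLAN = ["clear tacacs server", "set authentication login tacacs disable"]


def stage_of(line):
    """Return the stage index for a command line, or None if unrelated."""
    text = " ".join(line.lower().split())
    for index, (_, prefix) in enumerate(STAGES):
        if text.startswith(prefix):
            return index
    return None


def check_plan(plan, local_passwords_set):
    """Return findings; an empty list means the plan follows the advised order."""
    findings = []
    if not local_passwords_set:
        findings.append("local passwords not confirmed before removing tacacs")
    seen, highest = set(), -1
    for number, line in enumerate(plan, start=1):
        stage = stage_of(line)
        if stage is None:
            continue
        seen.add(stage)
        if stage < highest:
            findings.append(f"line {number}: {STAGES[stage][0]} after {STAGES[highest][0]}")
        highest = max(highest, stage)
    findings += [f"no command for stage: {n}" for i, (n, _) in enumerate(STAGES) if i not in seen]
    return findings
```
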