  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5213

Remove TACACS from Cisco 3560 switch

I have a few switches that are/have been hooked up to a consulting firm's TACACS server. I would like to know which lines I need to remove and how I would change them so they no longer look for the TACACS authentication.

Some of them can't get to the TACACS server anyway and it takes longer to log in since it is looking for it.

I'm a novice with Cisco so please be as detailed as you like. :-)

Thank you!
switch#show running-config
Building configuration...
Current configuration : 5613 bytes
!
! Last configuration change at 14:39:55 cst Tue Feb 10 2009 by 
! NVRAM config last updated at 14:34:22 cst Tue Feb 10 2009 by 
!
version 12.2
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 
!
enable secret 5
enable password 7
!
username X privilege 15 secret 5 
username X privilege 15 secret 5 
username X privilege 15 secret 5 
username X privilege 15 secret 5 
aaa new-model
aaa authentication login default enable
aaa authentication login vty-in group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
aaa session-id common
clock timezone cst -6
clock summer-time CDT recurring
system mtu routing 1500
ip subnet-zero
ip domain-name 
!
!
!
crypto pki trustpoint TP-self-signed-
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-
 revocation-check none
 rsakeypair TP-self-signed-
!
!
crypto pki certificate chain TP-self-signed-
 certificate self-signed 
  quit
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Vlan101
 description inside
 ip address nnn.nnn.nnn.nnn nnn.nnn.nnn.nnn
 no ip route-cache
 no ip mroute-cache
!
ip default-gateway nnn.nnn.nnn.nnn
ip classless
ip http server
ip http authentication local
ip http secure-server
!
Logging nnn.nnn.nnn.nnn
access-list 4 permit nnn.nnn.nnn.nnn
access-list 4 deny   any log
snmp-server community X RO 4
snmp-server community X RW 4
snmp-server community X RO
snmp-server location 
snmp-server contact 
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps syslog
tacacs-server host nnn.nnn.nnn.nnn timeout 5
tacacs-server directed-request
tacacs-server key 7 
radius-server source-ports 
!
control-plane
!
!
line con 0
line vty 0 4
 exec-timeout 20 0
 password 7 
 login authentication vty-in
 length 0
line vty 5 15
 exec-timeout 20 0
 password 7 
 login authentication vty-in
!
ntp clock-period 36028994
ntp server nnn.nnn.nnn.nnn key 0 prefer
end
 
switch#

Asked by SteeleCo
QuoriCommented:
Do the following

no aaa new-model
no aaa authentication login default enable
no aaa authentication login vty-in group tacacs+ local
no aaa authentication enable default group tacacs+ enable
!
line vty 0 4
 exec-timeout 20 0
 password 7
 no login authentication vty-in
 login local
 length 0
line vty 5 15
 exec-timeout 20 0
 password 7
 no login authentication vty-in
 login local
!

If you want to be cautious, before you start making changes, issue "reload in 15" after "enable" which will cause the router to reload in 15 minutes, thus reverting back to the startup-config if everything goes pear-shaped. If all goes well, just "reload cancel" in privileged exec mode to stop it.
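The answer above works out the removal commands by reading the config by eye. The script below is an added example (not from the thread or from Cisco) that does the same audit mechanically: it finds the AAA method lists that consult TACACS+, the `tacacs-server` lines, and the vty blocks bound to those lists, drafts the corresponding `no ...` commands with `login local` substituted, and warns if no privilege-15 local user exists, since removing AAA without one would lock you out. The config fragment is constructed, with a documentation-range address and placeholder secrets.

```python
"""Audit a Cisco IOS running-config for TACACS+ dependencies and draft the
'no ...' commands that remove them, mirroring the manual steps in the answer."""
import re

# Constructed sample (hypothetical, redacted): the AAA/TACACS fragment of the
# poster's config, with a documentation-range address and placeholder secrets.
SAMPLE_CONFIG = """\
username admin privilege 15 secret 5 <hash>
aaa new-model
aaa authentication login default enable
aaa authentication login vty-in group tacacs+ local
aaa authentication enable default group tacacs+ enable
tacacs-server host 192.0.2.10 timeout 5
tacacs-server directed-request
tacacs-server key 7 <key>
line con 0
line vty 0 4
 exec-timeout 20 0
 login authentication vty-in
line vty 5 15
 login authentication vty-in
"""

def plan_tacacs_removal(config: str) -> dict:
    """Return {'commands': [...], 'warnings': [...]} for the given running-config."""
    lines = config.splitlines()
    # Method lists that consult TACACS+; the vty blocks refer to these by name.
    tacacs_lists = set()
    for line in lines:
        m = re.match(r"aaa authentication login (\S+) .*\btacacs\+", line)
        if m:
            tacacs_lists.add(m.group(1))
    # 'no aaa new-model' alone drops the AAA block; listing each line is explicit.
    commands = ["no " + line for line in lines
                if line.startswith(("aaa ", "tacacs-server "))]
    section = None  # current 'line ...' block while walking the config
    for line in lines:
        if line.startswith("line "):
            section = line
            continue
        m = re.match(r"\s+login authentication (\S+)$", line)
        if section and m and m.group(1) in tacacs_lists:
            # Replace the TACACS+ method list with the local user database.
            commands += [section, f" no login authentication {m.group(1)}", " login local"]
    warnings = []
    if not any(re.match(r"username \S+ privilege 15", l) for l in lines):
        warnings.append("no privilege-15 local user: 'login local' would lock you out")
    return {"commands": commands, "warnings": warnings}

if __name__ == "__main__":
    plan = plan_tacacs_removal(SAMPLE_CONFIG)
    print("\n".join(plan["commands"]))
    print("\n".join("WARNING: " + w for w in plan["warnings"]))
```

Review the drafted commands before pasting them; the lockout warning is the one check the thread's answer relies on you having done by hand.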
 
SteeleCoAuthor Commented:
Great! Thanks for the quick reply.

I also removed the TACACS entries. Here is what I have for a code now. I am able to get back in (a lot quicker now) and everything appears to be working.

Anything in the code below that looks wrong?

Again, thanks for the quick response!


 
Switch#show running-config
Building configuration...
Current configuration : 5262 bytes
!
! Last configuration change at 16:12:17 cst Tue Feb 17 2009 by 
! NVRAM config last updated at 16:04:46 cst Tue Feb 17 2009 by 
!
version 12.2
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname switch
!
enable secret 5
enable password 7 
!
username N privilege 15 secret 5 
username N privilege 15 secret 5 
username N privilege 15 secret 5 
username N privilege 15 secret 5 
no aaa new-model
clock timezone cst -6
clock summer-time CDT recurring
system mtu routing 1500
ip subnet-zero
ip domain-name 
!
!
!
crypto pki trustpoint TP-self-signed-
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-
 revocation-check none
 rsakeypair TP-self-signed-
!
!
crypto pki certificate chain TP-self-signed-
 certificate self-signed 
  quit
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
!
interface Vlan1
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Vlan101
 description inside
 ip address nnn.nnn.nnn.nnn nnn.nnn.nnn.nnn
 no ip route-cache
 no ip mroute-cache
!
ip default-gateway nnn.nnn.nnn.nnn
ip classless
ip http server
ip http authentication local
ip http secure-server
!
logging nnn.nnn.nnn.nnn
access-list 4 permit nnn.nnn.nnn.nnn
access-list 4 deny   any log
snmp-server community RO 4
snmp-server community RW 4
snmp-server community RO
snmp-server location 
snmp-server contact 
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps syslog
!
control-plane
!
!
line con 0
line vty 0 4
 exec-timeout 20 0
 password 7 
 login local
 length 0
line vty 5 15
 exec-timeout 20 0
 password 7 
 login local
!
ntp clock-period 36029243
ntp server nnn.nnn.nnn.nnn key 0 prefer
end
 
Switch#

 
QuoriCommented:
Looks fine. I usually put some sort of login on the console line, but that's subjective.
 
SteeleCoAuthor Commented:
Great Job! Thanks.
 
SteeleCoAuthor Commented:
Thanks for your help.

I'm going to show how green I am but you never know unless you ask.

What do you mean by "put some sort of login on the console line"?

Thanks again.
 
QuoriCommented:
line con 0
  login local
!

Adds login to console connections like your telnet connections.
 
SteeleCoAuthor Commented:
Gotcha! Thanks again.