thigserveradmin
How can I remove AAA commands from an HP Procurve 3448cl switch?

I'm trying to remove misconfigured aaa commands from an HP Procurve and I've found that simply placing a "no" in front of them does not work.  Example:

aaa authentication telnet login tacacs local
aaa authentication ssh login tacacs local

to remove, one would think you would do:

no aaa authentication telnet login tacacs local
no aaa authentication ssh login tacacs local

That does not work. I've effectively locked myself out of the switch via ssh but I think I still have console access.  Any ideas?
uanmi

If you find that you cannot get in to make further changes then use a factory reset and start again. Hopefully you will have a backup of the config.

If you delete commands you need to commit to memory and possibly restart in your situation.

"exit" - config mode

"wr mem"

Let me know if this works
regards, Mark
thigserveradmin

ASKER

I do have backups of my configs, but this switch is a production switch so I would like to fix this the right way.  I'm aware of password recovery techniques and resets.  What I really need is a way to remove the aaa commands.
Hi,

what I'm suggesting is that you're not exiting and saving to memory, so the switch is still running with the old commands.

You may not have to do a reset, just save the changes to the running config.

I recommend you enter the cli and then save the config, remove the access commands and then save the config again. Save to memory and to file.

Also, try to remove the commands and set the telnet and ssh password. What I mean is that you're trying to set the authentication, so set it back to a static password.

Do you have any other lines of code causing issues? Look at your original config and see if you need to remove other lines of code to move back to a default state for ssh and telnet.

Also try to reset one of these - either telnet or ssh to the default by turning access off to it. This I would do as a last resort. If you have access with telnet, then try turning ssh off, save to memory, then reload. Then set ssh on with a local static password, save to memory and reload. Keep working on one whilst maintaining access on the other.

regards, Mark
I'll try disabling access via telnet or ssh.  I cannot reload the switch easily, all of our telephony gear is connected to it (CLANs, PBX, Message server, etc..)
Hello,

I think since you ran the commands: aaa authentication telnet login tacacs local   instead of aaa authentication telnet enable tacacs local, you are probably not in admin/manager mode and only in operator mode, which explains why you are unable to remove said commands.

Try going to the console then doing the "no aaa authen...." commands.

good luck,
-RK
@RKinsp - I can only work in the console.  Everything I've tried has been via the console.
@uanmi - I tried disabling ssh and telnet to see if it would then allow the "no" command to be used against the aaa configuration, and it does not.  Any other ideas?  There has to be a way to remove these commands other than resetting the switch....
can you please post the config lines here for all the aaa if they do not contain passwords.

aaa authentication telnet login tacacs local
aaa authentication ssh login tacacs local

I also think you may not be in administrator mode and therefore unable to remove commands. Do you have complete control of the switch with your login to the switch?

Are you entering the config mode using enable?

remember to only operate on ssh or telnet at one time, not both or you may not be able to login and this would be a problem that would require the switch to be reset.

Try entering the edit config mode and enter

aaa authentication telnet enable tacacs local

look at the config and then enter

no aaa authentication telnet enable tacacs local

see if there is a change to your config now.

when you make changes to the switch do you do

exit
wr mem

Describe the steps you're taking.

regards, Mark


Here is a text capture of what I am doing if it will help. Also, there is a show run attached in txt format.

NFLGNVSWV04# conf t
NFLGNVSWV04(config)# no aaa authentication telnet enable radius local
Invalid input: telnet
NFLGNVSWV04(config)#
NFLGNVSWV04(config)# .
NFLGNVSWV04(config)# aa authentication telnet enable tacacs local
NFLGNVSWV04(config)# no aaa authentication teln
Invalid input: teln
NFLGNVSWV04(config)# exit                      
NFLGNVSWV04#
NFLGNVSWV04# wr mem
NFLGNVSWV04#
NFLGNVSWV04# conf t
NFLGNVSWV04(config)# no aaa authentication tel
Invalid input: tel
NFLGNVSWV04(config)# no aaa authentication    
 login                 Specify that switch respects the authentication server's
                       privilege level.
show.run.txt
Hi

on this line you have aa and it should be aaa

aa authentication telnet enable tacacs local

should be

aaa authentication telnet enable tacacs local

then

no aaa authentication telnet enable tacacs local

should work

can you show me the config for all aaa lines in the running config please

regards
mark

That was simply a typo... it also auto completes and has nothing to do with the issue.  The config was uploaded yesterday in my previous post.  I'll reiterate my previous point:  Placing a "no" in front of the aaa commands has 0 effect.  This is not my first rodeo.

Does anybody else out there have any suggestions?
Hi, I have looked at the manual again. I have looked at your config and noticed a mistake immediately.

The issue you have is that your commands are mixed
aaa authentication telnet login tacacs local
aaa authentication telnet enable radius local

The first command is for tacacs and the second for radius
try
aaa authentication telnet enable tacacs local
no aaa authentication telnet enable tacacs local
no aaa authentication telnet login tacacs local

after the first command you could check to see if the command
aaa authentication telnet enable tacacs local
is in the config correctly.

The lines for ssh are not mixed

aaa authentication ssh login tacacs local

aaa authentication ssh enable tacacs local

so you should be able to remove both by doing:
no aaa authentication ssh enable tacacs local
no aaa authentication ssh login tacacs local



 and the order of commands listed is as follows:
Telnet Login (Operator or Read-Only) Access: Primary using TACACS+ server.
Secondary using Local.
ProCurve (config)# aaa authentication Telnet login tacacs local
Telnet Enable (Manager or Read/Write Access: Primary using TACACS+ server.
Secondary using Local.
ProCurve (config)# aaa authentication telnet enable tacacs local
Deny Access and Close the Session After Failure of Two Consecutive Username/Password Pairs:
ProCurve (config)# aaa authentication num-attempts 2

To remove these commands, I would suggest doing this in reverse order with no in front

Sorry, I guess I'm not making myself clear... PLACING A NO IN FRONT  OF THE AAA COMMANDS DOES NOT WORK.  PLEASE SEE THE OUTPUT BELOW.  

Anybody else?

3400# conf t
3400(config)# no aaa authentication ssh login tacacs local
Invalid input: ssh
3400(config)# no aaa authentication ssh enable tacacs local
Invalid input: ssh
3400(config)# aaa authentication telnet enable tacacs local
3400(config)# no aaa authentication telnet enable tacacs local
Invalid input: telnet
3400(config)# no aaa authentication telnet login tacacs local
Invalid input: telnet
3400(config)#
3400(config)#
ASKER CERTIFIED SOLUTION
uanmi

also, the manual includes a line like this - possibly this will clear up the issue
no aaa authentication login local local

regards, Mark
Thanks, I was just trying to get across to you that putting a "no" in front of any of the aaa commands does not work.  I had mentioned it several times before.  Your last solution put me on track and got me close though.

aaa authentication telnet enable tacacs none
aaa authentication telnet enable ssh none

This sets the aaa enable commands back to default.  Thanks for your help.
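The thread shows that on this ProCurve the "no aaa authentication ..." form is rejected and the fix is to re-issue each aaa authentication line with a different method. The script below is an added example, not code from the thread or from HP: it parses the aaa authentication lines out of a "show run" capture, flags any access method whose primary is tacacs or radius with no "local" fallback (the lockout risk the thread is about), and prints replacement lines that set each such method to local-only. The "local"-only form of the command, and the access-method names other than telnet and ssh, are assumptions; the sample config is constructed to resemble the output quoted in the thread.

```python
"""Audit 'aaa authentication' lines from a ProCurve 'show run' capture.

Added example, not code from the thread. Assumes the syntax seen on the page:
    aaa authentication <access> <login|enable> <primary> [secondary]
where <access> is telnet or ssh (console/web are assumed to follow the same form).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the config lines quoted in the thread.
SAMPLE_CONFIG = """\
hostname "NFLGNVSWV04"
aaa authentication telnet login tacacs local
aaa authentication telnet enable radius local
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs
aaa authentication num-attempts 2
"""

# Only login/enable lines carry a method list; num-attempts etc. are skipped.
AAA_RE = re.compile(
    r"^\s*aaa authentication (\S+) (login|enable) (\S+)(?: (\S+))?\s*$"
)
REMOTE_METHODS = {"tacacs", "radius"}


@dataclass
class AaaEntry:
    access: str            # telnet, ssh, ...
    level: str             # login (operator) or enable (manager)
    primary: str           # tacacs, radius, local, none
    secondary: Optional[str]


def parse_aaa(config: str) -> List[AaaEntry]:
    """Return one AaaEntry per 'aaa authentication <access> <level> ...' line."""
    entries = []
    for line in config.splitlines():
        m = AAA_RE.match(line)
        if m:
            access, level, primary, secondary = m.groups()
            entries.append(AaaEntry(access, level, primary, secondary))
    return entries


def lockout_risks(entries: List[AaaEntry]) -> List[str]:
    """Flag methods that depend on a remote server with no 'local' fallback.

    If the TACACS+/RADIUS server is unreachable and there is no local
    secondary, that access path is lost until the config is changed via console.
    """
    risks = []
    for e in entries:
        if e.primary in REMOTE_METHODS and e.secondary != "local":
            risks.append(
                f"{e.access} {e.level}: primary {e.primary} without 'local' fallback"
            )
    return risks


def restore_commands(entries: List[AaaEntry]) -> List[str]:
    """Build config lines that move each remote-authenticated method to local-only.

    The thread shows 'no aaa authentication ...' is rejected, so each line is
    re-issued with a new method list instead. The local-only form is an
    assumption; check it against the switch's own '?' help before pasting.
    """
    return [
        f"aaa authentication {e.access} {e.level} local"
        for e in entries
        if e.primary in REMOTE_METHODS
    ]


if __name__ == "__main__":
    parsed = parse_aaa(SAMPLE_CONFIG)
    for risk in lockout_risks(parsed):
        print("RISK:", risk)
    print("Suggested replacement lines (paste in 'conf t', then 'wr mem'):")
    for cmd in restore_commands(parsed):
        print("  " + cmd)
```

Run it against a saved "show run" capture (paste the file contents in place of SAMPLE_CONFIG); the "RISK" lines point at the access paths that would be lost if the authentication server went away, and the replacement list follows the thread's advice of changing one of telnet or ssh at a time while keeping console access.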
and it would follow that the other one may be

no aaa authentication enable local local

possibly leave the last local off the end.

regards, Mark
lol, you cannot put a no in front of the aaa commands.  No matter what you try.  I don't know how I can make that any clearer.
hi, ok, I'm pleased that I helped, though it took a while.
regards, Mark