
Remove All AAA Config From a Port


  • 1.  Remove All AAA Config From a Port

    Posted Oct 28, 2019 10:23 AM

    Dear all,

     

    What's the best practice to remove all AAA config from a profile?

    The NO command for the authentication (mac/authenticator works) pure functional works, but I can remove the following settings:

      aaa port-access authenticator tx-period 10
      aaa port-access authenticator supplicant-timeout 10
      aaa port-access authenticator client-limit 10
      aaa port-access mac-based addr-limit 10

    Thanks

     

     

     

     


    #2930F


  • 2.  RE: Remove All AAA Config From a Port
    Best Answer

    Posted Nov 06, 2019 12:06 PM

    For some of the commands on ArubaOS switches, you will need to configure them to the default value in order for them to disappear. The configuration will show only values that have changed from the default. Example for your case:

    sw01(config)# aaa port-access authenticator 5 tx-period 10
    sw01(config)# aaa port-access authenticator 5 supplicant-timeout 10
    sw01(config)# aaa port-access authenticator 5 client-limit 10
    sw01(config)# aaa port-access mac-based 5 addr-limit 10
    sw01(config)# show running-config interface 5
    
    Running configuration:
    
    interface 5
       untagged vlan 6
       aaa port-access authenticator tx-period 10
       aaa port-access authenticator supplicant-timeout 10
       aaa port-access authenticator client-limit 10
       aaa port-access mac-based addr-limit 10
       exit
    
    sw01(config)# aaa port-access authenticator 5 tx-period 30
    sw01(config)# aaa port-access authenticator 5 supplicant-timeout 30
    sw01(config)# no aaa port-access authenticator 5 client-limit
    sw01(config)# aaa port-access mac-based 5 addr-limit 1
    sw01(config)# show running-config interface 5
    
    Running configuration:
    
    interface 5
       untagged vlan 6
       exit

    You can look up the default in the Security Access Guide from the ArubaOS switch configuration.



  • 3.  RE: Remove All AAA Config From a Port

    Posted Nov 08, 2019 11:27 AM

    We partially scripted it and just use this as a template:

     

    no aaa port-access xxx mixed
    no aaa port-access mac-based xxx
    no aaa port-access authenticator xxx client-limit
    no aaa port-access authenticator xxx
    no port-security xxx
    no spanning-tree xxx root-guard bpdu-protection
    int xxx
    name "xxx"
    untagged vlan xx
    ip source-lockdown
    disable
    enable
    exit

     

    TBB



  • 4.  RE: Remove All AAA Config From a Port

    Posted Oct 12, 2021 07:59 AM
    Edited by G_lepers Oct 12, 2021 08:01 AM
    Hi,

    How can I remove this command : aaa port-access 5 controlled-direction in ?

    ------------------------------
    Glepers
    ------------------------------



  • 5.  RE: Remove All AAA Config From a Port

    Posted Oct 12, 2021 11:21 AM

    Hello,

    Since the default setting for controlled-direction is "both", you can remove this line from the running config by setting it to both. However you should keep in mind that this setting can only be changed if the port still has authentication enabled on it. If the authentication was already removed the change will fail with the error "Port is not configured with any Authentication."

    Here is an example:

     

    Aruba-Stack-3810M(config)# aaa port-access mac-based 1/1
    Aruba-Stack-3810M(config)# aaa port-access 1/1 controlled-direction in
    Aruba-Stack-3810M(config)# show run int 1/1

    Running configuration:

    interface 1/1
       untagged vlan 1
       aaa port-access mac-based
       aaa port-access controlled-direction in
       exit

    Aruba-Stack-3810M(config)#
    Aruba-Stack-3810M(config)# no aaa port-access mac-based 1/1
    Aruba-Stack-3810M(config)# aaa port-access 1/1 controlled-direction both
    Port 1/1 is not configured with any Authentication.

     

    You should first set the controlled direction to both and after that remove authentication from the port. Here I am re-enabling mac-based authentication on the port:

    Aruba-Stack-3810M(config)# aaa port-access mac-based 1/1

    And then I am able to set the controlled direction to the default setting of both and remove authentication.

    Aruba-Stack-3810M(config)# aaa port-access 1/1 controlled-direction both

    Aruba-Stack-3810M(config)# no aaa port-ac mac-based 1/1

    Now the command is accepted and the port has the default configuration.

    Aruba-Stack-3810M(config)# show run int 1/1

    Running configuration:

    interface 1/1
       untagged vlan 1
       exit



    ------------------------------
    Emil Gogushev
    ------------------------------



  • 6.  RE: Remove All AAA Config From a Port

    Posted Oct 12, 2021 11:37 AM
    Hi Emil_G,

    Thanks, it works.

    ------------------------------
    Glepers
    ------------------------------



  • 7.  RE: Remove All AAA Config From a Port

    Posted Mar 16, 2022 02:32 AM
    Tried to remove the following parameters without any success.

    aaa port-access authenticator quiet-period 0
    aaa port-access authenticator logoff-period 862400
    aaa port-access mac-based logoff-period 862400
    aaa port-access mac-based quiet-period 30

    The NO aaa port-access authenticator quiet-period/logoff-period interfacenumber doesn't work.
    Also tried to disable it in the config mode of the interface.

    Any ideas?


  • 8.  RE: Remove All AAA Config From a Port

    Posted Mar 16, 2022 02:49 AM
    Hello,

    Please set the quiet-period to 60 and logoff-period to 300 for both authenticator and mac-based. These are the default values and once they are set the lines should disappear from the config.

    ------------------------------
    Emil Gogushev
    ------------------------------



  • 9.  RE: Remove All AAA Config From a Port

    Posted Mar 16, 2022 04:15 AM
    That is it. Thanks a lot.


  • 10.  RE: Remove All AAA Config From a Port

    Posted Mar 16, 2022 03:05 AM
    Hello,

    Maybe I should give you more detailed instructions. These commands are not global but applied to an interface. You probably see them under an interface. Here are the commands to set the default values, assuming we have non-default values for mac-based on port 5.

    Aruba-2930F-8G-PoEP-2SFPP(config)# show run int 5

    Running configuration:

    interface 5
       untagged vlan 1
       aaa port-access mac-based logoff-period 8624000
       aaa port-access mac-based quiet-period 30
       exit

    Aruba-2930F-8G-PoEP-2SFPP(config)#
    Aruba-2930F-8G-PoEP-2SFPP(config)# aaa port-access mac-based 5 logoff-period 300
    Aruba-2930F-8G-PoEP-2SFPP(config)# aaa port-access mac-based 5 quiet-period 60
    Aruba-2930F-8G-PoEP-2SFPP(config)# show run int 5

    Running configuration:

    interface 5
       untagged vlan 1
       exit

    Aruba-2930F-8G-PoEP-2SFPP(config)#


    ------------------------------
    Emil Gogushev
    ------------------------------
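
An added example, not code from any poster in this thread: a small Python generator that turns one `show running-config interface` block into the reset sequence the replies above describe, using only the default values quoted in the thread and placing `controlled-direction both` before authentication is removed. The names `DEFAULTS`, `SAMPLE` and `reset_commands` are hypothetical, the sample block is constructed, and any parameter whose default the thread does not give is returned as unresolved rather than guessed.

```python
# Defaults quoted in this thread; None = the thread used the "no" form.
DEFAULTS = {
    "authenticator": {"tx-period": "30", "supplicant-timeout": "30",
                      "client-limit": None, "quiet-period": "60",
                      "logoff-period": "300"},
    "mac-based": {"addr-limit": "1", "quiet-period": "60", "logoff-period": "300"},
}
# Constructed sample of "show running-config interface 5" output.
SAMPLE = """interface 5
   untagged vlan 6
   aaa port-access authenticator tx-period 10
   aaa port-access authenticator client-limit 10
   aaa port-access mac-based logoff-period 862400
   aaa port-access authenticator reauth-period 3600
   aaa port-access controlled-direction in
   exit"""

def reset_commands(show_run):
    """Return (commands, unresolved_lines) for one interface block."""
    port, enabled, params, direction, unresolved = None, [], [], False, []
    for line in show_run.splitlines():
        tok = line.split()
        if tok[:1] == ["interface"] and len(tok) > 1:
            port = tok[1]
        elif tok[:2] == ["aaa", "port-access"]:
            rest = tok[2:]
            if rest[:1] == ["controlled-direction"]:
                direction = rest[-1] != "both"
            elif len(rest) == 1 and rest[0] in DEFAULTS:
                enabled.append(rest[0])  # authentication method enabled on the port
            elif len(rest) == 3 and rest[1] in DEFAULTS.get(rest[0], {}):
                params.append((rest[0], rest[1]))
            else:
                unresolved.append(line.strip())  # default not in the thread: do not guess
    if port is None:
        raise ValueError("no 'interface <port>' line found")
    cmds = []
    for method, param in params:
        default = DEFAULTS[method][param]
        prefix = "no " if default is None else ""
        value = "" if default is None else f" {default}"
        cmds.append(f"{prefix}aaa port-access {method} {port} {param}{value}")
    if direction:
        if not enabled:  # the switch rejects the change unless authentication is on
            enabled.append("mac-based")
            cmds.append(f"aaa port-access mac-based {port}")
        cmds.append(f"aaa port-access {port} controlled-direction both")
    # Authentication is disabled last, matching the working sequence in the thread.
    return cmds + [f"no aaa port-access {m} {port}" for m in enabled], unresolved
```

Review the generated list and look up each unresolved line's default in the switch documentation before pasting anything into the CLI.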



  • 11.  RE: Remove All AAA Config From a Port

    Posted Apr 17, 2023 11:56 AM

    herman,

    can AAA config at port level




  • 12.  RE: Remove All AAA Config From a Port

    Posted Jan 05, 2020 06:46 AM


  • 13.  RE: Remove All AAA Config From a Port

    Posted Dec 12, 2022 11:39 AM
    thank you for all your info. 

    I have a question: on an Aruba switch, can this config be configured as a range? I am trying to combine all this AAA into a port range, not every port. Help.

    aaa server-group radius "ClearPass" host 10.4.1.100
    aaa server-group radius "ClearPass" host 10.19.2.100
    aaa accounting update periodic 10
    aaa accounting commands stop-only tacacs
    aaa accounting exec start-stop tacacs
    aaa accounting network start-stop radius server-group "ClearPass"
    aaa accounting system stop-only tacacs
    aaa authorization commands tacacs
    aaa authorization user-role enable download
    aaa authentication login privilege-mode
    aaa authentication console login tacacs
    aaa authentication console enable tacacs
    aaa authentication telnet login tacacs
    aaa authentication telnet enable tacacs
    aaa authentication web login radius local
    aaa authentication web enable radius local
    aaa authentication ssh login tacacs
    aaa authentication ssh enable tacacs
    aaa authentication port-access eap-radius server-group "ClearPass"
    aaa authentication mac-based chap-radius server-group "ClearPass"

    aaa port-access authenticator 1 tx-period 10
    aaa port-access authenticator 1 supplicant-timeout 10
    aaa port-access authenticator 2 tx-period 10
    aaa port-access authenticator 2 supplicant-timeout 10
    aaa port-access authenticator 3 tx-period 10
    aaa port-access authenticator 3 supplicant-timeout 10
    aaa port-access authenticator 4 tx-period 10
    aaa port-access authenticator 4 supplicant-timeout 10
    aaa port-access authenticator 5 tx-period 10
    aaa port-access authenticator 5 supplicant-timeout 10
    aaa port-access authenticator 6 tx-period 10
    aaa port-access authenticator 6 supplicant-timeout 10
    aaa port-access authenticator 7 tx-period 10
    aaa port-access authenticator 7 supplicant-timeout 10
    aaa port-access authenticator 8 tx-period 10
    aaa port-access authenticator 8 supplicant-timeout 10
    aaa port-access authenticator 9 tx-period 10
    aaa port-access authenticator 9 supplicant-timeout 10
    aaa port-access authenticator 10 tx-period 10
    aaa port-access authenticator 10 supplicant-timeout 10
    aaa port-access authenticator 11 tx-period 10
    aaa port-access authenticator 11 supplicant-timeout 10
    aaa port-access authenticator 12 tx-period 10
    aaa port-access authenticator 12 supplicant-timeout 10
    aaa port-access authenticator 13 tx-period 10
    aaa port-access authenticator 13 supplicant-timeout 10
    aaa port-access authenticator 14 tx-period 10
    aaa port-access authenticator 14 supplicant-timeout 10
    aaa port-access authenticator 15 tx-period 10
    aaa port-access authenticator 15 supplicant-timeout 10
    aaa port-access authenticator 16 tx-period 10
    aaa port-access authenticator 16 supplicant-timeout 10
    aaa port-access authenticator 17 tx-period 10
    aaa port-access authenticator 17 supplicant-timeout 10
    aaa port-access authenticator 18 tx-period 10
    aaa port-access authenticator 18 supplicant-timeout 10
    aaa port-access authenticator 19 tx-period 10
    aaa port-access authenticator 19 supplicant-timeout 10
    aaa port-access authenticator 20 tx-period 10
    aaa port-access authenticator 20 supplicant-timeout 10
    aaa port-access authenticator 21 tx-period 10
    aaa port-access authenticator 21 supplicant-timeout 10
    aaa port-access authenticator 22 tx-period 10
    aaa port-access authenticator 22 supplicant-timeout 10
    aaa port-access authenticator 23 tx-period 10
    aaa port-access authenticator 23 supplicant-timeout 10
    aaa port-access authenticator 24 tx-period 10
    aaa port-access authenticator 24 supplicant-timeout 10
    aaa port-access authenticator 25 tx-period 10
    aaa port-access authenticator 25 supplicant-timeout 10
    aaa port-access authenticator 26 tx-period 10
    aaa port-access authenticator 26 supplicant-timeout 10
    aaa port-access authenticator 28 tx-period 10
    aaa port-access authenticator 28 supplicant-timeout 10
    aaa port-access authenticator 30 tx-period 10
    aaa port-access authenticator 30 supplicant-timeout 10
    aaa port-access authenticator 31 tx-period 10
    aaa port-access authenticator 31 supplicant-timeout 10
    aaa port-access authenticator 32 tx-period 10
    aaa port-access authenticator 32 supplicant-timeout 10
    aaa port-access authenticator 33 tx-period 10
    aaa port-access authenticator 33 supplicant-timeout 10
    aaa port-access authenticator 34 tx-period 10
    aaa port-access authenticator 34 supplicant-timeout 10
    aaa port-access authenticator 35 tx-period 10
    aaa port-access authenticator 35 supplicant-timeout 10
    aaa port-access authenticator 36 tx-period 10
    aaa port-access authenticator 36 supplicant-timeout 10
    aaa port-access authenticator 37 tx-period 10
    aaa port-access authenticator 37 supplicant-timeout 10
    aaa port-access authenticator 38 tx-period 10
    aaa port-access authenticator 38 supplicant-timeout 10
    aaa port-access authenticator 39 tx-period 10
    aaa port-access authenticator 39 supplicant-timeout 10
    aaa port-access authenticator 40 tx-period 10
    aaa port-access authenticator 40 supplicant-timeout 10
    aaa port-access authenticator 41 tx-period 10
    aaa port-access authenticator 41 supplicant-timeout 10
    aaa port-access authenticator 42 tx-period 10
    aaa port-access authenticator 42 supplicant-timeout 10
    aaa port-access authenticator 43 tx-period 10
    aaa port-access authenticator 43 supplicant-timeout 10
    aaa port-access authenticator 44 tx-period 10
    aaa port-access authenticator 44 supplicant-timeout 10
    aaa port-access authenticator active
    aaa port-access mac-based 1-26,28,30-44
    aaa port-access mac-based 1 addr-limit 2
    aaa port-access mac-based 2 addr-limit 2
    aaa port-access mac-based 3 addr-limit 2
    aaa port-access mac-based 4 addr-limit 2
    aaa port-access mac-based 5 addr-limit 2
    aaa port-access mac-based 6 addr-limit 2
    aaa port-access mac-based 7 addr-limit 2
    aaa port-access mac-based 8 addr-limit 2
    aaa port-access mac-based 9 addr-limit 2
    aaa port-access mac-based 10 addr-limit 2
    aaa port-access mac-based 11 addr-limit 2
    aaa port-access mac-based 12 addr-limit 2
    aaa port-access mac-based 13 addr-limit 2
    aaa port-access mac-based 14 addr-limit 2
    aaa port-access mac-based 15 addr-limit 2
    aaa port-access mac-based 16 addr-limit 2
    aaa port-access mac-based 17 addr-limit 2
    aaa port-access mac-based 18 addr-limit 2
    aaa port-access mac-based 19 addr-limit 2
    aaa port-access mac-based 20 addr-limit 2
    aaa port-access mac-based 21 addr-limit 2
    aaa port-access mac-based 22 addr-limit 2
    aaa port-access mac-based 23 addr-limit 2
    aaa port-access mac-based 24 addr-limit 2
    aaa port-access mac-based 25 addr-limit 2
    aaa port-access mac-based 26 addr-limit 2
    aaa port-access mac-based 28 addr-limit 2
    aaa port-access mac-based 30 addr-limit 2
    aaa port-access mac-based 31 addr-limit 2
    aaa port-access mac-based 32 addr-limit 2
    aaa port-access mac-based 33 addr-limit 2
    aaa port-access mac-based 34 addr-limit 2
    aaa port-access mac-based 35 addr-limit 2
    aaa port-access mac-based 36 addr-limit 2
    aaa port-access mac-based 37 addr-limit 2
    aaa port-access mac-based 38 addr-limit 2
    aaa port-access mac-based 39 addr-limit 2
    aaa port-access mac-based 40 addr-limit 2
    aaa port-access mac-based 41 addr-limit 2
    aaa port-access mac-based 42 addr-limit 2
    aaa port-access mac-based 43 addr-limit 2
    aaa port-access mac-based 44 addr-limit 2


  • 14.  RE: Remove All AAA Config From a Port

    Posted Dec 12, 2022 12:05 PM
    Hello, 

    In the CLI you can enter the commands with a port-range and not for every single port.

    aaa port-access authenticator 1-44 tx-period 10
    aaa port-access authenticator 1-44 supplicant-timeout 10
    aaa port-access mac-based 1-44 addr-limit 2

    However in the configuration file you will see a separate config line for every port.


  • 15.  RE: Remove All AAA Config From a Port

    Posted Dec 13, 2022 01:34 AM
    You can do it for individual ports in config context - 

    Aruba-Stack-3810M(config)# aaa port-access authenticator 1/1 tx-period 30

    It will be shown as below in the configuration file - 

    aaa port-access authenticator 2/1-2/2,2/21
    aaa port-access authenticator 1/13 client-limit 2
    aaa port-access authenticator 2/1 tx-period 1
    aaa port-access authenticator 2/1 client-limit 5
    aaa port-access authenticator 2/2 tx-period 2
    aaa port-access authenticator 2/2 client-limit 5
    aaa port-access authenticator 2/15 reauth-period 3600
    aaa port-access authenticator 2/15 client-limit 2
    aaa port-access authenticator 2/15 cached-reauth-period 86400
    aaa port-access authenticator 2/21 client-limit 5
    aaa port-access authenticator active
    aaa port-access mac-based 2/1,2/11
    aaa port-access mac-based 1/13 addr-limit 2
    aaa port-access mac-based 2/1 addr-limit 5
    aaa port-access mac-based 2/1 unauth-vid 1
    aaa port-access mac-based 2/2 addr-limit 2
    aaa port-access mac-based 2/11 unauth-vid 1
    aaa port-access mac-based 2/15 addr-limit 2


    ------------------------------
    Shobana
    Aruba
    ------------------------------