topic Moving to AAA from local authentication on 100s of devices on pr in Network Access Control

Moving to AAA from local authentication on 100s of devices on production network

golly_wog — Mon, 11 Mar 2019 01:16:01 GMT

I'm looking to migrate 100s of devices from local authentication to AAA. I have the code that I need to apply, but I can't think of a way how to automate this.

If I log onto a switch using the local username, I can then add the AAA config in global mode

aaa authentication login TACACS_LOCAL group TACACS_SERVERS local

aaa authorization console

aaa authorization config-commands

aaa authorization exec TACACS_LOCAL group TACACS_SERVERS local

aaa authorization commands 0 TACACS_LOCAL group TACACS_SERVERS local

aaa authorization commands 1 TACACS_LOCAL group TACACS_SERVERS local

aaa authorization commands 15 TACACS_LOCAL group TACACS_SERVERS local

aaa accounting exec TAC start-stop group TACACS_SERVERS

aaa accounting commands 0 TAC start-stop group TACACS_SERVERS

aaa accounting commands 1 TAC start-stop group TACACS_SERVERS

aaa accounting commands 15 TAC start-stop group TACACS_SERVERS

However, once I add the config for the line, authorization then kicks in (as I'm logged in as a local user) and denies any command entered, I then need to re-login to the switch using a AAA account and apply this code;

line vty 0 4

authorization commands 0 TACACS_LOCAL

authorization commands 1 TACACS_LOCAL

authorization commands 15 TACACS_LOCAL

authorization exec TACACS_LOCAL

accounting commands 0 TAC

accounting commands 1 TAC

accounting commands 15 TAC

accounting exec TAC

I wanted to know if anyone has come up with a way of apply the code in one hit? I would ideally like to automate this using Cisco works, however I can't think of any ways, apart from add this code to the start-up config and re-booting...

Many thanks

Moving to AAA from local authentication on 100s of devices on pr

Tarik Admani — Wed, 03 Aug 2011 23:55:44 GMT

Try adding the authorization command at the end of the script.

Moving to AAA from local authentication on 100s of devices on pr

alex.dersch — Thu, 04 Aug 2011 17:01:59 GMT

I recently deployed AAA by Cisco LMS 4.0 to a bunch of devices. I did a two step approach to make sure i dont get locked out.

i created two templates in the template center; one for authentication and accounting and one for the authorization. Start with authention and accounting in the first step. then the authorization.

Be aware that the configureation deployed with the template center has problems with saving the config to the startup config. I had to visit each device to save the config manually to the startup-config.

regards

alex

Moving to AAA from local authentication on 100s of devices on pr

golly_wog — Thu, 04 Aug 2011 17:46:12 GMT

Hi Alex

Thanks for the reply mate.

Can you elaborate on these templates (I'm not familar with LMS), did you login for the second template using a AAA username/password?

Hi Tarik

Thanks mate - I should have elaborated and said I know that is the issue 🙂

I can't apply ALL the code in one hit.

cheers

Moving to AAA from local authentication on 100s of devices on pr

alex.dersch — Thu, 04 Aug 2011 17:54:06 GMT

Hi Golly,

what version of LMS you're running?

Sure you can apply all code in one line, just make sure that the authorization part is at the end.

Deploying it in two step is just more easy.

Moving to AAA from local authentication on 100s of devices on pr

golly_wog — Thu, 04 Aug 2011 20:25:55 GMT

Hi Alex

I think it's v4 mate.

I thought that Cisco Works would login and then apply the code - just like a normal user would do.

So if you do it in two parts, with 1st authentication + accounting, 2nd authorization.

The 1st login is using the local account, then the 2nd login would surley need to login using an account that can be authentciated back to the ACS?

If the 2nd login used the local account then it would fail, as it would not be authenticated via ACS.

cheers

Re: Moving to AAA from local authentication on 100s of devices o

alex.dersch — Thu, 04 Aug 2011 20:43:05 GMT

No,

LMS usually uses TFTP to deploy configuration to devices. So the user shouldn't be an issue.

Go to Configuration -> Template Center -> Import

You can import a configuration from one of your devices by selcting one. When the config is fetched, you can remove the parts of the configuration you don't need and paste the aaa authentication into the window.

then click next,

there you can preselect the devices you want to consider for deployment. then click next.

if no configuration appears click next.

type the required information into the fields. click finish

I would recommend to create a template for removing the aaa configuration, but be aware that when you just type no aaa new-model the configuration is 100% removed, as soon you type again aaa new-model you have the old config merged with the new one. You have negotiate all your aaa commands followed by a no aaa new-model. (This costs me about 2 hours to figure out how to remove it.)

Next step is to deploy the config to a test device.

Go to Configuration -> Template Center -> deploy

Select your template then click next

Select your device -> click next

If you didn't configure any parameters click next

you can add some additionals configurations if you want, click next

Schedule your deployment then click finish

check for any problems during deployment, if everything worked fine you can log in to the device with your tacacs credentials.

if there are any problems with your template, export it and open it with an xml editor your choice and modify the template, import it and try again.

i've add a sample template

good luck

alex

Re: Moving to AAA from local authentication on 100s of devices o

golly_wog — Fri, 05 Aug 2011 21:59:11 GMT

Hi Mate

I got our moniroting guy to implement this today and it worked like a charm.

THANK YOU SO MUCH!!! 🙂