Getting around limitation in AAA AUTHENTICATION ENABLE DEFAULT

djmwalker — Sun, 10 Mar 2019 22:50:49 GMT

I'm having a little trouble configuring AAA to allow the two levels of authentication (User and Privilege) between two seperate groups (default and XAUTH). What I'd like to accomplish is this:

default (or defined group, doesn't matter):

- use line password for authentication to User level

- use enable secret for authentication to Privilege level

- password set @ console (line con 0)

XAUTH:

- use TACACS + then LOCAL user for authentication to User level

- user TACACS + then LOCAL user for authentication to Privilege level

- XAUTH authentication set to lines vty 0 15

Here's where I'm starting:

----------

aaa new-model

aaa authentication login default line

aaa authentication login XAUTH group tacacs+ local

line con 0

password 7 [hashed_psswd]

line vty 0 4

line vty 5 15

----------

The simplest approach would be if AAA allowed for different policies toward ENABLE during authentication, but it doesn't. I've considered using AUTHORIZATION to permit the XAUTH users to pass directly in Privilege level, but as it's TACACS it's looking to the ACS server, which I do not have administrative rights to. Tried this, but failed to bring the user in Privilege mode and required the ENABLE SECRET when using TACACS, although it did work when XAUTH was set to use LOCAL-CASE for authentication:

----------

aaa new-model

aaa authentication login default line

aaa authentication login XAUTH group tacacs+ local-case

aaa authorization exec XAUTH group tacacs+ local

aaa authorization commands 0 XAUTH group tacacs+ local

aaa authorization commands 1 XAUTH group tacacs+ local

aaa authorization commands 15 XAUTH group tacacs+ local

line con 0

password 7 [hashed_psswd]

line vty 0 4

authorization commands 0 XAUTH

authorization commands 1 XAUTH

authorization commands 15 XAUTH

authorization exec XAUTH

line vty 5 15

authorization commands 0 XAUTH

authorization commands 1 XAUTH

authorization commands 15 XAUTH

authorization exec XAUTH

----------

The end goal is to allow the console port to be free of the TACACS server for authentication all the way to Privilege mode without pushing the user access @ console mode directly into it (hence, why I'm not going with the AAA AUTHORIZATION CONSOLE & AUTHORIZATION EXEC solution).

Anyone come up with a clever way around this? Appreciate the input.

Dan

Re: Getting around limitation in AAA AUTHENTICATION ENABLE DEFAU

smahbub — Tue, 20 May 2008 12:52:58 GMT

Authentication verifies users before they are allowed access to the network and network services. Authentication, for the most part, is implemented through the AAA security services.Whenever possible, its good to have AAA be used to implement authentication.

Refer the following url for moe info about Configuring Login Authentication Using AAA:

http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schathen.html#wp1001032

topic Getting around limitation in AAA AUTHENTICATION ENABLE DEFAULT in Network Access Control

Getting around limitation in AAA AUTHENTICATION ENABLE DEFAULT

Re: Getting around limitation in AAA AUTHENTICATION ENABLE DEFAU