https://community.cisco.com/t5/network-access-control/catos-aaa-config/m-p/765284#M420241 <P>Hi Everyone,</P><P></P><P>I have the below working config for TACACS+ authentication and accounting for IOS based devices. Would anybody be able to give me a CATOS version for the config?</P><P></P><P>Many thanks,</P><P></P><P>Dan</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ local</P><P>aaa authentication enable default group tacacs+ enable</P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa accounting commands 0 default start-stop group tacacs+</P><P>aaa accounting commands 1 default start-stop group tacacs+</P><P>aaa accounting commands 15 default start-stop group tacacs+</P><P>enable password cisco</P><P>!</P><P>username Manager password 0 cisco</P><P></P><P>tacacs-server host 10.1.1.1</P><P>tacacs-server key cisco</P> Sun, 10 Mar 2019 22:14:12 GMT daniel.bowen 2019-03-10T22:14:12Z https://community.cisco.com/t5/network-access-control/catos-aaa-config/m-p/765284#M420241 <P>Hi Everyone,</P><P></P><P>I have the below working config for TACACS+ authentication and accounting for IOS based devices. Would anybody be able to give me a CATOS version for the config?</P><P></P><P>Many thanks,</P><P></P><P>Dan</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ local</P><P>aaa authentication enable default group tacacs+ enable</P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa accounting commands 0 default start-stop group tacacs+</P><P>aaa accounting commands 1 default start-stop group tacacs+</P><P>aaa accounting commands 15 default start-stop group tacacs+</P><P>enable password cisco</P><P>!</P><P>username Manager password 0 cisco</P><P></P><P>tacacs-server host 10.1.1.1</P><P>tacacs-server key cisco</P> Sun, 10 Mar 2019 22:14:12 GMT https://community.cisco.com/t5/network-access-control/catos-aaa-config/m-p/765284#M420241 daniel.bowen 2019-03-10T22:14:12Z https://community.cisco.com/t5/network-access-control/catos-aaa-config/m-p/765285#M420242 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>First make sure that your CatOS version supports fallback, because few earlier versions were not able to do so,</P><P></P><P>Anyhow, here you go,</P><P></P><P>/----------------------------------/</P><P>!--- Define localuser to prevent ourself from being lockedout</P><P>!--- For backdoor purpose</P><P>set localuser user <USERNAME> password <PASSWORD> privilege 15</PASSWORD></USERNAME></P><P></P><P>!--- Specify the TACACS server ip address,i.e., ACS ip address</P><P>set tacacs server <IP-ADDR-ACS></IP-ADDR-ACS></P><P>set tacacs key <SECRET-TACACS-KEY></SECRET-TACACS-KEY></P><P>set tacacs timeout 30</P><P></P><P>!--- For backdoor purspose, specify authentication for </P><P>!--- login and enable via local database.</P><P>set authentication login local enable all</P><P></P><P>!--- Specifying authentication for login &amp; enable via TACACS</P><P>set authentication login tacacs enable telnet primary</P><P>set authorization exec enable tacacs+ none telnet</P><P></P><P>!--- Specifying accouting for exec level</P><P>set accounting exec enable start-stop tacacs+</P><P>!--- Specifying accounting for users telnetting out of the switch</P><P>set accounting connect enable start-stop tacacs+</P><P>!--- Accounts for system level changes over switch</P><P>set accounting system enable start-stop tacacs+</P><P>!--- For accounting events performed by users,i.e.,commands being issued</P><P>set accounting commands enable all start-stop tacacs+</P><P>/----------------------------------/</P><P></P><P>For 8.6:</P><P></P><P>Configuring the Switch Access Using AAA:</P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_6/confg_gd/authent.htm" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_6/confg_gd/authent.htm</A></P><P></P><P></P><P>Regards,</P><P>Prem</P></BODY></HTML> Fri, 22 Jun 2007 14:53:17 GMT https://community.cisco.com/t5/network-access-control/catos-aaa-config/m-p/765285#M420242 Premdeep Banga 2007-06-22T14:53:17Z https://community.cisco.com/t5/network-access-control/catos-aaa-config/m-p/765286#M420243 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Do not put exec authorization, you do not have that in IOS config,</P><P></P><P>!--- Specifying authentication for login &amp; enable via TACACS</P><P>set authentication login tacacs enable telnet primary</P><P>set authorization exec enable tacacs+ none telnet</P><P></P><P>Instead, use this,</P><P></P><P>!--- Specifying authentication for enable</P><P>set authentication enable tacacs enable telnet</P><P></P><P>As you have "aaa authentication enable default group tacacs+ enable"</P><P></P><P>Regards,</P><P>Prem</P></BODY></HTML> Fri, 22 Jun 2007 14:59:53 GMT https://community.cisco.com/t5/network-access-control/catos-aaa-config/m-p/765286#M420243 Premdeep Banga 2007-06-22T14:59:53Z