topic Re: aaa authentication enable default group tacacs+ enable in Network Access Control

aaa authentication enable default group tacacs+ enable

cassinhee — Sun, 10 Mar 2019 21:50:29 GMT

I am implementing CSACS 4.0. First on the client, I will apply aaa authenticatio/ authorization under vty. The issure if I use the followin command

aaa authentication enable default group tacacs+ enable

what will happen if I login via console? Will I be required to enter any username/password?

Below is my configuration

aaa new-model

aaa authentication login authvty group TACACS + local

aaa authentication enable default group tacacs+ enable

aaa authorization commands 15 authvty TACACS+ local

TACACS-server host IP

Tacacs-server key key

Ip tacacs source-interface VLAN 3

aaa accounting send stop-record authentication failure

aaa accounting delay-start

aaa accounting exec authvty start-stop group tacacs+

aaa accounting commands 15 authvty start-stop group tacacs+

aaa accounting connection authvty start-stop group tacacs+

line vty 0 15

authorization commands 15 authvty

accounting connection authvty

accounting commands 15 authvty

accunting exec authvty

Any suggestion will be appreciated!

Re: aaa authentication enable default group tacacs+ enable

a.kiprawih — Wed, 15 Nov 2006 04:47:44 GMT

If you set:

aaa authentication enable default group tacacs+ enable

which carry 'default' keyword, all access (console, vty) will have to go TACACS authentication.

If you want to skip it, you need to define

dedicated/separate group name (never use default) and point it to 'local'.

HTH

Re: aaa authentication enable default group tacacs+ enable

cassinhee — Wed, 15 Nov 2006 13:52:44 GMT

when I try this command, there is only default available.

another question is, if I use the following commands,

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ local

what exactly 'default' will works on, I know it includes vty, console, aux, how about other interfaces, such as dsl dial-in interface?

Thanks!

Re: aaa authentication enable default group tacacs+ enable

a.kiprawih — Wed, 15 Nov 2006 14:48:04 GMT

Default will include all, unless if you specified different method which is using different name.

That's why sometimes you need, for example, separate authentication for console where physical security is no longer an issue. So, if you're unable to login via telnet, ssh or https, Console access (with user given privilege 15 access right) can provide last resort access method.

example:

aaa authentication local CONSOLE local --> authenticate using local user account only

aaa authentication login authvty group TACACS + local

HTH

Re: aaa authentication enable default group tacacs+ enable

a.kiprawih — Wed, 15 Nov 2006 14:49:40 GMT

BTW, you need to apply it the same way how you apply the 'authvty' on vty interface.

Re: aaa authentication enable default group tacacs+ enable

cassinhee — Wed, 15 Nov 2006 15:55:39 GMT

how about this command

aaa authentication enable default group tacacs+ local

will this also works on dial-in interface?

Thanks for your help

Re: aaa authentication enable default group tacacs+ enable

cassinhee — Wed, 15 Nov 2006 16:29:32 GMT

1)Following the configuration for ppp authentication on dial-in router. this is through radius server

aaa new-model

aaa authentication login default local

aaa authentication ppp qwe group radius

aaa authorization network qwe start-stop group radius

interface interface

ppp authentication chap callin qwe

ppp authorization qwe

ppp accounting qwe

My configuration will be as follows and this is via TACACS+ server

aaa new-model

aaa authentication login default group TACACS + local

aaa authentication enable default group tacacs+

aaa authorization exec default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

TACACS-server host host

Tacacs-server key key

Ip tacacs source-interface

3) will this second configuration cause any effect on the ppp authentication/authorization?

Thanks

Re: aaa authentication enable default group tacacs+ enable

Richard Burts — Wed, 15 Nov 2006 16:40:18 GMT

kai

I have configured a router to support dial in/ppp connections and it is very similar to what you have in your posting. It sends dial/ppp requests to a radius server for authentication and sends administrative users (console and vty) to a TACACS server for authentiation. The two authentication functions (radius and TACACS) operate independtly and do not have any effect on each other.

HTH

Rick

Re: aaa authentication enable default group tacacs+ enable

a.kiprawih — Wed, 15 Nov 2006 20:19:22 GMT

The radius authentication/authorization for the dial-in router looks fine.

As for the second config, it is also correct as well if you do not define anything on the interface. The 'default' keyword will kick-in the authentication/authorization for you.

Except here you're using TACACS+ instead of common RADIUS protocol to authenticate the passing-through access. Also, maybe you need to consider adding the optional "if-authenticated" keyword as well. This allows the already authenticated user to just login without being asked (if suddenly being kicked out or session hang) for his/her username/pwd again.

Rick was also right pointing it out.

Pls rate all post(s).

HTH

Re: aaa authentication enable default group tacacs+ enable

cassinhee — Wed, 15 Nov 2006 20:33:04 GMT

Thanks AK and Rick! This is really big help for me. I have been struggling on this for a while.

Another question is when I use the following commands

1)aaa authentication banner rrr

2)aaa authentication user-prompt rrr

3)aaa authentication password-prompt rrr

the first one seems never works

the second and third only works when the tacacs+ server does not work, which means only when backup authentication is used, these two will work

thx

Re: aaa authentication enable default group tacacs+ enable

a.kiprawih — Wed, 15 Nov 2006 21:07:39 GMT

It should work because this is a message.banner prompt everytime you try to login (console/vty). I have it configured on my router.

If you have banner motd, it will be displayed as well (see below). So I ahve to remove it to get only the aaa banner & prompt being displayed:

************************************************************

*** Username: cisco, Password: cisco (priv 15f - local) ****

************************************************************

Unauthorized use is prohibited.

Enter your name here: user1

Enter your password now:

Router#

The config more or less looks like:

aaa new-model

aaa authentication banner ^CUnauthorized use is prohibited.^C

aaa authentication password-prompt "Enter your password now:"

aaa authentication username-prompt "Enter your name here:"

aaa authentication login default group radius

aaa authentication login CONSOLE local

HTH