10-02-2012 03:40 AM - edited 03-10-2019 07:37 PM
Ladies and Gents,
Your help will be greatly appreciated – I am currently studying CCNP Switch AAA configuration and I work with a tacacs+ server at work butI having difficulty getting my head around the below
Cisco.com extract below
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named "default"). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.
My question is how do you define the Named Method List i.e. the none-default method list?
I don't mean the cisco switch config but how the list is created, is this on the tacacs+ server and the referred to in the CLI?
Any help would be much appreciated as I have read over tons of documents and I can’t see how this is created
Thanks in advance
David
10-03-2012 07:46 AM
Hi David,
An example of a named AAA list might look something like this:
aaa authorization exec TacExec group AAASrv local
In the example above, I've created a AAA authorization list for controlling shell exec sessions called "TacExec", which will check the remote AAA servers in the group "AAASrv" first; if the device receives no response from the remote servers, it will then atempt to validate the credentials via the local user database. Please remember that a deny response from the AAA server is not the same as no reposonse, the device will only check the local user database if an only if it recieves nothing back from the TACACS query.
Of course, before you create this method list, you need to define the TACACS servers via the "tacacs-server" command, and then add those servers to the group via the "aaa group server" command.
Below is a cut and paste from the AAA section on one of my devices:
aaa new-model
ip tacacs source-interface
tacacs-server host 10.x.x.x key 7
tacacs-server host 10.x.x.y key 7
aaa group server tacacs+ TacSrvGrp
server 10.x.x.x
server 10.x.x.y
!
aaa authentication login default local
aaa authentication login TacLogin group TacSrvGrp local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local
aaa authorization exec TacAuth group TacSrvGrp local
aaa authorization commands 0 default local
aaa authorization commands 0 TacCommands0 group TacSrvGrp local
aaa authorization commands 1 default local
aaa authorization commands 1 TacCommands1 group TacSrvGrp local
aaa authorization commands 15 default local
aaa authorization commands 15 TacCommands15 group TacSrvGrp local
aaa accounting exec default start-stop group TacSrvGrp
aaa accounting commands 15 default start-stop group TacSrvGrp
aaa session-id common
Notice that for the various authentication and authorization parameters, there is a named method list as well as a default method list. As per Cisco's documentation, a aaa method list called default (that you explicitly define) will apply to all input methods (con, aux, vty, etc) unless you set a named method list on the particular input line (see below):
line con 0
exec-timeout 5 0
line aux 0
exec-timeout 5 0
line vty 0 4
exec-timeout 15 0
authorization commands 0 TacCommands0
authorization commands 1 TacCommands1
authorization commands 15 TacCommands15
authorization exec TacAuth
login authentication TacLogin
transport input ssh
For the console and aux inputs, I only ever want to use local credentials for AAA purposes (ie: If I have to connect on an out-of-band interface, something is potentially wrong with the network connectivity), however for the VTY lines (SSH sessions in this instance), I always want to use the TACACS servers first, with local user credentials as a fallback mechanism.
One thing you need to be VERY mindful of when configuring your devices for AAA is the order of the commands that are entered. It is a relatively simple matter to lock yourself out from the device management if you don't pay close attention to the specific order that the commands are entered. Typically, I will first do a "show user" just to find out which VTY line that I'm connected on, and when I assign the named AAA method lists to the VTY lines, I normally leave the line that I'm on at the default (local), then I open a second session to the device, authenticate using my TACACS credentials, and complete the config on the remaining VTY line.
Keep in mind that there are some other parameters that you can define at the tacacs-server level (timeout value is a good one to look at) which you can use to enhance the AAA performance somewhat.
Hope this helps!
10-04-2012 01:13 AM
Travis, thanks very much this excellent response to my initial posting, I do however has a couple of follow up questions refering to the creation of named-lists.
Extract
For the console and aux inputs, I only ever want to use local credentials for AAA purposes (ie: If I have to connect on an out-of-band interface, something is potentially wrong with the network connectivity), however for the VTY lines (SSH sessions in this instance), I always want to use the TACACS servers first, with local user credentials as a fallback mechanism
Just to clarify my understanding of this using your config, you have used the global command aaa authentication login default local and this will apply to all access methods (con, aux, vty) and as you have not specified any specific aaa commands on the Console line itself this global default config applies (referring to no named-lists).
However, if you were to add a more specific config directly to the Console such as login authentication TacLogin then you would override the global config and cause console access to be validated by AAA and more specifically the TacLogin group which in turn refers back to the tacacs servers within the TacSvrGrp?
Of course I wouldn’t do this for the reasons you have stated but may do this on VTY lines ••J
If my understanding is sound, I can see how you created the Named Method-list TacSvrGrp within the CLI output provided, but I can’t see where the TacLogin name-list has been configured?
Likewise with TacAuth and TacCommands15 etc?
Are these groups configured/defined on the ACS server perhaps?
Thanks in advance
David
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide