cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

4132
Views
5
Helpful
2
Replies
david.mitchell
Beginner

AAA Authorization named authorization list

Ladies and Gents,

Your help will be greatly appreciated – I am currently studying CCNP Switch AAA configuration and I work with a tacacs+ server at work butI having difficulty getting my head around the below

Cisco.com extract below

When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.

Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named "default"). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.

My question is how do you define the Named Method List i.e. the none-default method list?

I don't mean the cisco switch config but how the list is created, is this on the tacacs+ server and the referred to in the CLI?

Any help would be much appreciated as I have read over tons of documents and I can’t see how this is created

Thanks in advance

David

2 REPLIES 2
Travis Hysuick
Beginner

Hi David,

An example of a named AAA list might look something like this:

aaa authorization exec TacExec group AAASrv local

In the example above, I've created a AAA authorization list for controlling shell exec sessions called "TacExec", which will check the remote AAA servers in the group "AAASrv" first; if the device receives no response from the remote servers, it will then atempt to validate the credentials via the local user database. Please remember that a deny response from the AAA server is not the same as no reposonse, the device will only check the local user database if an only if it recieves nothing back from the TACACS query.

Of course, before you create this method list, you need to define the TACACS servers via the "tacacs-server" command, and then add those servers to the group via the "aaa group server" command.

Below is a cut and paste from the AAA section on one of my devices:

aaa new-model

ip tacacs source-interface

tacacs-server host 10.x.x.x key 7

tacacs-server host 10.x.x.y key 7

aaa group server tacacs+ TacSrvGrp

server 10.x.x.x

server 10.x.x.y

!

aaa authentication login default local

aaa authentication login TacLogin group TacSrvGrp local

aaa authorization console

aaa authorization config-commands

aaa authorization exec default local

aaa authorization exec TacAuth group TacSrvGrp local

aaa authorization commands 0 default local

aaa authorization commands 0 TacCommands0 group TacSrvGrp local

aaa authorization commands 1 default local

aaa authorization commands 1 TacCommands1 group TacSrvGrp local

aaa authorization commands 15 default local

aaa authorization commands 15 TacCommands15 group TacSrvGrp local

aaa accounting exec default start-stop group TacSrvGrp

aaa accounting commands 15 default start-stop group TacSrvGrp

aaa session-id common

Notice that for the various authentication and authorization parameters, there is a named method list as well as a default method list. As per Cisco's documentation, a aaa method list called default (that you explicitly define) will apply to all input methods (con, aux, vty, etc) unless you set a named method list on the particular input line (see below):

line con 0

exec-timeout 5 0

line aux 0

exec-timeout 5 0

line vty 0 4

exec-timeout 15 0

authorization commands 0 TacCommands0

authorization commands 1 TacCommands1

authorization commands 15 TacCommands15

authorization exec TacAuth

login authentication TacLogin

transport input ssh

For the console and aux inputs, I only ever want to use local credentials for AAA purposes (ie: If I have to connect on an out-of-band interface, something is potentially wrong with the network connectivity), however for the VTY lines (SSH sessions in this instance), I always want to use the TACACS servers first, with local user credentials as a fallback mechanism.

One thing you need to be VERY mindful of when configuring your devices for AAA is the order of the commands that are entered. It is a relatively simple matter to lock yourself out from the device management if you don't pay close attention to the specific order that the commands are entered. Typically, I will first do a "show user" just to find out which VTY line that I'm connected on, and when I assign the named AAA method lists to the VTY lines, I normally leave the line that I'm on at the default (local), then I open a second session to the device, authenticate using my TACACS credentials, and complete the config on the remaining VTY line.

Keep in mind that there are some other parameters that you can define at the tacacs-server level (timeout value is a good one to look at) which you can use to enhance the AAA performance somewhat.

Hope this helps!

Travis, thanks very much this excellent response to my initial posting, I do however has a couple of follow up questions refering to the creation of named-lists.

Extract

For the console and aux inputs, I only ever want to use local credentials for AAA purposes (ie: If I have to connect on an out-of-band interface, something is potentially wrong with the network connectivity), however for the VTY lines (SSH sessions in this instance), I always want to use the TACACS servers first, with local user credentials as a fallback mechanism

Just to clarify my understanding of this using your config, you have used the global command aaa authentication login default local and this will apply to all access methods (con, aux, vty) and as you have not specified any specific aaa commands on the Console line itself this global default config applies (referring to no named-lists).

However, if you were to add a more specific config directly to the Console such as login authentication TacLogin then you would override the global config and cause console access to be validated by AAA and more specifically the TacLogin group which in turn refers back to the tacacs servers within the TacSvrGrp?

Of course I wouldn’t do this for the reasons you have stated but may do this on VTY lines ••J

If my understanding is sound, I can see how you created the Named Method-list TacSvrGrp within the CLI output provided, but I can’t see where the TacLogin name-list has been configured?

Likewise with TacAuth and TacCommands15 etc?

Are these groups configured/defined on the ACS server perhaps?

Thanks in advance

David

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube