AAA configuration tuning

a00000001
Level 1

Goals:

1) have AAA authenticate, authorize, log all commands the users have entered;

2) don't use the default aaa keyword to avoid unexpected behavior;

I could not find any papers dealing with the issues in a single configuration and not using default methods. I have come up with this:

aaa new-model
aaa group server tacacs+ TacGroup1
 server-private 192.168.1.1 key mysharedkey
!
aaa authentication login TacAuth group TacGroup1
aaa authorization commands 0 TacPerm group TacGroup1
aaa authorization commands 1 TacPerm group TacGroup1
aaa authorization commands 15 TacPerm group TacGroup1
aaa accounting commands 0 TacAcc start-stop group TacGroup1
aaa accounting commands 1 TacAcc start-stop group TacGroup1
aaa accounting commands 15 TacAcc start-stop group TacGroup1
!
line vty 10
 login authentication TacAuth
 accounting commands 0 TacAcc
 accounting commands 1 TacAcc
 accounting commands 15 TacAcc
 authorization commands 0 TacPerm
 authorization commands 1 TacPerm
 authorization commands 15 TacPerm

Assuming I'm not lacking something critical, what more do I need to get this working?

Additionally, why do I need to reference accounting/authorization levels under line vty when they are referenced in the respective methods in the global conf mode?

1 Reply

Amjad Abdullah
VIP Alumni

What does the method name TacPerm refer to?

This must refer to the method configured in the previous command:

aaa authentication login TacAuth group TacGroup1

The defined method is TacAuth. This word must be used with the auth command:

aaa authorization commands 0 TacAuth group TacGroup1.

and

authorization commands 0 TacPerm

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
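Added example, not part of either post above: a Python audit that checks, for each `line` block, that every named AAA method list defined in global configuration is applied there, and flags references to lists that were never defined. A named list only takes effect on the lines that reference it, so the check is per line; the sample config is constructed from the one in the question (levels 1 and 15 only), and `line vty 11` with its gaps is a hypothetical addition.

```python
import re

# Constructed sample, adapted from the configuration in the question (levels
# 1 and 15 only). "line vty 11" is added here with deliberate gaps.
SAMPLE = """\
aaa new-model
aaa authentication login TacAuth group TacGroup1
aaa authorization commands 1 TacPerm group TacGroup1
aaa authorization commands 15 TacPerm group TacGroup1
aaa accounting commands 1 TacAcc start-stop group TacGroup1
aaa accounting commands 15 TacAcc start-stop group TacGroup1
line vty 10
 login authentication TacAuth
 authorization commands 1 TacPerm
 authorization commands 15 TacPerm
 accounting commands 1 TacAcc
 accounting commands 15 TacAcc
line vty 11
 login authentication TacAuth
 authorization commands 1 TacPerm
 accounting commands 1 TacAcc
 accounting commands 15 TacAcct
"""

SERVICE = r"(authentication login|login authentication|(?:authorization|accounting) commands \d+)"
GLOBAL_RE = re.compile(r"^aaa " + SERVICE + r" (\S+) ")
LINE_RE = re.compile(r"^\s+" + SERVICE + r" (\S+)\s*$")

def key(service, name):
    # The login service is spelled in opposite word order at the two levels.
    return (service.replace("authentication login", "login authentication"), name)

def audit(config):
    """Return {line: (lists defined but not applied, lists applied but not defined)}."""
    defined, applied, current = set(), {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            applied[current] = set()
        elif (m := GLOBAL_RE.match(raw)) and m.group(2) != "default":
            defined.add(key(*m.groups()))
        elif current and (m := LINE_RE.match(raw)):
            applied[current].add(key(*m.groups()))
        elif not raw.startswith(" "):
            current = None  # left line-configuration mode
    return {ln: (sorted(defined - got), sorted(got - defined))
            for ln, got in applied.items()}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Lists named `default` are skipped because they are not applied per line by name.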