12-26-2008 04:29 AM - edited 03-10-2019 04:15 PM
hi,
I am new to Cisco ACS server for Windows. I am testing it on a Cisco 1700 series router.
I have created two users in ACS having different shell command authorization sets, and I have created one local user in the router. I am successfully able to log in to the router with both ACS users through telnet and console.
But I am stuck with some requirements which I need to test.
Requirements:
1). When my ACS is running, I should use only my ACS users for logging in to the device, whether through telnet or console.
2). If my ACS is down, then I should be able to log in to the device through the local user created in it. This way the device will not be locked down due to the absence of AAA.
I have almost achieved my first requirement, but I am stuck on my second requirement. Require your help please.
Router configuration enclosed!!
12-26-2008 05:39 AM
Raj,
Here are the commands that you need,
aaa authentication login default group tacacs local
aaa authentication enable default group tacacs enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Regards,
~JG
Do rate helpful posts
12-27-2008 09:15 AM
Dear JG,
Thanks for your help!!
One more favor: can you describe the meaning of the commands you have given above (only a brief description)? I will be thankful to you!!
12-27-2008 01:45 PM
Hi Raj,
Here you go,
aaa authentication login default group tacacs local
It will let you in using the password configured in ACS, and if ACS is down, it will let you in using the local user/password configured on the router.
aaa authentication enable default group tacacs enable
Once you are in user mode and try to log in to enable mode, it will let you in using the enable password configured in ACS, and if ACS is down it will let you in using the enable password set up on the router.
aaa authorization console
This command enables authorization on the console port. By default that is disabled, and it is recommended to use it only once you are sure about the commands. Else you will be locked out.
aaa authorization config-commands
Enables command authorization for global config mode.
aaa authorization exec default group tacacs if-authenticated
This enables authorization for telnet (exec) sessions.
aaa authorization commands 1 default group tacacs+ if-authenticated
Enables command authorization for level 1 commands.
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Accounting commands are self-explanatory.
=======================
Using 'none' versus 'if-authenticated' as the backup method for authorization:
If you use 'if-authenticated', any authentication method (line, local, etc.) will allow for successful authorization. However, if the TACACS+ server goes down during a session, all authorization will fail until a new authentication occurs (log out and log back in). This allows for an extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down. They must have access to the backup authentication method. If you use 'none', authorization will always be successful if the AAA server is down, even if it goes down in the middle of the session. This adds convenience at the expense of security.
Regards,
~JG
Do rate helpful posts
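A defender-side check for the lockout concern discussed in this thread, added here as an example that is not from the thread or from Cisco: a small Python lint that parses `aaa authentication` and `aaa authorization` method lists and flags lists that have no local fallback (lockout when ACS is unreachable) or that fall back to 'none' (every command allowed while ACS is down). The config text is constructed from JG's lines plus two constructed weaker variants.

```python
# Constructed sample: JG's AAA lines, plus two constructed weaker lines
# (a 'none' fallback and a login list with no fallback at all).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs local
aaa authentication enable default group tacacs enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
aaa authentication login VTY group tacacs+
"""

# Methods that still work when every AAA server is unreachable.
LOCAL_AUTHN = {"local", "local-case", "enable", "line"}
AUTHZ_FALLBACK = {"if-authenticated", "none", "local"}

def parse_method_lists(config):
    """Map (kind, type, list-name) -> ordered methods, e.g.
    ('authorization', 'commands 15', 'default') -> ['group tacacs+', 'none']."""
    lists = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "aaa" or tok[1] not in ("authentication", "authorization"):
            continue  # skips 'aaa new-model', 'aaa authorization console', etc.
        kind, rest = tok[1], tok[2:]
        if rest[0] == "commands":            # 'commands <level>' precedes the list name
            typ, rest = "commands " + rest[1], rest[2:]
        else:
            typ, rest = rest[0], rest[1:]
        name, methods, i = rest[0], [], 1
        while i < len(rest):
            if rest[i] == "group":           # 'group <server-group>' is one method
                methods.append("group " + rest[i + 1])
                i += 2
            else:
                methods.append(rest[i])
                i += 1
        lists[(kind, typ, name)] = methods
    return lists

def lockout_findings(config):
    """Report server-backed lists that lock you out, or fall open, when ACS is down."""
    findings = []
    for (kind, typ, name), methods in parse_method_lists(config).items():
        if not any(m.startswith("group ") for m in methods):
            continue
        label = "%s %s %s" % (kind, typ, name)
        if kind == "authentication" and not LOCAL_AUTHN & set(methods):
            findings.append(label + ": no local fallback, lockout if ACS is unreachable")
        elif kind == "authorization" and "none" in methods:
            findings.append(label + ": 'none' fallback, every command allowed while ACS is down")
        elif kind == "authorization" and not AUTHZ_FALLBACK & set(methods):
            findings.append(label + ": no fallback, authorization fails if ACS is unreachable")
    return findings
```

Run `lockout_findings(SAMPLE_CONFIG)` against your own `show running-config | include ^aaa` output to see which method lists still need a fallback.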
12-28-2008 10:07 PM
Bingo JG... thanks for your help!!!
Will seek your help with future problems!!
02-13-2009 11:40 PM
I have configured the accounting commands, but Cisco ACS doesn't show any reports on command accounting. It is authorizing very well, but the command accounting reports are not coming. Can anyone help?
02-16-2009 06:53 AM
Hi Raj,
Command accounting is listed under the TACACS+ Administration report and not under TACACS+ Accounting.
If the issue is still there, then check the ACS software. ACS 4.1.1 has issues with command accounting; you need to upgrade it to patch 5.
Regards,
~JG
Do rate helpful posts
02-24-2009 04:23 AM
Yes... I have upgraded it with the patch and it's working now...
Thanks JG!!! :)