09-19-2014 09:17 AM - edited 03-10-2019 10:02 PM
1) In some documentation/blogs it mentions the use of the "login authentication default" under line con 0 and line vty 0 15. My config is working when I ssh or console to the box but I don't have these commands under the mentioned interfaces. What is the deal with this? Is this normal?
From another blog: "These commands will not appear in the running configuration if the default method list is specified."
2) How do the two groups mentioned below work? How do they relate to the ACS configuration? This is an inherited config and I don't understand the correlation/dynamics.
aaa group server tacacs+ ACS1
 server 172.16.30.41
 server 172.16.30.42
!
aaa group server tacacs+ ACS2
 server 172.16.30.41
 server 172.16.30.42
!
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ local none
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Thank you,
09-21-2014 03:31 PM
For #1 - Some commands are hidden if they are the default commands. You can view those by issuing "show run all"
For #2 - The server groups define your TACACS+/ACS servers. Then the "AAA" commands define how users are authenticated and authorized when accessing the device. In your configuration the default authentication method will use your ACS servers; if the servers are for some reason unavailable, then the local "enable" secret will be used. For authorization, the device will first use your TACACS+ servers; if for some reason the TACACS+ servers are not available, then the local database will be used, and if for some reason the local database is not available, then no other methods will be tried and the user will be automatically authorized on the device.
The syntax, though, is a bit messy and confusing. For instance, you have two different TACACS groups but they are both calling the same IPs. Perhaps this could be cleaned up a bit. For instance,
tacacs server ACS1
 address ipv4 172.16.30.41
 key your_secret_key
!
tacacs server ACS2
 address ipv4 172.16.30.42
 key your_secret_key
!
aaa group server tacacs+ ACS
 server name ACS1
 server name ACS2
!
aaa authentication login default group ACS enable
aaa authorization exec default group ACS local none
aaa authorization commands 14 default group ACS local none
aaa authorization commands 15 default group ACS local none
etc....
aaa accounting commands 14 default start-stop group ACS
aaa accounting commands 15 default start-stop group ACS
etc...
I highly recommend that you do this on a test switch and not on your production environment.
Thank you for rating helpful posts!
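As an added illustration of the fallback order described in this answer (example code, not from the thread or from Cisco): a small Python helper that parses method lists like the ones posted, reports which method actually decides when the TACACS+ servers or the local database are unreachable, and flags server groups that duplicate an earlier group, as ACS1/ACS2 do. The sample config is constructed, and the assumed IOS behaviour is that a later method is consulted only when the earlier one returns an error (unreachable), not when it fails a user.

```python
import re

# Constructed sample mirroring the thread's inherited config (not a device dump).
SAMPLE_CONFIG = """\
aaa group server tacacs+ ACS1
 server 172.16.30.41
 server 172.16.30.42
!
aaa group server tacacs+ ACS2
 server 172.16.30.41
 server 172.16.30.42
!
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ local none
"""

def parse_aaa(config):
    """Return ({group: [servers]}, {(kind, service, list): [methods]}); 'group X' is one method."""
    groups, lists, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa group server tacacs\+ (\S+)$", line):
            current = m.group(1)
            groups[current] = []
        elif current and line.startswith("server "):
            groups[current].append(line.split()[-1])   # indented member: IP or 'name X'
        elif m := re.match(r"aaa (authentication|authorization) (\S+(?: \d+)?) (\S+) (.+)$", line):
            kind, service, name, rest = m.groups()
            lists[(kind, service, name)] = re.findall(r"group \S+|\S+", rest)
        else:
            current = None                              # '!' or anything else closes a group
    return groups, lists

def redundant_groups(groups):
    """Groups whose server set duplicates an earlier group (the thread's ACS1/ACS2 case)."""
    first_seen = {}
    for name, servers in groups.items():
        first_seen.setdefault(frozenset(servers), name)
    return [n for n, s in groups.items() if first_seen[frozenset(s)] != n]

def effective_method(methods, tacacs_reachable, local_db_available=True):
    """IOS moves to the next method only on ERROR (unreachable), never on a FAIL."""
    for method in methods:
        if method.startswith("group ") and not tacacs_reachable:
            continue                                    # TACACS+ servers down: fall through
        if method == "local" and not local_db_available:
            continue                                    # no local usernames: fall through
        return method                                   # 'enable' and 'none' never error out
    return "deny"                                       # list exhausted without a decision
```

Running it against the sample shows why the thread's `none` at the end matters: with TACACS+ down and no local users, exec authorization is granted unconditionally, whereas a list without `none` would deny.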
09-22-2014 04:40 PM
Well, my tacacs config works and a "sh run all" doesn't show any lines under the VTY interfaces, so I am still unclear as to whether the command is needed or not.
In regards to #2, the only reason I can find to have a SECOND group is if they have different keys. It seems like it could be more useful.
09-22-2014 09:37 PM
Hi,
Point 1:-
Those are default commands which enable aaa on those console and vty lines.
That's when you put "aaa authentication login default group tacacs+ enable"; this corresponds to the "login authentication default" part in the lines configuration.
If you had a named "aaa authentication login ACS-SSH group tacacs+ enable", then you would have given the command under
line console 0
login authentication ACS-SSH (approx commands)
Default means by default this will be enabled.
As to seeing those commands, you should be able to from "show run all", but it depends on the IOS also whether those commands can be seen; you can alternatively try "more system:running-config".
Please rate if helpful.