05-12-2003 02:33 PM - edited 03-10-2019 07:17 AM
We have ACS 3.1 server to AAA authentication for all routers and switches. I want each person to log on the router using his own id, password and enable password. If the ACS server is unavailable, I want to have different id, password and enable password for console and telnet access. What's the proper way to do this? I also want to track all commands entered on the router.
This is what I have:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs enable
aaa authentication enable default group tacacs+ line
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
username admin password 7 xxxxxxxxxxxxxxxx
!
!
line con 0
 login authentication no_tacacs
line aux 0
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxxxxxxxxx
!
05-12-2003 04:42 PM
Hi,
Your config looks good for what you want to do. The only issue you have is that you cannot have different enable passwords for different users when they are using the local database. When you are using the local database, you will use only one enable password.
Thanks
Sujit
05-12-2003 04:51 PM
Hi,
This is how it's working now, as per the config:
- Your console port is authenticated using the enable password.
- For your telnet sessions:
You are getting authenticated via the tacacs+ server; if it's unavailable, then it falls back to the local database. But your enable authentication falls back to the line password.
Now, if you want to authenticate/authorize and get accounting records using the tacacs server, and then, if it's unavailable, fall back to the local database for login and to the enable password for enable authentication, then this is what you might want to do:
aaa new-model
aaa authentication login default group tacacs+ local
no aaa authentication login no_tacacs enable <--Remove this
no aaa authentication enable default group tacacs+ line<--Remove this
aaa authentication enable default group tacacs+ enable <---Add this
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local <--Add this to cover level 0 commands
aaa authorization commands 1 default group tacacs+ local <--Add this to cover level 1 commands
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+ <-For level 0 accounting
aaa accounting commands 1 default start-stop group tacacs+ <--For level 1 accounting
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization console --> This is required if you want to authorize console port.
Also, please don't forget to remove the following line from the console port:
line con 0
 no login authentication no_tacacs
NOTE: Please don't forget to create at least one admin account with priv level 15 before you apply the above commands:
username admin privilege 15 password cisco
I hope this helps! Thanks,
Mynul
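As an added illustration of the behaviour Mynul walks through above (which method each line ends up using when the TACACS+ server is unreachable, and why the enable method and the privilege-15 local user matter), here is a small Python audit script. It is not part of the thread and not Cisco tooling; it embeds copies of Joy's original config and Mynul's revised one (annotations and the accounting lines removed, since the audit does not read them) and reports, per line, the effective login and enable method with TACACS+ down, plus the weak spots the replies point out. The one IOS rule it encodes is that a method list is tried left to right and IOS moves to the next method only when the current one returns an error (server unreachable), never when the credentials are rejected.

```python
"""Added example (not Cisco tooling): what an IOS AAA config does when every
TACACS+ server is unreachable. IOS tries a method list left to right and moves on
only on ERROR (server down), never on REJECT, so the method used with TACACS+ down
is the first entry that is not 'group ...'."""
import json
import re

# Constructed copies of the two configs posted in the thread (annotations and the
# accounting lines, which the audit does not read, omitted).
ORIGINAL_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs enable
aaa authentication enable default group tacacs+ line
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
username admin password 7 xxxxxxxxxxxxxxxx
line con 0
 login authentication no_tacacs
line aux 0
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxxxxxxxxx
"""
REVISED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization console
username admin privilege 15 password cisco
line con 0
line aux 0
line vty 0 4
"""

def split_methods(spec):
    """'group tacacs+ local' -> ['group tacacs+', 'local']."""
    toks, out = spec.split(), []
    while toks:
        t = toks.pop(0)
        out.append(f"{t} {toks.pop(0)}" if t == "group" and toks else t)
    return out

def parse_config(text):
    """Pull out the AAA facts the audit needs; 'no ...' lines never match."""
    cfg = {"login": {}, "enable": None, "authz_console": False,
           "cmd_levels": set(), "line_login": {}, "priv15_user": False}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"aaa authentication login (\S+) (.+)", line):
            cfg["login"][m[1]] = split_methods(m[2])
        elif m := re.match(r"aaa authentication enable default (.+)", line):
            cfg["enable"] = split_methods(m[1])
        elif m := re.match(r"aaa authorization commands (\d+) default ", line):
            cfg["cmd_levels"].add(int(m[1]))
        elif line == "aaa authorization console":
            cfg["authz_console"] = True
        elif re.match(r"username \S+ privilege 15 ", line):
            cfg["priv15_user"] = True
        elif m := re.match(r"line (con|aux|vty)\b", line):
            current = m[1]
            cfg["line_login"].setdefault(current, "default")  # no list named => default
        elif (m := re.match(r"login authentication (\S+)", line)) and current:
            cfg["line_login"][current] = m[1]
    return cfg

def method_when_server_down(methods):
    """First method IOS reaches once every 'group' method has returned ERROR."""
    return next((m for m in methods if not m.startswith("group ")), None)

def audit(text):
    cfg = parse_config(text)
    enable_fb = method_when_server_down(cfg["enable"] or ["enable"])  # IOS default
    lines = {}
    for name, list_name in sorted(cfg["line_login"].items()):
        login_fb = method_when_server_down(cfg["login"].get(list_name, []))
        f = []
        if login_fb is None:
            f.append("login has no non-server method: lockout while TACACS+ is down")
        elif login_fb in ("enable", "line", "none"):
            f.append(f"login uses '{login_fb}' with TACACS+ down: no per-user identity")
        elif login_fb == "local" and not cfg["priv15_user"]:
            f.append("login falls back to local but no privilege-15 local user exists")
        if enable_fb == "line":
            f.append("enable falls back to the line password")
        elif enable_fb is None:
            f.append("enable has no non-server method: no privileged access with TACACS+ down")
        if name == "con" and not cfg["authz_console"]:
            f.append("'aaa authorization console' missing: console sessions are not authorized")
        lines[name] = {"login_list": list_name, "login_fallback": login_fb,
                       "enable_fallback": enable_fb, "findings": f}
    return {"lines": lines,
            "command_authz_levels_missing": sorted({0, 1, 15} - cfg["cmd_levels"])}

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONFIG), ("revised", REVISED_CONFIG)):
        print(label, json.dumps(audit(text), indent=1))
```

Run stand-alone, it reports the original config landing on the enable secret for the console and on the vty line password for enable everywhere, with only level 15 covered by command authorization, while the revised config lands on the local privilege-15 user for login and the enable secret for enable on every line, with no findings. The parser only recognises the handful of AAA lines the thread uses, so extend the regexes before pointing it at a production config.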
05-13-2003 08:32 AM
Hi Mynul,
Thank you for the config. Now, if I use this config, then for the console port I need to authenticate with the Tacacs server; if the server fails, am I using the admin account that I created with priv level 15?
Does this also hold true for telnet access?
Thanks..Joy
05-13-2003 10:59 AM
Yes, that's right, Joy. Thanks, Mynul
05-14-2003 11:16 AM
Thank you for your help.
08-01-2003 02:00 PM
Hi,
I want to know one more thing:
can we give all rights equal to Administrator?
Meaning, a copy of all log details to one more user.
Regards
Kiran Kumar