Getting starting with AAA

umamon
Level 1

Hi, I just installed ACS 4.1 for Windows. I've added a user account and a router, my router can communicate with the ACS server, I can authenticate to the router, but my authentication will not take me into enable (or privilege) mode. It takes me right to the user mode. From the server I tried granting priv 15 to my user group and also to me as a user; it still doesn't work. I have the basic configuration on the router

aaa new-model

aaa authentication login susd group tacacs+ local

tacacs-server host 10.x.x.x

tacacs-server directed-request

tacacs-server key xxxx

Can someone help a rookie out.


10 Replies

Collin Clark
VIP Alumni

Try this:

ROUTER#config t

Enter configuration commands, one per line. End with CNTL/Z.

ROUTER(config)#line vty 0 4

ROUTER(config-line)#privilege level 15

ROUTER(config-line)#end

ROUTER#

HTH

Hi HTH,

Thanks that worked!

john.dowson
Level 1

You can also achieve this using TACACS authorization. Enter the following command in global configuration mode:

aaa authorization exec default group tacacs+ local

This will enable the router to put you into your assigned privileged mode as configured on the ACS.

I think this is actually the way I wanna go, so I can take advantage of aaa logging.

If I use this authorization command should I remove the privilege login from my VTY lines?

Yes, you don't need the privilege level set on the VTY lines when using the authorization method.

John

Thanks John,

That gave me exactly what I was looking for. I also had to place the authorization command on the line.

Ah, I guess you're using a named authorization method rather than the default one, which is why it needs applying to the VTY lines. The default method would apply to all lines where not already configured.

John,

Do you think that the default method is the better way to go? I guess it would since I don't have to configure the lines.

Default is a good option to use if you are not using any method list.

The default keyword covers all interfaces except serial.

Regards,

~JG
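To make the two approaches discussed above concrete, here is an added example configuration (not from anyone in this thread) showing the named-list variant the original poster ended up with beside the default-list variant JG recommends. The list name `susd`, the server address and the key are the placeholders from the original post; the local fallback username is assumed.

```cisco
! --- Variant A: named method lists (what the thread's author configured) ---
! A named list is inert until it is applied to a line, which is why the
! exec authorization command also had to be placed under the VTY lines.
aaa new-model
tacacs-server host 10.x.x.x
tacacs-server key xxxx
aaa authentication login susd group tacacs+ local
aaa authorization exec susd group tacacs+ local
!
line vty 0 4
 login authentication susd
 authorization exec susd
!
! --- Variant B: default method lists (JG's suggestion) ---
! "default" applies automatically to every line that has no explicit list,
! so nothing is needed under the VTY lines. Exec authorization is not applied
! to the console unless "aaa authorization console" is configured as well.
aaa new-model
tacacs-server host 10.x.x.x
tacacs-server key xxxx
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Common to both: the privilege level now comes from ACS (shell/exec privilege
! level 15 on the user or group), so "privilege level 15" under the VTY lines
! is no longer needed. Leaving it there would hand level 15 to anyone who
! authenticates on those lines regardless of what ACS assigned.
! The "local" fallback only helps if the local account carries the level too
! (assumed username, not from the thread):
username admin privilege 15 secret <placeholder>
!
! Verify from a fresh session, keeping the working one open until it passes:
!   show privilege   -> "Current privilege level is 15"
```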

Thanks John, You've been a big help.