08-01-2011 03:08 AM - edited 03-10-2019 06:16 PM
Hi
I'm looking to migrate 100s of devices from local authentication to AAA. I have the code that I need to apply, but I can't think of a way to automate this.
If I log onto a switch using the local username, I can then add the AAA config in global mode
aaa authentication login TACACS_LOCAL group TACACS_SERVERS local
aaa authorization console
aaa authorization config-commands
aaa authorization exec TACACS_LOCAL group TACACS_SERVERS local
aaa authorization commands 0 TACACS_LOCAL group TACACS_SERVERS local
aaa authorization commands 1 TACACS_LOCAL group TACACS_SERVERS local
aaa authorization commands 15 TACACS_LOCAL group TACACS_SERVERS local
aaa accounting exec TAC start-stop group TACACS_SERVERS
aaa accounting commands 0 TAC start-stop group TACACS_SERVERS
aaa accounting commands 1 TAC start-stop group TACACS_SERVERS
aaa accounting commands 15 TAC start-stop group TACACS_SERVERS
However, once I add the config for the line, authorization then kicks in (as I'm logged in as a local user) and denies any command entered. I then need to re-login to the switch using an AAA account and apply this code:
line vty 0 4
authorization commands 0 TACACS_LOCAL
authorization commands 1 TACACS_LOCAL
authorization commands 15 TACACS_LOCAL
authorization exec TACACS_LOCAL
accounting commands 0 TAC
accounting commands 1 TAC
accounting commands 15 TAC
accounting exec TAC
login authentication TACACS_LOCAL
I wanted to know if anyone has come up with a way of applying the code in one hit? I would ideally like to automate this using CiscoWorks; however, I can't think of any way apart from adding this code to the startup config and rebooting...
Many thanks
Solved! Go to Solution.
08-04-2011 01:43 PM
No,
LMS usually uses TFTP to deploy configuration to devices, so the user shouldn't be an issue.
Go to Configuration -> Template Center -> Import
You can import a configuration from one of your devices by selecting one. When the config is fetched, you can remove the parts of the configuration you don't need and paste the aaa authentication into the window.
Then click Next.
There you can preselect the devices you want to consider for deployment. Then click Next.
If no configuration appears, click Next.
Type the required information into the fields. Click Finish.
I would recommend creating a template for removing the aaa configuration, but be aware that when you just type no aaa new-model the configuration is 100% removed, but as soon as you type aaa new-model again you have the old config merged with the new one. You have to negate all your aaa commands, followed by a no aaa new-model. (This cost me about 2 hours to figure out how to remove it.)
Next step is to deploy the config to a test device.
Go to Configuration -> Template Center -> Deploy
Select your template, then click Next.
Select your device -> click Next.
If you didn't configure any parameters, click Next.
You can add some additional configuration if you want; click Next.
Schedule your deployment, then click Finish.
Check for any problems during deployment; if everything worked fine you can log in to the device with your TACACS credentials.
If there are any problems with your template, export it and open it with an XML editor of your choice, modify the template, import it and try again.
I've added a sample template.
good luck
alex
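The two lockout lessons in this thread (push authentication and accounting first and leave the line-mode authorization statements for the very end of the script; negate every aaa command before no aaa new-model, because the lists otherwise merge back in) can be checked mechanically before a template goes out to hundreds of devices. The following Python linter is an added example, not code from the original posts, from CiscoWorks LMS or from Cisco. It uses the method-list names from the thread (TACACS_LOCAL, TAC, TACACS_SERVERS); the two sample scripts are constructed, one in the safe order and one in the order that locks the pushing session out, and the "every list must end in local" rule is an assumption about what the OP wants, not something the thread states.

```python
"""Lint an IOS AAA migration script before mass deployment; derive its rollback.

Added example for this thread (not from the posts, LMS or Cisco). Checks:
  1. Ordering: global 'aaa authorization ...' comes after the authentication
     and accounting commands, and the line-mode 'authorization ...' statements
     are the last thing in the script, so the session pushing the config is
     never subject to command authorization while it still has work to do.
  2. Fallback (assumed requirement): every authentication/authorization method
     list ends in 'local', so an unreachable TACACS+ server cannot lock you out.
It also builds the removal template: each global 'aaa ...' command negated,
then 'no aaa new-model', since 'no aaa new-model' alone only hides the lists.
"""
import re

# Commands that carry a method list: (kind, list name, methods).
_METHOD_LIST_RE = re.compile(
    r"^aaa (authentication login|authorization (?:exec|commands \d+)) (\S+) (.+)$"
)
_TERMINATORS = {"end", "exit"}


def _parse(config):
    """Return [(indent, command)] for non-blank lines; indent > 0 means sub-mode."""
    return [(len(raw) - len(raw.lstrip()), raw.strip())
            for raw in config.splitlines() if raw.strip()]


def lint_aaa_script(config):
    """Return a list of findings; an empty list means the script is safe to push."""
    findings = []
    body = [(i, c) for i, c in _parse(config) if c not in _TERMINATORS]
    if not body or body[0] != (0, "aaa new-model"):
        findings.append("'aaa new-model' must be the first command")

    for _, cmd in body:
        m = _METHOD_LIST_RE.match(cmd)
        if m and m.group(3).split()[-1] != "local":
            findings.append(f"no 'local' fallback on method list: {cmd}")

    # Global order: no 'aaa authorization' before the last authentication/accounting line.
    glob = [c for i, c in body if i == 0]
    authz = [n for n, c in enumerate(glob) if c.startswith("aaa authorization")]
    auth_acct = [n for n, c in enumerate(glob)
                 if c.startswith(("aaa authentication", "aaa accounting"))]
    if authz and auth_acct and min(authz) < max(auth_acct):
        findings.append("global 'aaa authorization' precedes authentication/accounting")

    # Line order: 'authorization' only after 'login authentication' and 'accounting'.
    sub = [c for i, c in body if i > 0]
    sub_authz = [n for n, c in enumerate(sub) if c.startswith("authorization ")]
    sub_other = [n for n, c in enumerate(sub)
                 if c.startswith(("login authentication", "accounting "))]
    if sub_authz and sub_other and min(sub_authz) < max(sub_other):
        findings.append("line-mode 'authorization' precedes login authentication/accounting")

    # The very last command pushed must be a line-mode authorization statement.
    if not body or body[-1][0] == 0 or not body[-1][1].startswith("authorization "):
        findings.append("script must end with the line-mode 'authorization ...' statements")
    return findings


def rollback_template(config):
    """Negate each global 'aaa ...' command (newest first), then remove aaa new-model."""
    glob_aaa = [c for i, c in _parse(config)
                if i == 0 and c.startswith("aaa ") and c != "aaa new-model"]
    return ["no " + c for c in reversed(glob_aaa)] + ["no aaa new-model"]


# Constructed sample: the thread's commands in the safe order.
GOOD_ORDER = """\
aaa new-model
aaa authentication login TACACS_LOCAL group TACACS_SERVERS local
aaa accounting exec TAC start-stop group TACACS_SERVERS
aaa accounting commands 15 TAC start-stop group TACACS_SERVERS
aaa authorization console
aaa authorization config-commands
aaa authorization exec TACACS_LOCAL group TACACS_SERVERS local
aaa authorization commands 15 TACACS_LOCAL group TACACS_SERVERS local
line vty 0 4
 login authentication TACACS_LOCAL
 accounting exec TAC
 accounting commands 15 TAC
 authorization exec TACACS_LOCAL
 authorization commands 15 TACACS_LOCAL
"""

# Constructed sample: authorization too early and one list without local fallback.
BAD_ORDER = """\
aaa new-model
aaa authentication login TACACS_LOCAL group TACACS_SERVERS
aaa authorization exec TACACS_LOCAL group TACACS_SERVERS local
aaa authorization commands 15 TACACS_LOCAL group TACACS_SERVERS local
aaa accounting exec TAC start-stop group TACACS_SERVERS
line vty 0 4
 authorization commands 15 TACACS_LOCAL
 authorization exec TACACS_LOCAL
 login authentication TACACS_LOCAL
 accounting exec TAC
"""

if __name__ == "__main__":
    for name, cfg in (("GOOD_ORDER", GOOD_ORDER), ("BAD_ORDER", BAD_ORDER)):
        print(name, lint_aaa_script(cfg) or "OK")
    print("\n".join(rollback_template(GOOD_ORDER)))
```

Run the linter over the template text before importing it into Template Center, and keep the rollback list as a second template so a failed test-device deployment can be undone without leaving stale method lists behind.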
08-03-2011 04:55 PM
Try adding the authorization command at the end of the script.
08-04-2011 10:01 AM
I recently deployed AAA by Cisco LMS 4.0 to a bunch of devices. I did a two-step approach to make sure I don't get locked out.
I created two templates in the Template Center: one for authentication and accounting and one for the authorization. Start with authentication and accounting in the first step, then the authorization.
Be aware that the configuration deployed with the Template Center has problems with saving the config to the startup config. I had to visit each device to save the config manually to the startup-config.
regards
alex
08-04-2011 10:46 AM
Hi Alex
Thanks for the reply mate.
Can you elaborate on these templates (I'm not familiar with LMS)? Did you log in for the second template using an AAA username/password?
Hi Tarik
Thanks mate - I should have elaborated and said I know that is the issue :-)
I can't apply ALL the code in one hit.
cheers
08-04-2011 10:54 AM
Hi Golly,
what version of LMS you're running?
Sure you can apply all the code in one go, just make sure that the authorization part is at the end.
Deploying it in two steps is just easier.
08-04-2011 01:25 PM
Hi Alex
I think it's v4 mate.
I thought that Cisco Works would login and then apply the code - just like a normal user would do.
So if you do it in two parts, with 1st authentication + accounting, 2nd authorization.
The 1st login is using the local account, then the 2nd login would surely need to log in using an account that can be authenticated back to the ACS?
If the 2nd login used the local account then it would fail, as it would not be authenticated via ACS.
cheers
08-05-2011 02:59 PM
Hi Mate
I got our monitoring guy to implement this today and it worked like a charm.
THANK YOU SO MUCH!!! :-)