
1466 Views | 0 Helpful | 7 Replies
golly_wog
Beginner

Moving to AAA from local authentication on 100s of devices on production network

Hi

I'm looking to migrate 100s of devices from local authentication to AAA. I have the code that I need to apply, but I can't think of a way to automate this.

If I log onto a switch using the local username, I can then add the AAA config in global mode:

aaa authentication login TACACS_LOCAL group TACACS_SERVERS local
aaa authorization console
aaa authorization config-commands
aaa authorization exec TACACS_LOCAL group TACACS_SERVERS local
aaa authorization commands 0 TACACS_LOCAL group TACACS_SERVERS local
aaa authorization commands 1 TACACS_LOCAL group TACACS_SERVERS local
aaa authorization commands 15 TACACS_LOCAL group TACACS_SERVERS local
aaa accounting exec TAC start-stop group TACACS_SERVERS
aaa accounting commands 0 TAC start-stop group TACACS_SERVERS
aaa accounting commands 1 TAC start-stop group TACACS_SERVERS
aaa accounting commands 15 TAC start-stop group TACACS_SERVERS

However, once I add the config for the line, authorization then kicks in (as I'm logged in as a local user) and denies any command entered. I then need to re-login to the switch using an AAA account and apply this code:

line vty 0 4
 authorization commands 0 TACACS_LOCAL
 authorization commands 1 TACACS_LOCAL
 authorization commands 15 TACACS_LOCAL
 authorization exec TACACS_LOCAL
 accounting commands 0 TAC
 accounting commands 1 TAC
 accounting commands 15 TAC
 accounting exec TAC
 login authentication TACACS_LOCAL

I wanted to know if anyone has come up with a way of applying the code in one hit? I would ideally like to automate this using Cisco Works, however I can't think of any way, apart from adding this code to the start-up config and re-booting...

Many thanks

Accepted Solution

No,

LMS usually uses TFTP to deploy configuration to devices. So the user shouldn't be an issue.

Go to Configuration -> Template Center -> Import

You can import a configuration from one of your devices by selecting one. When the config is fetched, you can remove the parts of the configuration you don't need and paste the aaa authentication into the window.

Then click Next.

There you can preselect the devices you want to consider for deployment. Then click Next.

If no configuration appears, click Next.

Type the required information into the fields. Click Finish.

I would recommend creating a template for removing the aaa configuration, but be aware that when you just type no aaa new-model the configuration is 100% removed; as soon as you type aaa new-model again you have the old config merged with the new one. You have to negate all your aaa commands followed by a no aaa new-model. (This cost me about 2 hours to figure out how to remove it.)

Next step is to deploy the config to a test device.

Go to Configuration -> Template Center -> deploy

Select your template then click next

Select your device -> click next

If you didn't configure any parameters, click Next.

You can add some additional configurations if you want, then click Next.

Schedule your deployment, then click Finish.

Check for any problems during deployment. If everything worked fine you can log in to the device with your TACACS credentials.

If there are any problems with your template, export it and open it with an XML editor of your choice, modify the template, import it and try again.

I've added a sample template.

good luck

alex

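The two operational points made in this thread (push authentication and accounting first and authorization last so the session applying the config is not cut off mid-push, and negate every aaa command before no aaa new-model so nothing is merged back later) can be checked mechanically before a template is deployed. The following Python is an added example, not code from the thread or from Cisco LMS; it works on the command lists from the original post (embedded as constructed sample data), assumes aaa new-model is wanted at the top of the push, and the line name "line vty 0 4" is taken from the post.

```python
"""Order and negate Cisco IOS AAA command lists for a TACACS+ migration.

Added example (not from the thread or from Cisco LMS). It applies the
thread's advice: authorization goes last in the push, and removal
negates every AAA command before "no aaa new-model".
"""
import re

# Constructed sample: the global and line commands quoted in the original post.
GLOBAL_CMDS = [
    "aaa authentication login TACACS_LOCAL group TACACS_SERVERS local",
    "aaa authorization console",
    "aaa authorization config-commands",
    "aaa authorization exec TACACS_LOCAL group TACACS_SERVERS local",
    "aaa authorization commands 15 TACACS_LOCAL group TACACS_SERVERS local",
    "aaa accounting exec TAC start-stop group TACACS_SERVERS",
    "aaa accounting commands 15 TAC start-stop group TACACS_SERVERS",
]
LINE_CMDS = [
    "authorization commands 15 TACACS_LOCAL",
    "authorization exec TACACS_LOCAL",
    "accounting commands 15 TAC",
    "accounting exec TAC",
    "login authentication TACACS_LOCAL",
]

# Matches both global ("aaa authorization ...") and line-mode ("authorization ...",
# "login authentication ...") forms and captures the AAA function.
_KIND = re.compile(r"^(?:aaa\s+)?(authentication|authorization|accounting|login)\b")


def aaa_kind(cmd):
    """Classify a command as authentication, authorization, accounting or other."""
    m = _KIND.match(cmd.strip())
    if not m:
        return "other"
    return "authentication" if m.group(1) == "login" else m.group(1)


def order_for_push(global_cmds, line_cmds, vty="line vty 0 4"):
    """Return the full push in a lockout-safe order: global and line
    authentication/accounting first, every authorization command last."""
    phase1 = [c for c in global_cmds if aaa_kind(c) != "authorization"]
    phase2 = [c for c in global_cmds if aaa_kind(c) == "authorization"]
    line1 = [c for c in line_cmds if aaa_kind(c) != "authorization"]
    line2 = [c for c in line_cmds if aaa_kind(c) == "authorization"]
    out = ["aaa new-model"]  # assumed wanted; harmless if already enabled
    out += [c for c in phase1 if c != "aaa new-model"]
    if line1:
        out += [vty] + [" " + c for c in line1]
    out += phase2
    if line2:
        out += [vty] + [" " + c for c in line2]
    return out


def authorization_is_last(cmds):
    """Pre-deployment check: no authorization command may precede any
    authentication or accounting command, or the push can cut itself off."""
    seen_authz = False
    for c in cmds:
        k = aaa_kind(c)
        if k == "authorization":
            seen_authz = True
        elif k in ("authentication", "accounting") and seen_authz:
            return False
    return True


def removal_template(global_cmds, line_cmds, vty="line vty 0 4"):
    """Negate every AAA command (line references first, then globals in
    reverse order) and only then 'no aaa new-model', so nothing is left
    to be merged back the next time 'aaa new-model' is entered."""
    out = [vty] + [" no " + c for c in line_cmds]
    out += ["no " + c for c in reversed(global_cmds)]
    out.append("no aaa new-model")
    return out


if __name__ == "__main__":
    push = order_for_push(GLOBAL_CMDS, LINE_CMDS)
    print("original global order safe:", authorization_is_last(GLOBAL_CMDS))
    print("reordered push safe:", authorization_is_last(push))
    print("\n".join(push))
    print("!")
    print("\n".join(removal_template(GLOBAL_CMDS, LINE_CMDS)))
```

Run as-is it reports that the post's own global ordering fails the check (accounting commands follow the authorization ones) and prints a reordered push that passes, followed by the matching removal template.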

7 Replies
Tarik Admani
Advocate

Try adding the authorization command at the end of the script.

I recently deployed AAA by Cisco LMS 4.0 to a bunch of devices. I did a two-step approach to make sure I don't get locked out.

I created two templates in the template center; one for authentication and accounting and one for the authorization. Start with authentication and accounting in the first step, then the authorization.

Be aware that the configuration deployed with the template center has problems with saving the config to the startup config. I had to visit each device to save the config manually to the startup-config.

regards

alex

Hi Alex

Thanks for the reply mate.

Can you elaborate on these templates (I'm not familiar with LMS)? Did you log in for the second template using an AAA username/password?

Hi Tarik

Thanks mate - I should have elaborated and said I know that is the issue :-)

I can't apply ALL the code in one hit.

cheers

Hi Golly,

What version of LMS are you running?

Sure you can apply all code in one line, just make sure that the authorization part is at the end.

Deploying it in two steps is just easier.

Hi Alex

I think it's v4 mate.

I thought that Cisco Works would login and then apply the code - just like a normal user would do.

So if you do it in two parts, with 1st authentication + accounting, 2nd authorization.

The 1st login is using the local account, then the 2nd login would surely need to log in using an account that can be authenticated back to the ACS?

If the 2nd login used the local account then it would fail, as it would not be authenticated via ACS.

cheers


Hi Mate

I got our monitoring guy to implement this today and it worked like a charm.

THANK YOU SO MUCH!!! :-)
