Need Suggestion for AAA authentication and authorization configuration

Hi,

This TACACS+ config is configured on all access switches. Kindly assist me if there is any missing config; in case ACS goes down, am I able to log in locally?

Initial Config.

aaa new-model
aaa authentication login default group tacacs+ enable=======>   I changed enable to local here
aaa authentication enable default group tacacs+ enable=======>   I removed this command; is it OK, or should I change enable to local?
aaa authorization config-commands
aaa authorization exec default group tacacs+ none=======>   Kindly describe this command to me
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+


A local username/password and enable secret are configured on all devices.

Thanks in Advance.


3 Replies

Marvin Rhoads
Hall of Fame

Both Authentication and Authorization method lists need to include "local" as the last method in the list. This would be as recommended by Cisco in the Cisco Validated Design (CVD) for wired LAN design.

That will ensure that not only can you log in in the event that your TACACS servers are unavailable but that you are actually authorized to execute commands - always a good thing. :)

aaa authorization exec default group tacacs+ none

So here, what is the function of the none keyword? Should I change it to local?

Yes, changing that to "local" will ensure that the device checks the local database in case your TACACS+ server is down. If you choose to leave it at "none" then no authorization checks will be performed in a situation where the TACACS+ server is unavailable. 


Thank you for rating helpful posts!
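For reference, here is the original configuration reworked so that every authentication and authorization method list ends with a local fallback, as the reply above recommends. This is an added example, not configuration from the original post or from Cisco; the local account name "admin" and the placeholder secrets are assumptions, and "tacacs+" is the server group name already used in the thread.

```cisco
! Added example (not from the original post): AAA method lists with local fallback.
! Assumptions: local account "admin"; <LOCAL-PASSWORD> and <ENABLE-SECRET> are placeholders.
!
! Local credentials that the fallback methods rely on. "privilege 15" matters because,
! with "authorization exec ... local", the privilege granted comes from the local user.
username admin privilege 15 secret <LOCAL-PASSWORD>
enable secret <ENABLE-SECRET>
!
aaa new-model
!
! Authentication: TACACS+ first. IOS moves to the next method only when every server
! in the group is unreachable, not when a server rejects the credentials.
aaa authentication login default group tacacs+ local
! The local username database is not a method for enable authentication;
! the "enable" keyword falls back to the enable secret configured above.
aaa authentication enable default group tacacs+ enable
!
! Authorization: the original list ended in "none", which performs no authorization
! at all while TACACS+ is down. "local" keeps a check against the local database.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
! Console sessions are exempt from authorization unless this is enabled;
! include it if the console should be held to the same method lists.
aaa authorization console
!
! Accounting: unchanged from the original, start-stop records to TACACS+.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
```

Verify the fallback from a second session before saving: stop the TACACS+ service (or block the switch from reaching it) and confirm that the local account can log in and reach privilege 15 while the first session stays open.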