02-15-2007 04:28 AM - edited 03-10-2019 02:59 PM
Hello,
I am trying to create a tacacs config that will make sure that when you log onto the console you do not get tacacs and that we are on line login and local enable. If connectivity to the tacacs server is lost, the login for telnet defaults to the line password and uses the local enable password.
My config:
aaa authentication login default group tacacs+ line
aaa authentication login CONSOLE line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec CONSOLE none
aaa authorization commands 1 default if-authenticated
aaa authorization commands 15 default if-authenticated
aaa authorization commands 1 CONSOLE none
aaa authorization commands 15 CONSOLE none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
line con 0
password xxxxx
authorization exec CONSOLE
login authentication CONSOLE
!
!
end
Thanks
msteinhoff
02-15-2007 06:57 AM
msteinhoff
Your config looks pretty good to me. For telnet authentication it should use tacacs and if tacacs is not available it will use the line password. The console will not use tacacs for authentication and will use the line password. Both telnet and console will use tacacs to authenticate enable and will fall back to the locally configured enable/enable secret if tacacs is not available.
Mostly I think the configuration of authorization is fine. I would suggest one minor fine tuning. Instead of:
aaa authorization exec CONSOLE none
I would suggest this:
aaa authorization exec CONSOLE if-authenticated
HTH
Rick
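The fallback described in the reply above has one subtlety worth checking before relying on it: IOS moves to the next method in a list only when the previous method returns an error (server unreachable), not when the server answers and rejects the credentials. The following added example is not from the thread or from Cisco; it is a small Python model of that method-list walk, run against the two login lists and the enable list from the original post. The server class, the usernames and the passwords are constructed for the illustration.

```python
"""Model of how IOS walks an AAA method list (added example, not from the thread).

Illustrates the fallback behaviour discussed above: a later method is consulted
only when the earlier one returns ERROR (server unreachable), never when it
returns FAIL (server reachable but credentials rejected). TacacsServer, the
sample users and the passwords are assumptions made for the example.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method authenticated the user: stop, allow
    FAIL = "fail"    # method rejected the user: stop, deny
    ERROR = "error"  # method could not answer: try the next method


class TacacsServer:
    """Minimal stand-in for a TACACS+ server with a reachability flag."""

    def __init__(self, users, reachable=True):
        self.users = users          # constructed username -> password table
        self.reachable = reachable

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL


class Device:
    """Holds the local state each IOS authentication method can consult."""

    def __init__(self, tacacs, line_password, local_users, enable_secret):
        self.tacacs = tacacs
        self.line_password = line_password
        self.local_users = local_users
        self.enable_secret = enable_secret

    def run_method(self, method, user, password):
        # Each keyword mirrors one method keyword of 'aaa authentication ...'.
        if method == "group tacacs+":
            return self.tacacs.authenticate(user, password)
        if method == "line":
            return Result.PASS if password == self.line_password else Result.FAIL
        if method == "local":
            return Result.PASS if self.local_users.get(user) == password else Result.FAIL
        if method == "enable":
            return Result.PASS if password == self.enable_secret else Result.FAIL
        if method == "none":
            return Result.PASS
        raise ValueError(f"unknown method {method!r}")

    def authenticate(self, method_list, user, password):
        """Walk the list; returns (outcome, method that decided, methods tried)."""
        tried = []
        for method in method_list:
            tried.append(method)
            result = self.run_method(method, user, password)
            if result is not Result.ERROR:
                return result, method, tried
        # Every method errored: access is denied rather than granted.
        return Result.FAIL, None, tried


# The lists from the original post, as method sequences.
LOGIN_DEFAULT = ["group tacacs+", "line"]
LOGIN_CONSOLE = ["line"]
ENABLE_DEFAULT = ["group tacacs+", "enable"]


def scenario(server_reachable, method_list, user, password):
    """Build a device with constructed credentials and run one attempt."""
    tacacs = TacacsServer({"alice": "tac-pw"}, reachable=server_reachable)
    dev = Device(tacacs, line_password="line-pw",
                 local_users={"alice": "local-pw"}, enable_secret="en-pw")
    return dev.authenticate(method_list, user, password)


if __name__ == "__main__":
    for up, lst, user, pw in [
        (True, LOGIN_DEFAULT, "alice", "tac-pw"),    # normal telnet login
        (True, LOGIN_DEFAULT, "alice", "line-pw"),   # rejected by server: no fallback
        (False, LOGIN_DEFAULT, "alice", "line-pw"),  # server down: line password used
        (True, LOGIN_CONSOLE, "alice", "line-pw"),   # console never asks TACACS
        (False, ENABLE_DEFAULT, "alice", "en-pw"),   # server down: local enable used
    ]:
        print(up, lst, user, pw, "->", scenario(up, lst, user, pw))
```

The second scenario is the one to keep in mind when testing the fallback: with the server up, typing the line password at the telnet prompt is a rejection, not a fallback, so a practitioner verifying the design should simulate loss of reachability (for example by blocking TCP/49) rather than by entering the wrong password.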
02-15-2007 08:51 AM
This is exactly what you need:
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ group tacacs+
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec TAC start-stop group tacacs+
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 TAC start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 TAC start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 10 TAC start-stop group tacacs+
aaa accounting commands 15 TAC start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection TAC start-stop group tacacs+
line con 0
exec-timeout 0 0
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
logging synchronous
login authentication notac
line vty 0 15
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY
transport input ssh
This will give very fine control on what user(s) can and cannot do. I use this configuration with freeware TACACS and it works wonders for me.
Good luck.
David
CCIE Security
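A config of this size defines several named lists, and it is easy to end up with a list that is defined but never applied to any line (so its accounting or authorization never happens) or a line that names a list the config does not define. The following added example is not from the thread or from Cisco; it is a small Python audit that parses an IOS-style config, constructed inline and modelled on the reply above, and reports both conditions for the list types that are bound per line (login, exec and commands). The regular expressions and list names are assumptions made for the example.

```python
"""Static check of which AAA method lists are actually bound to lines.

Added example, not part of the thread. It parses an IOS-style config
(constructed inline, modelled on the reply above) and reports named lists
that no line references and line bindings that name an undefined list.
Only list types bound per line (login, exec, commands) are checked.
"""
import re

# Constructed sample, trimmed from the configuration posted above.
SAMPLE_CONFIG = """\
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa accounting exec TAC start-stop group tacacs+
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 15 TAC start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
!
line con 0
 authorization exec notac
 accounting exec VTY
 login authentication notac
line vty 0 15
 authorization commands 15 VTY
 authorization exec VTY
 accounting exec VTY
 accounting commands 15 VTY
 login authentication VTY
"""

# Global definitions. The privilege level stays part of 'what' because each
# commands level is its own list namespace.
DEF_RE = re.compile(
    r"^aaa (?P<what>authentication login|authorization exec|authorization commands \d+|"
    r"accounting exec|accounting commands \d+) (?P<name>\S+)"
)
# Per-line bindings, indented under a 'line ...' block.
BIND_RE = re.compile(
    r"^\s+(?P<what>login authentication|authorization exec|authorization commands \d+|"
    r"accounting exec|accounting commands \d+) (?P<name>\S+)\s*$"
)
# The line-mode keyword order differs from the global one for login lists.
BIND_TO_DEF = {"login authentication": "authentication login"}


def parse(config):
    """Return (set of defined (what, name), dict of bound (what, name) -> lines)."""
    defined, bound = set(), {}
    current_line = None
    for raw in config.splitlines():
        m = DEF_RE.match(raw)
        if m:
            defined.add((m.group("what"), m.group("name")))
            continue
        if raw.startswith("line "):
            current_line = raw.strip()
            continue
        m = BIND_RE.match(raw)
        if m and current_line:
            what = BIND_TO_DEF.get(m.group("what"), m.group("what"))
            bound.setdefault((what, m.group("name")), []).append(current_line)
    return defined, bound


def audit(config):
    """Return (unused definitions, dangling bindings), each sorted.

    'default' lists apply implicitly to lines with no explicit binding,
    so they are never reported as unused or dangling.
    """
    defined, bound = parse(config)
    unused = sorted(d for d in defined if d not in bound and d[1] != "default")
    dangling = sorted((b, lines) for b, lines in bound.items()
                      if b not in defined and b[1] != "default")
    return unused, dangling


if __name__ == "__main__":
    unused, dangling = audit(SAMPLE_CONFIG)
    for what, name in unused:
        print(f"defined but not applied to any line: aaa {what} {name}")
    for (what, name), lines in dangling:
        print(f"bound on {', '.join(lines)} but never defined: {what} {name}")
```

On the sample, the audit reports the two TAC accounting lists as defined but never applied, which matches a reading of the posted config: both the console and the VTY lines bind the VTY accounting lists. The check is deliberately limited to per-line list types; `network` and `connection` lists are applied elsewhere and would need a different rule.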