11-06-2013 05:11 AM - edited 03-10-2019 09:04 PM
Hi,
I am trying to create a TACACS config that will make sure that when you log onto the CONSOLE or VTY you get a TACACS challenge, and if the TACACS server is down then fall back to the local user/password and the local enable password.
Please advise whether I have followed the Cisco best practices; that will help many others to follow.
Thanks and kind Regards,
username cisco secret cisco123
enable secret cisco456
aaa authentication login network-access group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated none
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ local if-authenticated (what's the difference between this and the command just below, and which command should I use?)
or
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 15
login authentication network-access
line console 0
login authentication network-access
11-10-2013 04:34 AM
Any help will be very much appreciated
11-10-2013 05:39 AM
The syntax of what you have posted looks ok. There is no configuration for a TACACS server, and without that the config will not work.
I wonder about the choice to create a named method for user authentication rather than just using the default. (I am usually of the opinion that simpler is better but what you have configured should work)
The difference in the commands for authorization of level 15 is that your first option (which I believe is the preferred approach) offers a backup option if the TACACS server is not available and continues to offer some level of protection. Your second alternative says that if TACACS is not available then do not be concerned about authorization at all.
HTH
Rick
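As an added illustration of the difference Rick describes above (this is example code written for this page, not code from the thread or from Cisco), here is a small Python model of how IOS walks an AAA method list: each method returns PASS, FAIL or ERROR, and the next method in the list is consulted only on ERROR (no response from the server), never on an explicit FAIL. It parses the two `commands 15` alternatives from a constructed config (renamed `with-local` and `with-none` so both can appear in one text, where the post uses `default`) and evaluates them for a few constructed users. Two simplifying assumptions are made and marked in the code: the `local` method is modelled as "the user exists locally with a privilege level at or above the command's level", and a list in which every method returns ERROR is treated as deny.

```python
"""Simulate IOS AAA method-list fallback for 'aaa authorization commands' lists.

IOS tries the methods of a list in order and moves to the next one only when a
method returns ERROR (e.g. the TACACS+ server did not answer). A FAIL from any
method ends the list with a deny, so 'none' at the end is never reached while
the server is reachable and says no.
"""
import re
from dataclasses import dataclass

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed config: the two alternatives from the post, given distinct list
# names here (the post uses 'default' for both) so both can be parsed at once.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization commands 15 with-local group tacacs+ local if-authenticated
aaa authorization commands 15 with-none group tacacs+ none
"""

LINE_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")


def parse_command_lists(config_text):
    """Return {(privilege_level, list_name): [method, ...]} for each
    'aaa authorization commands' line; other lines are ignored."""
    lists = {}
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        level, name, rest = int(m.group(1)), m.group(2), m.group(3).split()
        methods, i = [], 0
        while i < len(rest):
            if rest[i] == "group":          # 'group tacacs+' is a single method
                methods.append(f"group {rest[i + 1]}")
                i += 2
            else:
                methods.append(rest[i])
                i += 1
        lists[(level, name)] = methods
    return lists


@dataclass
class Device:
    local_users: dict    # username -> local privilege level ('username ... privilege N')
    tacacs_up: bool      # False models an unreachable TACACS+ server
    tacacs_allow: dict   # (username, command) -> bool, the ACS decision when reachable


def run_method(method, dev, user, authenticated, level, command):
    """Outcome (PASS/FAIL/ERROR) of a single method for one command."""
    if method == "group tacacs+":
        if not dev.tacacs_up:
            return ERROR                                   # no reply: fall through
        return PASS if dev.tacacs_allow.get((user, command)) else FAIL
    if method == "local":
        # Simplifying assumption: local command authorization passes when the
        # user exists locally with privilege >= the command's level.
        priv = dev.local_users.get(user)
        return PASS if priv is not None and priv >= level else FAIL
    if method == "if-authenticated":
        return PASS if authenticated else FAIL
    if method == "none":
        return PASS                                        # no authorization at all
    raise ValueError(f"unsupported method {method!r}")


def authorize(methods, dev, user, command, level, authenticated=True):
    """Walk the list; only ERROR moves on. All-ERROR is treated as deny (assumption)."""
    for method in methods:
        result = run_method(method, dev, user, authenticated, level, command)
        if result != ERROR:
            return result == PASS
    return False


def compare(config_text=SAMPLE_CONFIG):
    """Decision of every parsed list for a few constructed scenarios:
    {(scenario, list_name): allowed}."""
    lists = parse_command_lists(config_text)
    local = {"cisco": 15, "ops": 1}                        # constructed local database
    acs = {("admin", "configure terminal"): True,          # constructed ACS policy
           ("ops", "configure terminal"): False}
    scenarios = {
        "tacacs up, ops (read-only) runs conf t": (Device(local, True, acs), "ops"),
        "tacacs down, ops (local priv 1) runs conf t": (Device(local, False, acs), "ops"),
        "tacacs down, cisco (local priv 15) runs conf t": (Device(local, False, acs), "cisco"),
    }
    out = {}
    for label, (dev, user) in scenarios.items():
        for (level, name), methods in lists.items():
            out[(label, name)] = authorize(methods, dev, user, "configure terminal", level)
    return out


if __name__ == "__main__":
    for (scenario, name), allowed in compare().items():
        print(f"{scenario:48} {name:10} -> {'ALLOW' if allowed else 'DENY'}")
```

Running it shows the point of the thread: while the server is reachable and denies `ops`, both lists deny (the `none` method is never consulted); once the server is unreachable, the `local if-authenticated` list still refuses level-15 commands to the low-privilege local user, whereas the `none` list allows everything.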
11-11-2013 02:09 AM
Hi,
As per your suggestion, I have tried to make it simple as below; please advise whether it is better than the above.
Q1: Also, if in Cisco ACS I have configured that user-1 has read-only access and user-2 has full level 15 access, will this ACS configuration work for both types of users with my IOS configuration below?
Q2: Do you prefer to use the authorization and accounting commands at all levels, or is just commands 15 ok?
aaa authorization commands 0
aaa authorization commands 1
aaa authorization commands 15
aaa accounting commands 0
aaa accounting commands 1
aaa accounting commands 15
New Configurations as per suggestions:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
username cisco secret cisco123
enable secret cisco456
aaa new-model
aaa authentication login network-access group tacacs+ local enable
aaa authentication enable default group tacacs+ enable (Comment: do you prefer network-access instead of default?)
aaa authorization exec default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
line con 0
login authentication network-access
exit
line vty 0 15
login authentication network-access
exit
tacacs-server host IP_Address key SNMP_String
Thanks for the advice, it's very much appreciated.
11-11-2013 07:27 AM
Q1) Your configuration should work for both types of users.
Q2) authorization and accounting at all levels will increase the amount of network traffic and increase the storage requirements on the server. You need to decide on the basis of your organization and your requirements whether the extra traffic and increased storage is justifiable.
HTH
Rick
11-11-2013 03:32 PM
Your configuration looks ok, but for reference kindly check the following link:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scftplus.html