11-17-2008 10:04 AM - edited 03-10-2019 04:11 PM
I am trying to set up login authentication on all of our Cisco switches. I have created a Windows AD group called NetworkAdmins and added the correct users to that group. Inside of ACS I did a group mapping and mapped my ACS group called NetworkAdmins to my Windows NetworkAdmins group.
I configured my Cisco 3750 with the following commands for authentication.
aaa new-model
aaa authentication login NetworkAdmins group tacacs+ local
aaa authorization exec NetworkAdmins group tacacs+ local
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa session-id common
The authentication does work, but it authenticates to any user, not just to the users in the NetworkAdmins group. How do I tell the switch to only authenticate on the NetworkAdmins group?
Thanks for the help!!
Solved! Go to Solution.
11-17-2008 10:44 AM
In ACS, under your group settings configure NAR to allow AAA clients. Under the default group in ACS configure NAR to deny all for AAA clients (or necessary ones).
Hope that helps.
11-17-2008 12:02 PM
That appears to have worked. Thanks so much for the help!!! I do have one more question. Once the user is logged in, I issue the "enable" command. When I issue the enable command the switch asks for the enable password. I have the user set up with level 15 privileges; shouldn't the user go right to enable mode without having to type the enable password? How do I set up the user to go straight to enable mode when they log in, instead of having to enter the local enable password?
Thanks again
11-17-2008 01:18 PM
In your router/switch...
config t
line vty 0 4
privilege level 15
That should do it! You can't do it with firewalls, they force you to enter the enable password.
11-17-2008 01:22 PM
Excellent!! Is there anyway to do it per user instead of any vty session?
Thanks again!!!!
11-17-2008 01:24 PM
Not that I know of. You can setup different authorization groups for people that should not have access to all commands though.
11-17-2008 01:36 PM
Would you specify the authorizations groups using the following command then?
aaa authorization commands 3 NetworkUsers group tacacs+ local
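The per-user alternative to putting `privilege level 15` on every vty line, together with the command-authorization lists asked about above, as one added example. This is not the original poster's configuration or anything posted in the thread. The ACS address, the shared key and the placeholder passwords are assumptions, and the ACS side is assumed to return privilege level 15 in the Shell (exec) settings of the NetworkAdmins group, so that `aaa authorization exec` drops those users straight into privileged mode while other groups stay at level 1.

```cisco
! Added example, not the original poster's configuration.
! Assumed: ACS at 10.0.0.10 (placeholder) with shared key tacacskey (placeholder);
! the ACS NetworkAdmins group has Shell (exec) -> Privilege level 15 enabled.
aaa new-model
tacacs-server host 10.0.0.10 key tacacskey
!
! TACACS+ first; "local" is consulted only when no TACACS+ server answers
aaa authentication login NetworkAdmins group tacacs+ local
! "enable" itself goes to ACS too, falling back to the local enable secret
aaa authentication enable default group tacacs+ enable
! Exec authorization carries the per-user/per-group privilege level from ACS
aaa authorization exec NetworkAdmins group tacacs+ local
! Command authorization is per privilege level: one list per level you want checked
aaa authorization commands 15 NetworkAdmins group tacacs+ local
aaa authorization commands 1 NetworkAdmins group tacacs+ local
!
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
!
! Local fallback so the box is still reachable when ACS is down (placeholder secrets)
username localadmin privilege 15 secret REPLACE-ME
enable secret REPLACE-ME
!
! Named method lists do nothing until they are bound to the lines
line vty 0 4
 login authentication NetworkAdmins
 authorization exec NetworkAdmins
 authorization commands 15 NetworkAdmins
 authorization commands 1 NetworkAdmins
 transport input ssh
```

Two things to keep in mind with this layout. `privilege level 15` on the vty line gives that level to anyone who reaches the line, regardless of what ACS says, whereas the exec authorization above lets ACS decide per group; only the `default` method list applies automatically, so the named `NetworkAdmins` lists must be bound under `line vty` as shown. The `local` fallback in `group tacacs+ local` is used only when the TACACS+ server is unreachable, not when it rejects a user, so an account ACS denies is not retried against the local database.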
11-17-2008 01:43 PM
11-18-2008 06:19 AM
I haven't got this part working yet, but thanks for the info. Your documentation is great!!!!