03-17-2020 10:12 AM
Just trying to confirm some things with the below command. Are the group names configured on your actual ACS or RADIUS server that you are using? If you only have one default group in there, or one group, is that when you can just specify "radius" below, correct?
aaa authentication login default group radius local
03-18-2020 05:39 AM
Hi,
The AAA server name convention is locally significant, it doesn't need to match between the NAD and the NAS. What you're seeing on the CLI, referencing an AAA server in your AAA commands by the keyword of "radius"/"tacacs" or by the AAA server group name, like a group named MY_RADIUS_SERVERS, has to do with the AAA architecture evolution on the IOS side. Historically speaking:
1. Initially, a long time ago, you would define your AAA servers globally, via radius/tacacs specific command configuration, and in order to reference these in your authentication, authorization, accounting commands, you would use the radius/tacacs keyword in order to point to the globally defined servers. For example:
aaa new-model
!
radius-server host 1.1.1.1 key ciscoradius
tacacs-server host 2.2.2.2 key ciscotacacs
!
aaa authentication login default group tacacs+ local
aaa authorization network default group radius
aaa session-id common
2. Afterwards, in order to allow VRF-aware AAA and make the AAA architecture more scalable (for example, allow grouping your AAA servers, instead of globally configuring all of them and not being able to reference just some), the AAA group server feature was added.
Non-VRF-aware configuration still requires the key to be configured globally, so you would configure the AAA server both globally to define the key, and at the AAA group level to specify which of the globally defined servers you're using:
aaa new-model
!
tacacs-server host 5.5.5.5 key ciscotacacs
tacacs-server host 6.6.6.6 key ciscotacacs
radius-server host 3.3.3.3 key ciscoradius
radius-server host 4.4.4.4 key ciscoradius
!
aaa group server radius ALL_RADIUS
 server 3.3.3.3
aaa group server tacacs+ ALL_TACACS
 server 5.5.5.5
!
aaa authentication login default group ALL_TACACS local
aaa authorization network default group ALL_RADIUS
If you want VRF-aware AAA, one of the reasons for which AAA grouping was allowed, you configure everything under the AAA group; you no longer need the servers to be globally defined, you can specify the key at the group level:
aaa new-model
!
aaa group server radius ALL_RADIUS
 server-private 3.3.3.3 key ciscoradius
 server-private 4.4.4.4 key ciscoradius
 ip vrf forwarding AAA
aaa group server tacacs+ ALL_TACACS
 server-private 5.5.5.5 key ciscotacacs
 server-private 6.6.6.6 key ciscotacacs
 ip vrf forwarding AAA
!
aaa authentication login default group ALL_TACACS local
aaa authorization network default group ALL_RADIUS
3. Finally, what you should be using today, which gives you total control and scalability over your AAA configuration, is to define each of your AAA servers independently, reference which server(s) you need in which AAA server groups, and reference the AAA server groups in your authentication/authorization/accounting commands:
radius server FIRST_RADIUS
 address ipv4 7.7.7.7
 key ciscoradius
!
radius server SECOND_RADIUS
 address ipv4 8.8.8.8
 key ciscoradius
!
tacacs server FIRST_TACACS
 address ipv4 9.9.9.9
 key ciscotacacs
!
tacacs server SECOND_TACACS
 address ipv4 10.10.10.10
 key ciscotacacs
!
aaa group server radius ALL_RADIUS
 server name FIRST_RADIUS
 server name SECOND_RADIUS
!
aaa group server tacacs+ ALL_TACACS
 server name FIRST_TACACS
 server name SECOND_TACACS
!
aaa authentication login default group ALL_TACACS local
aaa authorization network default group ALL_RADIUS
Regards,
Cristian Matei.
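An added check, not from the thread and not a Cisco tool: a small Python audit that parses an IOS running-config for the three AAA styles described above and flags what a reviewer would want to catch, namely legacy `radius-server host` lines, method lists that use the bare `radius`/`tacacs+` keyword or reference a group that is never defined, and a server group whose protocol does not match the named servers it lists (an easy copy-paste mistake when building groups). The configuration it parses is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample running-config (not from the thread). It mixes the three
# styles the answer describes and plants the mistakes the audit should catch.
SAMPLE_CONFIG = """\
aaa new-model
radius-server host 1.1.1.1 key legacykey
radius server FIRST_RADIUS
 address ipv4 7.7.7.7
 key ciscoradius
tacacs server FIRST_TACACS
 address ipv4 9.9.9.9
aaa group server radius ALL_RADIUS
 server name FIRST_RADIUS
aaa group server radius ALL_TACACS
 server name FIRST_TACACS
aaa authentication login default group ALL_TACACS local
aaa authorization network default group NO_SUCH_GROUP
aaa accounting exec default start-stop group radius
"""

METHOD_LIST = re.compile(r"^aaa (authentication|authorization|accounting) ")
LEGACY_KEYWORDS = {"radius", "tacacs+"}  # option-1 style: points at globally defined servers

def audit_aaa(config):
    """Return (category, detail) findings for an IOS AAA configuration."""
    findings, named, groups, members = [], {}, {}, defaultdict(list)
    current_group = None  # set while inside an 'aaa group server' sub-mode
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"(radius|tacacs)-server host (\S+)", line):
            findings.append(("legacy-global-server", line))  # option 1, deprecated
        elif m := re.match(r"(radius|tacacs) server (\S+)$", line):
            named[m[2]] = m[1]  # option 3: named server definition
        elif m := re.match(r"aaa group server (radius|tacacs\+) (\S+)$", line):
            current_group = m[2]
            groups[m[2]] = m[1].rstrip("+")
        elif (m := re.match(r"server name (\S+)$", line)) and current_group:
            members[current_group].append(m[1])
        elif METHOD_LIST.match(line):
            for g in re.findall(r"\bgroup (\S+)", line):
                if g in LEGACY_KEYWORDS:
                    findings.append(("legacy-group-keyword", line))
                elif g not in groups:  # a group must be defined before it is referenced
                    findings.append(("undefined-group", f"{g}: {line}"))
    for group, proto in groups.items():
        for server in members[group]:
            if named.get(server) != proto:  # undefined server, or e.g. a TACACS+ server in a RADIUS group
                findings.append(("bad-group-member", f"{group} ({proto}) -> {server} ({named.get(server)})"))
    return findings
```

Run it against the output of `show running-config | section aaa|radius|tacacs` pasted into a file; an empty list means the config is already in the option-3 shape the answer recommends.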
03-17-2020 10:36 AM
As per my understanding, you are kind of correct (since we don't know the full configuration, it is hard to say the outcome).
Instead I suggest some reference:
https://community.cisco.com/t5/security-documents/aaa-sample-config/ta-p/3143393
03-17-2020 01:09 PM
I do not fully understand the question, especially this part
"If you only have one default group in there or 1 group that is when you can just specify Radius below correct?"
but the other part of the question is more clear
"Are the group names configured on your actual ACS or Radius server that you are using?"
and the answer is that the group names used in the device configuration do not need to match anything in the ACS or Radius server.
03-18-2020 12:46 PM
03-18-2020 01:27 PM
Hi,
Yes, you can, that would be option number one. However, those commands are legacy, will be removed soon, and on newer IOSes you get a similar warning about it. This also means that if you hit a bug, you'll be told to update your AAA configuration, which will possibly fix the issue. I would recommend option 3, even if it's a single RADIUS server, but option 1 should still work at the same time, with the stated drawbacks.
Regards,
Cristian Matei.