
aaa authentication login default group radius local command?

CiscoPurpleBelt
Frequent Contributor

 

Just trying to confirm some things with the below command. Are the group names configured on your actual ACS or Radius server that you are using? If you only have one default group in there or 1 group that is when you can just specify Radius below correct? 

 

 
aaa authentication login default group radius local

 

Accepted Solution

Cristian Matei
Collaborator

Hi,

 

The AAA server name convention is locally significant; it doesn't need to match between the NAD and the NAS. What you're seeing on the CLI, referencing an AAA server in your AAA commands by the keyword "radius"/"tacacs" or by the AAA server group name, like a group named MY_RADIUS_SERVERS, has to do with the AAA architecture evolution on the IOS side. Historically speaking:

1. Initially, a long time ago, you would define your AAA servers globally, via radius/tacacs-specific command configuration, and in order to reference these in your authentication, authorization and accounting commands, you would use the radius/tacacs keyword in order to point to the globally defined servers. For example:

 

aaa new-model
!
radius-server host 1.1.1.1 key ciscoradius
tacacs-server host 2.2.2.2 key ciscotacacs
!
aaa authentication login default group tacacs+ local
aaa authorization network default group radius
aaa session-id common

 

2. Afterwards, in order to allow VRF-aware AAA and make the AAA architecture more scalable (for example to allow grouping your AAA servers, instead of globally configuring all of them and not being able to reference just some), the AAA group server feature was added.

Non-VRF-aware configuration still requires the key to be configured globally, so you would configure the AAA server both globally, to define the key, and at the AAA group level, to specify which of the globally defined servers you're using:

 

 

aaa new-model
!
tacacs-server host 5.5.5.5 key ciscotacacs
tacacs-server host 6.6.6.6 key ciscotacacs
radius-server host 3.3.3.3 key ciscoradius
radius-server host 4.4.4.4 key ciscoradius
!
aaa group server radius ALL_RADIUS
 server 3.3.3.3
aaa group server tacacs+ ALL_TACACS
 server 5.5.5.5
!
aaa authentication login default group ALL_TACACS local
aaa authorization network default group ALL_RADIUS

 

If you want VRF-aware AAA, one of the reasons for which AAA grouping was allowed, you configure everything under the AAA group; you no longer need the servers to be globally defined, since you can specify the key at the group level:

 

aaa new-model
!
aaa group server radius ALL_RADIUS
 server-private 3.3.3.3 key ciscoradius
 server-private 4.4.4.4 key ciscoradius
 ip vrf forwarding AAA
aaa group server tacacs+ ALL_TACACS
 server-private 5.5.5.5 key ciscotacacs
 server-private 6.6.6.6 key ciscotacacs
 ip vrf forwarding AAA
!
aaa authentication login default group ALL_TACACS local
aaa authorization network default group ALL_RADIUS

 

3. Finally, what you should be using today, which gives you total control and scalability over your AAA configuration, is to define each of your AAA servers independently, reference the server(s) you need in the appropriate AAA server groups, and reference the AAA server groups in your authentication/authorization/accounting commands:

 

aaa new-model
!
! named server definitions (one per server, key kept with the server)
radius server FIRST_RADIUS
 address ipv4 7.7.7.7
 key ciscoradius
!
radius server SECOND_RADIUS
 address ipv4 8.8.8.8
 key ciscoradius
!
tacacs server FIRST_TACACS
 address ipv4 9.9.9.9
 key ciscotacacs
!
tacacs server SECOND_TACACS
 address ipv4 10.10.10.10
 key ciscotacacs
!
! server groups reference the named servers; the group protocol must match the servers in it
aaa group server radius ALL_RADIUS
 server name FIRST_RADIUS
 server name SECOND_RADIUS
!
aaa group server tacacs+ ALL_TACACS
 server name FIRST_TACACS
 server name SECOND_TACACS
!
aaa authentication login default group ALL_TACACS local
aaa authorization network default group ALL_RADIUS

 

Regards,

Cristian Matei.

 


balaji.bandi
VIP Guru

As per my understanding you are kind of correct (since we don't know the full configuration, it's hard to say the outcome).

Instead, I suggest some reference:

 

https://community.cisco.com/t5/security-documents/aaa-sample-config/ta-p/3143393

BB


Richard Burts
Hall of Fame Guru

I do not fully understand the question, especially this part

"If you only have one default group in there or 1 group that is when you can just specify Radius below correct?" 

but the other part of the question is more clear

"Are the group names configured on your actual ACS or Radius server that you are using?"

and the answer is that the group names used in the device configuration do not need to match anything in the ACS or Radius server.

HTH

Rick


Awesome. So basically, if I only have 1 AAA server, I don't have to create an actual group; I can just use the "aaa authentication login default group radius local" command, correct?

Hi,

   

Yes, you can; that would be option number one. However, those commands are legacy, will be removed soon, and on newer IOSes you get a similar warning about it. This also means that if you hit a bug, you'll be told to update your AAA configuration, which will possibly fix the issue. I would recommend option 3, even if it's a single RADIUS server, but option 1 should still work at the same time, with the stated drawbacks.

 

Regards,

Cristian Matei.
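The accepted solution lays out the three generations of AAA syntax, and the last reply explains why the legacy "group radius" keyword form should be migrated. The following is an added example, not code from this thread or from Cisco: a small Python linter that reads an IOS-style AAA configuration and checks the things those two posts care about. It flags legacy global `radius-server host` / `tacacs-server host` lines, verifies that every `server name X` inside a group points at a defined server of the same protocol (a radius group cannot hold a `tacacs server`), verifies that every `group X` named in an aaa authentication/authorization/accounting line is either a defined group or the built-in `radius`/`tacacs+` keyword with at least one matching server defined, and warns when a login method list has no `local` fallback. The regular expressions are assumptions about the command shapes shown in the thread, not a full IOS grammar, and both sample configurations are constructed for the example.

```python
import re

# Command shapes taken from the configurations shown in the thread (assumed, not a full IOS grammar).
GROUP_RE = re.compile(r"^aaa group server (radius|tacacs\+) (\S+)$")
NAMED_SERVER_RE = re.compile(r"^(radius|tacacs) server (\S+)$")       # option 3 style
LEGACY_RE = re.compile(r"^(radius|tacacs)-server host (\S+)")         # option 1/2 style
METHOD_RE = re.compile(r"^aaa (authentication|authorization|accounting) (\S+) (\S+)\s+(.+)$")
BUILTIN = {"radius", "tacacs+"}   # keywords meaning "the globally defined servers"

def parse_config(text):
    """Return (named_servers, legacy_hosts, groups, method_lists)."""
    named, legacy, groups, methods = {}, {}, {}, []
    current = None                     # 'aaa group server' block we are inside, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = None             # a non-indented line ends any group block
        if m := GROUP_RE.match(line):
            groups[m.group(2)] = {"proto": m.group(1), "names": []}
            current = m.group(2)
        elif m := NAMED_SERVER_RE.match(line):
            named[m.group(2)] = "tacacs+" if m.group(1) == "tacacs" else "radius"
        elif m := LEGACY_RE.match(line):
            legacy[m.group(2)] = "tacacs+" if m.group(1) == "tacacs" else "radius"
        elif m := METHOD_RE.match(line):
            service, _kind, list_name, rest = m.groups()
            methods.append((service, list_name, rest.split()))
        elif current is not None:
            words = line.split()
            if words[:2] == ["server", "name"] and len(words) > 2:
                groups[current]["names"].append(words[2])
    return named, legacy, groups, methods

def lint(text):
    """Return a list of (severity, message); empty means the config passed every check."""
    named, legacy, groups, methods = parse_config(text)
    out = []
    for ip, proto in legacy.items():
        out.append(("DEPRECATED", f"global {proto} host {ip}: define a named server in a group instead"))
    for gname, g in groups.items():
        for sname in g["names"]:
            if sname not in named:
                out.append(("ERROR", f"group {gname} references undefined server {sname}"))
            elif named[sname] != g["proto"]:
                out.append(("ERROR", f"group {gname} is {g['proto']} but {sname} is a {named[sname]} server"))
    defined = set(named.values()) | set(legacy.values())
    for service, list_name, tokens in methods:
        for i, tok in enumerate(tokens):
            if tok != "group" or i + 1 >= len(tokens):
                continue
            target = tokens[i + 1]
            if target in BUILTIN and target not in defined:
                out.append(("WARNING", f"aaa {service} {list_name} uses '{target}' but no {target} server exists"))
            elif target not in BUILTIN and target not in groups:
                out.append(("ERROR", f"aaa {service} {list_name} references undefined group {target}"))
        if service == "authentication" and "local" not in tokens:
            out.append(("WARNING", f"aaa authentication {list_name} has no 'local' fallback; unreachable servers lock out logins"))
    return out

# Constructed sample in the "option 3" shape the thread recommends.
CLEAN_CONFIG = """\
aaa new-model
!
radius server FIRST_RADIUS
 address ipv4 7.7.7.7
 key ciscoradius
!
tacacs server FIRST_TACACS
 address ipv4 9.9.9.9
 key ciscotacacs
!
aaa group server radius ALL_RADIUS
 server name FIRST_RADIUS
!
aaa group server tacacs+ ALL_TACACS
 server name FIRST_TACACS
!
aaa authentication login default group ALL_TACACS local
aaa authorization network default group ALL_RADIUS
"""

# Constructed variant with slips that are easy to make by hand: the TACACS group typed with the
# radius keyword, no 'local' fallback, a leftover legacy global host, and an undefined group.
BROKEN_CONFIG = (
    CLEAN_CONFIG.replace("aaa group server tacacs+ ALL_TACACS", "aaa group server radius ALL_TACACS")
    .replace("group ALL_TACACS local", "group ALL_TACACS")
    + "radius-server host 1.1.1.1 key ciscoradius\n"
    + "aaa authorization exec default group NO_SUCH_GROUP\n"
)

if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN_CONFIG), ("broken", BROKEN_CONFIG)):
        print(f"== {label} ==")
        for severity, msg in lint(cfg) or [("OK", "no findings")]:
            print(f"{severity}: {msg}")
```

Run as a script it prints no findings for the clean sample and four for the broken one. Applied to the OP's single-server case, a config with one `radius-server host` and `aaa authentication login default group radius local` lints with only the DEPRECATED note, which is exactly the "it works, but migrate to option 3" answer given in the last reply.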
