Need Advice on AAA Config For a Remote Router/Site

WildMan365
Level 1

My company has a multisite environment with all remote sites connecting to an MPLS cloud via point-to-point circuits. Each remote site can only connect to the internet through our HQ datacenter via BGP, and none of the remote sites have direct access to the internet.

One of our remote sites is relocating and moving into an office with a new circuit/router, and although the router and circuit configuration is pretty straightforward, I was told that I should avoid configuring TACACS+ settings until after the circuit is live and I know that I can SSH into the router, because I might have issues logging into the router. This was kind of a buzzkill to me, because I currently have the router on my desk connected via a private IP directly to our switch. I can currently SSH into the router using the local username and password with no problem at all, even though AAA is properly configured, because my router can't access the TACACS server the way it's configured and it's defaulting to local.

My idea is that I ship the router to the new site the way it's configured below, and once the circuit is turned up I should just be able to log in to the router with my TACACS creds and everything is all well and good. The only reason I question this is that I've never configured AAA on a remote router, and I remember hearing the same kind of warning from different people in the past regarding an install like this.

What are some opinions on this situation from people with experience? An office manager at the new site will power up the router and connect it to the circuit. I will not have the luxury of having a tech onsite with a laptop and console cable. Here is my config...

chisalesr2#sh run
Building configuration...

Current configuration : 4673 bytes
!
version 15.2
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
service counters max age 5
!
hostname chisalesr2
!
boot-start-marker
boot system flash0:/c1900-universalk9-mz.SPA.152-3.T.bin
boot-end-marker
!
!
logging buffered 16384 informational
logging console critical
enable secret 5 $1$3nnl$ZpcI/ikt4pouXKnTTi74Q/
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
!
no ipv6 cef
!
!
!
ip dhcp excluded-address 10.222.137.1 10.222.137.30
ip dhcp excluded-address 10.223.137.1 10.223.137.30
!
ip dhcp pool DHCP_Address_LAN_Pool_New
 network 10.222.137.0 255.255.255.0
 dns-server 198.160.201.1 192.168.150.51
 netbios-name-server 198.160.201.1 192.168.150.51
 domain-name arifleet.com
 default-router 10.222.137.1
 lease 30
!
ip dhcp pool DHCP_Address_VoIP_Pool
 network 10.223.137.0 255.255.255.0
 dns-server 198.160.201.1 192.168.150.51
 default-router 10.223.137.1
!
!
no ip domain lookup
ip domain name arifleet.com
ip cef
multilink bundle-name authenticated
!
password encryption aes
!
!
license udi pid CISCO1941/K9 sn FTX161180EN
!
!
username administrator privilege 15 secret 5 $1$hP1C$5bae2E1S.N8Xj5eBYiv1e.
!
!
ip ssh time-out 20
ip ssh version 2
!
class-map match-any Voice
 match dscp ef
 match ip precedence 5
 match protocol rtp
 match access-group 20
!
policy-map CL-VOICE_AND_DATA
 class Voice
  priority percent 80
  set ip precedence 5
 class class-default
  fair-queue
  random-detect
  set ip precedence 0
  queue-limit 256 packets
!
!
!
!
!
interface Loopback0
 ip address 10.220.0.49 255.255.255.255
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description chisalessw1 p28
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.15
 description VLAN 15 Data
 encapsulation dot1Q 15
 ip address 10.222.137.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 description VLAN 20 Voice
 encapsulation dot1Q 20
 ip address 10.223.137.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 10.222.58.6 255.255.255.252
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
router bgp 65137
 network 10.220.0.49 mask 255.255.255.255
 network 10.222.137.1 mask 255.255.255.0
 network 10.223.137.1 mask 255.255.255.0
 neighbor 10.222.58.5 remote-as 123
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip tacacs source-interface Loopback0
!
ip access-list standard RemoteUsers
 permit 198.160.203.154
 permit 10.220.112.109
 remark hosts that have access to manage devices remotely
 permit 198.160.201.99
 permit 192.168.210.96
 permit 192.168.210.91
 permit 192.168.210.95
 permit 192.168.116.224 0.0.0.31
 permit 10.222.58.240 0.0.0.15
!
logging facility local4
logging source-interface Loopback0
logging 192.168.201.23
logging 198.160.203.154
logging 192.168.152.36
access-list 20 permit 10.223.137.0 0.0.0.255
access-list 50 permit 198.160.203.154
access-list 50 permit 192.168.152.187
access-list 50 permit 10.220.112.109
!
!
snmp-server community 36crackerDD RO 50
snmp-server location Chicago
snmp-server contact IT-DataCommunications@arifleet.com
snmp-server enable traps entity-sensor threshold
tacacs-server host 192.168.210.26 key 7 15260A2F05096F012627273B41534E
tacacs-server host 192.168.210.27 key 7 012707275A28422A2F585C104B514F
tacacs-server directed-request
!
!
!
control-plane
!
!
banner login ^CC UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device.
All activities performed on this device may be logged, and violations
of this policy may result in disciplinary action, and may be reported
to law enforcement. There is no right to privacy on this device. ^C
!
line con 0
 exec-timeout 5 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class RemoteUsers in
 exec-timeout 20 0
 transport input ssh
line vty 5 15
 access-class RemoteUsers in
 exec-timeout 20 0
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 198.160.201.1
!
end

1 Accepted Solution

Hi,

You could alternatively disable AAA and use local VTY and enable passwords to log in.

Apply AAA once SSH access is verified. This is to ensure remote access should there be a route or connectivity issue with the TACACS+ server.

no aaa new-model
line vty 0 15
 password cisco
 login

3 Replies

Dennis Mink
VIP Alumni

You configured:

aaa authentication login default group tacacs+ local

which means that if the router can't connect to a server in the tacacs group, it will use the local account.

Test this by plugging a laptop in back to back and see if your local password works.

Once you've sent the router to site and you have connectivity from it to the tacacs server, these (AD) creds will log you in.

Please remember to rate useful posts, by clicking on the stars below.
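
The fallback behaviour Dennis describes, and the lockout risk behind the warning the original poster heard, can be checked mechanically before the router ships. The following Python script is an added example, not the poster's or Cisco's tooling: it parses a running-config excerpt and flags every TACACS+ method list that lacks a local fallback, a local fallback with no privilege-15 local account behind it, and the no-AAA case from the accepted answer, where the vty lines must carry `login`. It also estimates the delay before `local` is tried, which is why the login on the desk feels slow: IOS waits for each server to time out (5 seconds per server by default, `tacacs-server timeout` overrides it) before moving to the next method, and it only falls through when the servers do not answer; a reachable server that rejects the credentials ends the method list. The sample config is constructed from the AAA lines in the post, with placeholder hashes and keys; the function names are the example's own.

```python
"""Pre-ship lockout audit for a Cisco IOS AAA/TACACS+ configuration.

Parses a running-config excerpt and checks that every method list which
relies on TACACS+ keeps a usable fallback, so the router stays reachable
when no TACACS+ server can be contacted (e.g. before the WAN circuit is up).
Added example; this is not the poster's or Cisco's tooling.
"""
import re

# IOS only moves to the next method when every server in the group fails to
# respond; a reachable server that rejects the login ends the method list.
FALLBACK_METHODS = {"local", "enable", "line", "none"}
DEFAULT_TACACS_TIMEOUT = 5  # seconds per server, the IOS default

METHOD_LIST = re.compile(
    r"^aaa (authentication login|authorization exec|authorization commands \d+) "
    r"(\S+) (.+)$"
)


def parse_method_lists(config):
    """Return [(kind, name, [method, ...])] for login/exec/commands lists."""
    result = []
    for raw in config.splitlines():
        m = METHOD_LIST.match(raw.strip())
        if not m:
            continue
        kind, name, rest = m.groups()
        tokens, methods, i = rest.split(), [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])  # e.g. "group tacacs+"
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        result.append((kind, name, methods))
    return result


def audit_aaa(config):
    """Return a report dict; 'findings' is empty when nothing blocks remote login."""
    lines = [ln.strip() for ln in config.splitlines()]
    aaa_on = "aaa new-model" in lines
    servers = [ln for ln in lines if ln.startswith("tacacs-server host ")]
    local_admins = [ln for ln in lines if re.match(r"username \S+ privilege 15 ", ln)]
    timeout = DEFAULT_TACACS_TIMEOUT
    for ln in lines:
        m = re.match(r"tacacs-server timeout (\d+)$", ln)
        if m:
            timeout = int(m.group(1))
    findings = []
    if not aaa_on:
        # Without AAA the vty lines decide: they need 'login' (plus a line
        # password) or 'login local', otherwise SSH sessions are refused.
        if "login" not in lines and "login local" not in lines:
            findings.append("LOCKOUT RISK: no aaa new-model and no 'login' under line vty")
        return {"aaa_enabled": False, "tacacs_servers": 0,
                "fallback_delay_s": 0, "findings": findings}
    for kind, name, methods in parse_method_lists(config):
        if not any(m.startswith("group ") for m in methods):
            continue  # purely local list, nothing to fall back from
        if methods[-1] not in FALLBACK_METHODS:
            findings.append(f"LOCKOUT RISK: '{kind} {name}' ends with "
                            f"'{methods[-1]}' and has no local fallback")
        elif "local" in methods and not local_admins:
            findings.append(f"LOCKOUT RISK: '{kind} {name}' falls back to "
                            "local but no privilege-15 local user exists")
    if not servers:
        findings.append("WARNING: aaa new-model is set but no tacacs-server host")
    return {"aaa_enabled": True, "tacacs_servers": len(servers),
            # worst case before local is tried: each server times out in turn
            "fallback_delay_s": len(servers) * timeout, "findings": findings}


# Constructed excerpt modelled on the AAA lines in the post; hashes and
# keys are placeholders, not the values from the router.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
username administrator privilege 15 secret 5 $1$placeholder$hash
ip tacacs source-interface Loopback0
tacacs-server host 192.168.210.26 key 7 TYPE7-PLACEHOLDER
tacacs-server host 192.168.210.27 key 7 TYPE7-PLACEHOLDER
line vty 0 4
 transport input ssh
"""

# The same config with the login list's 'local' fallback removed (constructed).
NO_FALLBACK_CONFIG = SAMPLE_CONFIG.replace(
    "aaa authentication login default group tacacs+ local",
    "aaa authentication login default group tacacs+")

# The accepted answer's interim setup: no AAA, line password on the vtys.
LOCAL_ONLY_CONFIG = "no aaa new-model\nline vty 0 15\n password cisco\n login\n"

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG),
                       ("no fallback", NO_FALLBACK_CONFIG),
                       ("accepted answer", LOCAL_ONLY_CONFIG)):
        print(label, audit_aaa(cfg))
```

Run it against the saved `show run` output (paste it in place of `SAMPLE_CONFIG`) before boxing the router: an empty `findings` list, together with a `fallback_delay_s` you are prepared to wait at the SSH prompt, means the local account will answer while the TACACS+ servers are unreachable. It checks the method lists only; the vty `access-class` still has to permit the address you will connect from, and the TACACS+ source interface (Loopback0 here) still has to be routable once BGP is up.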

Thanks Dennis. Do you perceive any potential pitfalls that could lead to no access? Also, could you explain your testing method: "test this by plugging a laptop in back to back and see if your local password works"?
