Chetan Kumar Ress
Enthusiast

Here I would like to share an AAA configuration that covers almost everything,

i.e. TACACS+ authentication, PPP authentication, console authentication, and

if TACACS+ fails you can use local authentication to access the network devices.

For the lines below, create a default group associated with the RADIUS server for RADIUS authentication.

! AAA must be enabled before any of the aaa commands below are accepted
aaa new-model
!
! Login and enable authentication: TACACS+ first; the local user database
! (login) or the enable secret (enable) is consulted only when the TACACS+
! servers return an error (unreachable), not when they reject the user
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
! PPP authentication: the RADIUS server group "default-group" first, then local
aaa authentication ppp default group default-group local
! Apply exec and command authorization to the console as well (off by default)
aaa authorization console
! Authorize configuration-mode commands, not only exec-mode commands
aaa authorization config-commands
! Exec (shell) authorization and per-command authorization for every privilege level
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 2 default group tacacs+ local
aaa authorization commands 3 default group tacacs+ local
aaa authorization commands 4 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 6 default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 8 default group tacacs+ local
aaa authorization commands 9 default group tacacs+ local
aaa authorization commands 10 default group tacacs+ local
aaa authorization commands 11 default group tacacs+ local
aaa authorization commands 12 default group tacacs+ local
aaa authorization commands 13 default group tacacs+ local
aaa authorization commands 14 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Network (PPP/VPDN) authorization: local first, then the same RADIUS server
! group used for PPP authentication above
aaa authorization network default local group default-group
! Accounting: send start and stop records to TACACS+ for shells, commands at
! every privilege level, network sessions, outbound connections and system events
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 2 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 4 default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 6 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 8 default start-stop group tacacs+
aaa accounting commands 9 default start-stop group tacacs+
aaa accounting commands 10 default start-stop group tacacs+
aaa accounting commands 11 default start-stop group tacacs+
aaa accounting commands 12 default start-stop group tacacs+
aaa accounting commands 13 default start-stop group tacacs+
aaa accounting commands 14 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

Regards,

Chetan Kumar

Comments
game123
Beginner

I am new to this AAA thing, only used local auth before for stuff. If I put all of these commands in one box, what exactly do I achieve? I do have plans to use the Cisco Windows-based ACS 4.2.

Why shall I use so many commands? What is this command authorization thing?

Is it important that if I use the authentication option for the ACS server I should also use the authorization portion, or is it not mandatory?

Chetan Kumar Ress
Enthusiast

You do not need to configure all those commands. You can configure only authentication, authorization for priv 15 & accounting for priv 15.

If you have a big organization & too many network engineers then you can have different priv levels using ACS & AAA.

The only thing that makes a difference between RADIUS and TACACS+ is the separation of authentication and authorization. In RADIUS you need only to authenticate the user and zoooooom.

The user is now into the network to access EVERYTHING or has the authority automatically to run ALL COMMANDS under privilege level 15, but if you use TACACS+, this separates the authentication from authorization, which provides the option to assign different levels of command execution or access to the network resources instead of accessing all.

That is why, if using ACS that runs only the Cisco proprietary TACACS+ protocol, you must configure the authorization part of AAA also to manage the different levels of authority for the different groups of users indulged in different kinds of work.

kelly.conley
Beginner

Greetings,

I am in the process of updating and standardizing our AAA configs. This is a current section:


aaa authentication login default group tacacs+ local
aaa authentication login console none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec console none
aaa authorization commands 15 default group tacacs+ if-authenticated


My question is: are "aaa authentication login console none" and "aaa authorization exec console none" doing anything? I remember being told years ago they are there for some obscure login scenario but I can't remember what it is. Taking them out doesn't seem to have any effect. Thoughts?
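The two `console` entries in the snippet above are named method lists. On IOS only the list called `default` is applied implicitly; any other name is inert until a `line` block applies it (`login authentication console` and `authorization exec console` under `line con 0`), which is why removing them has no visible effect, and why they would matter a great deal if someone later applied them: `none` grants access without any check. The checker below is an added example, not code from this thread, that reads a config and reports named lists nothing applies, lists that contain `none`, and lines that apply a list which was never defined. The sample configuration is constructed for illustration, and only the `aaa authentication login`, `aaa authorization exec`, `aaa authorization commands` and `line` syntax shown here is understood.

```python
import re

# Constructed sample running-config (not taken from the thread), in the style
# of the snippet above: two named lists called "console" that nothing applies,
# and one vty block that applies a list which was never defined.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec console none
aaa authorization commands 15 default group tacacs+ if-authenticated
!
line con 0
 login authentication default
line vty 0 4
 login authentication default
 authorization exec default
line vty 5 15
 login authentication mgmt
"""

# Global definitions: "aaa <kind> <list-name> <method> [<method> ...]"
DEFINE_RE = re.compile(
    r"^aaa (authentication login|authorization exec|authorization commands \d+) (\S+) (.+)$")
# Per-line applications, indented under a "line ..." block
APPLY_RE = re.compile(
    r"^\s+(login authentication|authorization exec|authorization commands \d+) (\S+)\s*$")
# Line mode reverses the keyword order for login lists
KIND_ALIASES = {"login authentication": "authentication login"}


def parse_method_lists(config):
    """Map (kind, list_name) -> [methods] for every AAA method list defined globally."""
    lists = {}
    for raw in config.splitlines():
        m = DEFINE_RE.match(raw.strip())
        if m:
            kind, name, methods = m.groups()
            lists[(kind, name)] = methods.split()
    return lists


def parse_applied_lists(config):
    """Map (kind, list_name) -> [line sections] that apply that named list."""
    applied = {}
    section = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            section = raw.strip()
            continue
        if not raw.startswith(" "):
            section = None  # an unindented line ends the current line block
            continue
        m = APPLY_RE.match(raw)
        if m and section:
            kind, name = m.groups()
            kind = KIND_ALIASES.get(kind, kind)
            applied.setdefault((kind, name), []).append(section)
    return applied


def audit(config):
    """Return findings about unused, weak and dangling AAA method lists."""
    defined = parse_method_lists(config)
    applied = parse_applied_lists(config)
    findings = []
    for (kind, name), methods in defined.items():
        # "default" is applied implicitly wherever no named list is configured;
        # every other list does nothing until a line applies it.
        if name != "default" and (kind, name) not in applied:
            findings.append(f"unused: 'aaa {kind} {name}' is defined but no line applies it")
        if "none" in methods:
            scope = ("every line without a named list" if name == "default"
                     else ", ".join(applied.get((kind, name), ["nowhere"])))
            findings.append(
                f"weak: 'aaa {kind} {name}' includes 'none', so access is granted without a "
                f"successful check when the methods before it (if any) return an error; "
                f"applies to {scope}")
    for (kind, name), sections in applied.items():
        if (kind, name) not in defined:
            findings.append(f"dangling: {', '.join(sections)} applies '{kind} {name}' "
                            f"but no such list is defined")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a real `show running-config`, the `unused:` findings are the ones to delete, and any `weak:` finding whose scope is not "nowhere" is a line that can be logged into without a credential check whenever the TACACS+ servers are unreachable.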
