02-10-2009 02:54 AM - edited 03-06-2019 03:57 AM
Hi all, can anyone tell me, can a router itself provide any aaa functionality? i.e. logging etc. like the acs?
can anyone tell me how to simply add my router to an acs server for all aaa services, as well as allowing a local user and fallback user, a simple config would be great.
cheers
Carl
02-10-2009 08:44 AM
This should do the trick, assuming your acs is TACACS and it is configured properly.
1)Add the device into TACACS so it knows the device is out there.
2) Add this to the router
aaa new-model
aaa authentication login vtymethod group tacacs+ local line
aaa authentication login conmethod group tacacs+ local line
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 10.0.0.x
tacacs-server host 10.0.0.x
tacacs-server key type_key_here
! the named lists above do nothing until they are applied to the lines
line con 0
 login authentication conmethod
line vty 0 4
 login authentication vtymethod
02-10-2009 08:56 AM
Hi there, could you possibly explain what each command means ?
02-10-2009 11:44 AM
aaa new-model (starts your aaa model configuration)
aaa authentication login vtymethod group tacacs+ local line (tells your router that when someone tries to login via a vty line (telnet, ssh) to first look to tacacs, then to a local group. So if the tacacs is unreachable for someone, you can authenticate as a local user)
aaa authentication login conmethod group tacacs+ local line (same thing for console)
aaa authentication enable default group tacacs+ enable (this line says, if someone authenticates via tacacs, send them straight to the priv exec mode. This is optional, but takes the hassle out of typing enable all the time)
aaa authorization config-commands (gives authorization to the users that successfully authenticate)
aaa authorization exec default group tacacs+ local (authorizes the above command sending tacacs users straight to priv mode)
aaa authorization commands 15 default group tacacs+ local (gives authenticated users authorization to use level 15 commands)
aaa accounting exec default start-stop group tacacs+ (for logging on tacacs)
aaa accounting commands 15 default start-stop group tacacs+ (for logging on tacacs)
tacacs-server host 10.0.0.x (tells router where the tacacs server is)
tacacs-server host 10.0.0.x (alternate tacacs server, optional)
tacacs-server key type_key_here (tacacs key so the router is authorized to use tacacs)
Obviously, depending on what you are doing, some variation can go into these commands. There are tons of aaa commands that can do about anything you was. The example I gave is with one tacacs group, all having priv access. But there are commands for multiple groups with different access and much tweaking. Good luck!
HTH
Justin
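The method-list behaviour explained above (TACACS+ first, then the local database as fallback) only takes effect once a named list is applied to a line. As an added example, not part of the original thread, this small audit script parses a constructed IOS fragment (hypothetical host, key and list names) and reports lists that are defined but never applied, lists with no fallback if TACACS+ is unreachable, and a server host configured without a key:

```python
import re
from collections import defaultdict

# Constructed sample (not a real device): the thread's AAA lines plus line
# sections. "conmethod" is applied to the console but "vtymethod" never is.
SAMPLE_CONFIG = """
aaa new-model
aaa authentication login vtymethod group tacacs+ local line
aaa authentication login conmethod group tacacs+ local line
aaa authentication login lockout group tacacs+
tacacs-server host 10.0.0.1
tacacs-server key EXAMPLE_KEY
line con 0
 login authentication conmethod
line vty 0 4
 transport input ssh
"""

def parse_aaa(config):
    """Collect login method lists, the lines they are applied to, and TACACS+ settings."""
    lists, applied, section = {}, defaultdict(list), None
    tacacs = {"hosts": [], "key": False}
    for line in config.strip().splitlines():
        if not line.startswith(" "):  # top-level command: starts a new section
            section = line.strip()
            m = re.match(r"aaa authentication login (\S+) (.+)", section)
            if m:
                lists[m.group(1)] = m.group(2).split()
            elif section.startswith("tacacs-server host "):
                tacacs["hosts"].append(section.split()[-1])
            elif section.startswith("tacacs-server key"):
                tacacs["key"] = True
            continue
        m = re.match(r"\s+login authentication (\S+)", line)
        if m and section and section.startswith("line "):  # applied under a line block
            applied[m.group(1)].append(section)
    return lists, dict(applied), tacacs

def audit(config):
    """Return findings: unapplied lists, lists with no fallback, host without key."""
    lists, applied, tacacs = parse_aaa(config)
    findings = []
    for name, methods in lists.items():
        if name != "default" and name not in applied:
            findings.append(f"list '{name}' defined but not applied to any line")
        if "tacacs+" in methods and not {"local", "local-case", "enable", "line"} & set(methods):
            findings.append(f"list '{name}' has no fallback if TACACS+ is unreachable")
    if tacacs["hosts"] and not tacacs["key"]:
        findings.append("tacacs-server host configured without tacacs-server key")
    return findings
```

Running audit(SAMPLE_CONFIG) flags the unapplied vtymethod list and the lockout list, which is both unapplied and would lock you out of the box if the TACACS+ server were unreachable.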
02-10-2009 11:45 AM
anything you WANT, not was
02-12-2009 08:35 AM
hi there, where do you control access to what the users can do, would this be on the acs server? can you do it also locally on the router by privilege levels?
02-12-2009 10:34 AM
Hi Carl,
If it is an AAA user, the privilege levels must be set through the AAA interface, either by individual or group settings. If you are using local users, you can do this when you create the user:
router(config)#username (name) privilege (0-15) secret (secret_password)
When you set the privilege level, this will give the user access to the commands that correspond to that priv level.
hth,
Justin
03-26-2009 07:35 AM
Hi there
Can anyone tell me which screens I need to go in on the acs server to create the privilege levels for each user?
thanks
09-24-2020 07:38 AM
What of “authorisation exec default local”
“authorisation exec vtymethod group tacacs + local” and “authorisation commands 15 vtymethod group tacacs + local” thanks