
Tacacs config in AAA

mahesh18
Level 6

Hi Everyone,

Need to know which line in the AAA config is using TACACS to log in to the router.

Here is the AAA config:

aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization network default group tacacs+ none
aaa accounting exec default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
!
aaa accounting network default
 action-type start-stop
 group tacacs+
!
aaa accounting connection default
 action-type start-stop
 group tacacs+
!
aaa accounting system default
 action-type start-stop
 group tacacs+
!
!
!
aaa session-id common
clock timezone MNT -7
line vty 0 4
 exec-timeout 15 0
 transport input telnet ssh

Currently, when I telnet to the router it uses TACACS. I need to know which line in the AAA config uses the TACACS config.

Thanks

Mahesh

Accepted Solutions

You have several aaa commands that change the default behaviour of the router:

aaa authentication login default group tacacs+ enable

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ none

aaa authorization commands 1 default group tacacs+ none

aaa authorization commands 15 default group tacacs+ none

aaa authorization network default group tacacs+ none

With these commands, your lines use this new aaa-config without an explicit reconfig of the line.

If you want to change to local authentication, then you can change it by using the same commands without the "group tacacs" or even better, start by removing all aaa-commands and only configure what you really need.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


johnlloyd_13
Level 9

Hi Mahesh,

This line tells you how to log in to your device:

aaa authentication login default group tacacs+ enable

The 'default' keyword applies to all lines, i.e. console, VTY and aux, and the 'enable' keyword specifies to use the enable password as a fallback method.
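
The two answers above say that the 'default' login list covers every line that has no explicit list of its own. As an added example (not code from the thread or from Cisco), this Python sketch resolves which "aaa authentication login" method list each line stanza ends up using. The sample config is constructed: the CONSOLE-LOCAL list and the "line con 0" stanza are assumptions added to show a line that overrides the default.

```python
import re

# Constructed sample: login/enable lines and the vty stanza follow the question;
# the CONSOLE-LOCAL list and the "line con 0" stanza are assumptions.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login CONSOLE-LOCAL local
aaa authentication enable default group tacacs+ enable
line con 0
 login authentication CONSOLE-LOCAL
line vty 0 4
 exec-timeout 15 0
 transport input telnet ssh
"""

def parse_methods(text):
    """Split 'group tacacs+ enable' into ordered methods ['group tacacs+', 'enable']."""
    tokens, methods = text.split(), []
    while tokens:
        tok = tokens.pop(0)
        methods.append(f"group {tokens.pop(0)}" if tok == "group" and tokens else tok)
    return methods

def login_method_lists(config):
    """Map each 'aaa authentication login' list name to its ordered methods."""
    pattern = r"^aaa authentication login (\S+) (.+)$"
    return {m.group(1): parse_methods(m.group(2))
            for m in re.finditer(pattern, config, re.M)}

def effective_login(config):
    """Return {line stanza: (list name, methods)}; expects indented sub-commands."""
    lists, chosen, current = login_method_lists(config), {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            chosen[current] = "default"   # no explicit list: 'default' applies
        elif current and raw.startswith(" "):
            m = re.match(r"\s+login authentication (\S+)", raw)
            if m:
                chosen[current] = m.group(1)
        else:
            current = None                # left the line stanza
    return {line: (name, lists.get(name, [])) for line, name in chosen.items()}

if __name__ == "__main__":
    for line, (name, methods) in effective_login(SAMPLE_CONFIG).items():
        print(f"{line}: list '{name}' -> {' then '.join(methods) or 'not defined'}")
```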


Hi,

Please explain to me how I can grant only several commands in configuration mode with TACACS+.

I found an example of a tac_plus.conf file where I can grant "configuration terminal", but it is hard to find how to grant only the "access-list" command but not "ip route".


Hi,

Many thanks for the reply.

Mahesh
