08-29-2012 02:26 PM - edited 03-07-2019 08:36 AM
Hi Everyone,
Need to know which line in the aaa config is using TACACS to log in to the router.
Here is the aaa config:
aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization network default group tacacs+ none
aaa accounting exec default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
!
aaa accounting network default
 action-type start-stop
 group tacacs+
!
aaa accounting connection default
 action-type start-stop
 group tacacs+
!
aaa accounting system default
 action-type start-stop
 group tacacs+
!
!
!
aaa session-id common
clock timezone MNT -7
line vty 0 4
 exec-timeout 15 0
 transport input telnet ssh
Currently, when I telnet to the router it uses TACACS. I need to know which line in the aaa config uses the TACACS config?
Thanks
Mahesh
08-29-2012 02:57 PM
You have several aaa commands that change the default behaviour of the router:
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization network default group tacacs+ none
With these commands, your lines use this new aaa-config without an explicit reconfig of the line.
If you want to change to local authentication, then you can change it by using the same commands without the "group tacacs" or, even better, start by removing all aaa commands and only configure what you really need.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-29-2012 06:46 PM
Hi Mahesh,
This line tells you how to log in to your device:
aaa authentication login default group tacacs+ enable
The 'default' keyword applies to all lines, i.e. console, VTY and aux, and the 'enable' keyword specifies to use the enable password as a fallback method.
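The replies above say the `default` login list applies to every line that has no explicit override. As an added example (not code from the thread or from Cisco), this Python sketch reads a config and reports, per line, which login method list it resolves to and in what order the methods are tried. The console block and the list name CONSOLE_LOCAL in the sample are hypothetical, added to show the override case.

```python
import re

# Constructed sample: the login list and VTY block from the thread, plus a
# hypothetical console block pinned to a hypothetical named list CONSOLE_LOCAL.
SAMPLE = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login CONSOLE_LOCAL local
line con 0
 login authentication CONSOLE_LOCAL
line vty 0 4
 exec-timeout 15 0
 transport input telnet ssh
"""

def parse_methods(tokens):
    """Turn ['group', 'tacacs+', 'enable'] into ['group tacacs+', 'enable']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def login_methods_per_line(config):
    """Map each 'line ...' block to (method list name, ordered methods)."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()  # tolerate configs whose indentation was lost
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            lists[m.group(1)] = parse_methods(m.group(2).split())
        elif text.startswith("line "):
            current = text
            lines[current] = "default"  # no override seen yet
        elif text == "!":
            current = None
        elif current and text.startswith("login authentication "):
            lines[current] = text.split()[2]
    # A list name with no definition resolves to None so it stands out.
    return {ln: (name, lists.get(name)) for ln, name in lines.items()}

if __name__ == "__main__":
    for line, (name, methods) in login_methods_per_line(SAMPLE).items():
        print(f"{line}: list={name} methods={methods}")
```

A line that references a list name with no matching `aaa authentication login` definition is reported with methods `None`, which is worth reviewing by hand.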
11-08-2012 03:42 AM
Hi,
Please explain to me how I can grant only several commands in configuration mode with TACACS+?
I found an example of a tac_plus.conf file where I can grant "configuration terminal", but it is hard to find how to grant only the "access-list" command but not "ip route".
09-09-2012 10:21 AM
Hi,
Many thanks for the reply.
Mahesh