06-22-2007 07:46 AM - edited 03-10-2019 03:14 PM
Hi Everyone,
I have the below working config for TACACS+ authentication and accounting for IOS based devices. Would anybody be able to give me a CATOS version for the config?
Many thanks,
Dan
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
enable password cisco
!
username Manager password 0 cisco
tacacs-server host 10.1.1.1
tacacs-server key cisco
06-22-2007 07:53 AM
Hi,
First, make sure that your CatOS version supports fallback, because a few earlier versions were not able to do so.
Anyhow, here you go,
/----------------------------------/
!--- Define localuser to prevent ourselves from being locked out
!--- For backdoor purpose
set localuser user
!--- Specify the TACACS server IP address, i.e., ACS IP address
set tacacs server
set tacacs key
set tacacs timeout 30
!--- For backdoor purpose, specify authentication for
!--- login and enable via local database.
set authentication login local enable all
!--- Specifying authentication for login & enable via TACACS
set authentication login tacacs enable telnet primary
set authorization exec enable tacacs+ none telnet
!--- Specifying accounting for exec level
set accounting exec enable start-stop tacacs+
!--- Specifying accounting for users telnetting out of the switch
set accounting connect enable start-stop tacacs+
!--- Accounts for system level changes over switch
set accounting system enable start-stop tacacs+
!--- For accounting events performed by users, i.e., commands being issued
set accounting commands enable all start-stop tacacs+
/----------------------------------/
For 8.6:
Configuring the Switch Access Using AAA:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_6/confg_gd/authent.htm
Regards,
Prem
06-22-2007 07:59 AM
Hi,
Do not put exec authorization, you do not have that in IOS config,
!--- Specifying authentication for login & enable via TACACS
set authentication login tacacs enable telnet primary
set authorization exec enable tacacs+ none telnet
Instead, use this,
!--- Specifying authentication for enable
set authentication enable tacacs enable telnet
As you have "aaa authentication enable default group tacacs+ enable"
Regards,
Prem
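An added example, not part of the thread and not Cisco's own tooling: a small Python check that reads a CatOS configuration and reports which of the settings discussed above are missing (local login fallback, TACACS+ login and enable authentication, exec and command accounting, a server address and key that actually carry a value) and whether the exec authorization line withdrawn in the second reply is still present. The sample configs are constructed from the commands in the replies; `10.1.1.1` is taken from the original post and `EXAMPLE-KEY` is a placeholder.

```python
import re

# Checks use only the CatOS commands quoted in the thread above.
REQUIRED = [
    ("local login fallback", r"^set authentication login local enable\b"),
    ("TACACS+ login authentication",
     r"^set authentication login tacacs enable\b.*\bprimary\b"),
    ("TACACS+ enable authentication", r"^set authentication enable tacacs enable\b"),
    ("exec accounting", r"^set accounting exec enable start-stop tacacs\+"),
    ("command accounting", r"^set accounting commands enable all start-stop tacacs\+"),
    ("TACACS+ server address", r"^set tacacs server \S+"),
    ("TACACS+ key", r"^set tacacs key \S+"),
]
# Given in the first reply, withdrawn in the second (not in the IOS config).
UNWANTED = [("exec authorization", r"^set authorization exec enable\b")]

# Constructed sample: the first reply as posted, server and key left empty.
AS_POSTED = """\
set tacacs server
set tacacs key
set tacacs timeout 30
set authentication login local enable all
set authentication login tacacs enable telnet primary
set authorization exec enable tacacs+ none telnet
set accounting exec enable start-stop tacacs+
set accounting commands enable all start-stop tacacs+
"""
# Constructed sample: second reply's correction applied, placeholders filled.
FIXED = (AS_POSTED
         .replace("set tacacs server\n", "set tacacs server 10.1.1.1\n")
         .replace("set tacacs key\n", "set tacacs key EXAMPLE-KEY\n")
         .replace("set authorization exec enable tacacs+ none telnet",
                  "set authentication enable tacacs enable telnet"))


def audit(config_text):
    """Return (missing, unexpected) lists of check names for a CatOS config."""
    # Normalise whitespace; drop blank lines and '!' comment lines.
    lines = [" ".join(raw.split()) for raw in config_text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]

    def has(pattern):
        return any(re.search(pattern, l) for l in lines)

    missing = [name for name, pat in REQUIRED if not has(pat)]
    unexpected = [name for name, pat in UNWANTED if has(pat)]
    return missing, unexpected


if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("corrected", FIXED)):
        print(label, audit(cfg))
```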