CATOS AAA Config

Unanswered Question
Jun 22nd, 2007

Hi Everyone,


I have the below working config for TACACS+ authentication and accounting for IOS based devices. Would anybody be able to give me a CATOS version for the config?


Many thanks,


Dan


aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

enable password cisco

!

username Manager password 0 cisco


tacacs-server host 10.1.1.1

tacacs-server key cisco

Premdeep Banga Fri, 06/22/2007 - 07:53

Hi,


First make sure that your CatOS version supports fallback, because a few earlier versions were not able to do so.


Anyhow, here you go,


/----------------------------------/

!--- Define localuser to prevent ourselves from being locked out

!--- For backdoor purpose

set localuser user <username> password <password> privilege 15


!--- Specify the TACACS server IP address, i.e., ACS IP address

set tacacs server <server_ip>

set tacacs key <key>

set tacacs timeout 30


!--- For backdoor purpose, specify authentication for

!--- login and enable via local database.

set authentication login local enable all


!--- Specifying authentication for login & enable via TACACS

set authentication login tacacs enable telnet primary

set authorization exec enable tacacs+ none telnet


!--- Specifying accounting for exec level

set accounting exec enable start-stop tacacs+

!--- Specifying accounting for users telnetting out of the switch

set accounting connect enable start-stop tacacs+

!--- Accounts for system level changes over switch

set accounting system enable start-stop tacacs+

!--- For accounting events performed by users, i.e., commands being issued

set accounting commands enable all start-stop tacacs+

/----------------------------------/


For 8.6:


Configuring the Switch Access Using AAA:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_6/confg_gd/authent.htm



Regards,

Prem

Premdeep Banga Fri, 06/22/2007 - 07:59

Hi,


Do not put exec authorization, you do not have that in IOS config,


!--- Specifying authentication for login & enable via TACACS

set authentication login tacacs enable telnet primary

set authorization exec enable tacacs+ none telnet


Instead, use this,


!--- Specifying authentication for enable

set authentication enable tacacs enable telnet


As you have "aaa authentication enable default group tacacs+ enable"


Regards,

Prem
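
Added example, not part of the original thread or of Cisco's documentation: a Python check that audits an IOS-style AAA configuration for the points this thread turns on (a fallback method after TACACS+ so an unreachable server does not lock administrators out, and level 15 command accounting), and for credentials stored with `password` rather than `secret`. The function names and finding codes are hypothetical; the sample input is the configuration posted in the question.

```python
import re

# Constructed sample: the IOS configuration posted in the question above.
THREAD_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
enable password cisco
username Manager password 0 cisco
tacacs-server host 10.1.1.1
tacacs-server key cisco
"""

def split_methods(spec):
    """Split 'group tacacs+ local' into ['group tacacs+', 'local']."""
    tokens, methods = spec.split(), []
    while tokens:
        head = tokens.pop(0)
        methods.append(head + " " + tokens.pop(0) if head == "group" and tokens else head)
    return methods

def audit_aaa(config):
    """Return (code, line) findings; codes are hypothetical names for this example."""
    lines = [l.strip() for l in config.splitlines() if l.strip() and not l.strip().startswith("!")]
    findings = []
    if "aaa new-model" not in lines:
        findings.append(("NO_AAA_NEW_MODEL", ""))
    for line in lines:
        m = re.match(r"aaa authentication (?:login|enable) \S+ (.+)", line)
        if m:
            methods = split_methods(m.group(1))
            if methods[-1].startswith("group "):  # nothing to fall back to: lockout risk
                findings.append(("NO_LOCAL_FALLBACK", line))
            if "none" in methods:  # unauthenticated access once earlier methods error out
                findings.append(("FALLBACK_NONE", line))
        if re.match(r"enable password\b", line):  # 'enable secret' stores a hash instead
            findings.append(("ENABLE_PASSWORD_NOT_SECRET", line))
        if re.match(r"username \S+ .*\bpassword\b", line):  # prefer 'username ... secret'
            findings.append(("USER_PASSWORD_NOT_SECRET", line))
    if not any(l.startswith("aaa accounting commands 15 ") for l in lines):
        findings.append(("NO_LEVEL15_COMMAND_ACCOUNTING", ""))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{c}: {l}" for c, l in audit_aaa(THREAD_CONFIG)))
```
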
