TACACS+/aaa Questions

Unanswered Question
May 30th, 2008

Below is a TACACS config on a router in a client's network:


aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated none


A few things...


1.) I don't see any aaa accounting commands, so I am wondering if accounting is not being leveraged, or if there is another way of providing command accounting without explicitly configuring it on the device.


2.) I know that to log onto the device, they use an RSA token. Correct me if I'm wrong, but enabling RSA ID tokens for authentication through ACS is done at the ACS server itself. In other words, the RSA functionality will not be reflected in the device's aaa configs, but instead in the application's configuration... correct?


Lastly, I see the following globally enabled configs on the router:


privilege exec level 0 dir
privilege exec level 0 write terminal
privilege exec level 0 write
privilege exec level 0 traceroute ip
privilege exec level 0 traceroute
privilege exec level 0 ping ip
privilege exec level 0 ping
privilege exec level 0 terminal monitor
privilege exec level 0 terminal
privilege exec level 0 show crypto sockets
privilege exec level 0 show crypto isakmp profile
privilege exec level 0 show crypto isakmp key
privilege exec level 0 show crypto isakmp policy
privilege exec level 0 show crypto isakmp sa
privilege exec level 0 show crypto isakmp
privilege exec level 0 show crypto ipsec security-association-lifetime
privilege exec level 0 show crypto ipsec security-association


I'm not sure how this figures into the aaa config. Why would these authorization commands be configured locally on the router when aaa authorization is already being leveraged centrally on the ACS server (aaa authorization commands in the config)?


Can anyone provide some good insight into this?


Thank you very much in advance



Richard Burts Fri, 05/30/2008 - 04:13

Victor


You posted this same question in the LAN Switching and Routing forum where I have posted an answer. I suggest that any further discussion be consolidated in the LAN forum.


HTH


Rick

lamav Fri, 05/30/2008 - 04:30

You're right, Rick.


I only posted it here because it seemed isolated enough from the other forum's LAN/WAN routing/switching threads... I didn't know a specialized forum for AAA existed when I posted on the LAN thread.


Everyone:


If you would like to offer some expertise regarding this matter, kindly go to the following link:


http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&topicID=.ee71a04&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc0be54


Thank you


Victor

Jagdeep Gambhir Fri, 05/30/2008 - 11:44

Hi,

If you are using command authorization then privilege doesn't matter.


The best way to set it up is to give all users priv lvl 15 and then define which commands a user can execute.


Note: Having priv 15 does not mean that the user will be able to issue all commands.


We will set up command authorization on ACS to have control over users.


This is how your config should look:


aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands

aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+



Check out this link

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml




Regards,

~JG
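The two stanzas in this thread (the client's original and the one recommended in the reply above) differ in exactly the ways a reviewer needs to check by hand on every IOS box: what each method list falls back to when no TACACS+ server answers, whether per-command authorization and per-command accounting exist at all, and which commands have been locally re-mapped to a lower privilege level. The script below is an added example written for this page, not code from the thread or from Cisco; it parses those lines from a running-config and rates them. The severity labels, the `show crypto` rule and the two embedded configs (the client's stanza with a subset of its privilege lines, and the recommended stanza with `aaa new-model` prepended) are the author's assumptions, constructed as inline sample input so it runs offline.

```python
"""Audit the AAA/TACACS+ stanza of a Cisco IOS configuration (added example,
not code from this thread). Reports each method list's fallback when every
TACACS+ server is unreachable (IOS moves to the next method only on a server
error, never on a reject), whether per-command authorization and accounting
are configured on the device, and which commands were re-mapped downward."""
import re
from dataclasses import dataclass, field

# Assumed rating for a method that follows 'group tacacs+' in a method list.
FALLBACK_RATING = {
    "none": ("high", "no check at all"),
    "if-authenticated": ("warn", "any authenticated user is authorized"),
    "line": ("warn", "the shared line (vty/console) password"),
    "enable": ("warn", "the enable password"),
    "local": ("info", "the local username database"),
}
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")


@dataclass
class AaaAudit:
    new_model: bool = False
    method_lists: dict = field(default_factory=dict)      # (kind, type, name) -> methods
    accounting: list = field(default_factory=list)        # (type, level, name, record, methods)
    privilege_remaps: list = field(default_factory=list)  # (mode, level, command)
    findings: list = field(default_factory=list)          # (severity, text)

    def has_command_authorization(self):
        return any(k[0] == "authorization" and k[1].startswith("commands") for k in self.method_lists)

    def has_command_accounting(self):
        return any(t == "commands" for t, *_ in self.accounting)


def parse_methods(toks):
    # ['group', 'tacacs+', 'local'] -> ['group tacacs+', 'local']
    out, i = [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append(f"group {toks[i + 1]}"); i += 2
        else:
            out.append(toks[i]); i += 1
    return out


def audit_ios_config(config_text):
    a = AaaAudit()
    for raw in config_text.splitlines():
        toks = raw.strip().split()
        if toks[:2] == ["aaa", "new-model"]:
            a.new_model = True
        elif len(toks) >= 3 and toks[0] == "aaa" and toks[1] in ("authentication", "authorization", "accounting"):
            kind, typ, rest = toks[1], toks[2], toks[3:]
            if typ == "config-commands":  # 'aaa authorization config-commands' carries no method list
                a.method_lists[(kind, typ, "")] = []
                continue
            level = ""
            if typ == "commands" and rest and rest[0].isdigit():
                level, rest = rest[0], rest[1:]
            if not rest:
                continue
            name, rest = rest[0], rest[1:]
            if kind == "accounting":  # first token is the record type: start-stop / stop-only / none
                a.accounting.append((typ, level, name, rest[0] if rest else "", parse_methods(rest[1:])))
            else:
                a.method_lists[(kind, f"{typ} {level}".strip(), name)] = parse_methods(rest)
        elif m := PRIV_RE.match(raw.strip()):
            a.privilege_remaps.append((m.group(1), int(m.group(2)), m.group(3)))

    if not a.new_model:
        a.findings.append(("high", "aaa new-model is missing; aaa method lists are ignored"))
    for (kind, typ, name), methods in a.method_lists.items():
        for fb in methods:
            if fb in FALLBACK_RATING:
                sev, what = FALLBACK_RATING[fb]
                a.findings.append((sev, f"aaa {kind} {typ} {name}: falls back to '{fb}' "
                                        f"({what}) when no TACACS+ server answers"))
    if not a.has_command_authorization():
        a.findings.append(("warn", "no 'aaa authorization commands <level>': the privilege level "
                                   "alone decides which commands a user may run"))
    if not a.has_command_accounting():
        a.findings.append(("warn", "no 'aaa accounting commands <level>': the device sends no "
                                   "per-command records unless accounting is configured here"))
    for _mode, level, cmd in a.privilege_remaps:  # assumed rule: crypto state at level 0/1 is high
        sev = "high" if level <= 1 and cmd.startswith("show crypto") else "info"
        a.findings.append((sev, f"'{cmd}' re-mapped to privilege level {level}"))
    return a


# Constructed inputs: the client's stanza from the question (subset of its
# privilege lines) and the recommended stanza from the reply plus aaa new-model.
CLIENT_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated none
privilege exec level 0 dir
privilege exec level 0 write
privilege exec level 0 ping
privilege exec level 0 show crypto isakmp key
"""
RECOMMENDED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""
```

Run `audit_ios_config(CLIENT_CONFIG).findings` and the original stanza produces a high finding for the `none` at the end of the exec authorization list, two warnings for the `line` and `enable` fallbacks, and warnings that neither command authorization nor command accounting is configured, which answers the first question directly: accounting is only generated when the device is told to send it. The recommended stanza produces no high finding. The `if-authenticated` rating is deliberately only a warning, since it still requires a successful login; it only lets a user get an exec shell when the ACS is down.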

