TACACS+/aaa Questions

lamav
Level 8

Below is a TACACS config on a router in a client's network:

aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated none

A few things...

1.) I don't see any aaa accounting commands, so I am wondering if accounting is not being leveraged, or if there is another way of providing command accounting without explicitly configuring it on the device.

2.) I know that to log onto the device, they use an RSA Token. Correct me if I'm wrong, but enabling RSA ID tokens for authentication through ACS is done at the ACS server itself. In other words, the RSA functionality will not be reflected in the device's aaa configs, but instead in the application's configuration...correct?

Lastly, I see the following globally enabled configs on the router:

privilege exec level 0 dir
privilege exec level 0 write terminal
privilege exec level 0 write
privilege exec level 0 traceroute ip
privilege exec level 0 traceroute
privilege exec level 0 ping ip
privilege exec level 0 ping
privilege exec level 0 terminal monitor
privilege exec level 0 terminal
privilege exec level 0 show crypto sockets
privilege exec level 0 show crypto isakmp profile
privilege exec level 0 show crypto isakmp key
privilege exec level 0 show crypto isakmp policy
privilege exec level 0 show crypto isakmp sa
privilege exec level 0 show crypto isakmp
privilege exec level 0 show crypto ipsec security-association-lifetime
privilege exec level 0 show crypto ipsec security-association

I'm not sure how this figures into the aaa config. Why would these authorization commands be configured locally on the router when aaa authorization is already being leveraged centrally on the ACS server (aaa authorization commands in the config)?

Can anyone provide some good insight into this?

Thank you very much in advance

3 Replies

Richard Burts
Hall of Fame

Victor

You posted this same question in the LAN Switching and Routing forum where I have posted an answer. I suggest that any further discussion be consolidated in the LAN forum.

HTH

Rick

You're right, Rick.

I only posted it here because it seemed isolated enough from the other forums' LAN/WAN routing/switching threads....didn't know a specialized forum for AAA existed when I posted on the LAN thread.

Everyone:

If you would like to offer some expertise regarding this matter, kindly go to the following link:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&topicID=.ee71a04&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc0be54

Thank you

Victor

Hi,

If you are using command authorization then privilege level doesn't matter.

The best way to set it up is to give all users priv level 15 and then define which commands a user can execute.

Note: Having priv 15 does not mean that the user will be able to issue all commands.

We will set up command authorization on ACS to have control over users.

This is how your config should look,

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

Check out this link

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

~JG
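The two configs in this thread (the client's original and JG's recommended one) differ in exactly the ways an auditor would want to check for automatically: per-command authorization, command accounting, a `none` fallback on the exec authorization list, and `privilege exec level 0` lines that lower the level needed for sensitive `show` commands. The following script is an added example, not code from the thread or from Cisco; it parses a running-config excerpt with simple regexes and reports those gaps. Both sample configs are built inline from the lines quoted above (the privilege list is shortened to a few representatives), and the finding texts are this example's own wording.

```python
"""Audit the AAA posture of a Cisco IOS running-config excerpt (added example)."""
import re

# Constructed from the original poster's config (privilege lines abbreviated).
ORIGINAL_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated none
privilege exec level 0 dir
privilege exec level 0 write
privilege exec level 0 show crypto isakmp key
privilege exec level 0 show crypto ipsec security-association
"""

# Constructed from JG's recommended config, with aaa new-model added in front.
RECOMMENDED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""


def _methods(text):
    """Split an AAA method list, keeping 'group <name>' as one method."""
    toks, out, i = text.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append("group " + toks[i + 1])
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def parse_aaa(config):
    """Collect the AAA-relevant facts from a config string."""
    info = {
        "new_model": False,
        "login_methods": [],
        "exec_authz_methods": [],
        "cmd_authz_levels": set(),
        "config_commands": False,
        "cmd_acct_levels": set(),
        "priv_overrides": [],  # (level, command) from 'privilege exec level N <cmd>'
    }
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "aaa new-model":
            info["new_model"] = True
            continue
        m = re.match(r"aaa authentication login \S+ (.+)", line)
        if m:
            info["login_methods"] = _methods(m.group(1))
            continue
        m = re.match(r"aaa authorization exec \S+ (.+)", line)
        if m:
            info["exec_authz_methods"] = _methods(m.group(1))
            continue
        m = re.match(r"aaa authorization commands (\d+) \S+ (.+)", line)
        if m:
            info["cmd_authz_levels"].add(int(m.group(1)))
            continue
        if line == "aaa authorization config-commands":
            info["config_commands"] = True
            continue
        m = re.match(r"aaa accounting commands (\d+) \S+ (start-stop|stop-only|none) (.+)", line)
        if m:
            info["cmd_acct_levels"].add(int(m.group(1)))
            continue
        m = re.match(r"privilege exec level (\d+) (.+)", line)
        if m:
            info["priv_overrides"].append((int(m.group(1)), m.group(2)))
    return info


def audit(config):
    """Return a list of finding strings; an empty list means no gaps were found."""
    info = parse_aaa(config)
    findings = []
    if not info["new_model"]:
        findings.append("aaa new-model is missing; AAA method lists will not apply")
    if not info["cmd_authz_levels"]:
        findings.append("no 'aaa authorization commands <level>' lines: command authorization is not enforced")
    elif not info["config_commands"]:
        findings.append("command authorization is set but 'aaa authorization config-commands' is absent")
    if not info["cmd_acct_levels"]:
        findings.append("no 'aaa accounting commands <level>' lines: commands are not being logged to TACACS+")
    if "none" in info["exec_authz_methods"]:
        findings.append("exec authorization falls back to 'none' if TACACS+ is unreachable")
    for level, cmd in info["priv_overrides"]:
        # 'show crypto isakmp key' reveals configured pre-shared keys; lowering its
        # level makes it available to every authenticated user at that level.
        if level < 15 and cmd.startswith("show crypto isakmp key"):
            findings.append(f"'{cmd}' moved to privilege level {level}; it displays pre-shared keys")
    return findings


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("recommended", RECOMMENDED_CONFIG)):
        print(f"== {name} ==")
        for f in audit(cfg) or ["no findings"]:
            print(" -", f)
```

Run it on a saved `show running-config` to get the same four findings JG's reply implicitly addresses for the original config, and an empty list for the recommended one. Note that the per-command `privilege exec level` lines are reported rather than treated as errors: as JG says, once command authorization is enforced by the TACACS+ server they no longer decide who can run what, but the `show crypto isakmp key` override is worth knowing about regardless.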
