05-30-2008 02:40 AM - edited 03-10-2019 03:52 PM
Below is a TACACS config on a router in a client's network:
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated none
A few things...
1.) I don't see any aaa accounting commands, so I am wondering if accounting is not being leveraged, or if there is another way of providing command accounting without explicitly configuring it on the device.
2.) I know that to log onto the device, they use an RSA Token. Correct me if I'm wrong, but enabling RSA ID tokens for authentication through ACS is done at the ACS server itself. In other words, the RSA functionality will not be reflected in the device's aaa configs, but instead in the application's configuration...correct?
Lastly, I see the following globally enabled configs on the router:
privilege exec level 0 dir
privilege exec level 0 write terminal
privilege exec level 0 write
privilege exec level 0 traceroute ip
privilege exec level 0 traceroute
privilege exec level 0 ping ip
privilege exec level 0 ping
privilege exec level 0 terminal monitor
privilege exec level 0 terminal
privilege exec level 0 show crypto sockets
privilege exec level 0 show crypto isakmp profile
privilege exec level 0 show crypto isakmp key
privilege exec level 0 show crypto isakmp policy
privilege exec level 0 show crypto isakmp sa
privilege exec level 0 show crypto isakmp
privilege exec level 0 show crypto ipsec security-association-lifetime
privilege exec level 0 show crypto ipsec security-association
I'm not sure how this figures into the aaa config. Why would these authorization commands be configured locally on the router when aaa authorization is already being leveraged centrally on the ACS server (aaa authorization commands in the config)?
Can anyone provide some good insight into this?
Thank you very much in advance
05-30-2008 04:13 AM
Victor
You posted this same question in the LAN Switching and Routing forum where I have posted an answer. I suggest that any further discussion be consolidated in the LAN forum.
HTH
Rick
05-30-2008 04:30 AM
You're right, Rick.
I only posted it here because it seemed isolated enough from the other forums' LAN/WAN routing/switching threads... I didn't know a specialized forum for AAA existed when I posted on the LAN thread.
Everyone:
If you would like to offer some expertise regarding this matter, kindly go to the following link:
Thank you
Victor
05-30-2008 11:44 AM
Hi,
If you are using command authorization, then privilege doesn't matter.
The best way to set it up is to give all users priv lvl 15 and then define which commands the user can execute.
Note: Having priv 15 does not mean that the user will be able to issue all commands.
We will set up command authorization on ACS to have control over users.
This is how your config should look:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Check out this link
Regards,
~JG
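To turn the two configs in this thread into something you can run against a pulled running-config, here is an added example (it is not from the thread and not a Cisco tool). It parses the AAA lines and reports the items the posts debate: whether command accounting and command authorization are enabled at all, what the router falls back to for login and exec authorization when TACACS+ does not answer, and how many local `privilege exec level` lines remain. The two config strings are constructed from Victor's and JG's posts; the recommended one assumes the router keeps its existing `aaa new-model` line, which JG's snippet does not repeat.

```python
"""Audit an IOS AAA block for the TACACS+ command-authorization and
command-accounting pieces discussed in the thread (added example)."""
import re

# Constructed from Victor's first post: his aaa lines plus a few of the
# local 'privilege exec level 0' entries he asked about.
ORIGINAL_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated none
privilege exec level 0 dir
privilege exec level 0 write terminal
privilege exec level 0 show crypto isakmp key
"""

# Constructed from JG's reply; 'aaa new-model' is assumed to remain
# because it was already on the router.
RECOMMENDED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""


def normalized_lines(config_text):
    """Yield non-empty lines with whitespace collapsed; '!' comments dropped."""
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("!"):
            yield line


def method_tokens(tokens):
    """['group', 'tacacs+', 'if-authenticated', 'none'] ->
    ['group tacacs+', 'if-authenticated', 'none'].  IOS tries the methods
    left to right, so what follows the server group is the fallback."""
    out, it = [], iter(tokens)
    for tok in it:
        out.append(tok + " " + next(it, "") if tok == "group" else tok)
    return out


def fallback_methods(aaa_lines, prefix):
    """Methods after the first 'group ...' on the line starting with prefix
    (e.g. 'aaa authorization exec default'); None if no such line."""
    for line in aaa_lines:
        if line.startswith(prefix + " "):
            methods = method_tokens(line[len(prefix):].split())
            for i, m in enumerate(methods):
                if m.startswith("group "):
                    return methods[i + 1:]
            return methods  # no server group at all: every method is local
    return None


def levels(aaa_lines, pattern):
    """Sorted privilege levels that have a matching 'aaa ... commands <n>' line."""
    return sorted({int(m.group(1)) for m in map(lambda l: re.match(pattern, l), aaa_lines) if m})


def audit_aaa(config_text):
    """Return the findings a reviewer would check for this thread's questions."""
    lines = list(normalized_lines(config_text))
    aaa = [l for l in lines if l.startswith("aaa ")]
    return {
        "new_model": "aaa new-model" in aaa,
        # Q1: is command accounting configured at all?
        "accounting_levels": levels(aaa, r"aaa accounting commands (\d+) "),
        # JG's point: per-command control lives on ACS, but only if enabled here
        "command_authz_levels": levels(aaa, r"aaa authorization commands (\d+) "),
        "config_commands": "aaa authorization config-commands" in aaa,
        # What the router does when the TACACS+ group does not answer
        "login_fallback": fallback_methods(aaa, "aaa authentication login default"),
        "exec_authz_fallback": fallback_methods(aaa, "aaa authorization exec default"),
        # Local privilege lines: moot under command authorization, per JG
        "local_privilege_lines": sum(1 for l in lines if l.startswith("privilege ")),
    }


def report(config_text):
    """Print and return a human-readable summary of audit_aaa()."""
    f, out = audit_aaa(config_text), []
    if not f["new_model"]:
        out.append("aaa new-model missing: the aaa lines have no effect")
    if not f["accounting_levels"]:
        out.append("no 'aaa accounting commands' lines: commands are not logged to TACACS+")
    if not f["command_authz_levels"]:
        out.append("no 'aaa authorization commands' lines: ACS command sets are never consulted")
    elif not f["config_commands"]:
        out.append("config-mode commands exempt: no 'aaa authorization config-commands'")
    out.append("login fallback when TACACS+ is down: %s" % f["login_fallback"])
    out.append("exec authorization fallback when TACACS+ is down: %s" % f["exec_authz_fallback"])
    if f["local_privilege_lines"]:
        out.append("%d local 'privilege exec level' lines present" % f["local_privilege_lines"])
    for line in out:
        print(line)
    return out


if __name__ == "__main__":
    print("--- original ---"); report(ORIGINAL_CONFIG)
    print("--- recommended ---"); report(RECOMMENDED_CONFIG)
```

Run it against the text of `show running-config | include ^aaa|^privilege` from a device to get the same summary. The fallback lists are reported rather than judged: `if-authenticated` and `none` both let an already-authenticated session through when the TACACS+ servers are unreachable, and whether that is acceptable depends on the site's policy.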