I am new to Cisco ACS server for Windows. I am testing it on a Cisco 1700 series router.
I have created two users in ACS with different shell command authorization sets, and I have created one local user on the router. I am successfully able to log in to the router with both ACS users through Telnet and console.
But I am stuck with some requirements which I need to test.
1) When my ACS is running, I should use only my ACS users for logging in to the device, whether through Telnet or console.
2) If my ACS is down, then I should be able to log in to the device through the local user created on it. This way the device will not be locked down due to the absence of AAA.
I have almost achieved my first requirement, but I am stuck on my second requirement. Require your help please.
Router configuration enclosed!
Command accounting is listed under the TACACS+ Administration report and not in TACACS+ Accounting.
If the issue is still there, then check the ACS software. ACS 4.1.1 has issues with command accounting; you need to upgrade it to patch 5.
Do rate helpful posts
Here you go:
aaa authentication login default group tacacs+ local
It will let you in using the password configured in ACS, and if ACS is down it will let you in using the local user/password configured on the router.
aaa authentication enable default group tacacs+ enable
Once you are in user mode and try to enter enable mode, it will let you in using the enable password configured in ACS, and if ACS is down it will let you in using the enable password set up on the router.
aaa authorization console
This command enables authorization on the console port. By default that is disabled, and it is recommended to use it only once you are sure about the commands; else you will be locked out.
aaa authorization config-commands
Enables command authorization for global configuration mode.
aaa authorization exec default group tacacs+ if-authenticated
This enables authorization for Telnet (exec) sessions.
aaa authorization commands 1 default group tacacs+ if-authenticated
Enables command authorization for level 1 commands.
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
The accounting commands are self-explanatory.
Using 'none' versus 'if-authenticated' as the backup method for authorization:
If you use 'if-authenticated', any authentication method (line, local, etc.) will allow for successful authorization. However, if the TACACS+ server goes down during a session, all authorization will fail until a new authentication occurs (log out and log back in). This allows for an extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down. They must have access to the backup authentication method. If you use 'none', authorization will always be successful if the AAA server is down, even if it goes down in the middle of the session. Adds convenience at the expense of security.
Do rate helpful posts
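To put the method lists from the reply above together into one complete IOS configuration that meets the original poster's second requirement (local fallback only when ACS is unreachable), here is an added example. It is not the poster's enclosed configuration and not the replier's own text; the server address 192.0.2.10, the shared key, the usernames, the passwords and the FastEthernet0 source interface are placeholders and must be replaced.

```cisco
! Added example configuration, not the original poster's enclosed config.
! 192.0.2.10, the key, usernames, passwords and FastEthernet0 are placeholders.
aaa new-model
!
! Local fallback account and enable secret. These are consulted only when
! no TACACS+ server answers. A server that answers with a REJECT does not
! trigger fallback, so a local-only username is refused while ACS is up,
! which is exactly requirement 1.
username admin privilege 15 secret 0 LocalFallbackPass1
enable secret 0 EnableFallbackPass1
!
! Legacy TACACS+ server syntax as found on 12.x images for the 1700 series.
! The timeout bounds how long a login waits before IOS declares the server
! dead and moves to the next method in the list.
tacacs-server host 192.0.2.10
tacacs-server key SharedSecretKey
tacacs-server timeout 5
ip tacacs source-interface FastEthernet0
!
! Authentication: ACS first, local database only if ACS is unreachable.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization: ACS decides what the user may run. if-authenticated lets a
! session that has already passed authentication continue when ACS is down,
! so the local fallback user is not locked out after logging in.
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
!
! Accounting: exec and command records go to ACS (command records appear
! under the TACACS+ Administration report, as noted in the first reply).
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! With aaa new-model on, console and vty lines use the "default" lists
! automatically; no "login local" is needed on the lines.
line con 0
 exec-timeout 10 0
line vty 0 4
 exec-timeout 10 0
 transport input telnet
```

Apply the authorization lines last and keep a working console session open while testing: log in over Telnet first with an ACS user, confirm commands are authorized, then shut down the ACS service (or block it with an ACL) and log in again as the local user. `debug aaa authentication` and `debug tacacs` show which method answered each attempt, and `test aaa group tacacs+ <user> <password> legacy` checks server reachability without opening a session. Pick a local username that does not exist in ACS; otherwise ACS will reject it while running and the account only works during an outage, which makes the fallback harder to verify.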