aaa services

Unanswered Question
Feb 10th, 2009

Hi all, can anyone tell me, can a router itself provide any AAA functionality? i.e. logging etc. like the ACS?

Can anyone tell me how to simply add my router to an ACS server for all AAA services, as well as allowing a local user and fallback user? A simple config would be great.

cheers

Carl

justbailey Tue, 02/10/2009 - 08:44

This should do the trick, assuming your ACS is TACACS and it is configured properly.

1) Add the device into TACACS so it knows the device is out there.

2) Add this to the router

aaa new-model
! named login lists: try TACACS+, then the local user database, then the line password
aaa authentication login vtymethod group tacacs+ local line
aaa authentication login conmethod group tacacs+ local line
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! local fallback user for when no TACACS+ server answers (name and password are placeholders)
username localadmin privilege 15 secret type_local_password_here
! two TACACS+ servers (the second is optional) and the shared key
tacacs-server host 10.0.0.x
tacacs-server host 10.0.0.x
tacacs-server key type_key_here
! the named lists do nothing until they are applied to the lines
line con 0
 login authentication conmethod
line vty 0 4
 login authentication vtymethod

justbailey Tue, 02/10/2009 - 11:44

aaa new-model (starts your aaa model configuration)

aaa authentication login vtymethod group tacacs+ local line (tells your router that when someone tries to login via a vty line (Telnet, SSH) to first look to tacacs, then to a local group. So if the tacacs is unreachable for someone, you can authenticate as a local user)

aaa authentication login conmethod group tacacs+ local line (same thing for console)

aaa authentication enable default group tacacs+ enable (this line says, if someone authenticates via tacacs, send them straight to the priv exec mode. This is optional, but takes the hassle out of typing enable all the time)

aaa authorization config-commands (gives authorization to the users that successfully authenticate)

aaa authorization exec default group tacacs+ local (authorizes the above command sending tacacs users straight to priv mode)

aaa authorization commands 15 default group tacacs+ local (gives authenticated users authorization to use level 15 commands)

aaa accounting exec default start-stop group tacacs+ (for logging on tacacs)

aaa accounting commands 15 default start-stop group tacacs+ (for logging on tacacs)

tacacs-server host 10.0.0.x (tells router where the tacacs server is)

tacacs-server host 10.0.0.x (alternate tacacs server, optional)

tacacs-server key type_key_here (tacacs key so the router is authorized to use tacacs)

Obviously, depending on what you are doing, some variation can go into these commands. There are tons of aaa commands that can do about anything you want. The example I gave is with one tacacs group, all having priv access. But there are commands for multiple groups with different access and much tweaking. Good luck!

HTH

Justin

carl_townshend Thu, 02/12/2009 - 08:35

Hi there, where do you control access to what the users can do? Would this be on the ACS server? Can you do it also locally on the router by privilege levels?

justbailey Thu, 02/12/2009 - 10:34

Hi Carl,

If it is an AAA user, the privilege levels must be set through the AAA interface, either by individual or group settings. If you are using local users, you can do this when you create the user:

router(config)#username (name) privilege (0-15) secret (secret_password)

When you set the privilege level, this will give the user access to the commands that correspond to that priv level.

hth,

Justin
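The two replies above give a TACACS+ config with local fallback, then explain that local users get their privilege level from the username line. An added example, not code from the thread or from Cisco, that reads an IOS running-config and checks it for the points made in those replies: the named login lists are actually applied to the console and vty lines, every list falls back to local, a privilege-15 local user exists, a tacacs-server key is set, and level-15 commands are accounted as well as authorized. The config it parses is constructed for illustration; the hostname, users, hashes and 10.0.0.x addresses are made up, and the vty lines deliberately lack a login authentication line so the audit has something to find.

```python
"""Audit an IOS running-config for the AAA pitfalls discussed in this thread.
Added example, not code from the original thread; the config, users and
addresses below are constructed for illustration."""
import re

# Constructed sample: the thread's TACACS+ config plus local users, with the
# console list applied but the vty list deliberately left unapplied.
SAMPLE_CONFIG = """\
hostname edge-rtr
aaa new-model
aaa authentication login vtymethod group tacacs+ local line
aaa authentication login conmethod group tacacs+ local line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username admin privilege 15 secret 5 $1$abcd$notarealhash
username helpdesk privilege 5 secret 5 $1$efgh$notarealhash
tacacs-server host 10.0.0.10
tacacs-server host 10.0.0.11
tacacs-server key 7 0822455D0A16
line con 0
 login authentication conmethod
line vty 0 4
 transport input ssh
"""

LOGIN_LIST_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
USERNAME_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?")
CMD_LEVEL_RE = re.compile(r"^aaa (authorization|accounting) commands (\d+) ")


def parse_config(text):
    """Extract the AAA-relevant state from an IOS running-config."""
    cfg = {"aaa_new_model": False, "login_lists": {}, "line_auth": {},
           "users": {}, "tacacs_hosts": [], "tacacs_key": False,
           "authorization": set(), "accounting": set()}
    current_line = None
    for raw in text.splitlines():
        if raw.startswith(" ") and current_line is not None:
            # Indented line inside a 'line ...' block: look for the applied list.
            body = raw.split()
            if body[:2] == ["login", "authentication"] and len(body) == 3:
                cfg["line_auth"][current_line] = body[2]
            continue
        current_line, s = None, raw.strip()
        if s == "aaa new-model":
            cfg["aaa_new_model"] = True
        elif m := LOGIN_LIST_RE.match(s):
            # 'group tacacs+ local line' -> ['group:tacacs+', 'local', 'line']
            cfg["login_lists"][m.group(1)] = m.group(2).replace("group ", "group:").split()
        elif m := CMD_LEVEL_RE.match(s):
            cfg[m.group(1)].add(int(m.group(2)))
        elif m := USERNAME_RE.match(s):
            cfg["users"][m.group(1)] = int(m.group(2) or 1)   # IOS default level is 1
        elif s.startswith("tacacs-server host "):
            cfg["tacacs_hosts"].append(s.split()[2])
        elif s.startswith("tacacs-server key "):
            cfg["tacacs_key"] = True
        elif s.startswith("line "):
            current_line = s[5:]
            cfg["line_auth"].setdefault(current_line, None)
    return cfg


def audit(cfg):
    """Return findings; an empty list means the config does what the thread intends."""
    if not cfg["aaa_new_model"]:
        return ["aaa new-model is missing: none of the aaa lines are in effect"]
    findings = []
    applied = {name for name in cfg["line_auth"].values() if name}
    for name, methods in cfg["login_lists"].items():
        if "local" not in methods:
            findings.append(f"login list {name} has no 'local' method: no fallback if TACACS+ is unreachable")
        if name != "default" and name not in applied:
            findings.append(f"login list {name} is defined but not applied to any line")
    for line, name in cfg["line_auth"].items():
        if name is None and "default" not in cfg["login_lists"]:
            findings.append(f"line {line} has no 'login authentication' applied and no default list exists")
    if 15 not in cfg["users"].values():
        findings.append("no local privilege-15 user defined for fallback access")
    if not cfg["tacacs_hosts"]:
        findings.append("no tacacs-server host configured")
    elif not cfg["tacacs_key"]:
        findings.append("tacacs-server key missing: the router cannot authenticate to the ACS")
    for level in sorted(cfg["authorization"] - cfg["accounting"]):
        findings.append(f"level-{level} commands are authorized but not accounted on the ACS")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run against the sample it reports two findings: the vtymethod list is defined but unused, and vty 0 4 has nothing applied. Adding `login authentication vtymethod` under the vty block clears both. Feed it `show running-config` output from a real box to check the same points there.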

carl_townshend Thu, 03/26/2009 - 07:35

Hi there

Can anyone tell me which screens I need to go into on the ACS server to create the privilege levels for each user?

thanks
