AAA config simulation

Answered Question
Jun 18th, 2010

We have a Cisco 4948 and we would like to enter all of the AAA commands necessary to satisfy our security scans without entering our TACACS server yet. In other words, if the TACACS or Radius server is not defined in the command line on the switch, will having the AAA commands entered create any operational or login problems? Our TACACS will be defined down the road during deployment.


Thanks,


Charlie

Richard Burts Fri, 06/18/2010 - 14:04

Charlie


Depending on how you have your AAA configured, and especially depending on how well you have configured fallback methods to use when the TACACS server is not available, it is quite possible that there would be operational or login impacts if you put all of your AAA config in except for the configuration of the server. If you have configured the 4948 to authenticate via TACACS and it cannot do so, then it will look for whatever alternate/fallback method you have configured, and only if that works will you be able to log in. And if you have configured the 4948 to authorize via TACACS, it will attempt to authorize, and if TACACS does not respond it will depend on whatever alternate/fallback method you have configured.


And I am wondering: if there are scans that are smart enough to check for the presence of AAA commands, are they also smart enough to check for the valid configuration of a server?


HTH


Rick

gdwingnuts Fri, 06/18/2010 - 15:30

Funny you should ask about how smart the scans are. The scan looks for certain config settings, and the TACACS or Radius configuration is not one of them. In this case, we have to put the cart before the horse by satisfying all security settings even though it is in predeployment. Can you point me to a link where generic AAA settings are displayed? We have determined the scan does not care about AAA functionality, only that it sees AAA commands.


Thanks again,


Charlie

Correct Answer
Richard Burts Sun, 06/20/2010 - 14:00

Charlie


I was assuming that you needed to put in the real AAA commands that you would use. But it now sounds like it would work for you if you just put in some bogus AAA commands. For example you would usually use the default methods for authentication and authorization which might look like this:

aaa authentication login default group tacacs+ line

aaa authorization exec default group tacacs+ if-authenticated

But you could configure authentication and authorization for a named method like this

aaa authentication login temp_authen group tacacs+ line

aaa authorization exec temp_author group tacacs+ if-authenticated

With this the scan would see AAA authentication and authorization and be happy. And since the named methods are never applied anywhere it would have absolutely no operational impact on your routers and switches.


HTH


Rick
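As an added example, not part of the thread and not code from anyone in it: the Python script below runs the kind of check Charlie's scan makes (are AAA commands present?) beside the stricter check Rick asks about (is a server actually defined, and is there a fallback method after the server group?) over three constructed IOS config fragments. The first fragment is the never-applied named lists from the answer above; the second is the default lists with no server and no fallback; the third is a post-deployment config with a server and a local fallback. The 192.0.2.10 server address, the EXAMPLE* secrets and the line password are illustrative assumptions, and the parser covers only the classic `tacacs-server host` / `radius-server host` syntax and `login authentication` / `authorization exec` under `line` stanzas.

```python
# Added example (not code from the thread): a scan-style AAA check beside a
# stricter one, run over three constructed IOS config fragments.  The server
# address 192.0.2.10 and the EXAMPLE* secrets are illustrative assumptions.
import re

# Constructed: the thread's named lists, never applied, no server defined yet.
PREDEPLOY_CONFIG = """\
aaa new-model
aaa authentication login temp_authen group tacacs+ line
aaa authorization exec temp_author group tacacs+ if-authenticated
line vty 0 4
 password 7 0822455D0A16
 transport input ssh
"""

# Constructed: what Rick warned about, default lists with no server and no fallback.
RISKY_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
line vty 0 4
 transport input ssh
"""

# Constructed: after deployment, server defined and a fallback after the group.
DEPLOYED_CONFIG = """\
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLEKEY
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
username admin privilege 15 secret EXAMPLEPASS
line vty 0 4
 transport input ssh
"""

AUTHN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
AUTHZ_RE = re.compile(r"^aaa authorization exec (\S+) (.+)$")
SERVER_RE = re.compile(r"^(?:tacacs|radius)-server host (\S+)")
APPLY_RE = re.compile(r"^(?:login authentication|authorization exec) (\S+)$")


def parse_methods(rest):
    """'group tacacs+ line' -> ['group tacacs+', 'line']; 'group X' is one method."""
    toks, methods, i = rest.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            methods.append("group " + toks[i + 1])
            i += 2
        else:
            methods.append(toks[i])
            i += 1
    return methods


def parse_aaa(config):
    """Collect method lists, names applied under a 'line' stanza, and servers."""
    lists, applied, servers, new_model, in_line = {}, set(), [], False, False
    for raw in config.splitlines():
        if raw.startswith(" "):  # indented: inside the current stanza
            m = APPLY_RE.match(raw.strip())
            if in_line and m:
                applied.add(m.group(1))
            continue
        in_line = raw.startswith("line ")
        new_model = new_model or raw == "aaa new-model"
        for kind, rx in (("authentication", AUTHN_RE), ("authorization", AUTHZ_RE)):
            m = rx.match(raw)
            if m:
                lists[(kind, m.group(1))] = parse_methods(m.group(2))
        m = SERVER_RE.match(raw)
        if m:
            servers.append(m.group(1))
    return {"new_model": new_model, "lists": lists, "applied": applied, "servers": servers}


def scan_style_check(config):
    """The check the thread's scan makes: AAA commands present, nothing more."""
    info = parse_aaa(config)
    return info["new_model"] and any(k == "authentication" for k, _ in info["lists"])


def strict_findings(config):
    """For every list actually in effect (named 'default', or applied to a line):
    does the server it points at exist, and is there a fallback after the group?"""
    info, findings = parse_aaa(config), []
    for (kind, name), methods in info["lists"].items():
        if name != "default" and name not in info["applied"]:
            continue  # never applied: the scan is satisfied and nothing changes
        uses_server = any(m.startswith("group ") for m in methods)
        if uses_server and not info["servers"]:
            findings.append(f"{kind} list '{name}' names a server group but no server is defined")
        if uses_server and methods[-1].startswith("group "):
            findings.append(f"{kind} list '{name}' has no fallback method after the server group")
    return findings


if __name__ == "__main__":
    for label, cfg in (("predeploy", PREDEPLOY_CONFIG), ("risky", RISKY_CONFIG), ("deployed", DEPLOYED_CONFIG)):
        print(label, "scan:", scan_style_check(cfg), "strict:", strict_findings(cfg) or "clean")
```

All three fragments pass the scan-style check, which is the behaviour Charlie observed. The strict check is quiet on the first (the named lists are never applied, so they have no effect) and on the third, and reports four findings on the second: both default lists point at a server group with no server defined and have nothing after the group to fall back to, which is exactly the lockout risk described earlier in the thread.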

Richard Burts Mon, 06/21/2010 - 08:39

Charlie


I am glad that my suggestions were helpful. Thank you for marking the question as resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that they will also see suggestions which did resolve the question.


HTH


Rick
