AAA config simulation

gdwingnuts
Level 1

We have a Cisco 4948 and we would like to enter all of the AAA commands necessary to satisfy our security scans without entering our TACACS server yet. In other words, if the TACACS or Radius server is not defined in the command line on the switch, will having the AAA commands entered create any operational or login problems? Our TACACS will be defined down the road during deployment.

Thanks,

Charlie


5 Replies

Richard Burts
Hall of Fame

Charlie

Depending on how you have your AAA configured, and especially depending on how well you have configured fallback methods to use when the TACACS server is not available, it is quite possible that there would be operational or login impacts if you put all of your AAA config in except for the configuration of the server. If you have configured the 4948 to authenticate via TACACS and it cannot do so, then it will look for whatever alternate/fallback method you have configured, and only if that works will you be able to log in. And if you have configured the 4948 to authorize via TACACS, it will attempt to authorize, and if TACACS does not respond it will depend on whatever alternate/fallback method you have configured.

And I am wondering: if there are scans that are smart enough to check for the presence of AAA commands, are they also smart enough to check for valid configuration of a server?

HTH

Rick


Funny you should ask about how smart the scans are. The scan looks for certain config settings and the TACACS or Radius configuration is not one of them. In this case, we have to put the cart before the horse by satisfying all security settings even though it is in predeployment. Can you point me to a link where generic AAA settings are displayed? We have determined the scan does not care about aaa functionality only that it sees aaa commands.

Thanks again,

Charlie

Charlie

I was assuming that you needed to put in the real AAA commands that you would use. But it now sounds like it would work for you if you just put in some bogus AAA commands. For example you would usually use the default methods for authentication and authorization which might look like this:

aaa authentication login default group tacacs+ line

aaa authorization exec default group tacacs+ if-authenticated

But you could configure authentication and authorization for a named method like this:

aaa authentication login temp_authen group tacacs+ line

aaa authorization exec temp_author group tacacs+ if-authenticated

With this the scan would see AAA authentication and authorization and be happy. And since the named methods are never applied anywhere it would have absolutely no operational impact on your routers and switches.

HTH

Rick

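The two replies above make one point between them: a method list that is actually in use (the default list, or a named list bound to a line) and that points at a server group with no server configured will either fall through to its fallback method or, with no fallback, lock administrators out; a named list that is never bound to anything has no operational effect at all. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses an IOS-style running-config, works out which method lists are applied, whether each referenced server group has a host defined, and what would happen at login. The sample config is constructed for the example (including the 192.0.2.10 documentation address), the list names vty_auth and the classification strings are my own, and the check deliberately models only login authentication and exec authorization, tacacs+/radius host lines, and bindings under line blocks. It does not model whether a line password exists for the `line` fallback, and it says nothing about what any particular scanner actually checks.

```python
"""Audit AAA method lists in an IOS-style config for lockout and fallback risk.

Added example for the thread above (not Cisco's code). It classifies each
login/exec method list as one of:
  unused          - named list never bound to a line: no operational effect
  ok              - every referenced server group has at least one host defined
  fallback:<m>    - referenced server missing; login falls through to <m>
  lockout-risk    - referenced server missing and no fallback method at all
"""
from dataclasses import dataclass


@dataclass
class MethodList:
    kind: str          # "login" (authentication) or "exec" (authorization)
    name: str          # "default" or a named list such as temp_authen
    methods: list      # e.g. ["group tacacs+", "line"]
    applied: bool = False


# Constructed sample config (assumption, not from the thread): the switch has the
# AAA lines from the thread plus an extra named list bound to the vty lines, and,
# as in the pre-deployment scenario, no TACACS server defined yet.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login temp_authen group tacacs+ line
aaa authentication login vty_auth group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec temp_author group tacacs+ if-authenticated
line vty 0 4
 login authentication vty_auth
"""


def parse_config(text):
    """Return (method lists keyed by (kind, name), set of server types with a host)."""
    lists = {}
    servers = set()     # {"tacacs+", "radius"} once a host line is seen
    applied = set()     # (kind, name) pairs bound under a line block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if line.startswith(("aaa authentication login ", "aaa authorization exec ")):
            kind, name = t[2], t[3]
            methods, i = [], 4
            while i < len(t):
                if t[i] == "group" and i + 1 < len(t):     # "group tacacs+" is one method
                    methods.append("group " + t[i + 1])
                    i += 2
                else:
                    methods.append(t[i])                    # line, local, enable, none, ...
                    i += 1
            lists[(kind, name)] = MethodList(kind, name, methods)
        elif line.startswith(("tacacs-server host", "tacacs server ")):
            servers.add("tacacs+")
        elif line.startswith(("radius-server host", "radius server ")):
            servers.add("radius")
        elif line.startswith(" login authentication "):      # indented: inside a line block
            applied.add(("login", t[2]))
        elif line.startswith(" authorization exec "):
            applied.add(("exec", t[2]))
    for key, ml in lists.items():
        # The default list is implicitly applied to every line; named lists only where bound.
        ml.applied = ml.name == "default" or key in applied
    return lists, servers


def assess(ml, servers):
    """Classify one method list given which server types have a host configured."""
    if not ml.applied:
        return "unused"
    group_methods = [m for m in ml.methods if m.startswith("group ")]
    fallbacks = [m for m in ml.methods if not m.startswith("group ")]
    missing = [g for g in group_methods if g.split(" ", 1)[1] not in servers]
    if not missing:
        return "ok"
    if fallbacks:
        return "fallback:" + ",".join(fallbacks)
    return "lockout-risk"


def audit(text):
    """Map 'kind/name' to its classification for every method list in the config."""
    lists, servers = parse_config(text)
    return {f"{k}/{n}": assess(ml, servers) for (k, n), ml in lists.items()}


if __name__ == "__main__":
    for key, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{key:22s} {verdict}")
```

Run against the sample, the two named lists from the thread come back as unused, the default lists are flagged as relying on their `line` and `if-authenticated` fallbacks, and the bound vty_auth list (no fallback, no server) is the one that would lock the vty lines. Appending a `tacacs-server host` line turns every applied list to ok, which is the state the deployment is meant to reach.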

Thanks Rick!

Charlie

Charlie

I am glad that my suggestions were helpful. Thank you for marking the question as resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that they will also see suggestions which did resolve the question.

HTH

Rick
