06-18-2010 12:54 PM - edited 03-06-2019 11:39 AM
We have a Cisco 4948 and we would like to enter all of the AAA commands necessary to satisfy our security scans without entering our TACACS server yet. In other words, if the TACACS or Radius server is not defined in the command line on the switch, will having the AAA commands entered create any operational or login problems? Our TACACS will be defined down the road during deployment.
Thanks,
Charlie
06-20-2010 02:00 PM
Charlie
I was assuming that you needed to put in the real AAA commands that you would use. But it now sounds like it would work for you if you just put in some bogus AAA commands. For example you would usually use the default methods for authentication and authorization which might look like this:
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated
But you could configure authentication and authorization for a named method like this:
aaa authentication login temp_authen group tacacs+ line
aaa authorization exec temp_author group tacacs+ if-authenticated
With this the scan would see AAA authentication and authorization and be happy. And since the named methods are never applied anywhere it would have absolutely no operational impact on your routers and switches.
HTH
Rick
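As an added example (not from the thread or from Cisco), a small Python check along the lines of what Rick wondered whether the scanners do: it separates default method lists, which are in force everywhere, from named lists that no line applies, and flags live lists that reference tacacs+ while no TACACS server is configured. The two sample configs are constructed, and the regexes only cover the `aaa authentication login` / `aaa authorization exec` forms quoted in the thread.

```python
import re

# Constructed sample configs (not from the poster's switch): Rick's "named
# method list" approach, and the default-list approach he describes as usual.
NAMED_ONLY = """\
aaa new-model
aaa authentication login temp_authen group tacacs+ line
aaa authorization exec temp_author group tacacs+ if-authenticated
line vty 0 4
 login local
"""
DEFAULT_NO_SERVER = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated
line vty 0 4
 password PLACEHOLDER-LINE-PASSWORD
"""

LIST_RE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")
SERVER_RE = re.compile(r"^tacacs(?:-server host| server) \S+")
APPLY_RE = re.compile(r"^\s+(?:login authentication|authorization exec) (\S+)")

def audit_aaa(config):
    """Classify each AAA method list as live or dormant and flag live lists that
    name tacacs+ while no TACACS+ server is configured anywhere."""
    lists, applied, server_defined = {}, set(), False
    for line in config.splitlines():
        if m := LIST_RE.match(line):
            kind, name, methods = m.groups()
            lists[(kind, name)] = methods.split()
        elif SERVER_RE.match(line):
            server_defined = True
        elif m := APPLY_RE.match(line):          # applied under a line stanza
            applied.add(m.group(1))
    report = {"server_defined": server_defined, "live": [], "dormant": [], "risky": []}
    for (kind, name), methods in lists.items():
        label = f"aaa {kind} {name}"
        # A 'default' list is in force on every line without being applied;
        # a named list only matters once some line references it.
        if name == "default" or name in applied:
            report["live"].append(label)
            # Live and leaning on an unconfigured server group: login then
            # depends entirely on the fallback methods after 'group tacacs+'.
            if "tacacs+" in methods and not server_defined:
                report["risky"].append(label)
        else:
            report["dormant"].append(label)
    return report

if __name__ == "__main__":
    for title, cfg in (("named lists", NAMED_ONLY), ("default lists", DEFAULT_NO_SERVER)):
        print(title, audit_aaa(cfg))
```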
06-18-2010 02:04 PM
Charlie
Depending on how you have your AAA configured, and especially depending on how well you have configured fallback methods to use when the TACACS server is not available, it is quite possible that there would be operational or login impacts if you put all of your AAA config in except for the configuration of the server. If you have configured the 4948 to authenticate via TACACS and it cannot do so, then it will look for whatever alternate/fallback method you have configured, and only if that works will you be able to log in. And if you have configured the 4948 to authorize via TACACS, it will attempt to authorize, and if TACACS does not respond it will depend on whatever alternate/fallback method you have configured.
And I am wondering: if there are scans that are smart enough to check for the presence of AAA commands, are they also smart enough to check for a valid configuration of a server?
HTH
Rick
06-18-2010 03:30 PM
Funny you should ask about how smart the scans are. The scan looks for certain config settings and the TACACS or Radius configuration is not one of them. In this case, we have to put the cart before the horse by satisfying all security settings even though it is in predeployment. Can you point me to a link where generic AAA settings are displayed? We have determined the scan does not care about aaa functionality only that it sees aaa commands.
Thanks again,
Charlie
06-21-2010 08:20 AM
Thanks Rick!
Charlie
06-21-2010 08:39 AM
Charlie
I am glad that my suggestions were helpful. Thank you for marking the question as resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that they will also see suggestions which did resolve the question.
HTH
Rick