AAA Authentication on Router

Unanswered Question
Aug 26th, 2010

We have a Cisco 2901 ISR G2 router and I used Cisco Config Professional for security audit and enabled all the default security features. After this when I telnet into the router, it accepts only the local usernames and not from AAA server. In order to enable the AAA authentication on VTY interfaces do I need to enable any specific AAA commands or just remove the commands "authorization exec local_author" and "login authentication local_authen"?

aaa authentication login default group tacacs+ local
aaa authentication login fallback group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

tacacs-server host X.X.80.55

------------------------------------------------------------------------------

line vty 0 4
access-class 11 in
password 7 XXXXXXXXXXXXXXXXXX
authorization exec local_author
login authentication local_authen
transport input ssh
transport output ssh

Sven Hruza Thu, 08/26/2010 - 23:45

Hello,

Yes, I think you can remove the "login authentication local_authen" and then it should go over TACACS+.

If TACACS+ is not available the fallback is local user.

     aaa authentication login default group tacacs+ local

What the command "aaa authentication login fallback group tacacs+ enable" should do, I don't know.

But maybe you need some commands in the AAA part for the authorization.

At the moment you have only a way for authentication.

I think something like

     aaa authentication enable default group tacacs+ enable     -> for moving to enable mode

     aaa authorization exec default group tacacs+ local     -> for starting an exec shell

is needed for authorization.

And then you can remove the command "authorization exec local_author".

Sven
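A complete version of the configuration Sven describes, as an added example that is not part of the original thread: it keeps the TACACS+ host from the question, uses placeholder secrets, and relies on the default method lists so the named lists on the vty lines can be dropped.

```cisco
! Added example (not from the original thread). Assumes the TACACS+ host
! X.X.80.55 from the question; every secret below is a placeholder.
aaa new-model
!
! Login: TACACS+ first. The "local" method is consulted only when no
! TACACS+ server answers, not when the server rejects the credentials.
aaa authentication login default group tacacs+ local
! Enable mode: TACACS+ first, local enable secret when TACACS+ is unreachable.
aaa authentication enable default group tacacs+ enable
! EXEC authorization: without it the priv-lvl returned by TACACS+ is not
! applied; "local" falls back to the local username's privilege level.
aaa authorization exec default group tacacs+ local
! The console is exempt from EXEC authorization unless this is present.
aaa authorization console
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
!
tacacs-server host X.X.80.55
! placeholder shared key
tacacs-server key PLACEHOLDER_TACACS_KEY
!
! Local fallback account and enable secret (placeholders)
username admin privilege 15 secret PLACEHOLDER_ADMIN_SECRET
enable secret PLACEHOLDER_ENABLE_SECRET
!
line vty 0 4
 access-class 11 in
 ! No "login authentication" or "authorization exec" statement: the line
 ! uses the default method lists above. The line-level "password" is not
 ! consulted once AAA login authentication is in effect, so it is omitted.
 transport input ssh
 transport output ssh
```

Verify with "show aaa method-lists authentication" and "test aaa group tacacs+ <user> <password> legacy" before closing the console session you configured from.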
