AAA Authentication on Router

Aug 26th, 2010

We have a Cisco 2901 ISR G2 router and I used Cisco Config Professional for security audit and enabled all the default security features. After this when I telnet into the router, it accepts only the local usernames and not from AAA server. In order to enable the AAA authentication on VTY interfaces do I need to enable any specific AAA commands or just remove the commands "authorization exec local_author" and "login authentication local_authen"?


aaa authentication login default group tacacs+ local
aaa authentication login fallback group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common


tacacs-server host X.X.80.55

------------------------------------------------------------------------------

line vty 0 4
access-class 11 in
password 7 XXXXXXXXXXXXXXXXXX
authorization exec local_author
login authentication local_authen
transport input ssh
transport output ssh

Sven Hruza Thu, 08/26/2010 - 23:45

Hello,

Yes, I think you can remove the "login authentication local_authen" and then it should go over TACACS+.

If TACACS+ is not available the fallback is local user.

     aaa authentication login default group tacacs+ local

What the command "aaa authentication login fallback group tacacs+ enable" should do, I don't know.

But maybe you need some commands in the AAA part for the authorization.

At the moment you have only a way for authentication.

I think something like

     aaa authentication enable default group tacacs+ enable     -> for moving to enable mode

     aaa authorization exec default group tacacs+ local     -> for starting an exec shell

is needed for authorization.

And then you can remove the command "authorization exec local_author".

Sven
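A small config check for the situation in this thread, added here as an example (it is not code from the thread or from Cisco): it parses an IOS-style running config and reports, for each vty line, which login method list is in force and whether TACACS+ is consulted, so the line-level `login authentication local_authen` override is visible next to the `default` list. The sample config is constructed from the post; the definitions of the `local_authen` and `local_author` lists are assumed, since the post shows only the vty references to them.

```python
import re

# Constructed sample modelled on the post's config (server address masked);
# the local_authen/local_author definitions are assumed, not shown in the post.
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authentication login local_authen local
aaa authentication login fallback group tacacs+ enable
aaa authorization exec local_author local
tacacs-server host X.X.80.55
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input ssh
"""

def parse_method_lists(config):
    """Collect named AAA method lists: {'login': {name: methods}, 'exec': {name: methods}}."""
    lists = {"login": {}, "exec": {}}
    for raw in config.splitlines():
        m = re.match(r"aaa (authentication login|authorization exec) (\S+) (.+)$", raw.strip())
        if m:
            kind = "login" if m.group(1).startswith("authentication") else "exec"
            lists[kind][m.group(2)] = m.group(3).split()
    return lists

def parse_line_blocks(config):
    """Map each 'line ...' block to the list names it references ('default' when none)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = {"login": "default", "exec": "default"}
        elif current and raw.startswith(" "):
            m = re.match(r"(login authentication|authorization exec) (\S+)", raw.strip())
            if m:
                blocks[current]["login" if m.group(1).startswith("login") else "exec"] = m.group(2)
        else:
            current = None  # a non-indented line ends the current line block
    return blocks

def vty_login_report(config):
    """Per vty line: the login list in force, its methods, and whether TACACS+ is consulted."""
    lists, blocks = parse_method_lists(config), parse_line_blocks(config)
    report = {}
    for name, refs in blocks.items():
        if name.startswith("vty"):
            methods = lists["login"].get(refs["login"])  # None if the list is never defined
            report[name] = {"login_list": refs["login"], "methods": methods,
                            "uses_tacacs": bool(methods and "tacacs+" in methods)}
    return report
```

Running `vty_login_report` on the sample shows `vty 0 4` using `local_authen` (local only); with the override line removed, the same vty falls back to the `default` list and TACACS+ is consulted first.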
