
AAA Authentication on Router

avilt
Level 3

We have a Cisco 2901 ISR G2 router, and I used Cisco Configuration Professional for a security audit and enabled all the default security features. After this, when I telnet into the router, it accepts only the local usernames and not the ones from the AAA server. In order to enable AAA authentication on the VTY lines, do I need to enable any specific AAA commands, or just remove the commands "authorization exec local_author" and "login authentication local_authen"?

aaa authentication login default group tacacs+ local
aaa authentication login fallback group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

tacacs-server host X.X.80.55

------------------------------------------------------------------------------

line vty 0 4
access-class 11 in
password 7 XXXXXXXXXXXXXXXXXX
authorization exec local_author
login authentication local_authen
transport input ssh
transport output ssh

1 Reply

Sven Hruza
Level 4

Hello,

Yes, I think you can remove the "login authentication local_authen" line, and then it should go over TACACS+.

If TACACS+ is not available the fallback is local user.

     aaa authentication login default group tacacs+ local

What the command "aaa authentication login fallback group tacacs+ enable" is supposed to do, I don't know.

But maybe you need some commands in the AAA part for the authorization.

At the moment you have only a way for authentication.

I think something like

     aaa authentication enable default group tacacs+ enable     -> for moving to enable mode

     aaa authorization exec default group tacacs+ local     -> for starting an exec shell

is needed for authorization.

And then you can remove the command "authorization exec local_author".

Sven
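Putting the question and the reply together, the following is an added example (my own configuration, not text posted by either participant) of a VTY AAA setup in which the "default" method lists carry login, enable and exec authorization to TACACS+ with local fallback, and the CCP-generated line-level lists are removed so that the defaults actually apply. It assumes that the CCP lists local_authen and local_author are local-only (their definitions are not shown in the thread), and the TACACS+ key, the local username/password and the console list name CONSOLE are placeholders.

```cisco
! Added example, not configuration from the thread. Placeholders in <...>.
aaa new-model
!
! Method lists: IOS moves to the next method only on an ERROR (server
! unreachable or not answering), never on a FAIL (server answered "deny").
! So "local" is a fallback for an outage, not for a rejected TACACS+ user.
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
!
tacacs-server host X.X.80.55 key <shared-secret>
!
! Local account used only while TACACS+ is unreachable.
username admin privilege 15 secret <strong-password>
!
! Keep the console on local authentication so a TACACS+ outage or a
! mistake in the default list can never lock you out of the box.
line con 0
 login authentication CONSOLE
!
! VTY: remove the CCP line-level lists so the "default" lists take effect.
! With aaa new-model the line password is not used for login; drop it.
line vty 0 4
 no login authentication local_authen
 no authorization exec local_author
 no password
 access-class 11 in
 transport input ssh
 transport output ssh
!
! Verify from a second SSH session before closing the one you configured
! from, and check the server path directly:
!   test aaa group tacacs+ <user> <password> legacy
!   debug aaa authentication
!   debug aaa authorization
```

Keep the session you configured from open until a fresh SSH login succeeds against the TACACS+ server, since a wrong shared secret or an unreachable server is the usual reason a router "only accepts local users" after a change like this.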
