AAA Configuration!!

rajeev.payal
Level 1

hi,

I am new to the Cisco ACS server for Windows. I am testing it on a Cisco 1700 series router.

I have created two users in ACS having different shell command authorization sets, and I have created one local user in the router. I am successfully able to log in to the router with both ACS users through telnet and console.

But I am stuck with some requirements which I need to test.

Requirements:

1). When my ACS is running, I should use only my ACS users for logging in to the device, whether through telnet or console.

2). If my ACS is down, then I should be able to log in to the device through the local user created in it. This way the device will not be locked out due to the absence of AAA.

I have almost achieved my first requirement, but I am stuck on my second requirement. Require your help please.

Router configuration enclosed!!


7 Replies

Jagdeep Gambhir
Level 10

Raj,

Here are the commands that you need,

aaa authentication login default group tacacs local

aaa authentication enable default group tacacs enable

aaa authorization console

aaa authorization config-commands

aaa authorization exec default group tacacs if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

Regards,

~JG

Do rate helpful posts

Dear JG,

Thanks for your help!!

1 more favor.. Can you describe the meaning of the commands you have given above (only a brief description..). I will be thankful to you!!

Hi Raj,

Here you go,

aaa authentication login default group tacacs local

It will let you in using the password configured in ACS, and if ACS is down, it will let you in using the local user/password configured on the router.

aaa authentication enable default group tacacs enable

Once you are in user mode and try to enter enable mode --> it will let you in using the enable password configured in ACS, and if ACS is down it will let you in using the enable password set up on the router.

aaa authorization console

This command enables authorization on the console port. By default that is disabled, and it is recommended to use it only once you are sure about the commands. Else you will be locked out.

aaa authorization config-commands

Enables command authorization for global config mode.

aaa authorization exec default group tacacs if-authenticated

This enables authorization for telnet (exec) sessions.

aaa authorization commands 1 default group tacacs+ if-authenticated

Enables command authorization for level 1 commands.

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

The accounting commands are self-explanatory.

=======================

Using 'none' versus 'if-authenticated' as the backup method for authorization:

If you use 'if-authenticated', any authentication method (line, local, etc.) will allow for successful authorization. However, if the TACACS+ server goes down during a session, all author will fail until a new authen occurs (log out and log back in). This allows for an extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down. They must have access to the backup authen method. If you use 'none', author will always be successful if the AAA server is down, even if it goes down in the middle of the session. This adds convenience at the expense of security.

Regards,

~JG

Do rate helpful posts
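An added model of the fallback JG describes for `aaa authentication login default group tacacs local` (illustration code written for this page, not Cisco's and not from the thread): a method list moves on to the next method only when the server is unreachable, never when the server rejects the credentials, which is what keeps requirement 1 (only ACS users while ACS is up) intact. The usernames and passwords are constructed.

```python
# Model of IOS-style AAA method-list evaluation (added illustration, not Cisco code).
# Assumption: each method answers PASS or FAIL (a definite verdict) or ERROR
# (server unreachable); only ERROR lets evaluation fall through to the next method.
from dataclasses import dataclass

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class TacacsGroup:
    """Constructed stand-in for the ACS server group ("group tacacs")."""
    users: dict
    reachable: bool = True

    def login(self, user, pwd):
        if not self.reachable:
            return ERROR  # ACS down: router tries the next method in the list
        return PASS if self.users.get(user) == pwd else FAIL  # a reject is final


@dataclass
class LocalDb:
    """Constructed stand-in for the router's local user database ("local")."""
    users: dict

    def login(self, user, pwd):
        return PASS if self.users.get(user) == pwd else FAIL


def authenticate(method_list, user, pwd):
    """Walk the list left to right; the first definite PASS/FAIL ends evaluation."""
    for method in method_list:
        result = method.login(user, pwd)
        if result != ERROR:
            return result
    return FAIL  # every method errored: access is denied, not granted


def scenarios():
    """Both of the original poster's requirements, run against the model."""
    acs = TacacsGroup({"acsadmin": "Acs-Pw1"})      # user defined only in ACS
    local = LocalDb({"fallback": "Local-Pw1"})      # user defined only on the router
    method_list = [acs, local]                      # "group tacacs local"
    out = {}
    out["acs_up_acs_user"] = authenticate(method_list, "acsadmin", "Acs-Pw1")
    out["acs_up_local_user"] = authenticate(method_list, "fallback", "Local-Pw1")
    acs.reachable = False                           # ACS goes down
    out["acs_down_local_user"] = authenticate(method_list, "fallback", "Local-Pw1")
    out["acs_down_acs_user"] = authenticate(method_list, "acsadmin", "Acs-Pw1")
    return out
```

With ACS up, the local user is rejected by ACS and the router does not fall through to the local database; with ACS down, only the local user gets in.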

Bingo JG... thanks for your help!!!

Will seek your help in the future probs!!

I have configured the accounting commands but the Cisco ACS doesn't show any reports on command accounting. It is authorizing very well but the command accounting reports are not coming. Can anyone help?

Hi Raj,

Command accounting is listed under the TACACS+ Administration report and not in TACACS+ Accounting.

If the issue is still there then check the ACS software. ACS 4.1.1 has issues with command accounting; you need to upgrade it to patch 5.

Regards,

~JG

Do rate helpful posts

Yes.. I have upgraded it with the patch & it's working now...

Thanks JG!!! :)
