AAA Configuration!!

Hi,

I am new to Cisco ACS server for Windows. I am testing it on a Cisco 1700 series router.

I have created two users in ACS having different shell command authorization sets, and I have created one local user in the router. I am successfully able to log in to the router with both ACS users through telnet and console.

But I am stuck with some requirements which I need to test.

Requirements:

1). When my ACS is running, I should use only my ACS users for logging in to the device, whether through telnet or console.

2). If my ACS is down, then I should be able to log in to the device through the local user created in it. This way the device will not be locked down due to the absence of AAA.

I have almost achieved my first requirement. But I am stuck on my second requirement. Require your help please.

Router configuration enclosed!!


7 REPLIES

Re: AAA Configuration!!

Raj,

Here are the commands that you need,

aaa authentication login default group tacacs local

aaa authentication enable default group tacacs enable

aaa authorization console

aaa authorization config-commands

aaa authorization exec default group tacacs if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

Regards,

~JG

Do rate helpful posts

New Member

Re: AAA Configuration!!

Dear JG,

Thanks for your help!!

One more favor.. Can you describe the meaning of the commands you have given above (only a brief description)? I will be thankful to you!!

Re: AAA Configuration!!

Hi Raj,

Here you go,

aaa authentication login default group tacacs local

It will let you in using password configured in acs and if acs is down, it will let you in using local user/pwd configured in router.

aaa authentication enable default group tacacs enable

Once you are in user mode and try to login to enable mode--> It will let you in using enable password configured in acs and if acs is down it will let you in using enable pass set up on router

aaa authorization console

This command enables authorization on the console port. By default that is disabled, and it is recommended to use it once you are sure about the commands. Else you will be locked out.

aaa authorization config-commands

Enables command authorization for global config mode.

aaa authorization exec default group tacacs if-authenticated

This enables authorization for telnet (exec) sessions.

aaa authorization commands 1 default group tacacs+ if-authenticated

Enables command authorization for level 1 commands.

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

Accounting commands are self explanatory.

=======================

Using 'none' versus 'if-authenticated' as backup method for authorization-

If you use 'if-authenticated' any authentication method (line, local, etc.) will allow for successful authorization. However, if the TACACS+ server goes down during a session, all author will fail until a new authen occurs (log out and log back in). This allows for an extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down. They must have access to the backup authen method. If you use 'none', author will always be successful if the AAA server is down. Even if it goes down in the middle of the session. Adds convenience at the expense of security.

Regards,

~JG

Do rate helpful posts
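The command list in the first reply and the explanation above describe a configuration whose whole point is the fallback order: TACACS+ (ACS) first, local accounts only when ACS is unreachable, and an authorization fallback of 'if-authenticated' rather than 'none'. The following is an added example, not code from the thread or from Cisco: a small linter that reads the AAA lines of an IOS running-config and checks them against those two requirements and the 'none' caveat. The sample configs are constructed (the privilege-15 'none' line is deliberately inserted so the check has something to flag, and the username line uses a placeholder secret); the parsing assumes the IOS command syntax exactly as it appears in the posts.

```python
"""Lint the AAA section of a Cisco IOS config for the fallback requirements
discussed in the thread: ACS (TACACS+) first, local fallback when ACS is down,
and no 'none' authorization fallback. Added example; sample configs constructed."""

# Constructed sample: JG's command set plus one deliberately weak line
# ('commands 15 ... none') and a placeholder local account.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username admin privilege 15 secret 0 PLACEHOLDER-CHANGE-ME
"""

# Constructed sample reproducing the original problem: no local fallback,
# so an ACS outage locks the router.
NO_FALLBACK_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
"""

LOGIN = ("authentication", "login", "default")
ENABLE = ("authentication", "enable", "default")


def _methods(tokens):
    """Turn 'group tacacs+ local' into ['group tacacs+', 'local']."""
    methods, it = [], iter(tokens)
    for tok in it:
        if tok == "group":
            methods.append("group " + next(it, ""))
        else:
            methods.append(tok)
    return methods


def parse_aaa(config):
    """Return (method lists keyed by (kind, type, name), flag set, local usernames)."""
    lists, flags, local_users = {}, set(), set()
    for raw in config.splitlines():
        t = raw.strip().split()
        if not t:
            continue
        if t[0] == "username" and len(t) > 1:
            local_users.add(t[1])
            continue
        if t[:2] == ["aaa", "new-model"]:
            flags.add("new-model")
            continue
        if t[0] != "aaa" or len(t) < 3:
            continue
        kind, mtype = t[1], t[2]
        if kind == "authorization" and len(t) == 3:   # 'console', 'config-commands'
            flags.add(mtype)
            continue
        idx = 3
        if mtype == "commands" and len(t) > 3:        # 'commands <level>'
            mtype, idx = "commands " + t[3], 4
        if len(t) <= idx:
            continue
        name, rest = t[idx], t[idx + 1:]
        if kind == "accounting":
            rest = rest[1:]                           # drop start-stop / stop-only
        lists[(kind, mtype, name)] = _methods(rest)
    return lists, flags, local_users


def lint_aaa(config):
    """Return a list of findings; an empty list means the fallback design holds."""
    lists, flags, local_users = parse_aaa(config)
    findings = []
    if "new-model" not in flags:
        findings.append("missing 'aaa new-model': the aaa lines are not in effect")
    login = lists.get(LOGIN, [])
    tacacs = [i for i, m in enumerate(login) if m.startswith("group tacacs")]
    if not tacacs:
        findings.append("login default: TACACS+ (ACS) is not a method, so ACS users cannot log in")
    if "local" not in login:
        findings.append("login default: no 'local' fallback; an ACS outage locks the router")
    else:
        if tacacs and login.index("local") < tacacs[0]:
            findings.append("login default: 'local' precedes TACACS+, so the local account works while ACS is up")
        if not local_users:
            findings.append("login default: 'local' fallback set but no 'username' exists")
    enable = lists.get(ENABLE, [])
    if enable and "enable" not in enable:
        findings.append("enable default: no 'enable' fallback; enable mode unreachable when ACS is down")
    for (kind, mtype, name), methods in lists.items():
        if kind == "authorization" and "none" in methods:
            findings.append(f"authorization {mtype} {name}: 'none' fallback succeeds whenever ACS is "
                            "unreachable, even mid-session; use 'if-authenticated'")
    if ("accounting", "commands 15", "default") not in lists:
        findings.append("no command accounting at privilege 15; privileged commands are not recorded on ACS")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("no-fallback", NO_FALLBACK_CONFIG)):
        print(label, lint_aaa(cfg) or "OK")
```

Run it against the output of `show running-config | include aaa|username` before enabling `aaa authorization console`: the lockout the explanation warns about is exactly the case where the login list has no working local fallback, and the linter reports it before the console is affected.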

New Member

Re: AAA Configuration!!

Bingo JG... thanks for your help!!!

Will seek your help in future problems!!

New Member

Re: AAA Configuration!!

I have configured the accounting commands but Cisco ACS doesn't show any reports on command accounting. It is authorizing very well but the command accounting reports are not coming. Can anyone help?

Re: AAA Configuration!!

Hi Raj,

Command accounting is listed under the TACACS+ Administration report and not in TACACS+ Accounting.

If the issue is still there then check the ACS software. ACS 4.1.1 has issues with command accounting; you need to upgrade it to patch 5.

Regards,

~JG

Do rate helpful posts

New Member

Re: AAA Configuration!!

Yes.. I have upgraded it with the patch and it's working now...

Thanks JG!!! :)
