1) Some documentation/blogs mention the use of "login authentication default" under line con 0 and line vty 0 15. My config is working when I ssh or console to the box, but I don't have these commands under the mentioned interfaces. What is the deal with this? Is this normal?
From another blog: "These commands will not appear in the running configuration if the default method list is specified."
2) How do the two groups mentioned below work? How do they relate to the ACS configuration? This is an inherited config and I don't understand the correlation/dynamics.
aaa group server tacacs+ ACS1
 server 172.16.30.41
 server 172.16.30.42
!
aaa group server tacacs+ ACS2
 server 172.16.30.41
 server 172.16.30.42
!
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ local none
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
For #1 - Some commands are hidden if they are the default commands. You can view those by issuing "show run all".
For #2 - The server groups define your TACACS+/ACS servers. Then the "AAA" commands define how users would be authenticated and authorized when accessing the device. In your configuration the default authentication method will use your ACS servers; if the servers are for some reason unavailable, then the local "enable" secret will be used. For authorization, the device will first use your TACACS+ servers; if for some reason the TACACS+ servers are not available, then the local database will be used, and if for some reason the local database is not available, then no other methods will be tried and the user will be automatically authorized on the device.
The syntax, though, is a bit messy and confusing. For instance, you have two different TACACS groups, but they are both calling the same IPs. Perhaps this could be cleaned up a bit. For instance,
tacacs server ACS1
 address ipv4 172.16.30.41
 key your_secret_key
!
tacacs server ACS2
 address ipv4 172.16.30.42
 key your_secret_key
!
aaa group server tacacs+ ACS
 server name ACS1
 server name ACS2
!
aaa authentication login default group ACS enable
aaa authorization exec default group ACS local none
aaa authorization commands 14 default group ACS local none
aaa authorization commands 15 default group ACS local none
etc....
aaa accounting commands 14 default start-stop group ACS
aaa accounting commands 15 default start-stop group ACS
etc...
I highly recommend that you do this on a test switch and not on your production environment.
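As an added illustration (not code from this thread or from Cisco), the following Python reads an IOS-style AAA block like the one in the question, rebuilds each method list in the order the device evaluates it, and flags the two points raised in the answer: server groups with identical members, and method lists that end in none and therefore fail open when the earlier methods return an error. The sample config is constructed from the question, and the parser only understands the command forms shown there.

```python
import re

# Constructed sample, reflowed from the question's AAA block (one command per line).
SAMPLE_CONFIG = """\
aaa group server tacacs+ ACS1
 server 172.16.30.41
 server 172.16.30.42
!
aaa group server tacacs+ ACS2
 server 172.16.30.41
 server 172.16.30.42
!
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
"""

def parse_aaa(text):
    """Return (server_groups, method_lists); a method list is an ordered list of methods."""
    groups, lists, current = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"aaa group server \S+ (\S+)", line)
        if m:
            groups[(current := m.group(1))] = []
            continue
        m = re.match(r"\s+server (\S+)$", line)
        if m and current:
            groups[current].append(m.group(1))
            continue
        current = None  # any other line leaves the server-group sub-mode
        m = re.match(r"aaa (authentication|authorization) (\S+(?: \d+)?) (\S+) (.+)", line)
        if m:
            # Keep 'group <name>' as one token: ['group tacacs+', 'local', 'none']
            lists[m.group(1, 2, 3)] = re.findall(r"group \S+|\S+", m.group(4))
    return groups, lists

def audit_aaa(text):
    """Flag server groups with identical members and method lists ending in 'none'."""
    groups, lists = parse_aaa(text)
    findings, seen = [], {}
    for name, members in groups.items():
        first = seen.setdefault(tuple(sorted(members)), name)
        if first != name:
            findings.append(f"group {name} lists the same servers as {first}; merge them")
    for (kind, service, name), methods in lists.items():
        if methods[-1] == "none":
            earlier = ", ".join(methods[:-1])
            findings.append(f"{kind} {service} {name}: 'none' applies when {earlier} "
                            "return ERROR, so the request is fail-open")
    return findings
```

Running audit_aaa(SAMPLE_CONFIG) reports the redundant ACS2 group and both authorization lists; note that IOS moves to the next method only on ERROR (server unreachable), not on an explicit FAIL, which is why the none fallback matters mainly during a TACACS+ outage.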
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...