Configuring AAA authentication

joytaylor
Level 1

We have an ACS 3.1 server for AAA authentication for all routers and switches. I want each person to log on to the router using his own id, password and enable password. If the ACS server is unavailable, I want to have a different id, password and enable password for console and telnet access. What's the proper way to do this? I also want to track all commands entered on the router.

This is what I have:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs enable
aaa authentication enable default group tacacs+ line
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
username admin password 7 xxxxxxxxxxxxxxxx
!
!
line con 0
 login authentication no_tacacs
line aux 0
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxxxxxxxxx
!

6 Replies

sghosh
Level 1

Hi,

Your config looks good for what you want to do. The only issue you have is that you cannot have different enable passwords for different users when they are using the local database. When you are using the local database, you will use only one enable password.

Thanks

Sujit

mhoda
Level 5

Hi,

This is how it's working now as per the config:

- Your console port is authenticated using the enable password.

- For your telnet sessions: you are authenticated via the TACACS+ server; if it's unavailable, then it falls back to the local database. But your enable authentication falls back to the line password.

Now, if you want to authenticate/authorize and get accounting records using the TACACS server, and then, if it's unavailable, fall back to the local database for login and to the enable password for enable authentication, this is what you might want to do:

aaa new-model
aaa authentication login default group tacacs+ local
no aaa authentication login no_tacacs enable <-- Remove this
no aaa authentication enable default group tacacs+ line <-- Remove this
aaa authentication enable default group tacacs+ enable <-- Add this
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local <-- Add this to cover level 0 commands
aaa authorization commands 1 default group tacacs+ local <-- Add this to cover level 1 commands
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+ <-- For level 0 accounting
aaa accounting commands 1 default start-stop group tacacs+ <-- For level 1 accounting
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization console --> This is required if you want to authorize the console port.

Also, please don't forget to remove the following line from the console port:

line con 0
 no login authentication no_tacacs

NOTE: Please don't forget to create at least one admin account with privilege level 15 before you apply the above commands:

username admin privilege 15 password cisco

I hope this helps! Thanks,

Mynul
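To make the fallback behaviour discussed in the question and in the reply above checkable rather than something to eyeball, here is an added example (not code from this thread or from Cisco) in Python: a small linter that parses an IOS running-config and reports the specific problems the reply points out, then runs it over two constructed configs, the original one and the corrected one. The method-list parser only understands the method keywords that appear in this thread (group tacacs+, local, enable, line, none), the placeholder secret in the corrected config is constructed and not a real credential, and the finding texts are this example's own wording.

```python
# Checks a running-config for the AAA fallback problems discussed in the thread.

# Constructed sample: the original poster's configuration, as shown above.
ORIGINAL_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs enable
aaa authentication enable default group tacacs+ line
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username admin password 7 xxxxxxxxxxxxxxxx
line con 0
 login authentication no_tacacs
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxxxxxxxxx
"""

# Constructed sample: the same device after the changes suggested in the reply
# (the username line carries a placeholder, not a real secret).
FIXED_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username admin privilege 15 secret REPLACE_WITH_STRONG_SECRET
line con 0
line vty 0 4
"""

def method_list(tokens):
    """'group tacacs+ local' -> ['tacacs+', 'local']; enable/line/local/none stay as-is."""
    return [tok for tok in tokens if tok != "group"]

def parse_aaa(config):
    """Pull out the AAA facts the checks need; 'no ...' lines and comments are skipped."""
    m = {"login": {}, "enable": None, "authz_cmd": set(), "acct_cmd": set(),
         "authz_console": False, "priv15_users": [], "line_login": {}}
    current_line = None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] in ("!", "no"):
            continue
        if t[:3] == ["aaa", "authentication", "login"]:
            m["login"][t[3]] = method_list(t[4:])
        elif t[:4] == ["aaa", "authentication", "enable", "default"]:
            m["enable"] = method_list(t[4:])
        elif t[:3] == ["aaa", "authorization", "commands"]:
            m["authz_cmd"].add(int(t[3]))
        elif t[:3] == ["aaa", "accounting", "commands"]:
            m["acct_cmd"].add(int(t[3]))
        elif t[:3] == ["aaa", "authorization", "console"]:
            m["authz_console"] = True
        elif t[0] == "username" and "privilege" in t and t[t.index("privilege") + 1] == "15":
            m["priv15_users"].append(t[1])
        elif t[0] == "line":
            current_line = " ".join(t[1:])        # e.g. "con 0" or "vty 0 4"
        elif t[:2] == ["login", "authentication"] and current_line:
            m["line_login"][current_line] = t[2]  # this line uses a named list
    return m

def lint_aaa(config):
    """Return human-readable findings; an empty list means the config is clean."""
    m = parse_aaa(config)
    out = []
    for line_name, list_name in m["line_login"].items():
        meths = m["login"].get(list_name, [])
        if "tacacs+" not in meths:   # console bound to a list that never asks the ACS
            out.append(f"{line_name}: login list '{list_name}' ({' '.join(meths)}) "
                       "never consults TACACS+, so logins there are not per-user")
    if m["enable"] and "line" in m["enable"]:   # 'line' fallback means the vty/console password
        out.append("enable authentication falls back to the line password; "
                   "use 'enable' so the fallback is the enable password")
    for lvl in (0, 1, 15):
        if lvl not in m["authz_cmd"]:
            out.append(f"no command authorization for privilege level {lvl}")
        if lvl not in m["acct_cmd"]:
            out.append(f"no command accounting for privilege level {lvl}: "
                       "commands entered at that level are not tracked")
    if not m["authz_console"]:
        out.append("'aaa authorization console' missing: console exec sessions are not authorized")
    if not m["priv15_users"]:
        out.append("no local privilege-15 user: with TACACS+ unreachable, nobody gets full access")
    return out

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        findings = lint_aaa(cfg)
        print(f"== {name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run as a script it reports eight findings for the original config (console bypassing TACACS+, enable falling back to the line password, missing level 0 and 1 authorization and accounting, no console authorization, no local privilege-15 user) and none for the corrected one. The lint deliberately treats a missing local privilege-15 user as a finding: without it, the "group tacacs+ local" fallback gives nobody full access once the ACS is unreachable, which is the lock-out the reply's NOTE warns about.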

Hi Mynul,

Thank you for the config. Now, if I use this config, then for the console port I need to authenticate with the TACACS server; if the server fails, am I using the admin account that I created with priv level 15?

Does this also hold true for telnet access?

Thanks..Joy

Yes, that's right, Joy. Thanks, Mynul

Thank you for your help.

kirankumar
Level 1

Hi,

I want to know one more thing:

can we give all rights equal to Administrator,

meaning a copy of all log details to one more user?

Regards

Kiran Kumar