Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
613
Views
0
Helpful
1
Replies

Getting around limitation in AAA AUTHENTICATION ENABLE DEFAULT

djmwalker
Level 1
Level 1

‎05-14-2008 07:49 AM - edited ‎03-10-2019 03:50 PM

I'm having a little trouble configuring AAA to allow the two levels of authentication (User and Privilege) between two seperate groups (default and XAUTH). What I'd like to accomplish is this:

default (or defined group, doesn't matter):

- use line password for authentication to User level

- use enable secret for authentication to Privilege level

- password set @ console (line con 0)

XAUTH:

- use TACACS + then LOCAL user for authentication to User level

- user TACACS + then LOCAL user for authentication to Privilege level

- XAUTH authentication set to lines vty 0 15

Here's where I'm starting:

----------

aaa new-model

aaa authentication login default line

aaa authentication login XAUTH group tacacs+ local

line con 0

password 7 [hashed_psswd]

line vty 0 4

login authentication XAUTH

line vty 5 15

login authentication XAUTH

----------

The simplest approach would be if AAA allowed for different policies toward ENABLE during authentication, but it doesn't. I've considered using AUTHORIZATION to permit the XAUTH users to pass directly in Privilege level, but as it's TACACS it's looking to the ACS server, which I do not have administrative rights to. Tried this, but failed to bring the user in Privilege mode and required the ENABLE SECRET when using TACACS, although it did work when XAUTH was set to use LOCAL-CASE for authentication:

----------

aaa new-model

aaa authentication login default line

aaa authentication login XAUTH group tacacs+ local-case

aaa authorization exec XAUTH group tacacs+ local

aaa authorization commands 0 XAUTH group tacacs+ local

aaa authorization commands 1 XAUTH group tacacs+ local

aaa authorization commands 15 XAUTH group tacacs+ local

line con 0

password 7 [hashed_psswd]

line vty 0 4

authorization commands 0 XAUTH

authorization commands 1 XAUTH

authorization commands 15 XAUTH

authorization exec XAUTH

login authentication XAUTH

line vty 5 15

authorization commands 0 XAUTH

authorization commands 1 XAUTH

authorization commands 15 XAUTH

authorization exec XAUTH

login authentication XAUTH

----------

The end goal is to allow the console port to be free of the TACACS server for authentication all the way to Privilege mode without pushing the user access @ console mode directly into it (hence, why I'm not going with the AAA AUTHORIZATION CONSOLE & AUTHORIZATION EXEC solution).

Anyone come up with a clever way around this? Appreciate the input.

Dan

Labels:
0 Helpful
1 Reply 1

smahbub
Level 6
Level 6

‎05-20-2008 05:52 AM

Authentication verifies users before they are allowed access to the network and network services. Authentication, for the most part, is implemented through the AAA security services.Whenever possible, its good to have AAA be used to implement authentication.

Refer the following url for moe info about Configuring Login Authentication Using AAA:

http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schathen.html#wp1001032

0 Helpful
Customers Also Viewed These Support Documents