05-14-2008 07:49 AM - edited 03-10-2019 03:50 PM
I'm having a little trouble configuring AAA to allow the two levels of authentication (User and Privilege) between two separate groups (default and XAUTH). What I'd like to accomplish is this:
default (or defined group, doesn't matter):
- use line password for authentication to User level
- use enable secret for authentication to Privilege level
- password set @ console (line con 0)
XAUTH:
- use TACACS+ then LOCAL user for authentication to User level
- use TACACS+ then LOCAL user for authentication to Privilege level
- XAUTH authentication set to lines vty 0 15
Here's where I'm starting:
----------
aaa new-model
aaa authentication login default line
aaa authentication login XAUTH group tacacs+ local
line con 0
password 7 [hashed_psswd]
line vty 0 4
login authentication XAUTH
line vty 5 15
login authentication XAUTH
----------
The simplest approach would be if AAA allowed for different policies toward ENABLE during authentication, but it doesn't. I've considered using AUTHORIZATION to permit the XAUTH users to pass directly in Privilege level, but as it's TACACS it's looking to the ACS server, which I do not have administrative rights to. Tried this, but failed to bring the user in Privilege mode and required the ENABLE SECRET when using TACACS, although it did work when XAUTH was set to use LOCAL-CASE for authentication:
----------
aaa new-model
aaa authentication login default line
aaa authentication login XAUTH group tacacs+ local-case
aaa authorization exec XAUTH group tacacs+ local
aaa authorization commands 0 XAUTH group tacacs+ local
aaa authorization commands 1 XAUTH group tacacs+ local
aaa authorization commands 15 XAUTH group tacacs+ local
line con 0
password 7 [hashed_psswd]
line vty 0 4
authorization commands 0 XAUTH
authorization commands 1 XAUTH
authorization commands 15 XAUTH
authorization exec XAUTH
login authentication XAUTH
line vty 5 15
authorization commands 0 XAUTH
authorization commands 1 XAUTH
authorization commands 15 XAUTH
authorization exec XAUTH
login authentication XAUTH
----------
The end goal is to allow the console port to be free of the TACACS server for authentication all the way to Privilege mode without pushing the user access @ console mode directly into it (hence, why I'm not going with the AAA AUTHORIZATION CONSOLE & AUTHORIZATION EXEC solution).
Anyone come up with a clever way around this? Appreciate the input.
Dan
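The arrangement described above, written out as one added configuration example; it is not part of the original post and not taken from Cisco documentation. The console stays on the line password plus the enable secret, while the vty lines use the XAUTH login list with exec authorization. The server address, key, user names and all secrets are assumed placeholders, and `tacacs-server host` is the 12.4-era syntax.

```cisco
! Added example, not from the original post. All addresses, keys and secrets are placeholders.
aaa new-model
!
! TACACS+ server reachable from the vty sessions (assumed address and key).
tacacs-server host 192.0.2.10 key TACACS_KEY_PLACEHOLDER
!
! Console: the "default" login list uses the line password; privilege mode is
! reached with the enable secret. No enable method list is defined, so "enable"
! never consults the TACACS+ server anywhere on the box (the enable list exists
! only as "default" and is global, which is the limitation the post describes).
aaa authentication login default line
!
! vty: TACACS+ first, local user database when the server does not answer.
aaa authentication login XAUTH group tacacs+ local
!
! Exec authorization for vty sessions only. The console is not subject to exec
! authorization because "aaa authorization console" is deliberately absent.
aaa authorization exec XAUTH group tacacs+ local
!
! Only the enable secret is a true hash (type 5); type 7 line passwords are
! reversibly encoded, so the console password protects the port, not the device.
enable secret ENABLE_SECRET_PLACEHOLDER
!
! Local fallback account. "privilege 15" is what lets the local exec
! authorization method place this user straight into privileged EXEC.
username fallbackadmin privilege 15 secret LOCAL_SECRET_PLACEHOLDER
!
line con 0
 password CONSOLE_PASSWORD_PLACEHOLDER
!
line vty 0 15
 login authentication XAUTH
 authorization exec XAUTH
```

With this in place a TACACS+ user on a vty lands at whatever privilege level the server's shell profile returns, which is configured on the ACS side and is the part the post could not change; a local fallback user gets level 15 from the `privilege 15` keyword. The console path never touches the TACACS+ server because no server group appears in an enable list and exec authorization is not applied to the console.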
05-20-2008 05:52 AM
Authentication verifies users before they are allowed access to the network and network services. Authentication, for the most part, is implemented through the AAA security services. Whenever possible, it's good to have AAA be used to implement authentication.
Refer to the following URL for more info about Configuring Login Authentication Using AAA:
http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schathen.html#wp1001032