Cisco Support Community
Community Member

Getting starting with AAA

Hi, I just installed ACS 4.1 for Windows. I've added a user account and a router, my router can communicate with the ACS server, and I can authenticate to the router, but my authentication will not take me into enable (or privilege) mode. It takes me right to the user mode. From the server I tried granting priv 15 to my user group and also to me as a user, but it still doesn't work. I have the basic configuration on the router:

aaa new-model

aaa authentication login susd group tacacs+ local

tacacs-server host 10.x.x.x

tacacs-server directed-request

tacacs-server key xxxx

Can someone help a rookie out?

10 REPLIES

Re: Getting starting with AAA

Try this:

ROUTER#config t

Enter configuration commands, one per line. End with CNTL/Z.

ROUTER(config)#line vty 0 4

ROUTER(config-line)#privilege level 15

ROUTER(config-line)#end

ROUTER#

HTH

Community Member

Re: Getting starting with AAA

Hi HTH,

Thanks that worked!

Community Member

Re: Getting starting with AAA

You can also achieve this using TACACS authorization. Enter the following command in global configuration mode:

aaa authorization exec default group tacacs+ local

This will enable the router to put you into your assigned privileged mode as configured on the ACS.

Community Member

Re: Getting starting with AAA

I think this is actually the way I wanna go, so I can take advantage of aaa logging.

If I use this authorization command should I remove the privilege login from my VTY lines?

Community Member

Re: Getting starting with AAA

Yes, you don't need the privilege level set on the VTY lines when using the authorization method.

John

Community Member

Re: Getting starting with AAA

Thanks John,

That gave me exactly what I was looking for. I also had to place the authorization command on the line.

Community Member

Re: Getting starting with AAA

Ah, I guess you're using a named authorization method rather than the default one, which is why it needs applying to the VTY lines. The default method would apply to all lines where not already configured.

Community Member

Re: Getting starting with AAA

John,

Do you think that the default method is the better way to go? I guess it would since I don't have to configure the lines.

Re: Getting starting with AAA

Default is a good option to use if you are not using any method list.

The default keyword covers all interfaces except serial.

Regards,

~JG
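
The named-versus-default point made in the replies above can be checked mechanically. This is an added example, not code from any poster or from Cisco: a Python check over a running-config that flags `line vty` blocks whose exec authorization list is not defined or that still carry a static `privilege level`. The config text and the list name VTY-AUTHZ are constructed for illustration.

```python
import re

# Constructed running-config (not from the thread). VTY-AUTHZ is a hypothetical
# list name; "susd" and the aaa commands are the ones quoted in the posts.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login susd group tacacs+ local
aaa authorization exec VTY-AUTHZ group tacacs+ local
line vty 0 4
 authorization exec VTY-AUTHZ
 login authentication susd
line vty 5 15
 privilege level 15
 login authentication susd
"""

def audit_vty_exec_authorization(config):
    """Map each 'line vty' block to a list of findings (empty list = clean)."""
    # Exec authorization method lists defined globally ("default" or a name).
    defined = set(re.findall(r"^aaa authorization exec (\S+)", config, re.M))
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip() if raw.startswith("line vty") else None
            if current:
                blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        elif raw.strip():
            current = None  # any other top-level command ends the line block
    report = {}
    for name, cmds in blocks.items():
        findings = []
        # A line with no "authorization exec <list>" falls back to "default".
        applied = next((c.split()[2] for c in cmds
                        if c.startswith("authorization exec ")), "default")
        if applied not in defined:
            findings.append(f"exec authorization list '{applied}' is not defined")
        static = next((c for c in cmds if c.startswith("privilege level ")), None)
        if static:
            findings.append(f"static '{static}' set on the line")
        report[name] = findings
    return report

if __name__ == "__main__":
    for line, findings in audit_vty_exec_authorization(SAMPLE_CONFIG).items():
        print(line, "->", findings or "ok")
```

A vty block that shows both findings starts every session that authenticates on it at the static level, whatever privilege ACS assigns to the user or group.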

Community Member

Re: Getting starting with AAA

Thanks John, you've been a big help.
