Cisco Support Community

New Member

Which AAA config is better ?

I have two configs,

which config from a flexibility and security standpoint would be better?

Authenticating with ACS to AD

aaa authentication attempts login 2
aaa authentication login default group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
aaa accounting system default start-stop group tacacs+
!

or

aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Which AAA config is better ?

The first config is without doubt the most secure as it includes authorization.

With authorization you can configure the ACS to send privilege levels for example, or to perform command authorization, and the user can have a different set of commands allowed depending on the group it belongs to on the AD for example.

HTH,

Tiago

--

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
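Added example, not part of the thread and not Cisco code: a Python script that parses the two configs exactly as posted and reports which services have authorization and accounting method lists, and which authorization lists end in a method that proceeds when no TACACS+ server answers. It reads only `default` method lists; `parse_aaa`, `audit` and the result field names are hypothetical.

```python
import re

# Both configurations exactly as posted in the question.
CONFIG_1 = """\
aaa authentication attempts login 2
aaa authentication login default group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
aaa accounting system default start-stop group tacacs+
"""
CONFIG_2 = """\
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
"""
LINE = re.compile(r"aaa (authentication|authorization|accounting) (.+?) default (.+)")

def parse_aaa(config):
    """Map each AAA function to {service: [methods]} for its default method lists."""
    out = {"authentication": {}, "authorization": {}, "accounting": {}}
    for line in config.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:  # skips "attempts login 2", "config-commands" and "!" lines
            # Drop the "group" keyword and the accounting record type, keep method names.
            out[m.group(1)][m.group(2)] = [w for w in m.group(3).split()
                                           if w not in ("group", "start-stop")]
    return out

def audit(config):
    """Summarise authorization and accounting coverage (hypothetical helper)."""
    aaa = parse_aaa(config)
    authz, acct = aaa["authorization"], aaa["accounting"]
    return {
        "authorized": sorted(authz),
        # The last method decides what happens when no TACACS+ server answers:
        # "none" and "if-authenticated" let the request through without a server decision.
        "proceeds_without_server": sorted(s for s, m in authz.items()
                                          if m[-1] in ("none", "if-authenticated")),
        "accounted": sorted(acct),
        "commands_not_logged": sorted(s for s in authz if s.startswith("commands") and s not in acct),
    }

if __name__ == "__main__":
    for name, cfg in (("config 1", CONFIG_1), ("config 2", CONFIG_2)):
        print(name, audit(cfg))
```

The report shows config 1 authorizing exec sessions and level-15 commands while accounting only for system events, and config 2 accounting for exec sessions and level-15 commands while authorizing nothing.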

3 REPLIES
Cisco Employee

Re: Which AAA config is better ?

You can say that aaa authorization (1st config snippet) is more "secure" because commands will be authorized depending on the user that is executing them.

As for flexibility, as long as authorization is configured properly I think there is no difference. There might be more intervention when you are adding a new user in ACS, but even that can be avoided if you use user groups.

I hope it helps a little.

PK

New Member

Re: Which AAA config is better ?

thanks
