Cisco Support Community
New Member

Tacacs config in AAA

Hi Everyone,

I need to know which line in the aaa config is using TACACS to log in to the router.

Here is the aaa config:

aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization network default group tacacs+ none
aaa accounting exec default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
!
aaa accounting network default
 action-type start-stop
 group tacacs+
!
aaa accounting connection default
 action-type start-stop
 group tacacs+
!
aaa accounting system default
 action-type start-stop
 group tacacs+
!
!
!
aaa session-id common
clock timezone MNT -7
line vty 0 4
 exec-timeout 15 0
 transport input telnet ssh

Currently, when I telnet to the router it uses TACACS. I need to know which line in the aaa config uses the TACACS config?

Thanks

Mahesh

Accepted Solutions
VIP Purple

Re: Tacacs config in AAA

You have several aaa commands that change the default behaviour of the router:

aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization network default group tacacs+ none

With these commands, your lines use this new aaa config without an explicit reconfiguration of the line.

If you want to change to local authentication, you can do so by using the same commands without the "group tacacs" or, even better, start by removing all aaa commands and only configure what you really need.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: Tacacs config in AAA

Hi Mahesh,

This line tells you how to log in to your device:

aaa authentication login default group tacacs+ enable

The 'default' keyword applies to all lines, i.e. console, VTY and aux, and the 'enable' keyword specifies using the enable password as a fallback method.
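
As an added illustration (not code from this thread or from Cisco), the Python sketch below resolves which login method list each line uses: a line with no `login authentication` command falls under `default`, which is why the VTY lines in the question use TACACS+ without any per-line setting. The named list CONSOLE-LOCAL and its console binding are hypothetical additions to the poster's config, included only for contrast.

```python
import re

# Constructed sample: AAA lines from the question plus a hypothetical named
# list (CONSOLE-LOCAL) bound to the console, for contrast with 'default'.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login CONSOLE-LOCAL local
!
line con 0
 login authentication CONSOLE-LOCAL
line vty 0 4
 exec-timeout 15 0
 transport input telnet ssh
"""

def parse_methods(text):
    """Split 'group tacacs+ enable' into ['group tacacs+', 'enable']."""
    tokens, methods, i = text.split(), [], 0
    while i < len(tokens):
        step = 2 if tokens[i] == "group" and i + 1 < len(tokens) else 1
        methods.append(" ".join(tokens[i:i + step]))
        i += step
    return methods

def login_method_lists(config):
    """Map each 'aaa authentication login' list name to its ordered methods."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)", line.strip())
        if m:
            lists[m.group(1)] = parse_methods(m.group(2))
    return lists

def resolve_line_logins(config):
    """Return {line: (list_name, methods)}; an empty method list means the
    named list is not defined anywhere in this config."""
    lists, chosen, current = login_method_lists(config), {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            chosen[current] = "default"   # no per-line command -> default list
        elif current and raw.startswith(" "):
            m = re.match(r"login authentication (\S+)", raw.strip())
            if m:
                chosen[current] = m.group(1)
        else:
            current = None                # '!' or a global command ends the block
    return {ln: (name, lists.get(name, [])) for ln, name in chosen.items()}

if __name__ == "__main__":
    for line, (name, methods) in resolve_line_logins(SAMPLE_CONFIG).items():
        print(f"{line}: list={name} methods={methods}")
```
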

4 REPLIES
New Member

Tacacs config in AAA

Hi,

Please explain to me how I can grant only several commands in configuration mode with TACACS+.

I found an example of a tac_plus.conf file where I can grant "configuration terminal", but it is hard to find how to grant only the "access-list" command but not "ip route".

New Member

Tacacs config in AAA

Hi,

Many thanks for the reply.

Mahesh
