TACACS for VTY & Console

raza555
Level 3

Hi,

I am trying to create a TACACS config that will make sure that when you log onto the console or VTY you get a TACACS challenge, and if the TACACS server is down it falls back to the local user/password and the local enable password.

Please advise whether I have followed the Cisco best practices; that will help many others to follow.

Thanks and kind Regards,

username cisco secret cisco123
enable secret cisco456

aaa authentication login network-access group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated none
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ local if-authenticated

(What is the difference between this and the command just below, and which command should I use?)

or

aaa authorization commands 15 default group tacacs+ none

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

line vty 0 15
 login authentication network-access
line console 0
 login authentication network-access


raza555
Level 3

Any help will be very much appreciated

Sent from Cisco Technical Support iPhone App

The syntax of what you have posted looks OK. There is no configuration for a TACACS server, and without that the config will not work.

I wonder about the choice to create a named method for user authentication rather than just using the default. (I am usually of the opinion that simpler is better but what you have configured should work)

The difference in the commands for authorization of level 15 is that your first option (which I believe is the preferred approach) offers a backup option if the TACACS server is not available and continues to offer some level of protection. Your second alternative says that if TACACS is not available then do not be concerned about authorization at all.

HTH

Rick

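As an added illustration of the fallback difference Rick describes between the two level-15 lists, here is a constructed Python model of how an IOS method list is walked; it is not IOS code and not from this thread. The usernames, the TACACS+ policy and the rule that `local` decides by the user's locally configured privilege level are assumptions made for the example.

```python
# Constructed model of how Cisco IOS walks an AAA method list (not IOS code).
# Rule modelled: the next method is tried only when the previous one returns
# ERROR (server unreachable); PASS or FAIL from a reachable server is final.
# Assumption: "local" decides by the user's locally configured privilege level.
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

@dataclass
class Device:
    tacacs_up: bool = True
    tacacs_policy: dict = field(default_factory=dict)  # user -> max level server permits
    local_users: dict = field(default_factory=dict)    # user -> local privilege level

    def method(self, name, user, level):
        if name == "group tacacs+":
            if not self.tacacs_up:
                return ERROR
            return PASS if self.tacacs_policy.get(user, 0) >= level else FAIL
        if name == "local":
            if user not in self.local_users:
                return ERROR  # unknown user: assumed to fall through, as at login
            return PASS if self.local_users[user] >= level else FAIL
        if name == "if-authenticated":
            return PASS  # anyone issuing commands has already authenticated
        if name == "none":
            return PASS  # no authorization check performed at all
        raise ValueError(name)

def authorize(dev, method_list, user, level):
    """Walk the list; return (outcome, deciding method). All-ERROR means denial."""
    for m in method_list:
        result = dev.method(m, user, level)
        if result != ERROR:
            return result, m
    return FAIL, None

OPTION_A = ["group tacacs+", "local", "if-authenticated"]  # first list in the thread
OPTION_B = ["group tacacs+", "none"]                       # second list in the thread

def compare(server_up, user, level=15):
    """Evaluate both level-15 lists for one user with the server up or down."""
    dev = Device(tacacs_up=server_up,
                 tacacs_policy={"admin": 15, "readonly": 1},  # constructed policy
                 local_users={"cisco": 15, "readonly": 1})    # constructed local db
    return {"A": authorize(dev, OPTION_A, user, level),
            "B": authorize(dev, OPTION_B, user, level)}
```

Calling `compare(False, "readonly")` shows the point: with the server down, option A denies because the local database only gives that user level 1, while option B passes via `none`. With the server up, a TACACS+ deny is final in both lists; it never falls back to the local database.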

Hi,

As per your suggestion, I have tried to make it simpler, as below; please advise whether it is better than the above.

Q1: Also, if in Cisco ACS I have configured user-1 with read-only access and user-2 with full level 15 access, will this ACS configuration work for both types of users with my IOS configuration below?

Q2: Do you prefer to use the authorization and accounting commands at all levels, or is just commands 15 OK?

aaa authorization commands 0
aaa authorization commands 1
aaa authorization commands 15

aaa accounting commands 0
aaa accounting commands 1
aaa accounting commands 15

New configuration as per suggestions:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

username cisco secret cisco123
enable secret cisco456

aaa new-model
aaa authentication login network-access group tacacs+ local enable
aaa authentication enable default group tacacs+ enable

(Comment: do you prefer network-access instead of default here?)

aaa authorization exec default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

line con 0
 login authentication network-access
 exit
line vty 0 15
 login authentication network-access
 exit

tacacs-server host IP_Address key SNMP_String

Thanks for the advice, it's very much appreciated.

Q1) Your configuration should work for both types of users.

Q2) Authorization and accounting at all levels will increase the amount of network traffic and increase the storage requirements on the server. You need to decide, on the basis of your organization and your requirements, whether the extra traffic and increased storage are justifiable.

HTH

Rick


kaaftab
Level 4

Your configuration looks OK, but for reference kindly check the following link:

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scftplus.html