Cisco Support Community
AAA Authentication on Router

We have a Cisco 2901 ISR G2 router, and I used Cisco Configuration Professional for a security audit and enabled all the default security features. After this, when I telnet into the router, it accepts only the local usernames and not those from the AAA server. In order to enable AAA authentication on the VTY interfaces, do I need to enable any specific AAA commands, or just remove the commands "authorization exec local_author" and "login authentication local_authen"?

aaa authentication login default group tacacs+ local
aaa authentication login fallback group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

tacacs-server host X.X.80.55

------------------------------------------------------------------------------

line vty 0 4
access-class 11 in
password 7 XXXXXXXXXXXXXXXXXX
authorization exec local_author
login authentication local_authen
transport input ssh
transport output ssh

1 REPLY

Re: AAA Authentication on Router

Hello,

Yes, I think you can remove "login authentication local_authen", and then it should go over TACACS+.

If TACACS+ is not available the fallback is local user.

     aaa authentication login default group tacacs+ local

What the command "aaa authentication login fallback group tacacs+ enable" is supposed to do, I don't know.

But maybe you need some commands in the AAA part for the authorization.

At the moment you only have a method list for authentication.

I think something like

     aaa authentication enable default group tacacs+ enable     -> for moving to enable mode

     aaa authorization exec default group tacacs+ local     -> for starting an exec shell

is needed for authorization.

And then you can remove the command "authorization exec local_author".

Sven

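The reason the poster's VTY lines ignore the TACACS+ server is the one both posts circle around: in IOS, `aaa authentication login <name> ...` defines a named method list, and a `login authentication <name>` under `line vty` makes that list, not `default`, the one that applies. The `fallback` list in the question is just another named list and does nothing until some line applies it. The script below is an added example (not code from Cisco or from either poster) that parses an IOS config and reports which login and exec-authorization lists each VTY range actually resolves to, so you can audit a device before and after the change Sven suggests. It assumes `local_authen` and `local_author` were defined as local-only lists, which is what Cisco Configuration Professional's audit typically generates; the post applies those lists but never shows their definitions, so both sample configs are constructed here.

```python
"""Resolve which AAA method lists actually apply to each VTY line of a Cisco
IOS configuration.  Added example for this thread; not Cisco's code and not the
posters' code.  The definitions of local_authen / local_author are assumed."""

from __future__ import annotations

import re
from dataclasses import dataclass, field

LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
EXEC_RE = re.compile(r"^aaa authorization exec (\S+) (.+)$")
VTY_RE = re.compile(r"^line vty (\d+) (\d+)$")

# Constructed sample: the poster's config plus the assumed list definitions.
POSTED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login local_authen local
aaa authentication login fallback group tacacs+ enable
aaa authorization exec local_author local
aaa accounting exec default start-stop group tacacs+
tacacs-server host X.X.80.55
!
line vty 0 4
 access-class 11 in
 authorization exec local_author
 login authentication local_authen
 transport input ssh
"""

# Constructed sample: line-level lists removed, default exec authorization and
# enable authentication added, as the reply suggests.
FIXED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs-server host X.X.80.55
!
line vty 0 4
 access-class 11 in
 transport input ssh
"""


@dataclass
class VtyAaa:
    lines: str                       # e.g. "vty 0 4"
    login_list: str                  # applied list name; "default" if none applied
    login_methods: list[str] | None  # None: the applied list is never defined
    exec_list: str
    exec_methods: list[str] | None
    warnings: list[str] = field(default_factory=list)

    @property
    def login_reaches_aaa_server(self) -> bool:
        """True if the effective login list contains a server-group method."""
        return any(m.startswith("group ") for m in self.login_methods or [])


def parse_methods(spec: str) -> list[str]:
    """'group tacacs+ local' -> ['group tacacs+', 'local']; IOS tries them in order."""
    toks, out, i = spec.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append(f"group {toks[i + 1]}")
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def effective_vty_aaa(config: str) -> list[VtyAaa]:
    login_lists: dict[str, list[str]] = {}
    exec_lists: dict[str, list[str]] = {}
    new_model, vtys, current = False, [], None
    for raw in config.splitlines():
        s = raw.strip()
        # A "line" section ends at "!", "end" or the next non-VTY line section.
        if s in ("!", "end") or (s.startswith("line ") and not VTY_RE.match(s)):
            current = None
        if s == "aaa new-model":
            new_model = True
        elif (m := LOGIN_RE.match(s)):
            login_lists[m.group(1)] = parse_methods(m.group(2))
        elif (m := EXEC_RE.match(s)):
            exec_lists[m.group(1)] = parse_methods(m.group(2))
        elif (m := VTY_RE.match(s)):
            current = {"lines": f"vty {m.group(1)} {m.group(2)}",
                       "login": "default", "exec": "default"}
            vtys.append(current)
        elif current is not None and s.startswith("login authentication "):
            current["login"] = s.split()[2]      # line-level list overrides default
        elif current is not None and s.startswith("authorization exec "):
            current["exec"] = s.split()[2]

    results = []
    for v in vtys:
        r = VtyAaa(v["lines"], v["login"], login_lists.get(v["login"]),
                   v["exec"], exec_lists.get(v["exec"]))
        if not new_model:
            r.warnings.append("aaa new-model is absent: AAA method lists are not in effect")
        if r.login_methods is None:
            r.warnings.append(f"login list '{r.login_list}' is applied but never defined")
        elif not r.login_reaches_aaa_server:
            r.warnings.append(f"login list '{r.login_list}' never consults a server group: "
                              f"{r.login_methods}")
        if r.exec_methods is None:
            r.warnings.append("no exec authorization list applies" if r.exec_list == "default"
                              else f"exec list '{r.exec_list}' is applied but never defined")
        results.append(r)
    return results


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        for r in effective_vty_aaa(cfg):
            print(f"[{label}] {r.lines}: login={r.login_list}{r.login_methods} "
                  f"exec={r.exec_list}{r.exec_methods} warnings={r.warnings}")
```

On the posted config the VTY range resolves to `local_authen` = `['local']`, which is exactly the symptom described: the default list with `group tacacs+` is defined but never reached. On the fixed config it resolves to `default` = `['group tacacs+', 'local']`, so TACACS+ is tried first and the local database only when the server is unreachable. Keep that `local` method (and a local user) in place before testing, or a TACACS+ outage locks you out of the router.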