11-07-2006 03:31 PM
Hi,
Could you post some example of how to configure a switch to have the logins authenticated by an ACS or, in case of problems, by a local user?
Jorge
11-07-2006 04:24 PM
11-08-2006 04:27 PM
I've been using this:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.168.12.200 key ********
Works fine for me, and it gives you the accounting, which logs all your device config changes. I'm running ACS v4.0.
11-20-2006 02:41 AM
But is there a way to configure the level of access on the Cisco ACS server? How is it then passed to the switch? For example, a user with access level 15, another one with 10 and another one with just 5?
Second question: here you are mentioning that all commands 15 will be sent to the ACS server. Can we send them from all the levels, or do we need to mention them one by one?
Thanks a lot,
Jorge
11-13-2006 09:01 AM
Here's what AAA/ACS config looks like:
aaa new-model
aaa authentication login default group tacacs+ enable none
aaa authentication enable default group tacacs+ enable none
aaa authorization exec default if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host x.x.x.x key mykey
tacacs-server host x.x.x.x key mykey
This one requires you to enter an enable password to reach level 15 and doesn't use any local accounts as a backup, since I don't have any.
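Pulling the two configs above together with Jorge's questions, here is an added example (not from any of the posts above) of an IOS configuration that authenticates against ACS with local fallback and applies command authorization and accounting at more than one privilege level; the server address, key, username and passwords are placeholders. The per-user level itself is set on the ACS side in the user's or group's TACACS+ Shell (exec) settings and is returned to the switch as the priv-lvl attribute, which only takes effect if exec authorization consults the server.

```cisco
! Added example, not from the original posts. Server address, key,
! username and passwords are placeholders.
aaa new-model
!
! Login: ask ACS first; fall back to the local user database only when
! no TACACS+ server answers (an explicit reject from ACS is final).
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Exec authorization must include "group tacacs+" so the privilege level
! ACS returns (priv-lvl 15, 10 or 5 per user/group) is applied to the
! session; "local" uses the local username's privilege when ACS is down.
aaa authorization exec default group tacacs+ local
!
! Command authorization and command accounting are per privilege level:
! "commands 15" only covers level-15 commands, so add one line for each
! level that should be checked or logged.
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 5 default group tacacs+ if-authenticated
aaa authorization commands 10 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 10 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Local fallback credentials, used only when no TACACS+ server answers.
! The enable secret is needed because enable authentication falls back
! to it; privilege 15 gives the fallback admin full access.
username localadmin privilege 15 secret CHANGE-ME-local-password
enable secret CHANGE-ME-enable-password
!
tacacs-server host 192.0.2.10 key CHANGE-ME-shared-key
!
! Keep the console usable with local credentials regardless of the
! server, via a separate named method list.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
```

Verify with "show aaa method-lists all" and a test login from a user with a non-15 level: "show privilege" should report the level ACS returned rather than 1.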
11-21-2006 04:01 PM
I'm trying the same thing. Getting a lot of help from the Security/AAA forum.