Cisco Support Community
Community Member

Enabling Cisco Switches authentication against ACS

Hi,

Could you post an example of how to configure a switch so that logins are authenticated by an ACS or, in case of problems, by a local user?

Jorge

6 REPLIES
Blue

Re: Enabling Cisco Switches authentication against ACS

Community Member

Re: Enabling Cisco Switches authentication against ACS

I've been using this:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ local

aaa authorization network default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

tacacs-server host 192.168.12.200 key ********

Works fine for me and it gives you the accounting which logs all your device config changes. I'm running ACS v4.0

Community Member

Re: Enabling Cisco Switches authentication against ACS

But is there a way to configure the level of access on the Cisco ACS server? How is it then passed to the switch? For example, a user with access level 15, another one with 10, and another one with just 5?

Second question: here you mention that all commands 15 will be sent to the ACS server. Can we send it from all the levels, or do we need to mention them one by one?

Thanks a lot,

Jorge

Community Member

Re: Enabling Cisco Switches authentication against ACS

Here's what AAA/ACS config looks like:

aaa new-model

aaa authentication login default group tacacs+ enable none

aaa authentication enable default group tacacs+ enable none

aaa authorization exec default if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated none

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

tacacs-server host x.x.x.x key mykey

tacacs-server host x.x.x.x key mykey

This one requires you to enter an enable password to reach level 15 and doesn't use any local accounts as a backup since I don't have any.
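
As an added example (not part of any post in this thread), the Python sketch below audits the AAA lines from the two configurations posted above for method lists that end in `none`, for a `local` login fallback, and for which privilege levels have command accounting. The function name and report fields are assumptions made for this illustration.

```python
import re

# Constructed input: the AAA lines from the two configs posted in this thread
# (tacacs-server host lines left out, since they carry keys).
CONFIG_A = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""
CONFIG_B = """\
aaa new-model
aaa authentication login default group tacacs+ enable none
aaa authentication enable default group tacacs+ enable none
aaa authorization exec default if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

# aaa <kind> <service> [level] <list-name> <methods...>
AAA_LINE = re.compile(
    r"^aaa (authentication|authorization|accounting) (\S+)(?: (\d+))? (\S+) (.+)$")

def audit(config):
    """Summarise fallback behaviour and command-accounting coverage."""
    report = {"falls_open": [], "login_local_fallback": False,
              "command_accounting_levels": []}
    for raw in config.splitlines():
        m = AAA_LINE.match(raw.strip())
        if not m:
            continue
        kind, service, level, _list_name, methods = m.groups()
        methods = methods.split()
        label = " ".join(x for x in (kind, service, level) if x)
        # A trailing "none" lets the request succeed once every earlier method
        # has returned an error (for example, the TACACS+ server is unreachable).
        if kind != "accounting" and methods[-1] == "none":
            report["falls_open"].append(label)
        if (kind, service) == ("authentication", "login") and "local" in methods:
            report["login_local_fallback"] = True
        # Command accounting is configured per privilege level.
        if (kind, service) == ("accounting", "commands") and level:
            report["command_accounting_levels"].append(int(level))
    report["command_accounting_levels"].sort()
    return report

if __name__ == "__main__":
    for name, cfg in (("A", CONFIG_A), ("B", CONFIG_B)):
        print(name, audit(cfg))
```

Both configurations account only for level 15 commands, and the second one reports three method lists that end in `none`.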
