07-24-2006 02:01 AM - edited 03-03-2019 04:11 AM
Can anyone tell me the benefits of using this in my switches and routers, rather than using normal vty and enable logins etc.?
cheers
07-24-2006 02:19 AM
Imagine u have 20 devices and u use the same password for all devices. One day u need to change the password for all devices; if u don't use AAA u will make it manually 20 times :-(
If u use AAA u just change it one time in the AAA server :-)
07-24-2006 02:27 AM
Hi,
To quote from the AAA overview at:
AAA provides the following benefits:
-Increased flexibility and control of access configuration
-Scalability
-Standardized authentication methods, such as RADIUS, TACACS+, and Kerberos
-Multiple backup systems
If you only have a couple of switches and routers and you are the only admin then there probably isn't much point - but if you have a lot of devices, a lot of users and whole bunch of different access requirements then being able to control all access from one single point is a huge time-saver.
HTH
Andrew.
07-24-2006 02:31 AM
Hi carl!
You have lots of reasons to use it!
The most important one is that AAA supports TACACS+, RADIUS, and Kerberos.
Also AAA provides scalability. AAA configurations rely on a server to store usernames and passwords, so you don't have to create local databases and update them on every router: one point of administration. By centralizing the username/password database, AAA makes it possible to enter, update, and store information in one place.
You can find more information about AAA by hitting following link...
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfaaa.htm
Regards..
07-24-2006 03:11 AM
Hi
U have a large setup. There are different levels of engineers who should have different levels of access to the router. They should even have different user-names and passwords. Here AAA comes into the picture.
There is no downside of AAA.
Pls rate helpful posts.
Regards
JD
07-24-2006 04:06 AM
Thanks all for your replies, how would I create a server, and would I have to point to this server on each device?
cheers
07-24-2006 04:44 AM
Hi
Could u pls provide us a link that contains a scenario about the ACS Administration & Configuration?
I have this version: Cisco.Secure.ACS.v3.2.
10xs
07-24-2006 06:46 PM
Hi Carl,
You can use any Unix machine and configure it as a Tacacs+ server. This method needs you to configure the strings required.
Another easy solution is the Cisco ACS server.
This server comes with a preloaded ACS application which is capable of running both Tacacs+ & Radius. It's GUI based and very easy to use.
For the answer to your second question...yes, you have to configure the following commands on every device u want to authenticate using tacacs+.
aaa new-model
tacacs-server host x.x.x.x key xxxx
aaa authentication login default group tacacs+ local
! Local credentials, if the device cannot connect to the TACACS server
username adminXX privilege 15 password xxxxx
line con 0
 login authentication default
line vty 0 4
 login authentication default
HTH
Narayan
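An added example, not part of the original thread and not Cisco tooling: a small Python check that reads an IOS-style config as text and verifies the pieces of the setup in the post above (AAA enabled, a TACACS+ server defined, a local fallback with a local user behind it, and every line pointing at a defined method list). The sample config, its address and key, and the list name `MGMT` are constructed for illustration.

```python
import re

# Constructed sample with two defects: no local fallback, undefined list MGMT.
SAMPLE = """\
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLE-KEY
aaa authentication login default group tacacs+
line con 0
 login authentication default
line vty 0 4
 login authentication MGMT
"""

def audit(config):
    """Return findings for the AAA login setup in an IOS-style config text."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is missing")
    if not any(l.startswith("tacacs-server host ") for l in lines):
        findings.append("no tacacs-server host defined")
    has_user = any(l.startswith("username ") for l in lines)
    # Map each login method list name to its ordered methods.
    lists = {}
    for l in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", l)
        if m:
            lists[m.group(1)] = m.group(2).split()
    for name, methods in lists.items():
        if "local" not in methods:
            findings.append(f"list '{name}': no local fallback if the server is unreachable")
        elif not has_user:
            findings.append(f"list '{name}': falls back to local but no username is configured")
    # With aaa new-model, a line without an explicit list uses 'default'.
    current, used = None, {}
    for l in lines:
        if l.startswith("line "):
            current = l
            used[current] = "default"
        elif current and (m := re.match(r"login authentication (\S+)", l)):
            used[current] = m.group(1)
    for line, name in used.items():
        if name not in lists:
            findings.append(f"{line}: method list '{name}' is not defined")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running the same function over the saved configs of every device shows which ones would lock administrators out when the TACACS+ server is down.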