Cisco Support Community

AAA Configuration

Here I would like to share an AAA configuration that covers almost everything:

TACACS+ authentication, PPP authentication and console authentication, with local authentication as the fallback so that you can still access the network devices if TACACS+ fails.

Before applying the lines below, create a RADIUS server group (named default-group here) for the PPP authentication and network authorization entries that reference it; every other entry uses the tacacs+ server group.

! Prerequisites (not in the original post): AAA must be enabled, and the
! TACACS+ server and the RADIUS server group "default-group" must exist.
! Replace the <...> placeholders with your own values.
aaa new-model
tacacs-server host <TACACS-SERVER-IP> key <SHARED-SECRET>
aaa group server radius default-group
 server <RADIUS-SERVER-IP>
!
! Authentication: ask TACACS+ first; the local database (or the enable
! password) is used only when the server group cannot be reached.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default group default-group local
!
! Authorization: console sessions and configuration commands are checked
! too, and every privilege level 1-15 is authorized by TACACS+, then local.
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 2 default group tacacs+ local
aaa authorization commands 3 default group tacacs+ local
aaa authorization commands 4 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 6 default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 8 default group tacacs+ local
aaa authorization commands 9 default group tacacs+ local
aaa authorization commands 10 default group tacacs+ local
aaa authorization commands 11 default group tacacs+ local
aaa authorization commands 12 default group tacacs+ local
aaa authorization commands 13 default group tacacs+ local
aaa authorization commands 14 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Network authorization tries the local database first, then the RADIUS
! group defined above (the group name must match the definition).
aaa authorization network default local group default-group
!
! Accounting: start-stop records to TACACS+ for every exec session and for
! every command at each privilege level, plus network, connection and
! system events.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 2 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 4 default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 6 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 8 default start-stop group tacacs+
aaa accounting commands 9 default start-stop group tacacs+
aaa accounting commands 10 default start-stop group tacacs+
aaa accounting commands 11 default start-stop group tacacs+
aaa accounting commands 12 default start-stop group tacacs+
aaa accounting commands 13 default start-stop group tacacs+
aaa accounting commands 14 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
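As an added example (not code from the original post), the following Python script audits an IOS-style AAA configuration for the properties the post relies on: a local fallback after the TACACS+ group so an unreachable server does not lock administrators out, a recognised keyword in every method list (a typo such as "enabl" is caught), no "none" method on authentication or authorization, and accounting for every privilege level that has command authorization. The two sample configurations are constructed, and the set of known method keywords is a subset and an assumption.

```python
"""Audit IOS-style AAA method lists for the properties the post depends on."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Subset of keywords that may legally end an IOS AAA method list (assumption).
KNOWN_METHODS = {"local", "local-case", "enable", "line", "none", "if-authenticated"}
FALLBACK_METHODS = {"local", "local-case", "enable", "line"}
ACCOUNTING_RECORD_TYPES = {"start-stop", "stop-only", "wait-start", "none"}

AAA_RE = re.compile(
    r"^aaa (authentication|authorization|accounting) (\S+)(?: (\d+))? (\S+)(.*)$"
)


@dataclass
class AaaLine:
    kind: str              # authentication, authorization or accounting
    subtype: str           # login, enable, ppp, exec, commands, network, ...
    level: Optional[int]   # privilege level for "commands <N>" lines
    listname: str          # method-list name ("default" throughout the post)
    methods: List[str]     # method tokens; "group tacacs+" becomes "group:tacacs+"


def parse_aaa(config: str) -> List[AaaLine]:
    """Parse the aaa lines that carry a method list; other aaa lines are skipped."""
    parsed = []
    for raw in config.splitlines():
        m = AAA_RE.match(raw.strip())
        if not m:
            continue
        kind, subtype, level, listname, rest = m.groups()
        tokens = rest.split()
        if kind == "accounting" and tokens and tokens[0] in ACCOUNTING_RECORD_TYPES:
            tokens = tokens[1:]  # drop start-stop / stop-only before the methods
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group:" + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        parsed.append(AaaLine(kind, subtype, int(level) if level else None, listname, methods))
    return parsed


def audit_aaa(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lines = parse_aaa(config)
    if "aaa new-model" not in {l.strip() for l in config.splitlines()}:
        findings.append("missing 'aaa new-model': the method lists will not take effect")
    for ln in lines:
        for meth in ln.methods:
            if not meth.startswith("group:") and meth not in KNOWN_METHODS:
                findings.append(f"unknown method '{meth}' in 'aaa {ln.kind} {ln.subtype}' (typo?)")
        if ln.kind != "accounting" and "none" in ln.methods:
            findings.append(f"'none' in 'aaa {ln.kind} {ln.subtype}' disables the check entirely")
    login = [l for l in lines if (l.kind, l.subtype, l.listname) == ("authentication", "login", "default")]
    if not login:
        findings.append("no 'aaa authentication login default' method list")
    elif login[0].methods and login[0].methods[0].startswith("group:") \
            and not FALLBACK_METHODS & set(login[0].methods[1:]):
        findings.append("login default has no fallback after the server group: an outage locks out administrators")
    authz_levels = {l.level for l in lines if l.kind == "authorization" and l.subtype == "commands"}
    acct_levels = {l.level for l in lines if l.kind == "accounting" and l.subtype == "commands"}
    for lvl in sorted(authz_levels - acct_levels):
        findings.append(f"commands at privilege {lvl} are authorized but never accounted")
    return findings


# Constructed sample modelled on the post's configuration, trimmed to levels 1 and 15.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

# Constructed weak variant: no aaa new-model, the "enabl" typo, no local fallback,
# and level-15 commands authorized without accounting.
WEAK_CONFIG = """\
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+ enabl
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 1 default start-stop group tacacs+
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, "->", audit_aaa(cfg) or "no findings")
```

Run it against a saved `show running-config | include ^aaa` output to get the same checks on a live device; lines without a method list (such as `aaa authorization console`) are ignored by the parser.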

Regards,

Chetan Kumar

Version history: Revision 1 of 1, last update 05-28-2010 07:20 AM
Comments

I am new to this AAA thing, only used local auth before for stuff. If I put all of the commands in one box, what exactly do I achieve? I do have plans to use Cisco Windows-based ACS 4.2.

Why shall I use so many commands? What is this command authorization thing?

Is it important that if I use the authentication option for the ACS server I should also use the authorization portion, or is it not mandatory?

You do not need to configure all those commands. You can configure only authentication, authorization for priv 15 & accounting for priv 15.

If you have a big organization & too many network engineers, then you can have different priv levels using ACS & AAA.

The only thing that makes a difference between RADIUS and TACACS+ is the separation of authentication and authorization. In RADIUS you only need to authenticate the user and zoooooom.

The user is now into the network to access EVERYTHING, or automatically has the authority to run ALL COMMANDS under privilege level 15. But if you use TACACS+, this separates the authentication from the authorization, which provides the option to assign different levels of command execution or access to the network resources instead of accessing all.

That is why, if using ACS that runs only the Cisco proprietary TACACS+ protocol, you must configure the authorization part of AAA also, to manage the different levels of authority for the different groups of users engaged in different kinds of work.