
Section 7.0: AAA

7.1: AAA on the Router

  1. Configure AAA on R4 to use the TACACS+ server.

  2. Configure authentication, EXEC authorization, and command-level 1/10/15 authorization.

  3. Move the show running-config command to level 10 for user1 to be able to invoke it.

  4. Configure fallback to local in the event the AAA server goes down.

  5. Make sure you use a named method list and apply it to vty lines. Do not configure any authentication or authorization for console or auxiliary ports, or you will lose all marks.

  6. Use the following example to configure all of the above. (The tacacs-server host and key lines that point R4 at the ACS server are not shown in this excerpt.)

    aaa new-model
    ! Named method lists only: no "default" list exists, so a line is subject to AAA
    ! only where it references one of these lists explicitly.
    aaa authentication login vtyline group tacacs+ local
    aaa authentication login con-none none
    aaa authorization exec vtyexec group tacacs+ local
    aaa authorization exec conexec none
    aaa authorization commands 1 comm1 group tacacs+ local
    aaa authorization commands 1 comm-con-none none
    aaa authorization commands 10 comm10 group tacacs+ local
    aaa authorization commands 10 comm-con-none none
    aaa authorization commands 15 comm15 group tacacs+ local
    aaa authorization commands 15 comm-con-none none
    !
    ! Local fallback accounts. "local" is consulted only when the TACACS+ server does not
    ! answer (ERROR), not when it rejects the user (FAIL). Type 7 strings are reversible,
    ! so a published configuration like this one exposes these passwords in the clear.
    username user1 privilege 10 password 7 044E18031D70
    username user2 privilege 15 password 7 13100417195E
    !
    ! Move show running-config down to level 10 so that user1 can run it; after the
    ! change, verify by logging in as user1 and issuing show run.
    privilege exec level 10 show run
    privilege exec level 15 show
    !
    ! Console and aux get explicit "none" lists so that AAA never prompts on them.
    line con 0
     exec-timeout 0 0
     authorization commands 1 comm-con-none
     authorization commands 10 comm-con-none
     authorization commands 15 comm-con-none
     authorization exec conexec
     login authentication con-none
    line aux 0
     authorization commands 1 comm-con-none
     authorization commands 10 comm-con-none
     authorization commands 15 comm-con-none
     authorization exec conexec
     login authentication con-none
    ! Only the vty lines use the TACACS+ lists, with local fallback.
    line vty 0 4
     authorization commands 1 comm1
     authorization commands 10 comm10
     authorization commands 15 comm15
     authorization exec vtyexec
     login authentication vtyline
    !
    end

  7. Configure ACS with two users as follows:

    User1 with privilege level 10 and the show run command permitted. See Figure 1-6 for user settings on CiscoSecure ACS.

    User2 with privilege level 15 and all commands permitted. See Figure 1-7 for user settings on CiscoSecure ACS.

  8. Configure the CiscoSecure ACS users above with the corresponding privilege levels, so that when they log in they land in enable mode and do not need to enter enable. EXEC authorization is required for this: ACS returns the privilege level as the priv-lvl attribute of the shell (exec) service, and the router applies it only when aaa authorization exec is in effect for the line. Refer to Figure 1-6 for user1 and Figure 1-7 for user2 profile settings on ACS.

    Figure 1-6 User1 Settings on CiscoSecure ACS

    Figure 1-7 User2 Settings on CiscoSecure ACS
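The two username lines in the R4 configuration above carry type 7 strings. Type 7 is not a hash but a fixed-key XOR, so the local fallback credentials can be read straight out of the config. The script below is an added example, not code from the book or from Cisco: it implements the public type 7 algorithm (decode, encode and a small audit over username lines), and the sample configuration it audits is constructed from the two username lines shown above. The function names and the audit format are my own.

```python
"""Decode, encode and audit Cisco IOS type 7 password strings (added example, not from the book)."""
import re

# Public XOR key used by IOS "service password-encryption" (type 7). It is the same on every device.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: two-digit decimal salt, then hex bytes XORed with the rolling key."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 string is a 2-digit salt followed by an even number of hex digits")
    salt = int(encoded[:2], 10)
    if salt >= len(TYPE7_KEY):
        raise ValueError("salt outside the key length")
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(salt + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plain: str, salt: int = 0) -> str:
    """Produce the string IOS would store for `plain` with the given salt (IOS itself picks 0-15)."""
    if not 0 <= salt < len(TYPE7_KEY):
        raise ValueError("salt outside the key length")
    data = plain.encode("ascii")
    out = bytes(b ^ TYPE7_KEY[(salt + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{salt:02d}{out.hex().upper()}"


# Matches lines such as "username user1 privilege 10 password 7 044E18031D70".
USERNAME_RE = re.compile(
    r"^\s*username\s+(?P<user>\S+)(?:\s+privilege\s+(?P<priv>\d+))?"
    r"\s+password\s+7\s+(?P<enc>[0-9A-Fa-f]+)\s*$",
    re.MULTILINE,
)


def audit_type7_users(config: str):
    """Return (username, privilege, recovered password, password-equals-username) per type 7 line."""
    findings = []
    for m in USERNAME_RE.finditer(config):
        plain = type7_decode(m.group("enc"))
        priv = int(m.group("priv")) if m.group("priv") else 1   # IOS default privilege is 1
        findings.append((m.group("user"), priv, plain, plain.lower() == m.group("user").lower()))
    return findings


# Constructed sample: the two local fallback accounts from the R4 configuration above.
SAMPLE_CONFIG = """\
username user1 privilege 10 password 7 044E18031D70
username user2 privilege 15 password 7 13100417195E
"""

if __name__ == "__main__":
    for user, priv, plain, same in audit_type7_users(SAMPLE_CONFIG):
        flag = "  <-- password equals username" if same else ""
        print(f"{user:8} priv {priv:2}  password {plain!r}{flag}")
```

Run against the sample, the audit recovers "user1" and "user2" as the passwords, i.e. the same strings as the usernames, which is exactly the kind of lab default that must not survive into production. For real accounts use `username ... secret` (type 5 at minimum, type 8 or 9 where the platform supports it) rather than `password 7`, and keep configurations containing type 7 strings out of wikis and ticket systems.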

7.2: AAA on PIX

  1. Configure TACACS+ authentication and authorization for Telnet service on PIX (refer to the example that follows item 3).

  2. Configure static translation for Loopback1 of R6. (Refer to the example that follows item 3 to configure the PIX.)

  3. Configure username r6telnet on ACS with Per User Command Authorization set to permit Telnet service for R6 Loopback1 only. Refer to Figure 1-8 for r6telnet profile settings on ACS.

  4. pix# show aaa
    aaa authentication include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 ACS
    aaa authorization include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 ACS
    pix#
    pix# show aaa-server
    ! Server group ACS: TACACS+ host 192.168.6.6 on the inside, shared key "cisco", 10-second timeout.
    aaa-server ACS (inside) host 192.168.6.6 cisco timeout 10
    pix#
    pix# show access-list outside
    access-list outside permit tcp any host 10.50.31.6 eq tacacs (hitcnt=103)
    access-list outside permit tcp any host 16.16.16.16 eq telnet (hitcnt=7)
    pix# show static
    ! Identity (one-to-one) static, so R6 Loopback1 keeps its own address on the outside.
    static (inside,outside) 16.16.16.16 16.16.16.16 netmask 255.255.255.255 0 0
    ! Login capture from R3 telnetting to R6 Loopback1. The first Username/Password pair is
    ! the PIX cut-through proxy prompt (checked against ACS); the "User Access Verification"
    ! Password prompt that follows is R6's own vty login.
    r3#telnet 16.16.16.16
    Trying 16.16.16.16 ... Open

    Username: r6telnet
    Password: r6telnet

    User Access Verification
    Password:
    r6>en
    Password:
    r6#
    r6#
    ! After successfully logging on to R6, confirm that authentication/authorization
    ! is working on the PIX:
    pix# show uauth
                             Current   Most Seen
    Authenticated Users          1          1
    Authen In Progress           0          1
    user 'r6telnet' at 10.50.31.2, authorized to:
     port 16.16.16.16/telnet
     absolute timeout: 0:05:00
     inactivity timeout: 0:00:00

    Figure 1-8 r6telnet Settings on CiscoSecure ACS

    NOTE

    If Shell Command Authorization Set does not appear in User Setup in ACS, go to Interface Configuration and select TACACS+ and tick the User column for Shell (exec). See Figure 1-9.

    Figure 1-9 Interface Configuration on ACS

    NOTE

    The Reports and Activity section in CiscoSecure ACS is very useful for troubleshooting. Verify FAILED/PASSED attempts in Reports, as shown in Figure 1-10.

    Figure 1-10 Reports and Activity in ACS
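Both the router in 7.1 and the PIX in 7.2 reach ACS over TACACS+, and the aaa-server line above shows the shared key ("cisco") that protects that traffic. TACACS+ does not encrypt the packet body; it XORs it with an MD5 keystream derived from the session ID, the key, the version and the sequence number (RFC 8907 section 4.5), so anyone holding the key can read every user name and password that crosses the wire. The following Python script is an added example, not code from the book or from Cisco: it builds the authentication START packet that a cut-through proxy login such as the r6telnet one above would send, obfuscates it with the key from the page, and parses it back. The session ID, the port string and the function names are constructed for the example; the user and source address are the ones in the show uauth output.

```python
"""TACACS+ authentication START packet with RFC 8907 body obfuscation (added example, not from the book)."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0           # major 0xC, minor 0 (ASCII login)
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in clear (never in production)
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1), concatenated and truncated to length."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation is body XOR pad, so the same function also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, priv_lvl=1):
    """Authentication START body (RFC 8907 section 5.1): fixed fields, then the variable strings."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr


def build_packet(body, session_id, key, seq_no=1):
    """Header plus obfuscated body, as the client (here the PIX) would put it on the wire."""
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0x00, session_id, len(body))
    return header + xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(packet, key):
    """De-obfuscate with `key` and decode the START fields. Returns None when the result is not
    well-formed, which is what a wrong key produces (the lengths no longer add up)."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if ptype != TAC_PLUS_AUTHEN or len(body) < 8:
        return None
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    if 8 + ul + pl + rl + dl != len(body):
        return None
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"session_id": session_id, "seq_no": seq_no, "action": action, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "service": service,
            "user": user.decode("ascii", "replace"), "port": port.decode("ascii", "replace"),
            "rem_addr": rem_addr.decode("ascii", "replace"), "data": data}


# Constructed values: the shared key from the aaa-server line, a made-up session id, a made-up
# port string, and the user/source address seen in the "show uauth" output above.
SHARED_KEY = b"cisco"
SESSION_ID = 0x1234ABCD
START = build_authen_start("r6telnet", "telnet", "10.50.31.2")

if __name__ == "__main__":
    pkt = build_packet(START, SESSION_ID, SHARED_KEY)
    print("on the wire:       ", pkt.hex())
    print("with the right key:", parse_packet(pkt, SHARED_KEY))
    print("with a wrong key:  ", parse_packet(pkt, b"wrong"))
```

The keystream depends on nothing the attacker cannot see on the wire except the key, so the strength of the key is the only thing standing between a capture of the ACS path and every login that crossed it; "cisco" is a lab value. In practice, pick a long random key, keep it identical on the PIX, the routers and ACS, carry TACACS+ on a management segment that user traffic cannot reach, and make sure the unencrypted flag is never set (on IOS that is the difference between tacacs-server key being configured or not).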
