28 Replies. Latest reply: Nov 16, 2011 12:49 AM by david.dawn

    AAA Tacacs

    david.dawn

      Hello..

      Question: If you enable TACACS on a router/switch that already had an enable password configured on the device, and you also create a new local account with privilege level 15, and then in the TACACS config tell the device to use local accounts for console access, will the device still prompt for the enable password even though the account has level 15 access?

      The config on the console is blank.

      My understanding is all local usernames and passwords are ignored when AAA new-model is enabled. You then create the methods you want your device to use, whether that is a named method or a default method, which is all lines. The TACACS config below states for console use the local account, which, as mentioned above, we have a level 15 account for; however the old enable secret was still on the device and had not been removed... What are your thoughts on this please, as we had a disagreement within work, and I would like to understand this for myself as I am studying this area.

      The config below is the TACACS config.

      aaa authentication login default group ACS-TACACS local

      aaa authentication login CONSOLE local

      Thanks.

        • 1. Re: AAA Tacacs
          Olushile Akintade CCIE R&S

          My understanding is once you tie the CONSOLE group to line con 0, you can access via console using the username with privilege 15 and it will not ask you for the enable password. Since this dispute was at work, my advice is to use GNS3 so that you can fully grasp how this works.

          Hope this helps!

          • 2. Re: AAA Tacacs
            david.dawn

            Hi

            Good advice Olushile.

            I would like to do that, but I'm not sure how I would set up a TACACS server etc. within GNS3.

            That is my understanding also.

            Thanks for the response mate.

            Dave

            • 3. Re: AAA Tacacs
              Brian McGahan - 4 x CCIE, CCDE

              You'll still need to use the enable password, even if the user is assigned to privilege level 15.  The reason why is that there is a difference in AAA between authentication and authorization.  Authentication is the username and password, while authorization is the privilege level.

              Take the following example.  R1 is configured for local authentication and authorization on the console, without AAA configured.  The result is that when the user logs in, not only are they authenticated, but they are authorized to privilege level 15.

              R1 con0 is now available
              
              Press RETURN to get started.
              
              
              
              User Access Verification
              
              Username: brian
              Password: 
              R1#show privilege
              Current privilege level is 15
              R1#show run | section user|line
              username brian privilege 15 password 0 cisco
              line con 0
               login local
              

              Now the configuration is changed to enable AAA, with AAA checking the local database for authentication.

              R1#config t
              Enter configuration commands, one per line.  End with CNTL/Z.
              R1(config)#aaa new-model
              R1(config)#aaa authentication login default local
              R1(config)#end
              R1#exit
              
              
              R1 con0 is now available
              
              Press RETURN to get started.
              
              %SYS-5-CONFIG_I: Configured from console by brian on console
              
              User Access Verification
              
              Username: brian
              Password: 
              
              R1>show privilege
              Current privilege level is 1
              R1>

              Even though the username entry still has the privilege level associated with it, the AAA process is not checking this.  To tell AAA to check this you need to enable exec authorization and console authorization, as follows:

              R1>enable
              R1#config t
              Enter configuration commands, one per line.  End with CNTL/Z.
              R1(config)#aaa authorization exec default local
              R1(config)#aaa authorization console      
              R1(config)#end
              R1#
              %SYS-5-CONFIG_I: Configured from console by brian on console
              R1#exit
              
              R1 con0 is now available
              
              Press RETURN to get started.
              
              User Access Verification
              
              Username: brian
              Password: 
              
              R1#show privilege
              Current privilege level is 15
              

              Now the user is authorized to privilege level 15, and doesn't have to issue the enable password or secret.

              • 4. Re: AAA Tacacs
                cadetalain

                Hi,

                There is a free TACACS server available, or the demo version of ACS for Windows.

                Here is the server for Linux: http://www.shrubbery.net/tac_plus/

                Regards.

                Alain

                • 5. Re: AAA Tacacs
                  Olushile Akintade CCIE R&S

                  Thanks for clearing that up Brian.

                  • 6. Re: AAA Tacacs
                    Conwyn

                    Hi Olushile

                    Free for Windows, see https://learningnetwork.cisco.com/message/114586#114586

                    Regards Conwyn

                    • 7. Re: AAA Tacacs
                      Olushile Akintade CCIE R&S

                      Great, thanks!

                      • 8. Re: AAA Tacacs
                        david.dawn

                        Thanks very much mate, nice understandable explanation.. it makes sense, I completely overlooked this. We do have some authorisation commands in the device which are

                        aaa authorization configuration default group ACS-TACACS

                        aaa authorization exec default group ACS-TACACS local

                        which won't work in our setup because we want the console to use the local account and allow the priv level to be 15

                        thanks again Brian.

                        • 9. Re: AAA Tacacs
                          david.dawn

                          Thanks Conwyn, you seem to know your stuff!

                          I noticed you are running TACACS through GNS3. I would like a simple lab querying TACACS; is it easy to set up using GNS3?

                          I have heard people saying to get ACS running on a VM and have GNS3 talking to it. I may have to spare some time looking on YouTube and getting an eval copy of ACS.

                          • 10. Re: AAA Tacacs
                            Brian McGahan - 4 x CCIE, CCDE

                            david.dawn wrote:

                            Thanks very much mate, nice understandable explanation.. it makes sense, I completely overlooked this. We do have some authorisation commands in the device which are

                            aaa authorization configuration default group ACS-TACACS

                            aaa authorization exec default group ACS-TACACS local

                            which won't work in our setup because we want the console to use the local account and allow the priv level to be 15

                            thanks again Brian.

                            You can still do it, you just need to set the console to look for named lists for authentication and exec authorization.  Something like this will accomplish what you want:

                            aaa authentication login CON_AUTHEN local
                            aaa authorization console
                            aaa authorization exec CON_AUTHOR local
                            !
                            !
                            line con 0
                             authorization exec CON_AUTHOR
                             login authentication CON_AUTHEN
                            
                            • 11. Re: AAA Tacacs
                              david.dawn

                              Awesome Brian, I will be putting this recommendation in at work. Thanks a lot, I really appreciate you taking the time to give a clear reply.

                              Dave.

                              • 12. Re: AAA Tacacs
                                david.dawn

                                Brian

                                I understand what you have said so far apart from ... how the aaa authorization exec CON_AUTHOR local works.

                                Is the above command a method? The command confused me because of the syntax: it is exec [method name] local.. why does that say use the local database? config t is privilege mode.. sorry if I'm not making myself clear, I'm just trying to understand how the 3 lines, especially the 2 aaa authorization console and aaa authorization exec {name} local, work.

                                • 13. Re: AAA Tacacs
                                  Brian McGahan - 4 x CCIE, CCDE

                                  The terms can definitely get confusing with how AAA works.  The "exec" process means the Command Line Interface (CLI) access to the router.  When you login the router wants to know a) can you access the exec process, and b) if so what privilege number or parser view should you get.  This is what the exec authorization does.

                                  The case where a user has a login but shouldn't be able to access the exec process would be like a VPN user.  You normally wouldn't want your users who VPN through the router to be able to telnet/SSH to the router and login with the same credentials.  In your case you want to login to the CLI, so you want your user to have exec authorization.

                                  As for the commands, the aaa authorization console is needed because the router does not check for authorization on the console by default.  This is a protection mechanism to make sure you don't lock yourself out of the router if the AAA server goes down or you make a misconfiguration.  The second one, aaa authorization exec [name] local tells the router that it should check for the user's privilege level in the local database.  This is where the username... privilege [num] command comes in.  The other alternative for this would be to check the RADIUS or TACACS server and have it assign the privilege level for the user.

                                  • 14. Re: AAA Tacacs
                                    david.dawn

                                    Totally awesome Brian.. thanks for clearing this up, it totally makes sense now..

                                    Cheers

                                    Dave
