5209 Views 28 Replies Latest reply: Nov 16, 2011 12:49 AM by david.dawn

AAA Tacacs

Nov 10, 2011 4:07 AM

david.dawn 124 posts since
Dec 5, 2009

Hello..

Question: If you enable TACACS on a router/switch that already had an enable password configured on the device, and you also create a new local account with privilege level 15, and then in the TACACS config tell the device to use local accounts for console access, will the device still prompt for the enable password even though the account has level 15 access?

The config on the console is blank.

My understanding is that all local usernames and passwords are ignored when AAA new-model is enabled. You then create the methods you want your device to use, whether that is a named method or a default method, which applies to all lines. The TACACS config below states that the console uses the local account, which as mentioned above we have a level 15 account for; however, the old enable secret was still on the device and had not been removed. What are your thoughts on this please, as we had a disagreement within work, and I would like to understand this for myself as I am studying this area.

The config below is the TACACS config.

aaa authentication login default group ACS-TACACS local
aaa authentication login CONSOLE local

Thanks.

  • Olushile Akintade CCIE R&S 80 posts since
    Mar 26, 2009
    1. Nov 10, 2011 6:15 AM (in response to david.dawn)
    Re: AAA Tacacs

    My understanding is once you tie the CONSOLE group to the line con 0, you can access via console using the username with privilege 15 and it will not ask you for the enable password. Since this dispute was at work, my advice is to use GNS3 so that you can fully grasp how this works.

    Hope this helps!

  • Brian McGahan - 4 x CCIE, CCDE 645 posts since
    May 29, 2008
    3. Nov 10, 2011 12:11 PM (in response to david.dawn)
    Re: AAA Tacacs

    You'll still need to use the enable password, even if the user is assigned to privilege level 15.  The reason why is that there is a difference in AAA between authentication and authorization.  Authentication is the username and password, while authorization is the privilege level.

    Take the following example.  R1 is configured for local authentication and authorization on the console, without AAA configured.  The result is that when the user logs in, not only are they authenticated, but they are authorized to privilege level 15.

    R1 con0 is now available
    
    Press RETURN to get started.
    
    
    
    User Access Verification
    
    Username: brian
    Password: 
    R1#show privilege
    Current privilege level is 15
    R1#show run | section user|line
    username brian privilege 15 password 0 cisco
    line con 0
     login local

    Now the configuration is changed to enable AAA, with AAA checking the local database for authentication.

    R1#config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)#aaa new-model
    R1(config)#aaa authentication login default local
    R1(config)#end
    R1#exit
    
    
    R1 con0 is now available
    
    Press RETURN to get started.
    
    %SYS-5-CONFIG_I: Configured from console by brian on console
    
    User Access Verification
    
    Username: brian
    Password: 
    
    R1>show privilege
    Current privilege level is 1
    R1>

    Even though the username entry still has the privilege level associated with it, the AAA process is not checking this.  To tell AAA to check this you need to enable exec authorization and console authorization, as follows:

    R1>enable
    R1#config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)#aaa authorization exec default local
    R1(config)#aaa authorization console
    R1(config)#end
    R1#
    %SYS-5-CONFIG_I: Configured from console by brian on console
    R1#exit
    
    R1 con0 is now available
    
    Press RETURN to get started.
    
    User Access Verification
    
    Username: brian
    Password: 
    
    R1#show privilege
    Current privilege level is 15

    Now the user is authorized to privilege level 15, and doesn't have to issue the enable password or secret.

  • cadetalain 2,642 posts since
    Sep 18, 2008
    4. Nov 10, 2011 12:14 PM (in response to david.dawn)
    Re: AAA Tacacs

    Hi,

    There is a free TACACS server available, or the demo version of ACS for Windows.

    Here is the server for Linux: http://www.shrubbery.net/tac_plus/

    Regards.

    Alain

  • Olushile Akintade CCIE R&S 80 posts since
    Mar 26, 2009
    5. Nov 10, 2011 12:18 PM (in response to cadetalain)
    Re: AAA Tacacs

    Thanks for clearing that up Brian.

  • Conwyn 7,907 posts since
    Sep 10, 2008
    Re: AAA Tacacs

    Hi Olushile,

    Free for Windows, see https://learningnetwork.cisco.com/message/114586#114586

    Regards, Conwyn

  • Olushile Akintade CCIE R&S 80 posts since
    Mar 26, 2009
    7. Nov 10, 2011 1:32 PM (in response to Conwyn)
    Re: AAA Tacacs

    Great, thanks!

  • Brian McGahan - 4 x CCIE, CCDE 645 posts since
    May 29, 2008
    10. Nov 10, 2011 4:51 PM (in response to david.dawn)
    Re: AAA Tacacs

    david.dawn wrote:

        Thanks very much mate, nice understandable explanation.. it makes sense, I completely overlooked this. We do have some authorisation commands in the device which are

        aaa authorization configuration default group ACS-TACACS
        aaa authorization exec default group ACS-TACACS local

        which won't work in our set up because we want the console to use the local account and allow the priv level to be 15.

        thanks again Brian.

    You can still do it, you just need to set the console to look for named lists for authentication and exec authorization.  Something like this will accomplish what you want:

    aaa authentication login CON_AUTHEN local
    aaa authorization console
    aaa authorization exec CON_AUTHOR local
    !
    !
    line con 0
     authorization exec CON_AUTHOR
     login authentication CON_AUTHEN
    
  • Brian McGahan - 4 x CCIE, CCDE 645 posts since
    May 29, 2008
    13. Nov 12, 2011 6:56 AM (in response to david.dawn)
    Re: AAA Tacacs

    The terms can definitely get confusing with how AAA works.  The "exec" process means the Command Line Interface (CLI) access to the router.  When you log in, the router wants to know a) can you access the exec process, and b) if so, what privilege number or parser view should you get.  This is what the exec authorization does.

    The case where a user has a login but shouldn't be able to access the exec process would be like a VPN user.  You normally wouldn't want your users who VPN through the router to be able to telnet/SSH to the router and login with the same credentials.  In your case you want to login to the CLI, so you want your user to have exec authorization.

    As for the commands, the aaa authorization console is needed because the router does not check for authorization on the console by default.  This is a protection mechanism to make sure you don't lock yourself out of the router if the AAA server goes down or you make a misconfiguration.  The second one, aaa authorization exec [name] local, tells the router that it should check for the user's privilege level in the local database.  This is where the username... privilege [num] command comes in.  The other alternative for this would be to check the RADIUS or TACACS server and have it assign the privilege level for the user.
