Category: tomz.pl
Created on Wednesday, 03 February 2016 22:12
Written by Tomasz Zdunek
Below you can find the AAA configuration for the following Cisco devices:
- Cisco Nexus - NXOS
- Cisco XR 9002 - IOS XR
- Cisco Switches - IOS

Interactive sessions such as SSH are authenticated against the remote credentials on the TACACS+ servers, while the console uses the local password so that emergency access is still possible when the servers are unreachable. Full AAA is enabled: authentication checks the credentials, authorization checks whether the user is allowed to execute each command (configuration commands included), and accounting logs the commands to the TACACS+ server.

Note the fallback methods: login authentication falls back to "local", but command authorization falls back to "none" on IOS XR and to "if-authenticated" on IOS. That is deliberate, so that a TACACS+ outage does not lock you out, but it also means that during an outage an authenticated user runs commands without per-command checks and without server-side accounting, which is worth remembering when reviewing logs around an outage. The "key 0 <password>" form takes the shared secret in clear text; it must match the secret configured on the TACACS+ server.
Cisco NXOS
On NX-OS the TACACS+ client is a feature, so enable it with "feature tacacs+" before entering the lines below; the tacacs-server and aaa group commands are rejected until the feature is enabled. The servers are reached through the management VRF (use-vrf management).
ip tacacs source-interface <INTERFACE>
tacacs-server host <TACACS_SERVER-1> key 0 <password> timeout 5
tacacs-server host <TACACS_SERVER-2> key 0 <password> timeout 5
aaa group server tacacs+ TACACS_SERVERS
server <TACACS_SERVER-1>
server <TACACS_SERVER-2>
use-vrf management
!
ip access-list VTY_ALLOWED_HOSTS_IN
10 remark Access SSH from MY COMPUTER
20 permit tcp 192.168.1.100/32 any eq 22
!
aaa authentication login default group TACACS_SERVERS
aaa authentication login console local
aaa authorization config-commands default group TACACS_SERVERS local
aaa authorization commands default group TACACS_SERVERS local
aaa accounting default group TACACS_SERVERS local
aaa authentication login error-enable
!
line console
exec-timeout 5
speed 38400
line vty
access-class VTY_ALLOWED_HOSTS_IN in
!
Cisco IOS XR
tacacs source-interface MgmtEth0/RSP0/CPU0/0 vrf <VRF-NAME>
tacacs-server host <TACACS_SERVER-1> port 49
key <password>
!
tacacs-server host <TACACS_SERVER-2> port 49
key <password>
!
aaa accounting exec default start-stop group TACACS_SERVERS none
aaa accounting system default start-stop group TACACS_SERVERS none
aaa accounting commands default start-stop group TACACS_SERVERS none
aaa group server tacacs+ TACACS_SERVERS
vrf <VRF-NAME>
server-private <TACACS_SERVER-1> port 49
key <password>
!
server-private <TACACS_SERVER-2> port 49
key <password>
!
!
aaa authorization exec console local
aaa authorization exec default group TACACS_SERVERS local
aaa authorization commands console none
aaa authorization commands default group TACACS_SERVERS none
aaa authentication login console local
aaa authentication login default group TACACS_SERVERS local
!
ipv4 access-list VTY_ALLOWED_HOSTS_IN
10 remark Access SSH from MY COMPUTER
20 permit tcp host 192.168.1.100 any eq 22
exit
!
line console
authorization exec console
authorization commands console
login authentication console
exec-timeout 5 0
transport output none
exit
!
line default
authorization exec default
authorization commands default
exec-timeout 30 0
access-class ingress VTY_ALLOWED_HOSTS_IN
transport input ssh
transport output none
exit
!
vty-pool default 0 99 line-template default
Cisco IOS
aaa new-model
aaa group server tacacs+ TACACS_SERVERS
server <TACACS_SERVER-1>
server <TACACS_SERVER-2>
ip vrf forwarding <VRF_NAME>
ip tacacs source-interface <INTERFACE>
!
tacacs-server host <TACACS_SERVER-1> timeout 5 key 0 <password>
tacacs-server host <TACACS_SERVER-2> timeout 5 key 0 <password>
!
aaa authentication password-prompt "LOCAL Password: "
aaa authentication username-prompt "LOCAL Username: "
aaa authentication login default group TACACS_SERVERS local
aaa authentication login CONSOLE local
aaa authentication enable default group TACACS_SERVERS none
aaa session-id common
!
aaa authorization config-commands
aaa authorization exec default group TACACS_SERVERS local
aaa authorization commands 0 default group TACACS_SERVERS if-authenticated
aaa authorization commands 1 default group TACACS_SERVERS if-authenticated
aaa authorization commands 15 default group TACACS_SERVERS if-authenticated
!
aaa accounting send stop-record authentication failure vrf <VRF_NAME>
aaa accounting exec default start-stop group TACACS_SERVERS
aaa accounting commands 0 default start-stop group TACACS_SERVERS
aaa accounting commands 1 default start-stop group TACACS_SERVERS
aaa accounting commands 15 default start-stop group TACACS_SERVERS
aaa accounting connection default start-stop group TACACS_SERVERS
aaa accounting system default start-stop group TACACS_SERVERS
!
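The IOS section above defines the CONSOLE login list but never binds it to the console line, and it defines no access-class for the VTYs, so as written the console still authenticates through the default list (TACACS+ first) and SSH is reachable from anywhere. The following is an added example, not part of the original post, that completes the IOS configuration the way the NX-OS and IOS XR sections already do. The ACL name (mirroring the other sections) and the VTY line range are assumptions; the verification commands at the end are standard IOS exec commands to be run before closing the session that applied the change.

```text
! Added example (not part of the original configuration).
! ACL name assumed to match the NX-OS / IOS XR sections; adjust the source host.
ip access-list extended VTY_ALLOWED_HOSTS_IN
 remark Access SSH from MY COMPUTER
 permit tcp host 192.168.1.100 any eq 22
!
! Bind the local-only login list to the console. IOS does not apply AAA
! authorization to the console unless "aaa authorization console" is
! configured, so the console keeps working when TACACS+ is unreachable.
line con 0
 login authentication CONSOLE
 exec-timeout 5 0
!
! VTYs keep the default lists (TACACS+ first, then local), accept SSH only,
! and only from the permitted host. Line range assumed; adjust per platform.
line vty 0 4
 access-class VTY_ALLOWED_HOSTS_IN in
 exec-timeout 30 0
 transport input ssh
!
! Before logging out of the session used to apply this, confirm that at
! least one server answers for a real account (run at the exec prompt):
!   test aaa group TACACS_SERVERS <username> <password> legacy
!   show tacacs
```

Keep the session used for the change open until "test aaa group" reports a successful authentication and "show tacacs" shows the servers as reachable; if the test fails, the fallback to "local" on the default list is what still lets you in, so a working local account must exist before "aaa new-model" is applied.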