Monday, December 21, 2015

AAA (Authentication, Authorization and Accounting) Config

Terms:
RADIUS: Remote Authentication Dial In User Service
TACACS+: Terminal Access Controller Access Control System Plus

Commands:
enable

configure terminal

! Create a local admin for safety
! Note: for all production passwords, follow best practices for length
! and complexity (the "cisco" values below are lab-only placeholders)
username admin privilege 15 secret cisco
username bob privilege 1 secret cisco

! Configure the privilege 15 secret
enable secret cisco

! Enable AAA
aaa new-model

! Specify where the AAA server is,
! and which protocol to use (TACACS+ in this case)
! (IOS 15.x and later also accept the newer
! "tacacs server NAME" / "address ipv4 ..." / "key ..." form;
! the classic form below is what this lab uses)
tacacs-server host 192.168.1.252

! Specify the Key to use for encryption
! between the client (this router) and the AAA
! TACACS+ server. It must match the key configured
! on the server.
tacacs-server key cisco123

! Create a default method list: try the TACACS+
! server group first, and if that does not respond
! (times out), fall back to the local database.
! Note: IOS moves on to the next method only when the
! previous one returns an error (no response, or no such
! local user); a reject from TACACS+ is final. Append
! "enable" to the list if the enable secret should be the
! last resort when neither the server nor the local
! database can answer.
aaa authentication login default group tacacs+ local

! Create a custom method list, that if used,
! will have no authentication required at all
! (Just in the lab)
aaa authentication login FREE-BIRD none

! Lets apply the FREE-BIRD method list to the
! Console (to make it easy on me ;)
line console 0
login authentication FREE-BIRD

! (This method list applies only
! to the console 0).  The default will apply
! to the other Lines, such as VTY and AUX.
! Lets set up a couple authorization method lists
! We will use custom lists (not a default one)
! because we don't want this to apply everywhere
! (just on our VTY lines for this demo)
exit

aaa authorization commands 1 TAC1 group tacacs+ local
aaa authorization commands 15 TAC15 group tacacs+ local

! This next command is required for the IOS
! to check for authorization for commands
! issued within configuration mode
aaa authorization config-commands

! Lets create some accounting method lists as well
aaa accounting commands 1 TAC-act1 start-stop group tacacs+
aaa accounting commands 15 TAC-act15 start-stop group tacacs+

! Lets apply the authorization and accounting custom
! method lists just to the VTY lines
! Note: default login authentication method list
! already applies to these VTY lines
line vty 0 4
authorization commands 1 TAC1
authorization commands 15 TAC15
accounting commands 1 TAC-act1
accounting commands 15 TAC-act15

Simple test:

enable

conf t
enable secret cisco
aaa new-model
! Login with only the enable secret (no username prompt)
aaa authentication login default enable
! "do" runs a privileged EXEC command from configuration mode
do debug aaa authentication
! Test a telnet login while the debug is running
do telnet 10.1.0.1
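As an added example (not code from this post, and not Cisco's), the following Python script audits the login method lists in a config like the one above and in the simple test: it parses the `aaa authentication login` lists, works out which list each line actually uses (a line without an explicit `login authentication` uses `default`), simulates IOS fall-through (a later method is tried only when the earlier one errors, for instance when the TACACS+ server is unreachable; a reject is final) and flags lists that use `none` or have no local/enable fallback. `SAMPLE_CONFIG` is a constructed sample modelled on the post's commands; the parser assumes the one-space indentation IOS prints for line sub-commands in a running-config.

```python
"""Audit the login method lists in a Cisco IOS running-config.

Added example for this post (not Cisco's code, not the post's own config).
SAMPLE_CONFIG is a constructed sample modelled on the post's commands; the
regexes assume the running-config layout IOS prints (line sub-commands
indented by one space).
"""
import re

SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 192.168.1.252
tacacs-server key cisco123
aaa authentication login default group tacacs+ local
aaa authentication login FREE-BIRD none
line console 0
 login authentication FREE-BIRD
line aux 0
line vty 0 4
 accounting commands 15 TAC-act15
"""

LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
LINE_RE = re.compile(r"^line (con|console|aux|vty) \d+(?: \d+)?$")


def parse_login_lists(config):
    """Return {list_name: [method, ...]}; 'group X' becomes one token 'group:X'."""
    lists = {}
    for raw in config.splitlines():
        m = LOGIN_RE.match(raw.strip())
        if not m:
            continue
        tokens, methods = m.group(2).split(), []
        while tokens:
            tok = tokens.pop(0)
            if tok == "group" and tokens:
                tok = "group:" + tokens.pop(0)
            methods.append(tok)
        lists[m.group(1)] = methods
    return lists


def line_login_lists(config):
    """Return {line_type: list_name}. A line with no explicit
    'login authentication' uses the 'default' list once aaa new-model is on."""
    result, current = {}, None
    for raw in config.splitlines():
        stripped = raw.strip()
        m = LINE_RE.match(stripped)
        if m:
            current = "console" if m.group(1) in ("con", "console") else m.group(1)
            result.setdefault(current, "default")
        elif current and stripped.startswith("login authentication "):
            result[current] = stripped.split()[2]
        elif stripped and not raw.startswith(" "):
            current = None  # a top-level command ends the line sub-mode
    return result


def evaluate(methods, responses):
    """Simulate IOS fall-through for one login attempt.

    responses maps a method to 'accept', 'reject' or 'error'. IOS tries the
    next method ONLY on 'error' (server unreachable, user not in the local
    database); a 'reject' is final. 'none' always accepts, and running off the
    end of the list denies. Returns (outcome, deciding_method).
    """
    for method in methods:
        if method == "none":
            return "accept", method
        outcome = responses.get(method, "error")
        if outcome != "error":
            return outcome, method
    return "reject", None


def audit(config):
    """Return [(line_type, list_name, finding)] for risky login lists."""
    findings = []
    if "aaa new-model" not in [ln.strip() for ln in config.splitlines()]:
        findings.append(("*", "*", "aaa new-model missing: method lists are ignored"))
    lists = parse_login_lists(config)
    for line_type, name in sorted(line_login_lists(config).items()):
        methods = lists.get(name)
        if methods is None:
            findings.append((line_type, name, "method list is not defined"))
        elif "none" in methods:
            findings.append((line_type, name, "'none' grants access without credentials"))
        elif methods[0].startswith("group:") and not ({"local", "enable"} & set(methods)):
            findings.append((line_type, name,
                             "no local/enable fallback: lockout if the AAA server is unreachable"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    # Constructed outcomes: TACACS+ unreachable, then TACACS+ rejecting the password.
    print(evaluate(["group:tacacs+", "local"], {"group:tacacs+": "error", "local": "accept"}))
    print(evaluate(["group:tacacs+", "local"], {"group:tacacs+": "reject", "local": "accept"}))
```

Run it against saved `show running-config` output: on the sample it reports the FREE-BIRD `none` list on the console, which is the lab shortcut the post calls out and which should not survive into production; the second `evaluate` call shows why the `local` fallback does not help a user whose password the TACACS+ server has rejected.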

