Section 7.0: AAA
7.1: AAA on the Router
Configure AAA on R4 to use the TACACS+ server.
Configure authentication, EXEC authorization, and command-level 1/10/15 authorization.
Move the show running-config command to level 10 for user1 to be able to invoke it.
Configure fallback to local in the event the AAA server goes down.
Make sure you use a named method list and apply it to vty lines. Do not configure any authentication or authorization for console or auxiliary ports, or you will lose all marks.
Use the following example to configure all of the above.
Configure ACS with two users as follows.
Configure CiscoSecure ACS users above with corresponding privilege levels, so when they log in, they land in enable mode and don't need to enter enable. You need to configure exec authorization to achieve this task. Refer to Figure 1-6 for user1 and Figure 1-7 for user2 profile settings on ACS.
aaa new-model aaa authentication login vtyline group tacacs+ local aaa authentication login con-none none aaa authorization exec vtyexec group tacacs+ local aaa authorization exec conexec none aaa authorization commands 1 comm1 group tacacs+ local aaa authorization commands 1 comm-con-none none aaa authorization commands 10 comm10 group tacacs+ local aaa authorization commands 10 comm-con-none none aaa authorization commands 15 comm15 group tacacs+ local aaa authorization commands 15 comm-con-none none ! username user1 privilege 10 password 7 044E18031D70 username user2 privilege 15 password 7 13100417195E ! privilege exec level 10 show run privilege exec level 15 show! line con 0 exec-timeout 0 0 authorization commands 1 comm-con-none authorization commands 10 comm-con-none authorization commands 15 comm-con-none authorization exec conexec login authentication con-none line aux 0 authorization commands 1 comm-con-none authorization commands 10 comm-con-none authorization commands 15 comm-con-none authorization exec conexec login authentication con-none line vty 0 4 authorization commands 1 comm1 authorization commands 10 comm10 authorization commands 15 comm15 authorization exec vtyexec login authentication vtyline ! end
User1 with privilege level 10 and permit the show run command. See Figure 1-6 for user settings on CiscoSecure ACS.
User2 with privilege level 15 with all commands permitted. See Figure 1-7 for user settings on CiscoSecure ACS.
Figure 1-61 User1 Settings on CiscoSecure ACS
Figure 1-7 User2 Settings on CiscoSecure ACS
7.2: AAA on PIX
Configure TACACS+ authentication and authorization for Telnet service on PIX (refer to the example that follows item 3).
Configure static translation for Loopback1 of R6. (Refer to the example that follows item 3 to configure the PIX.)
Configure username r6telnet on ACS with Per User Command Authorization set to permit Telnet service for R6 Loopback1 only. Refer to Figure 1-8 for r6telnet profile settings on ACS.
pix# show aaa aaa authentication include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 ACS aaa authorization include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 ACS pix# pix# show aaa-server aaa-server ACS (inside) host 192.168.6.6 cisco timeout 10 pix# pix(config)# show access-list outside access-list outside permit tcp any host 10.50.31.6 eq tacacs (hitcnt=103) access-list outside permit tcp any host 18.104.22.168 eq telnet (hitcnt=7) pix(config)# show static static (inside,outside) 22.214.171.124 126.96.36.199 netmask 255.255.255.255 0 0 ! Login capture from R3 telnetting to R6 loopback1: r3#telnet 188.8.131.52 Trying 184.108.40.206 ... Open Username: r6telnet Password: r6telnet User Access Verification Password: r6>en Password: r6# r6# ! After successfully logging on to R6, confirm that ! authentication/authorization is working on pix; pix# show uauth Current Most Seen Authenticated Users 1 1 Authen In Progress 0 1 user 'r6telnet' at 10.50.31.2, authorized to: port 220.127.116.11/telnet absolute timeout: 0:05:00 inactivity timeout: 0:00:00
Figure 1-8 r6telnet Settings on CiscoSecure ACS
If Shell Command Authorization Set does not appear in User Setup in ACS, go to Interface Configuration and select TACACS+ and tick the User column for Shell (exec). See Figure 1-9.
Figure 1-9 Interface Configuration on ACS
The Reports and Activity section in CiscoSecure ACS is very useful for troubleshooting. Verify FAILED/PASSED attempts in Reports, as shown in Figure 1-10.
Figure 1-10 Reports and Activity in ACS