RE: Question about the NDG of ACS

From: Tony Huang (thuang@xxxxxxxxxxxxxxxxxxx)
Date: Sun Jul 07 2002 - 22:19:43 GMT-3

The attachment was removed by the mail server, so I copy it here:
Cisco ACS AAA configuration Example Using TACACS+

1. Enable a user to log in to the router and modify the configuration
On the router
**********************************
aaa new-model
aaa authentication login default tacacs+ local
aaa authorization exec default tacacs+ local

On ACS
Step1: Select group setup button and edit the default group settings.
Step2: Jump to TACACS+ settings; select Shell (exec) service

Login process:
Username: huangt
Password:
c1600>en
Password:
c1600#

2. Configure a super user to manage the router
********************************************
On router:
aaa new-model
aaa authentication login default tacacs+ local
aaa authorization exec default tacacs+ local
aaa authorization commands 15 cfg tacacs+ local

On ACS:
Step1: Select Group Setup and rename a group to cfg
Step2: On TACACS+ Settings, check the options Shell (exec) and Privilege level
and set the level to 15
Step3: Select the User Setup button and add the user to group cfg by selecting
cfg on the dropdown menu.
Login example:

Username: huangt
Password:

c1600#

3. Use ACS database as enable password
aaa new-model
aaa authentication login default tacacs+ local
aaa authentication enable default tacacs+
aaa authorization exec default tacacs+ local
This way, users that are not assigned to the privilege 15 group are not allowed
to log in as a supervisor, even if they issue the local enable password.
However, a user can log in as a supervisor on the console. The workaround is to
configure the enable password by editing the user profile.
Step1: Edit the user profile and go to Advanced TACACS+ Settings
Step2: Select Max Privilege for any AAA Client and set it to level 15
Step3: Choose the enable password. There are three options:
- Use CiscoSecure PAP password. Select this option to use the
information configured in the Password Authentication section above.
- Use external database password. Select this option and click the
database whose password is to be used.
- Use separate password. Select this option and type and confirm a
control password for this user. This password is used in addition to the
regular authentication.
In this case, I select Use external database password.

4. Allow the user from a specific address to access the router while
blocking access from other addresses
1. Edit the user profile that you want to restrict.
2. Select the Define IP-based access restrictions check box.
3. From the Table Defines list, select either Permitted Calling/Point
of Access Locations.
4. Type or select the applicable information in the following fields:
- Access Device. Select All Devices or the name of the AAA client or
network device group to permit or deny access to. In this case, we select
c1600.
- Port. Type the restricted port number of the access device or
network device group. You can use the wildcard asterisk (*) to permit or
deny access to all ports on the selected AAA client. In this case, we use
*, because the source port could vary.
- Address. Type the restricted IP address. You can enter multiple
entries separated by a comma or use the wildcard asterisk (*). For example,
10.2.2.42
Then the user can only access c1600 from address 10.2.2.42.

Cisco ACS AAA configuration Example Using Radius
Example1: Allow one domain user to log in as root while denying other users
login as superuser
On the router:
aaa new-model
aaa authentication login default radius local
aaa authorization exec default radius local
radius-server host 10.2.3.208 auth-port 1645 acct-port 1646
radius-server key ciscorule

On the server:
Step1: Add a group cfg and jump to IETF RADIUS Attributes
Step2: On the Service-Type list, select Framed
Step3: On the Framed-protocol list, select PPP
Step4: Edit a group cfg, select service type NAS Prompt
Step5: Edit the user that you want to be root and set the service type to be
Administrative.
This way, the specific user will log in as root after her/his domain password
is issued. The other users will not be able to log in to the router and can only
use the PPP service.

If we want to allow some users to log in to the router to do daily checking, we
may create another group providing the NAS Prompt service while forbidding its
ability to be root. And we will have to change the configuration on the
router as follows:

aaa new-model
aaa authentication login default radius local
aaa authentication enable default radius
aaa authorization exec default radius local
radius-server host 10.2.3.208 auth-port 1645 acct-port 1646
radius-server key ciscorule

A complete configuration:

Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname C1600
!
aaa new-model
aaa authentication login default radius local
aaa authentication login no_ra none
aaa authorization exec default radius local
aaa authorization exec no_ra none
aaa accounting exec default start-stop radius
enable password 7 11580E1144011F
!
username tony password 7 051F031C350C
ip subnet-zero
!
!
!
interface Ethernet0
 ip address 10.2.2.43 255.255.252.0
 no ip directed-broadcast
!
ip classless
!
radius-server host 10.2.3.208 auth-port 1645 acct-port 1646
radius-server key rut0k
!
line con 0
 exec-timeout 0 0
 ! no_ra bypasses AAA and uses the local database for authentication
 authorization exec no_ra
 login authentication no_ra
 transport input none
line vty 0 4
!
end
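As an added example (not part of Tony's post or of any Cisco tool), the script below audits a plain-text IOS configuration dump for the AAA points the post raises: a login method list that consults TACACS+/RADIUS first with a local fallback, enable authentication by the server (section 3), exec and level-15 command authorization, accounting, and lines such as the console that are bound to a method list whose only method is "none". The two sample configurations are constructed for the example: the first mirrors the complete configuration at the end of the post with secrets replaced by placeholders, the second follows the section-3 layout with command authorization and accounting added.

```python
"""Added example, not from the post: audit an IOS config dump for the AAA points
the post raises (server-first login with local fallback, enable authentication
by the server, exec/command authorization, accounting, lines bound to "none")."""
import re

# Constructed sample: the post's complete configuration, secrets replaced by placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default radius local
aaa authentication login no_ra none
aaa authorization exec default radius local
aaa authorization exec no_ra none
aaa accounting exec default start-stop radius
enable password 7 <PLACEHOLDER-TYPE7>
radius-server host 10.2.3.208 auth-port 1645 acct-port 1646
radius-server key <PLACEHOLDER-KEY>
line con 0
 authorization exec no_ra
 login authentication no_ra
line vty 0 4
"""

# Constructed sample: the post's section-3 layout plus command authorization and accounting.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+ local
aaa authentication enable default tacacs+
aaa authorization exec default tacacs+ local
aaa authorization commands 15 default tacacs+ local
aaa accounting exec default start-stop tacacs+
enable secret 5 <PLACEHOLDER-TYPE5>
tacacs-server key <PLACEHOLDER-KEY>
line con 0
 login authentication default
line vty 0 4
"""

# kind, service, optional level (commands 15), list name, methods
AAA_RE = re.compile(r'^aaa (authentication|authorization|accounting) (\S+)(?: (\d+))? (\S+) (.+)$')


def parse_config(text):
    """Return (top-level lines, {section header: [indented sub-lines]})."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith('!'):
            continue
        if line.startswith(' '):          # indented: belongs to the last top-level header
            if current is not None:
                sections[current].append(line.strip())
            continue
        current = line
        top.append(line)
        sections[current] = []
    return top, sections


def method_lists(top):
    """Map (kind, service, list name) -> [methods]; 'commands 15' keeps its level."""
    lists = {}
    for line in top:
        m = AAA_RE.match(line)
        if not m:
            continue
        kind, service, level, name, rest = m.groups()
        methods = rest.split()
        if kind == 'accounting':          # drop the record type (start-stop, stop-only, ...)
            methods = methods[1:]
        lists[(kind, f'{service} {level}' if level else service, name)] = methods
    return lists


def audit(text):
    """Return (code, severity, message) findings; an empty list means every check passed."""
    top, sections = parse_config(text)
    if 'aaa new-model' not in top:
        return [('NO_AAA', 'high', 'aaa new-model missing: AAA method lists are inactive')]
    lists, out = method_lists(top), []
    login = lists.get(('authentication', 'login', 'default'), [])
    if not login or login[0] not in ('tacacs+', 'radius', 'group'):
        out.append(('LOGIN_DEFAULT', 'high', 'login default does not consult TACACS+/RADIUS first'))
    elif 'local' not in login:
        out.append(('LOGIN_NO_FALLBACK', 'info', 'login default has no local fallback'))
    if ('authentication', 'enable', 'default') not in lists:
        out.append(('ENABLE_LOCAL', 'high', 'enable not authenticated by the server: the local '
                    'enable password alone reaches privilege 15 (post, section 3)'))
    if ('authorization', 'exec', 'default') not in lists:
        out.append(('NO_EXEC_AUTHZ', 'medium', 'no exec authorization: server cannot set privilege level'))
    if not any(k[:2] == ('authorization', 'commands 15') for k in lists):
        out.append(('NO_CMD_AUTHZ', 'medium', 'no "aaa authorization commands 15"'))
    if not any(k[0] == 'accounting' for k in lists):
        out.append(('NO_ACCOUNTING', 'info', 'no aaa accounting: sessions are not recorded on the server'))
    # A line bound to a list whose only method is "none" bypasses AAA on that line.
    for header, body in sections.items():
        for sub in body if header.startswith('line ') else []:
            m = re.match(r'(login authentication|authorization exec) (\S+)$', sub)
            if not m:
                continue
            key = ('authentication', 'login') if m.group(1).startswith('login') else ('authorization', 'exec')
            if lists.get(key + (m.group(2),)) == ['none']:
                out.append(('LINE_BYPASS', 'high', f'{header}: "{sub}" bypasses AAA (method none)'))
    if any(re.match(r'enable password( \d)? ', ln) for ln in top):
        out.append(('ENABLE_PASSWORD', 'medium', 'enable password (cleartext/type 7) instead of enable secret'))
    return out


if __name__ == '__main__':
    print(*audit(SAMPLE_CONFIG), sep='\n')
```

Run against the first sample it reports the missing enable authentication, the missing command authorization, both console bindings to the no_ra list, and the reversible enable password; the hardened sample produces no findings. The console bypass is reported as a finding rather than suppressed because the post itself notes that console logins are the path by which a user can still become supervisor.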



This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:21 GMT-3