Brian, thank you for your guidance.
It worked perfectly and helped me to solve a lot of confusion.
Regards,
Shahid
-----Original Message-----
From: Brian McGahan [mailto:bmcgahan_at_ine.com]
Sent: Tuesday, January 24, 2012 7:46 PM
To: Shahid Mushtaq; ccielab_at_groupstudy.com
Subject: RE: AAA Implementation
You'll need the RADIUS server to do exec authorization to assign the users
to privilege level 15 then. The config would look like this:
aaa new-model
aaa authentication login AUTHGROUP radius local
aaa authorization exec AUTHGROUP radius local
aaa authentication enable default enable
!
enable password XXXX
username ABC privilege 1 password XYZ
radius-server host 10.1.1.1
radius-server key XXXX
!
line vty 0 4
login authentication AUTHGROUP
authorization exec AUTHGROUP
Then for the user's settings on the radius server under the cisco-avpair add
"shell:priv-lvl=15"
What this will do is that if the user authenticates and the RADIUS server is
available it will authorize them to privilege level 15 automatically. If
the RADIUS server is unavailable it will authorize them locally to privilege
level 1, and then if they want to get to privilege 15 they'll have to use
the regular enable password.
HTH,
Brian McGahan, CCIE #8593 (R&S/SP/Security) bmcgahan_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Shahid Mushtaq
Sent: Tuesday, January 24, 2012 1:45 AM
To: ccielab_at_groupstudy.com
Subject: AAA Implementation
Dears,
I have set up AAA authentication with a RADIUS server, which is working for
telnet sessions, but I want to tune it in the following way.
Ask for "Enable password" only when the radius server is not available.
I have the following configs
======================================
aaa new-model
aaa authentication login AUTHGROUP radius local
aaa authentication enable default none
enable password XXXX
username ABC privilege 15 password XYZ
radius-server host 10.1.1.1
radius-server key XXXX
line vty 0 4
login authentication AUTHGROUP
========================================
Regards,
Shahid
Received on Wed Jan 25 2012 - 19:46:26 ART
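Added example, not part of the original thread: a small Python model of the fallback behaviour Brian's reply describes, run against his configuration with the RADIUS server reachable and unreachable. The function names, the `radius_priv` parameter (standing in for the `shell:priv-lvl` value the server returns), and the rule that a session without exec authorization starts at level 1 are assumptions of this sketch.

```python
# Constructed sample: the configuration from the reply above.
REPLY_CONFIG = """\
aaa new-model
aaa authentication login AUTHGROUP radius local
aaa authorization exec AUTHGROUP radius local
aaa authentication enable default enable
enable password XXXX
username ABC privilege 1 password XYZ
line vty 0 4
 login authentication AUTHGROUP
 authorization exec AUTHGROUP
"""

def parse(config):
    """Collect AAA method lists, local user privileges and the vty bindings."""
    lists, users, vty = {}, {}, {}
    for line in config.splitlines():
        w = line.split()
        if len(w) > 4 and w[0] == "aaa" and w[1] in ("authentication", "authorization"):
            lists[(w[1], w[2], w[3])] = w[4:]   # (kind, service, list name) -> methods
        elif w[:1] == ["username"] and "privilege" in w:
            users[w[1]] = int(w[w.index("privilege") + 1])
        elif w[:2] == ["login", "authentication"]:
            vty["login"] = w[2]
        elif w[:2] == ["authorization", "exec"]:
            vty["exec"] = w[2]
    return lists, users, vty

def first_usable(methods, radius_up):
    """A method list moves to the next method only when the current one does not respond."""
    for m in methods:
        if m != "radius" or radius_up:
            return m
    return None

def outcome(config, user, radius_up, radius_priv=15):
    """Return what a vty login looks like for `user` (radius_priv is an assumed server reply)."""
    lists, users, vty = parse(config)
    login = first_usable(lists[("authentication", "login", vty["login"])], radius_up)
    priv = 1  # model assumption: without exec authorization the session starts at level 1
    if "exec" in vty:
        src = first_usable(lists[("authorization", "exec", vty["exec"])], radius_up)
        priv = radius_priv if src == "radius" else users.get(user, 1)
    enable = lists.get(("authentication", "enable", "default"), ["enable"])[0]
    return {"login": login, "exec_priv": priv, "needs_enable": priv < 15, "enable_method": enable}

if __name__ == "__main__":
    for up in (True, False):
        print("RADIUS up" if up else "RADIUS down", outcome(REPLY_CONFIG, "ABC", up))
```

An `enable_method` of `none` in the output means the `enable` command is not challenged at all, which is worth checking for whenever `needs_enable` is true.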