AAA authentication (I am who I say I am) on the console works just fine. AAA
_authorization_ (I am allowed to perform this action) is NOT functional on the
console.
The authorization step is where you can have TACACS+ vet individual commands
before executing and similar tasks. In my previous life, I really just used it
to instant-enable senior NOC people (they got priv 15 on login) and to log
logins and changes and other things per-user.
On the broken AAA note - you should always think about what happens when AAA is
unavailable when designing your AAA strategy. It depends on what your goal is.
I felt I had reasonable physical security on the consoles. My goal was to have
accountability and change control, as well as being able to add and remove
support personnel from router access in a timely manner without having to change
passwords on every router in the network (>100).
We elected to implement TACACS+ as the first authentication method and leave our
old, single administrative user intact as a backup. We did not install this
single admin user in TACACS+. Since the order went tacacs, local, the router
would not fall-through to local, because TACACS+ positively responded with an
authentication failure (which is different from TACACS+ being unavailable). So,
this login would only work if it was needed, when the TACACS+ server was
unavailable. This kept everybody from abusing it by accident or finger-memory,
and everybody admin'ing the routers was trusted enough not to abuse it on
purpose (DoS the AAA server or something stupid to login). We changed the single
admin user password on a decently regular basis.
Jason Young
CNS - Network Design, Anheuser-Busch
(314)577-4597
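The fall-through behaviour Jason describes (a TACACS+ reject is final; only an unreachable server lets IOS move on to the next method) is easy to get wrong when designing a backup login. The following Python model is an added example, not code from the thread or from Cisco; the user names and passwords are constructed sample data, and the method-list walk is a simplified stand-in for IOS's `aaa authentication login default group tacacs+ local` evaluation.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method accepted the credentials
    FAIL = "fail"    # method positively rejected them (no fall-through)
    ERROR = "error"  # method could not be consulted (server unreachable)


# Constructed sample accounts, not real credentials.
TACACS_USERS = {"alice": "alice-pw"}   # NOC staff are defined in TACACS+ only
LOCAL_USERS = {"admin": "backup-pw"}   # single local backup user, NOT in TACACS+


def tacacs_method(user, password, server_up):
    """Emulates 'group tacacs+': reject is a FAIL, unreachable is an ERROR."""
    if not server_up:
        return Result.ERROR
    return Result.PASS if TACACS_USERS.get(user) == password else Result.FAIL


def local_method(user, password, server_up):
    """Emulates 'local': the router's own user database is always reachable."""
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


METHOD_LIST = [tacacs_method, local_method]   # order matters: tacacs+, then local


def login(user, password, server_up):
    """Walk the method list as IOS does: only an ERROR moves to the next method.

    Returns (result, name of the method that decided), so the reader can see
    which method actually answered.
    """
    for method in METHOD_LIST:
        result = method(user, password, server_up)
        if result is not Result.ERROR:
            return result, method.__name__
    # Every method errored out; IOS denies the login in that case.
    return Result.FAIL, "none"
```

With the server up, the local `admin` account is rejected by TACACS+ and never reaches the local database; it only works once the server is unreachable, which is exactly the property the backup account relies on.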
> -----Original Message-----
> From: George Robbins [mailto:grr@shandakor.tharsis.com]
> Sent: Wednesday, March 28, 2001 1:56 PM
> To: bigeric123@hotmail.com; bri@sonicboom.org;
> cisco-nsp@puck.nether.net; Jason.Young@anheuser-busch.com
> Subject: Re: [nsp] tacas bugs ??
>
>
> Sounds like confusion to me - you want to add
>
> aaa authentication console ...
>
> The trick isn't getting aaa to work, it's getting to let you in
> when your router can't talk to the tacacs server. 8-)
>
> George
>
>
> > From cisco-nsp-request@puck.nether.net Wed Mar 28 14:31:56 2001
> > Resent-Date: Wed, 28 Mar 2001 12:06:45 -0500
> > Received-Date: Wed, 28 Mar 2001 12:04:35 -0500
> > From: "Brian" <bri@sonicboom.org>
> > To: "Young, Jason" <Jason.Young@anheuser-busch.com>,
> > "'eric chan'" <bigeric123@hotmail.com>,
> <cisco-nsp@puck.nether.net>
> > References: <DDF5392E0FB3D41196C10008C7D9AE5D02686464@STLABCEXG022>
> > Subject: Re: [nsp] tacas bugs ??
> > Date: Wed, 28 Mar 2001 09:02:35 -0800
> > Resent-From: cisco-nsp@puck.nether.net
> > X-Mailing-List: <cisco-nsp@puck.nether.net> archive/latest/5910
> > X-Loop: cisco-nsp@puck.nether.net
> > Precedence: list
> > Resent-Sender: cisco-nsp-request@puck.nether.net
> >
> > Just goes to show you that physical security is part of any security policy.
> >
> > Bri
> >
> > ----- Original Message -----
> > From: "Young, Jason" <Jason.Young@anheuser-busch.com>
> > To: "'eric chan'" <bigeric123@hotmail.com>;
> <cisco-nsp@puck.nether.net>
> > Sent: Wednesday, March 28, 2001 5:58 AM
> > Subject: RE: [nsp] tacas bugs ??
> >
> >
> > >
> > > AAA authorization is not applied to the console port. I ran into this
> > > while configuring TACACS+ on all of our routers in my previous life. I
> > > forget exactly what Cisco's rationalization for this is (something to do
> > > with functionality in case the TACACS+ server fails), but it's documented
> > > in several places.
> > >
> > > http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt1/scauthor.htm#xtocid225285
> >
> > Jason Young
> > CNS - Network Design, Anheuser-Busch
> > (314)577-4597
> >
> >
> > > -----Original Message-----
> > > From: eric chan [mailto:bigeric123@hotmail.com]
> > > Sent: Wednesday, March 28, 2001 12:21 AM
> > > To: cisco-nsp@puck.nether.net
> > > Subject: [nsp] tacas bugs ??
> > >
> > >
> > > i have setup tacacs with cisco router for access control
> > >
> > > aaa authentication login default group tacacs+ line
> > > aaa authentication enable default group tacacs+ enable
> > > aaa authorization commands 15 default group tacacs+ none
> > >
> > > it works very well in telnet session. however, when i access via
> > > console, the authorization part failed, all users can type any command
> > > in enable mode. do you have any idea ?? is enable mode through console
> > > not using level 15 ? thanks
> > >
> > >
> > >
> > > eric
> > >
> >
>
>
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:33 EDT