[c-nsp] TACACS+ exec authorisation not working on Cisco 2960CG

Rich Lewis RLewis at sis.tv
Wed Jul 30 15:01:20 EDT 2014


Am I correct in thinking that none of this fancy enable authentication, authorization and accounting stuff is available if you use RADIUS rather than TACACS+?

And if so, is there a way (that people are happy implementing) to get TACACS+ without buying Cisco ACS or ISE? (Don't expect you to answer this bit Javier! ;-)

Thanks
Rich.


> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Javier
> Henderson (javier)
> Sent: 30 July 2014 17:31
> 
> Since you have “aaa authorization exec …” in your config, the privilege level for the
> users could be assigned by the TACACS+ server, then the users would get that
> upon log-in rather than having to type enable and enter a password.
> 
> You may want to add command accounting, to keep an audit trail of commands
> executed on your IOS devices:
> 
> aaa accounting commands 1 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Andrew Wentzell
> Sent: 30 July 2014 14:48
>
> You will need to add something like:
> 
>   aaa authentication enable default group tacacs+ enable
>
> You will also most likely want to add, at a minimum:
> 
>   aaa authorization config-commands
>   aaa authorization commands 15 default group tacacs+ local if-authenticated
> 
> AAA configuration is non-intuitive to say the least.
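One way to check a switch's running-config for the AAA lines raised in the quoted replies, as an added example that is not part of the original thread: the two config fragments, the 192.0.2.10 server address and the EXAMPLE_KEY value are constructed, and the set of checks is an assumption about what a complete TACACS+ exec/command AAA setup on IOS should contain.

```python
import re

# Constructed "before" config: roughly what the thread describes on the 2960CG,
# with exec authorisation present but enable authentication, command
# authorisation and command accounting missing. Server address and key are
# placeholders, not values from the thread.
BEFORE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
tacacs-server host 192.0.2.10 key EXAMPLE_KEY
"""

# Constructed "after" config: the same fragment plus the lines suggested in
# Andrew's and Javier's replies.
AFTER = BEFORE + """\
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

# Each check is a name and a regex matched against a single config line.
# "\S+" stands for the method-list name (usually "default").
CHECKS = {
    "exec-authz": r"^aaa authorization exec \S+ group tacacs\+",
    "enable-authn": r"^aaa authentication enable \S+ group tacacs\+",
    "config-commands": r"^aaa authorization config-commands$",
    "cmd-authz-15": r"^aaa authorization commands 15 \S+ group tacacs\+",
    "cmd-acct-1": r"^aaa accounting commands 1 \S+ start-stop group tacacs\+",
    "cmd-acct-15": r"^aaa accounting commands 15 \S+ start-stop group tacacs\+",
}


def audit_aaa(config: str) -> dict:
    """Return {check_name: True/False} for each AAA line the thread discusses."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    return {name: any(re.match(pat, ln) for ln in lines)
            for name, pat in CHECKS.items()}


def missing(config: str) -> list:
    """Names of the checks that fail, in CHECKS order, for a short report."""
    result = audit_aaa(config)
    return [name for name in CHECKS if not result[name]]


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: missing {missing(cfg) or 'nothing'}")
```

Feed it the output of `show running-config | include ^aaa` from a real device to get the same report for that switch.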


