
AAA Configuration

The document discusses AAA configuration on a router including authentication, authorization, and accounting. Authentication controls login access, authorization controls which commands users can run, and accounting logs all user activity.

Uploaded by

Khoa Huynh Dang

AAA Configuration

Objects

• ACS configuration
• Authentication
• Authorization
• Accounting
ACS Configuration
Connecting to the ACS server over HTTP

http://192.168.140.14:2002
ACS Configuration

The key must be the same as the key on the AAA client.
Authentication

R1#show running-config | section aaa


aaa new-model
aaa authentication login myauthen group tacacs+
aaa authentication login noauthen none

R1#show running-config | section tacacs-server


tacacs-server host 192.168.140.14 key cisco123
Authentication

R1#show running-config | begin line con


line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication noauthen
<..>
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login authentication myauthen
Authentication

C:\>telnet 192.168.140.13
Username: user7
Password:

R1>enable
Password:
R1#
Authorization

R1#show running-config | section aaa


aaa new-model
aaa authorization exec myexec group tacacs+
aaa authorization commands 7 mycommand7 group tacacs+

R1#show running-config | section tacacs-server


tacacs-server host 192.168.140.14 key cisco123
Authorization

R1#show running-config | section privilege


privilege configure all level 7 router
privilege configure all level 7 interface
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 show running-config
privilege exec level 7 show
Authorization

R1#show running-config | begin line con


line con 0
 exec-timeout 0 0
 logging synchronous
<..>
line vty 0 4
 exec-timeout 0 0
 authorization commands 7 mycommand7
 authorization exec myexec
Authorization

C:\>telnet 192.168.140.13
Username:user7
Password:user7

R1#show running-config
Building configuration...

Current configuration : 230 bytes


!
boot-start-marker
boot-end-marker
!
interface Loopback0
no ip address
<..>
Authorization

R1#show privilege
Command authorization failed.

R1#show flash:
Command authorization failed.

R1#configure terminal
Command authorization failed.
Authorization

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Authorization

R1(config)#interface ?
Async Async interface
BVI Bridge-Group Virtual Interface
CDMA-Ix CDMA Ix interface
CTunnel CTunnel interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
Group-Async Async Group interface
<..>

R1(config)#interface fastEthernet 0/1


R1(config-if)#ip add
R1(config-if)#ip address 1.1.1.1 255.255.255.0
R1(config-if)#

R1(config-if)#interface loopback 10
R1(config-if)#ip address 10.10.10.1 255.255.255.0
All interfaces can be configured with the full set of options! Why?
Authorization

R1(config)#router ?
bgp Border Gateway Protocol (BGP)
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
<..>

R1(config)#router rip
R1(config-router)#network 1.0.0.0

R1(config)#router ospf 1
R1(config-router)#network 1.0.0.0 0.0.0.255 area 0
All routing protocols can be configured with the full set of options! Why?
Authorization

R1#show running-config | section aaa


aaa authorization config-commands
aaa authorization exec myexec group tacacs+
aaa authorization commands 7 mycommand7 group tacacs+
Authorization

R1(config)#interface f0/1
R1(config-if)#ip address 1.1.1.1 255.255.255.0
Command authorization failed.
R1(config-if)#exit

R1(config)#interface loopback 10
Command authorization failed.
Authorization

R1(config)#int f0/1
R1(config-if)#ip address 1.1.1.1 255.255.255.0
R1(config-if)#no shutdown
Command authorization failed.
Authorization

R1(config)#router ospf 1
Command authorization failed.

R1(config)#router rip
R1(config-router)#network 1.0.0.0
Command authorization failed.
Authorization

R1(config)#router rip
R1(config-router)#network 1.0.0.0
R1(config-router)#redistribute static
Command authorization failed.
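
An added example (not part of the original slides): a small Python audit of an IOS running-config for the gap the slides demonstrate, `aaa authorization commands` configured without `aaa authorization config-commands`, plus the `none` login list, the TACACS+-only login list and `exec-timeout 0 0` seen in the R1 output. The function name `audit_aaa` and the sample config, assembled from the slide fragments with indentation restored, are assumptions.

```python
import re

# Constructed sample: R1 fragments from the slides joined, with IOS's one-space indent restored.
SAMPLE = """\
aaa new-model
aaa authentication login myauthen group tacacs+
aaa authentication login noauthen none
aaa authorization exec myexec group tacacs+
aaa authorization commands 7 mycommand7 group tacacs+
tacacs-server host 192.168.140.14 key cisco123
line con 0
 exec-timeout 0 0
 login authentication noauthen
line vty 0 4
 exec-timeout 0 0
 login authentication myauthen
 authorization commands 7 mycommand7
 authorization exec myexec
"""

def audit_aaa(config):
    """Return (scope, finding) tuples for an IOS running-config (hypothetical helper)."""
    findings, login_lists, line, cmd_authz, cfg_authz = [], {}, None, False, False
    for raw in config.splitlines():
        text = raw.strip()
        if not raw.startswith(" "):  # unindented: global command or new block
            line = text if text.startswith("line ") else None
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
        elif text.startswith("aaa authorization commands "):
            cmd_authz = True
        elif text == "aaa authorization config-commands":
            cfg_authz = True
        elif line and text == "exec-timeout 0 0":
            findings.append((line, "idle timeout disabled"))
        elif line and text.startswith("login authentication "):
            methods = login_lists.get(text.split()[2], [])
            if "none" in methods:
                findings.append((line, "login list allows access with no authentication"))
            elif methods[:1] == ["group"] and len(methods) == 2:
                findings.append((line, "login list has no fallback method"))
    if cmd_authz and not cfg_authz:
        findings.append(("global", "config-mode commands are not sent for authorization"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit_aaa(SAMPLE):
        print(f"{scope}: {finding}")
```

The audit relies on sub-commands being indented as in a real `show running-config`; the flattened slide text would need its indentation restored first.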
Accounting

R1#show running-config | section aaa


aaa accounting exec audit_exec start-stop group tacacs+
aaa accounting commands 7 audit_command7 start-stop group tacacs+
Accounting

R1#show running-config | section vty


line vty 0 4
 exec-timeout 0 0
 accounting commands 7 audit_command7
 accounting exec audit_exec
Accounting

C:\>telnet 192.168.140.13
Username:user7
Password:user7

R1(config)#interface loopback 1
R1(config-if)#

R1(config)#router rip
R1(config-router)#