
@derek-shnosh
Last active September 19, 2024 16:07
AAA Explained - Reddit

I'll step through the relevant commands from your config snippet.

Create a local user

This local admin user will be given priv-15 access if used for auth. Note that secret 5 is a type 5 (MD5) hash; on current IOS/IOS-XE, type 8 (PBKDF2-SHA256) or type 9 (scrypt) secrets are preferred because MD5 is cheap to brute-force offline.

username admin privilege 15 secret 5 <encrypted password>

Create an AAA server group

Define the TACACS+ servers inside a group named TACACS_SERVER (server-private keeps them local to the group rather than using globally defined servers). Configure the router/switch to source requests from the Lo0 interface; this matters because the TACACS+ server identifies the network device by the source address of its requests, so the device must be defined on the server with its Loopback0 address. The key 7 strings are Cisco type 7 obfuscation, which anyone who can read the configuration can reverse, so treat the config itself as holding the key.

aaa group server tacacs+ TACACS_SERVER
  server-private 1.1.1.1 key 7 <key1>
  server-private 1.1.1.2 key 7 <key2>
  ip tacacs source-interface Loopback0
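To make the key 7 caveat concrete, here is an added example (not code from the original gist) that reverses IOS type 7 strings: a two-digit decimal seed followed by the key bytes XORed with a fixed, well-known table. The key 7 values in the sample group below are constructed here with encode_type7, since the gist only shows placeholders; the server addresses and group name are copied from the snippet.

```python
"""Reverse a Cisco IOS type 7 string, the form used by `key 7 <key>` above.

Added example, not part of the original gist. Type 7 is a fixed-key XOR
obfuscation (XLAT is the well-known IOS table), not encryption: anyone who
can read the running-config recovers the TACACS+ key. The key 7 strings in
SAMPLE_GROUP are constructed with encode_type7 for this example.
"""
import re

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(value):
    """Two-digit decimal seed, then hex byte pairs XORed with XLAT[seed + i]."""
    if len(value) < 4 or len(value) % 2 or not value[:2].isdigit():
        raise ValueError(f"not a type 7 string: {value!r}")
    seed = int(value[:2])
    body = bytes.fromhex(value[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode("ascii")


def encode_type7(plain, seed=9):
    """Inverse of decode_type7 (XOR is its own inverse). IOS itself uses small seeds."""
    if not 0 <= seed <= 99:
        raise ValueError("seed must fit in two decimal digits")
    body = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain.encode("ascii")))
    return f"{seed:02d}{body.hex().upper()}"


# Matches `... key 7 <hex>` and `... password 7 <hex>` lines in a config dump.
TYPE7_LINE = re.compile(r"^\s*(?P<cmd>\S.*?)\s(?:key|password) 7 (?P<val>\d{2}[0-9A-Fa-f]+)\s*$")


def recover_type7(config_text):
    """Return [(command prefix, cleartext)] for every key 7 / password 7 line."""
    out = []
    for line in config_text.splitlines():
        m = TYPE7_LINE.match(line)
        if m:
            out.append((m.group("cmd"), decode_type7(m.group("val"))))
    return out


# Constructed config fragment modelled on the server group in the gist;
# the two keys are hypothetical values obfuscated here for the demo.
SAMPLE_GROUP = "\n".join([
    "aaa group server tacacs+ TACACS_SERVER",
    f" server-private 1.1.1.1 key 7 {encode_type7('t4c4cs-key-one', seed=3)}",
    f" server-private 1.1.1.2 key 7 {encode_type7('t4c4cs-key-two', seed=11)}",
    " ip tacacs source-interface Loopback0",
])

if __name__ == "__main__":
    for cmd, secret in recover_type7(SAMPLE_GROUP):
        print(f"{cmd} -> {secret}")
```

The classic test vector `password 7 094F471A1A0A` decodes to `cisco`; running the block on a real `show running-config` dump will list every TACACS+ key and line password in the clear, which is why config backups and show outputs need the same handling as the keys themselves.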

Create an AAA authentication method named SSH

First attempts authentication via the TACACS_SERVER AAA server group, and falls back to local user authentication if the servers in the group are unreachable. The fallback only happens when no TACACS+ server responds; a server that answers and rejects the credentials is a failed login, not a fall-through to the local database.

aaa authentication login SSH group TACACS_SERVER local

Create another AAA authentication method named CONSOLE

This login method requires no login. I prefer local here (in place of none), regardless of physical security. Worried about forgetting the local password? It's a non-issue with a well-maintained password vault.

aaa authentication login CONSOLE none

Create an AAA authorization method named SSH

Authorize users for exec (shell) access using the servers in the TACACS_SERVER group, falling back to local user authorization if the servers in the group are unreachable. The privilege level the TACACS+ server returns for the user (e.g. priv-lvl 15) decides whether they land directly in enable mode.

aaa authorization exec SSH group TACACS_SERVER local

Create an AAA accounting method

Send accounting messages to the globally configured TACACS+ servers. This should be group TACACS_SERVER to be explicit: group tacacs+ refers to servers defined globally with tacacs server, not to the server-private entries inside the group, so naming the group is what ties accounting to the servers the snippet actually defines. Also note that system accounting only records system-level events such as reloads; to log user sessions and the commands they run, add aaa accounting exec and aaa accounting commands 15 lists as well.

aaa accounting system default start-stop group tacacs+

Configure the console port line parameters

  • login authentication CONSOLE references the CONSOLE AAA authentication method (which requires no login at all), so anyone with physical access to the console port gets an exec session without logging in.
line con 0
  logging synchronous
  login authentication CONSOLE
  stopbits 1

Configure VTY line parameters

You generally want to modify line configs with line vty 0 15. They'll still show in the running/startup configuration as separate groups, but you can apply the config to all available VTY lines that way. In this snippet, line vty 5 15 has neither login authentication SSH nor authorization exec SSH, so a session that lands on one of those lines (the sixth concurrent SSH session onward) uses the default method lists rather than the TACACS-backed ones; configuring line vty 0 15 avoids that gap.

  • transport input ssh means the VTY lines will only accept SSH requests (no telnet/etc).
  • exec-timeout defines how long an idle VTY session survives before it is closed; exec-timeout 30 0 is 30 minutes, 0 seconds.
  • access-class uses an access-list to allow/deny SSH connections; the vrf-also keyword also accepts (and filters) connections arriving on interfaces that belong to a VRF, which are otherwise refused.
  • login authentication SSH says that the AAA authentication method named SSH will be used for user authentication; meaning that first it will try authentication via the servers in the TACACS_SERVER group, then fall back to local if they're unreachable.
  • authorization exec SSH says that the AAA authorization method named SSH will be used to authorize users for exec level access (enable); again, meaning that first it will try authorization via the servers in the TACACS_SERVER group, then fall back to local if they're unreachable.
line vty 0 4
  access-class net-mgmt-access in vrf-also
  exec-timeout 30 0
  authorization exec SSH
  logging synchronous
  login authentication SSH
  transport input ssh
line vty 5 15
  access-class net-mgmt-access in vrf-also
  exec-timeout 30 0
  transport input ssh
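Pulling the walkthrough together, here is an added example (not code from the original gist or the poster's device) that audits an IOS-style config for the points raised above: a login method list containing none, VTY lines that do not reference the named SSH method lists, missing transport/ACL/idle-timeout settings, a type 5 secret, reversible key 7 strings, and an accounting list that names group tacacs+ with no global TACACS+ server defined. SAMPLE_CONFIG is constructed from the snippet on this page with a placeholder hash; the checks encode this page's recommendations, not a vendor hardening baseline.

```python
"""Audit the AAA and line configuration walked through above.

Added example, not part of the original gist. Parses IOS-style config text
into top-level commands plus the children of each `line ...` block and
reports the gaps the walkthrough calls out. SAMPLE_CONFIG is constructed
from the snippet on the page (the secret hash is a placeholder).
"""
import re
from collections import OrderedDict

SAMPLE_CONFIG = """\
aaa new-model
username admin privilege 15 secret 5 $1$placeholder$hashgoeshere
aaa group server tacacs+ TACACS_SERVER
 server-private 1.1.1.1 key 7 <key1>
 server-private 1.1.1.2 key 7 <key2>
 ip tacacs source-interface Loopback0
aaa authentication login SSH group TACACS_SERVER local
aaa authentication login CONSOLE none
aaa authorization exec SSH group TACACS_SERVER local
aaa accounting system default start-stop group tacacs+
line con 0
 logging synchronous
 login authentication CONSOLE
 stopbits 1
line vty 0 4
 access-class net-mgmt-access in vrf-also
 exec-timeout 30 0
 authorization exec SSH
 logging synchronous
 login authentication SSH
 transport input ssh
line vty 5 15
 access-class net-mgmt-access in vrf-also
 exec-timeout 30 0
 transport input ssh
"""


def parse_config(text):
    """Return (top-level commands, {line name: [child commands]}); only line blocks keep children."""
    top, lines, current = [], OrderedDict(), None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                lines[current].append(raw.strip())
            continue
        cmd = raw.strip()
        top.append(cmd)
        current = None
        if cmd.startswith("line "):
            current = cmd[len("line "):]
            lines[current] = []
    return top, lines


def method_lists(top):
    """Map (kind, list name) -> method tokens, e.g. ('authentication login', 'SSH')."""
    lists = {}
    for cmd in top:
        m = re.match(r"aaa (authentication login|authorization exec) (\S+) (.+)$", cmd)
        if m:
            lists[(m.group(1), m.group(2))] = m.group(3).split()
    return lists


def child_arg(children, prefix):
    """Argument text of the first child command starting with prefix, else None."""
    for c in children:
        if c == prefix or c.startswith(prefix + " "):
            return c[len(prefix):].strip()
    return None


def audit(text):
    """Return a list of 'where: problem' findings for the config text."""
    top, lines = parse_config(text)
    lists = method_lists(top)
    findings = []
    global_tacacs = any(c.startswith(("tacacs server ", "tacacs-server host ")) for c in top)
    for cmd in top:
        if re.search(r"\bsecret 5 ", cmd):
            findings.append(f"{' '.join(cmd.split()[:2])}: type 5 (MD5) secret, prefer type 8 or 9")
        if cmd.startswith("aaa accounting") and cmd.endswith("group tacacs+") and not global_tacacs:
            findings.append("accounting: 'group tacacs+' but no global TACACS+ server, name the server group")
    if re.search(r"\bkey 7 ", text):
        findings.append("tacacs: 'key 7' is reversible obfuscation, treat the config as holding the key")
    for name, children in lines.items():
        login = child_arg(children, "login authentication")
        if login is None:
            findings.append(f"{name}: no login authentication, the default list applies")
        elif "none" in lists.get(("authentication login", login), []):
            findings.append(f"{name}: login list {login} contains none, no login required")
        if not name.startswith("vty"):
            continue  # the remaining checks only make sense for remote-access lines
        if child_arg(children, "authorization exec") is None:
            findings.append(f"{name}: no authorization exec, the default list applies")
        if child_arg(children, "transport input") != "ssh":
            findings.append(f"{name}: transport input is not ssh-only")
        if child_arg(children, "access-class") is None:
            findings.append(f"{name}: no access-class restricting management sources")
        if child_arg(children, "exec-timeout") in (None, "0 0"):
            findings.append(f"{name}: no idle exec-timeout")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```

On the sample, line vty 0 4 produces no findings while line vty 5 15 is flagged twice (no login authentication, no authorization exec), which is exactly the gap that configuring line vty 0 15 closes; the console line is flagged for its none method list.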

Further Reading
