R1(config)#username vamsi password krishna
By default this is saved in clear text.
Alternatives:
-----------
1) username vamsi secret cisco - hashes the password with MD5, which is type 5
2) service password-encryption - converts all clear-text passwords on the box to type 7 encryption,
which is reversible
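As an added example (not part of the original notes), a small Python audit that scans a constructed running-config for the storage types listed above and flags the recoverable ones (clear text and type 7) while accepting type 5 secrets; every username, password and hash in the sample is made up.

```python
"""Audit a Cisco IOS config for weak password storage (added example).

Flags the storage types the notes describe: clear text (`password` or
`password 0`), reversible type 7 (`password 7`, what service
password-encryption produces) and the preferred MD5 secret (type 5).
"""
import re

# Constructed sample running-config: users, passwords and the hash are made up.
SAMPLE_CONFIG = """\
service password-encryption
username vamsi password krishna
username ops privilege 5 password 0 cisco
username backup password 7 0822455D0A16
username admin secret cisco
username auditor secret 5 $1$EXAM$placeholderhashvalue000000
enable password CISCO123
enable secret CISCO123
line vty 0 4
 password starent
 login local
"""

# Matches three shapes:
#   username NAME [...] password|secret [TYPE] VALUE
#   enable password|secret [TYPE] VALUE
#    password [TYPE] VALUE              (line password under line con/vty)
CRED_RE = re.compile(
    r"^\s*(?:(?P<user>username\s+\S+)(?:\s+\S+)*?|(?P<enable>enable))?\s*"
    r"(?P<kw>password|secret)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)

SEVERITY = {"clear": "high", "type7": "high", "type5": "ok",
            "other-secret": "ok", "other-password": "review"}


def classify(keyword, type_code):
    """Map keyword/type to the storage class used in the notes above."""
    if keyword == "secret":
        # `secret` with no type, or type 5, is an MD5 hash. Types 8/9 exist on
        # newer IOS and are not covered by the notes; treat them as non-weak.
        return "type5" if type_code in (None, "5") else "other-secret"
    if type_code in (None, "0"):
        return "clear"
    if type_code == "7":
        return "type7"
    return "other-password"


def audit_config(config_text):
    """Return (findings, service_password_encryption_enabled).

    findings is a list of (subject, storage, severity), one per credential line.
    """
    findings, spe_enabled = [], False
    for raw in config_text.splitlines():
        if raw.strip() == "service password-encryption":
            spe_enabled = True
            continue
        m = CRED_RE.match(raw)
        if not m:
            continue
        subject = m.group("user") or m.group("enable") or "line password"
        storage = classify(m.group("kw"), m.group("type"))
        findings.append((subject, storage, SEVERITY[storage]))
    return findings, spe_enabled


def weak_subjects(findings):
    """Subjects whose credential can be recovered from the config (clear or type 7)."""
    return [subject for subject, _, severity in findings if severity == "high"]


if __name__ == "__main__":
    found, spe = audit_config(SAMPLE_CONFIG)
    print("service password-encryption:", "on" if spe else "off")
    for subject, storage, severity in found:
        print(f"{severity:6} {storage:14} {subject}")
```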
Modes:
=====
exec --- R1#
config --- R1(config)#
interface --- R1(config-if)#
Without aaa:
=========
username vamsi privilege 5 password 0 cisco
line vty 0 4
login local
When vamsi logs in he gets privilege level 5.
With aaa:
======
1) aaa new-model
aaa authentication login LOCAL_DATABASE group tacacs+ local
line vty 0 4
password starent
login authentication LOCAL_DATABASE
By default, when vamsi logs in he gets privilege level 1 at login and 15 at the enable (privileged exec) level.
2) To change the authorization of commands at different privilege levels when aaa new-model is enabled:
aaa authorization exec EXEC_AUTHOR group tacacs+ local
aaa authorization commands 0 TACACS_AU group tacacs+
aaa authorization commands 1 TACACS_AU group tacacs+
aaa authorization commands 15 TACACS_AU group tacacs+
line vty 0 4
password starent
authorization commands 0 TACACS_AU
authorization commands 1 TACACS_AU
authorization commands 15 TACACS_AU
authorization exec EXEC_AUTHOR
login authentication LOCAL_DATABASE
R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Username: vamsi
Password:
R1>en
% Authorization failed
R1>show pri
% Authorization failed
To fix the above:
aaa new-model
aaa authentication login LOCAL_DATABASE group tacacs+ local
aaa authorization config-commands
aaa authorization exec EXEC_AUTHOR group tacacs+ local
aaa authorization commands 0 TACACS_AU group tacacs+ none
aaa authorization commands 1 TACACS_AU group tacacs+ none
aaa authorization commands 15 TACACS_AU group tacacs+ none
line vty 0 4
password starent
authorization commands 0 TACACS_AU
authorization commands 1 TACACS_AU
authorization commands 15 TACACS_AU
authorization exec EXEC_AUTHOR
login authentication LOCAL_DATABASE
R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Username: vamsi
Password:
R1>en
Password:
R1#show privilege
Current privilege level is 15
R1#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#end
R1#show ip int br
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            unassigned      YES unset  administratively down down
GigabitEthernet0/0     10.1.1.1        YES manual up                    up
FastEthernet1/0        unassigned      YES unset  administratively down down
FastEthernet1/1        unassigned      YES unset  administratively down down
Ethernet2/0            unassigned      YES unset  administratively down down
Ethernet2/1            unassigned      YES unset  administratively down down
Ethernet2/2            unassigned      YES unset  administratively down down
Ethernet2/3            unassigned      YES unset  administratively down down
R1#
3) Moving commands between privilege levels.
Task: Vamsi is assigned privilege 5 and must be able to enter global configuration mode and add an IP address to an interface.
Normal process:
-->
R3#show running-config | sec vty|user
username pri password 0 cisco
line vty 0 4
login local
R1#telnet 20.1.1.2
Trying 20.1.1.2 ... Open
User Access Verification
Username: pri
Password:
R3#show run
^
% Invalid input detected at '^' marker.
R3#conf t
^
% Invalid input detected at '^' marker.
R3#show privilege
Current privilege level is 5
-->
R3(config)#privilege exec level 5 configure terminal
Commands added to the running-config:
privilege exec level 5 configure terminal
privilege exec level 5 configure
On the Telnet session:
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#interface fa1/0
^
% Invalid input detected at '^' marker.
-->
R3(config)#privilege configure level 5 interface
On the Telnet session:
R3(config)#interface fa1/0
R3(config-if)#
R3(config-if)#ip address ?
% Unrecognized command
-->
R3(config)#privilege interface level 5 ip address
Commands added to the running-config:
privilege interface level 5 ip address
privilege interface level 5 ip
On the Telnet session:
R3(config-if)#ip address 30.1.1.1 255.255.255.0
R3(config-if)#ipv6 address ?
% Unrecognized command
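The walk-through above, replayed as an added toy model (not IOS code) of how a `privilege` statement lowers a command and each of its prefixes, and why the level-5 user can then reach `ip address` but not `ipv6 address`. The default command levels in the table are constructed for the commands that appear in the notes only.

```python
"""Toy model of `privilege <mode> level N <command>` (added example, not IOS code).

Assumptions: unlisted commands default to level 15 in this table; a level-L
user may run a command whose level is <= L; moving a multi-word command also
moves each of its prefixes, which is why IOS shows the extra
`privilege exec level 5 configure` line in the running-config.
"""

DEFAULT_LEVEL = 15


class PrivilegeTable:
    def __init__(self):
        # mode -> {command words -> level}. Constructed defaults for the commands
        # that appear in the walk-through; real IOS has a much larger table.
        self.levels = {
            "exec": {("show", "privilege"): 1, ("show", "running-config"): 15,
                     ("configure", "terminal"): 15},
            "configure": {("interface",): 15},
            "interface": {("ip", "address"): 15, ("ipv6", "address"): 15},
        }

    def privilege(self, mode, level, command):
        """Apply `privilege MODE level LEVEL COMMAND`; return the running-config
        lines that result (the full command first, then each shorter prefix)."""
        words = tuple(command.split())
        table = self.levels.setdefault(mode, {})
        lines = []
        for n in range(len(words), 0, -1):
            prefix = words[:n]
            # Lower the prefix to the new level; never raise a prefix that is
            # already reachable at a lower level (e.g. `show` at level 1).
            table[prefix] = min(table.get(prefix, DEFAULT_LEVEL), level)
            lines.append(f"privilege {mode} level {table[prefix]} {' '.join(prefix)}")
        return lines

    def can_run(self, mode, user_level, command):
        """The longest registered prefix of the command decides the required level."""
        words = tuple(command.split())
        table = self.levels.get(mode, {})
        for n in range(len(words), 0, -1):
            if words[:n] in table:
                return user_level >= table[words[:n]]
        return user_level >= DEFAULT_LEVEL


def walkthrough(user_level=5):
    """Replay the three steps of the walk-through above for a level-5 user."""
    t = PrivilegeTable()
    steps = {}
    steps["before"] = (t.can_run("exec", user_level, "show privilege"),
                       t.can_run("exec", user_level, "show running-config"),
                       t.can_run("exec", user_level, "configure terminal"))
    steps["exec_lines"] = t.privilege("exec", user_level, "configure terminal")
    steps["after_exec"] = (t.can_run("exec", user_level, "configure terminal"),
                           t.can_run("configure", user_level, "interface fa1/0"))
    t.privilege("configure", user_level, "interface")
    steps["interface_lines"] = t.privilege("interface", user_level, "ip address")
    steps["after_interface"] = (
        t.can_run("configure", user_level, "interface fa1/0"),
        t.can_run("interface", user_level, "ip address 30.1.1.1 255.255.255.0"),
        t.can_run("interface", user_level, "ipv6 address 2001:db8::1/64"),
    )
    return steps
```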
Role-Based CLI Access (logging in using views instead of privilege levels)
----------------------
R2#show run | sec user|vty
aaa authorization exec default local
username infy view view1 password 0 cisco
parser view view1
secret 5 $1$u2AH$mvoK9aVion/jmSLpUW0B20
commands router include all network
commands configure include all router
commands exec include all show
commands exec include configure terminal
line vty 0 4
On Telnet:
R1#telnet 10.1.1.2
Trying 10.1.1.2 ... Open
User Access Verification
Username: infy
Password:
R2>show parser view
Current view is 'view1'
R2>show privi
Currently in View Context with view 'view1'
R2>show run
Building configuration...
Current configuration : 76 bytes
!
! Last configuration change at 21:05:21 UTC Wed Nov 4 2015
!
!
!
!
!
end
R2>show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/24 is directly connected, GigabitEthernet0/0
L 10.1.1.2/32 is directly connected, GigabitEthernet0/0
R2>show ip int br
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            unassigned      YES unset  administratively down down
GigabitEthernet0/0     10.1.1.2        YES manual up                    up
FastEthernet1/0        unassigned      YES unset  administratively down down
FastEthernet1/1        unassigned      YES unset  administratively down down
Ethernet2/0            unassigned      YES unset  administratively down down
Ethernet2/1            unassigned      YES unset  administratively down down
Ethernet2/2            unassigned      YES unset  administratively down down
Ethernet2/3            unassigned      YES unset  administratively down down
R2>conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)>end
^
% Invalid input detected at '^' marker.
R2(config)>exit
Change logging (Archiving):
---------------------------
-->R2#show running-config | sec archive
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
-->On Telnet:
R2>conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)>exit
R2>conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
R2>show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/24 is directly connected, GigabitEthernet0/0
L 10.1.1.2/32 is directly connected, GigabitEthernet0/0
R2>
--> On Console:
R2#show archive log config all
 idx   sess          user@line   Logged command
   1      1    console@console | logging enable
   2      1    console@console | logging size 100
   3      1    console@console | notify syslog
   4      2          infy@vty0 | configure
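As an added example (not from the notes), a Python parser for the `show archive log config all` output above plus two checks a reviewer of the change log would want: which changes came in over a vty rather than the console, and which touched sensitive configuration. The first four log entries are the ones shown above; entries 5 and 6 and the watch list are constructed.

```python
"""Parse `show archive log config all` output and flag config changes worth a
look (added example, not from the notes). Entries 1-4 are the ones shown above;
entries 5 and 6 are constructed to exercise the checks.
"""
import re

SAMPLE_OUTPUT = """\
 idx  sess       user@line   Logged command
   1     1  console@console | logging enable
   2     1  console@console | logging size 100
   3     1  console@console | notify syslog
   4     2        infy@vty0 |configure
   5     2        infy@vty0 | interface GigabitEthernet0/0
   6     3       admin@vty1 | no logging enable
"""

# idx, session, user@line, then the logged command after the pipe
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)@(\S+)\s*\|\s*(.*?)\s*$")

# Commands worth an alert when they appear in the change log (constructed list).
WATCH_PREFIXES = ("no logging", "no archive", "username", "aaa ", "no aaa",
                  "privilege ", "parser view", "line vty", "enable ")


def parse_archive_log(text):
    """Return one dict per logged command; the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        idx, sess, user, src, cmd = m.groups()
        entries.append({"idx": int(idx), "session": int(sess), "user": user,
                        "line": src, "command": cmd})
    return entries


def flag_entries(entries):
    """Tag each entry with the reasons it deserves attention.

    remote  : change made over a vty (not the console), like infy's session above
    watched : command starts with a sensitive prefix (AAA, logging, views, lines)
    """
    flagged = []
    for e in entries:
        reasons = []
        if not e["line"].startswith("console"):
            reasons.append("remote")
        if any(e["command"].startswith(p) for p in WATCH_PREFIXES):
            reasons.append("watched")
        if reasons:
            flagged.append((e["idx"], e["user"] + "@" + e["line"], e["command"], reasons))
    return flagged


def commands_by_session(entries):
    """Group logged commands per login session, e.g. to replay what infy did."""
    sessions = {}
    for e in entries:
        key = (e["session"], e["user"] + "@" + e["line"])
        sessions.setdefault(key, []).append(e["command"])
    return sessions


if __name__ == "__main__":
    parsed = parse_archive_log(SAMPLE_OUTPUT)
    for idx, who, cmd, why in flag_entries(parsed):
        print(f"{idx:>3} {who:<16} {cmd:<32} {','.join(why)}")
```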
Login Enhancements-Login Block:
------------------------------
Syntax: login block-for <seconds> attempts <tries> within <seconds>
R2(config)#login block-for 30 attempts 2 within 10
If the configured number of connection attempts fail within a specified time period, the Cisco IOS device does not accept any additional connections for a “quiet period.” (Hosts that are permitted by a predefined access-control list [ACL] are excluded from the quiet period.)
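A simulation of the quiet-period logic described above, using the `login block-for 30 attempts 2 within 10` parameters from the notes. This is an added example, not IOS code; it assumes failures are counted device-wide over a sliding window, that a successful login does not clear earlier failures, and it models the ACL-permitted hosts as a constructed exempt list.

```python
"""Simulation of `login block-for 30 attempts 2 within 10` (added example, not
IOS code). Assumptions: failed attempts are counted device-wide over a sliding
window; during the quiet period every connection is refused, even with correct
credentials, except from hosts on the exempt list (the "predefined ACL");
a successful login does not clear earlier failures.
"""
from collections import deque


class LoginBlock:
    def __init__(self, block_for, attempts, within, exempt_hosts=()):
        self.block_for = block_for      # quiet period length, seconds
        self.attempts = attempts        # failures that trigger the quiet period
        self.within = within            # window the failures must fall in, seconds
        self.exempt = set(exempt_hosts)
        self.failures = deque()         # timestamps of recent failed attempts
        self.quiet_until = None

    def in_quiet_period(self, now):
        return self.quiet_until is not None and now < self.quiet_until

    def attempt(self, now, host, credentials_ok):
        """Process one login attempt; returns 'accepted', 'rejected' or 'quiet'."""
        if self.in_quiet_period(now):
            if host not in self.exempt:
                return "quiet"          # connection refused, password never checked
        elif self.quiet_until is not None:
            self.quiet_until = None     # quiet period expired: back to normal mode
            self.failures.clear()
        if credentials_ok:
            return "accepted"
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()     # drop failures outside the window
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
        return "rejected"


def run_scenario():
    """Replay a constructed attempt sequence against the notes' parameters."""
    guard = LoginBlock(block_for=30, attempts=2, within=10, exempt_hosts={"10.1.1.1"})
    events = [  # (time in seconds, source host, credentials correct?)  constructed
        (0, "10.1.1.50", False),
        (5, "10.1.1.50", False),   # 2nd failure within 10 s: quiet period until t=35
        (10, "10.1.1.60", True),   # correct password, still refused
        (12, "10.1.1.1", True),    # exempt host is allowed through
        (36, "10.1.1.60", True),   # quiet period over
        (40, "10.1.1.70", False),
        (55, "10.1.1.70", False),  # 15 s apart: outside the window, no new quiet period
        (56, "10.1.1.70", True),
    ]
    return [guard.attempt(t, host, ok) for t, host, ok in events]
```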
IOS Resilient Config:
----------------------
Used to prevent the config or IOS image from being deleted
-> keeps a hidden, secured copy of the config and IOS image on flash/nvram
-> enabled with 'secure boot-config' and 'secure boot-image'
LOCAL DATABASE
R1(config)#username CISCO privilege 15 password CISCO123 (sets username and password with privilege level 15 in LOCAL database)
R1(config)#username ADMIN privilege 7 password ADMIN123 (sets username and password with privilege level 7 in LOCAL database)
R1(config)#enable password CISCO123 (sets the enable password, stored unencrypted, in LOCAL database)
R1(config)#enable secret CISCO123 (sets the enable secret, stored encrypted as a hash, in LOCAL database)
ENABLE AAA
R1(config)#aaa new-model (enables aaa new model)
AAA TACACS/RADIUS CONFIG
R1(config)#tacacs-server host 150.100.220.20 (use TACACS+ server at the IP address 150.100.220.20)
R1(config)#radius-server host 150.100.220.21 (use Radius server at the IP address 150.100.220.21)
R1(config)#tacacs-server key CISCO (encrypts communication between R1 and TACACS with password CISCO)
R1(config)#radius-server key CISCO (encrypts communication between R1 and RADIUS with password CISCO)
R1(config)#ip tacacs source-interface loopback 0 (sources TACACS packets from the Loopback 0 interface)
R1(config)#ip radius source-interface loopback 0 (sources Radius packets from the Loopback 0 interface)
AAA CUSTOMIZATION
R1(config)#aaa authentication password-prompt "Password Required" (creates a custom password prompt)
R1(config)#aaa authentication username-prompt "Username Required" (creates a custom username prompt)
R1(config)#aaa authentication banner # (creates a custom banner message)
Enter TEXT message. End with the character '#'.
This system requires authentication#
R1(config)#aaa authentication fail-message # (creates a custom authentication-failed message)
Enter TEXT message. End with the character '#'.
Authentication Failed , try again#
AAA AUTHENTICATION
R1(config)#aaa authentication login CONSOLE local (configures router to use LOCAL database authentication)
R1(config)#aaa authentication login VTY group tacacs+ local (configures router to first use TACACS+ and then the local database)
R1(config)#aaa authentication login VTY group tacacs+ local-case (configures router to first use TACACS+ and then the local database; same as local but makes the password case sensitive)
R1(config)#aaa authentication login VTY group tacacs+ line (configures router to first use TACACS+ and then the line password; make sure a password is set under line vty)
R1(config)#aaa authentication enable default group tacacs+ none (privilege mode will be authenticated first against TACACS+ then it’ll fall back to no authentication)
R1(config)#aaa authentication attempts login 3 (specifies number of valid login attempts)
R1(config)#aaa authentication ppp default group tacacs+ group radius local none (for all PPP authentication requests use TACACS+, then RADIUS, then LOCAL, then NONE as the authentication method)
LINE PORTS
R1(config)#line con 0
R1(config-line)#login authentication CONSOLE (login to console as specified under the aaa CONSOLE statement above)
R1(config)#line vty 0 15
R1(config-line)#login authentication VTY (login to vty as specified under aaa VTY statement above)
R1(config-line)#password CISCO (line password used by the 'line' method of the aaa VTY statement above)
AAA AUTHORIZATION
R1(config)#aaa authorization console (enables console authorization)
R1(config)#aaa authorization exec CONSOLE group tacacs+ local (console line should authorize users with TACACS then LOCAL database)
R1(config)#aaa authorization exec VTY group tacacs+ if-authenticated (authorizes any authenticated user if the TACACS+ server fails)
DIFFERENCE BETWEEN NONE AND IF-AUTHENTICATED METHODS:
EXAMPLE 1
R1(config)#aaa authentication login default group tacacs+ none
R1(config)#aaa authorization exec default none
R1(config)#line con 0
R1(config-line)#privilege level 15
If TACACS server is not available the router will allow incoming connections
EXAMPLE 2
R1(config)#aaa authentication login default group tacacs+ none
R1(config)#aaa authorization exec default if-authenticated
R1(config)#line con 0
R1(config-line)#privilege level 15
If TACACS server is not available the router grants access but fails authorization
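The difference between EXAMPLE 1 and EXAMPLE 2, as an added Python model of method-list fallback (not IOS code). The local and TACACS+ user entries are constructed, and the TACACS+ authorization method is assumed to grant exec access whenever the server answers; the point it shows is that `none` passes a user nobody verified, while `if-authenticated` refuses exactly that user.

```python
"""Model of the method-list fallback behind EXAMPLE 1 and EXAMPLE 2 above
(added example, not IOS code).

Modelled method semantics, as the notes describe them:
  group tacacs+    answers only when the server is reachable, else falls through
  local            checks the local user database
  none             always passes without checking anything
  if-authenticated passes only if a real method verified the user
                   (a pass-through by `none` does not count)
Reaching the end of a method list without an answer counts as failure.
"""

LOCAL_USERS = {"vamsi": "cisco"}     # constructed local database
TACACS_USERS = {"vamsi": "krishna"}  # constructed: what the TACACS+ server holds


def authenticate(methods, user, password, tacacs_up):
    """Return (passed, verified_by); verified_by is None for a `none` pass."""
    for method in methods:
        if method == "group tacacs+":
            if not tacacs_up:
                continue  # server unreachable: try the next method
            return TACACS_USERS.get(user) == password, "tacacs+"
        if method == "local":
            return LOCAL_USERS.get(user) == password, "local"
        if method == "none":
            return True, None
    return False, None


def authorize_exec(methods, user, verified_by, tacacs_up):
    """Return True if the user is allowed an exec shell under the method list."""
    for method in methods:
        if method == "group tacacs+":
            if not tacacs_up:
                continue
            return True   # assumption: the server's profile grants exec access
        if method == "local":
            return user in LOCAL_USERS
        if method == "none":
            return True
        if method == "if-authenticated":
            return verified_by is not None
    return False


def login(auth_methods, author_methods, user, password, tacacs_up):
    """Combine login authentication and exec authorization into one outcome."""
    passed, verified_by = authenticate(auth_methods, user, password, tacacs_up)
    if not passed:
        return "login denied"
    if not authorize_exec(author_methods, user, verified_by, tacacs_up):
        return "logged in, exec authorization failed"
    return "exec granted"


AUTH = ["group tacacs+", "none"]   # aaa authentication login default group tacacs+ none


def compare_examples(tacacs_up):
    """Outcome of EXAMPLE 1 (authorization none) vs EXAMPLE 2 (if-authenticated)."""
    return {
        "example1": login(AUTH, ["none"], "vamsi", "krishna", tacacs_up),
        "example2": login(AUTH, ["if-authenticated"], "vamsi", "krishna", tacacs_up),
    }
```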
LINE PORTS
R1(config)#line con 0
R1(config-line)#authorization exec CONSOLE (ensure the console line is authorized, see above aaa config)