A breakdown of what is required for TACACS+ user auth on an AAP.
aaa new-model
aaa authentication login LOGIN group tac_users local
aaa authentication enable default group tac_users enable
aaa authorization exec LOGIN group tac_users local
(used LOGIN in this case as there was a requirement to use a non-default auth list)
aaa group server tacacs+ tac_users
 server 10.10.210.5
tacacs-server host 10.10.210.5 key 7 08285C4B1109000506
ip http authentication aaa login-authentication LOGIN
ip http authentication aaa exec-authorization LOGIN
(define HTTP authentication lists)
line vty 0 4
 authorization exec LOGIN
 login authentication LOGIN
 transport input ssh
(define VTY line attributes)
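The pieces above only work together if every consumer (HTTP and the VTY lines) points at a method list that actually exists and that falls back to local when the TACACS+ server is unreachable. The following audit script is an added example, not part of the original post; it parses a running-config in the post's shape and reports the gaps a practitioner would want to catch before locking themselves out. The sample config is constructed from the post's commands; the checks are flat (they do not track line blocks) and cover only the items shown here.

```python
"""Audit an IOS running-config for the TACACS+ AAA pieces described in the post (added example)."""
import re

# Constructed sample in running-config layout (indented sub-commands), mirroring the post.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login LOGIN group tac_users local
aaa authorization exec LOGIN group tac_users local
aaa group server tacacs+ tac_users
 server 10.10.210.5
ip http authentication aaa login-authentication LOGIN
ip http authentication aaa exec-authorization LOGIN
line vty 0 4
 authorization exec LOGIN
 login authentication LOGIN
 transport input ssh
"""

def audit_tacacs_config(config: str) -> list[str]:
    """Return findings about the AAA/TACACS+ setup; an empty list means every check passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip() and not l.startswith("!")]
    findings, lists, groups = [], {}, set()
    for line in lines:
        if m := re.match(r"aaa (authentication login|authorization exec) (\S+) (.+)", line):
            lists[(m[1], m[2])] = m[3].split()          # (kind, list name) -> method keywords
        elif m := re.match(r"aaa group server tacacs\+ (\S+)", line):
            groups.add(m[1])
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: the AAA method lists never take effect")
    for (kind, name), methods in lists.items():
        if "group" in methods[:-1] and methods[methods.index("group") + 1] not in groups:
            findings.append(f"{kind} list {name} references an undefined server group")
        if methods[-1] != "local":
            findings.append(f"{kind} list {name} lacks a local fallback (lockout if TACACS+ is unreachable)")
    # Every consumer (HTTP and VTY) must point at a defined list of the matching kind.
    consumers = {
        r"ip http authentication aaa login-authentication (\S+)": "authentication login",
        r"ip http authentication aaa exec-authorization (\S+)": "authorization exec",
        r"login authentication (\S+)": "authentication login",
        r"authorization exec (\S+)": "authorization exec",
    }
    for line in lines:
        for pattern, kind in consumers.items():
            if (m := re.fullmatch(pattern, line)) and (kind, m[1]) not in lists:
                findings.append(f"'{line}' references undefined {kind} list {m[1]}")
    if "transport input ssh" not in lines:
        findings.append("VTY lines are not restricted to SSH (transport input ssh missing)")
    return findings
```

Running `audit_tacacs_config(SAMPLE_CONFIG)` on the post's configuration returns no findings; drop the trailing `local` from the login list or remove `transport input ssh` and the corresponding findings appear.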
ACS
Configure NAS
Interface Configuration - Advanced options
Select user options if required
Edit TACACS+, add shell and advanced options
Under User or Group, set Max privilege to 15; use the CiscoSecure PAP password under Enable
Set per user command auth
Permit unmatched if no specific commands are required