


Suggested prerequisite reading
»Cisco Forum FAQ »Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level

Notice

If the switches are IOS-based, you can implement the AAA command sets in the following FAQ, since they apply to any IOS-based Cisco device, including switches.

»Cisco Forum FAQ »Securing access to routers with AAA commands

If the switches are Catalyst OS based, you can implement the following command set, which provides an effect similar to Sample #3 of that FAQ.

AAA command set with external TACACS server

set password [ENTER LOGIN PASSWORD HERE]
set enablepass [ENTER ENABLE PASSWORD HERE]
!
#Local User
set localuser user [ENTER USERNAME HERE] password [ENTER YOUR PASSWORD HERE] privilege [ENTER PRIVILEGE LEVEL HERE]
!
#tacacs+
set tacacs server [ENTER TACACS+ SERVER IP ADDRESS HERE] primary
set tacacs key [ENTER TACACS+ SERVER AUTHENTICATING KEY HERE]
!
#authentication
set authentication login tacacs enable console primary
set authentication login tacacs enable telnet primary
set authentication login tacacs enable http primary
set authentication enable tacacs enable console primary
set authentication enable tacacs enable telnet primary
set authentication enable tacacs enable http primary
!
#authorization
set authorization exec enable tacacs+ none console
set authorization exec enable tacacs+ none telnet
set authorization commands enable enable tacacs+ none console
set authorization commands enable enable tacacs+ none telnet
!
#accounting
set accounting exec enable start-stop tacacs+
set accounting connect enable start-stop tacacs+
set accounting commands enable enable stop-only tacacs+

Notes:

* When the TACACS+ server fails or is unreachable, the local credentials are used as backup.
* The sample configuration uses the "telnet" parameter, which applies to both telnet and SSH remote access, since there is no specific "ssh" parameter.
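
A consistency check for the command set above, as an added example that is not part of the original FAQ: it reports which of the FAQ's AAA lines are absent from a saved Catalyst OS configuration, so an access method left without TACACS+ authentication or authorization gets noticed. The function name, the finding strings and the sample values are assumptions made for the illustration.

```python
import re

# Constructed sample: the FAQ's command set with placeholder values filled in
# (192.0.2.10 is a documentation address) and the telnet login line left out.
SAMPLE_CONFIG = """\
#tacacs+
set tacacs server 192.0.2.10 primary
set tacacs key EXAMPLE-KEY
!
set authentication login tacacs enable console primary
set authentication login tacacs enable http primary
set authentication enable tacacs enable console primary
set authentication enable tacacs enable telnet primary
set authentication enable tacacs enable http primary
set authorization exec enable tacacs+ none console
set authorization exec enable tacacs+ none telnet
set authorization commands enable enable tacacs+ none console
set authorization commands enable enable tacacs+ none telnet
set accounting exec enable start-stop tacacs+
set accounting connect enable start-stop tacacs+
set accounting commands enable enable stop-only tacacs+
"""

# Lines that must appear once, in the forms used by the FAQ.
GLOBAL = {
    "tacacs server": r"set tacacs server \S+",
    "tacacs key": r"set tacacs key \S+",
    "exec accounting": r"set accounting exec enable \S+ tacacs\+",
    "connect accounting": r"set accounting connect enable \S+ tacacs\+",
    "command accounting": r"set accounting commands enable \S+ \S+ tacacs\+",
}
# Lines that must appear once per access method (group 1 is the method).
# Assumption: only the per-method forms shown in the FAQ are recognised.
AUTHN, AUTHZ = {"console", "telnet", "http"}, {"console", "telnet"}
PER_METHOD = {
    "login authentication": (r"set authentication login tacacs enable (\w+)", AUTHN),
    "enable authentication": (r"set authentication enable tacacs enable (\w+)", AUTHN),
    "exec authorization": (r"set authorization exec enable tacacs\+ \S+ (\w+)", AUTHZ),
    "command authorization": (r"set authorization commands enable \S+ tacacs\+ \S+ (\w+)", AUTHZ),
}

def audit(config):
    """Return the AAA lines from the FAQ's set that the config lacks."""
    lines = [l.strip() for l in config.splitlines()]
    lines = [l for l in lines if l and l[0] not in "!#"]  # skip separators and comments
    findings = [f"missing: {name}" for name, pat in GLOBAL.items()
                if not any(re.match(pat, l) for l in lines)]
    for name, (pat, required) in PER_METHOD.items():
        seen = {m.group(1) for l in lines if (m := re.match(pat, l))}
        findings += [f"missing: {name} for {method}" for method in sorted(required - seen)]
    return findings
```

Because the "telnet" parameter also governs SSH on these switches, a "for telnet" finding means SSH logins are affected as well.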


by aryoba See Profile
last modified: 2009-06-10 15:22:56