Tonight was a little AAA action (authorization, authentication, accounting). Luckily I set up a TACACS+ server a couple of weeks back, and did the configs on our switches at work as well. This basically gives an extra layer of security in that you are authenticating users to a remote database, and you can granularly assign them permissions on the devices (if needed). One of the best aspecs is that you can actually hold people accountable for their actions! Yep, you can actually tell your devices to log every command a user runs. Radius is a little more limited in its authorization actions, but is still a pretty good measure of remote authentication for your cisco devices.
Here are some basic commands:
(config)aaa new-modes (enable the new aaa model on your device)
(config)radius-server host [ip address] [extra options]
(config)tacacs-server host [ip address] [extra options]
...you probably are going to have some "keys" to program in as well (check ios help)
(config)aaa authentication login default group tacacs+ radius (this will tell your device to authenticate incoming users to the default list...using first the tacacs+ server, then the radius server if needed)
(config-line)login authentication default (points your "line" items to the default list for authentication)
I wont go into it here, but you then go into a bit more depth with authorization and accounting with the commands:
(config) aaa accounting [options]
(config) aaa authorization [options]
No comments:
Post a Comment