
Configure the AAA fallback method to local and configure a local username on both switches.

Configure a separate method list that does not authenticate or authorize, and apply it to the Console port.

Configure username switch-user password cisco in ACS and configure Attribute 6 Service Type=Login. See Figure 4-8 for ACS configuration.

Figure 4-8. User switch-user Settings on ACS

Verify by Telnetting from any router to both switches' Management IP. See Example 4-36.

Configure accounting for Exec. See Example 4-37 for good accounting debugs. You may also verify on the ACS RADIUS Accounting report. See Figure 4-9.

Figure 4-9. Accounting Reports on ACS

For more information on configuring switch access with RADIUS, refer to the following URL:

www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12113ea1/3550scg/swauthen.htm#1091098

Example 4-35. AAA Configuration on Switch1 and Switch2

!Snip from Switch1 config
hostname Switch1
!
aaa new-model
aaa authentication login vty group radius local
aaa authentication login con none
aaa authorization exec vty group radius local
aaa authorization exec con none
aaa accounting exec vty start-stop group radius
enable password cisco
!
username switch-user privilege 15 password 0 cisco
!
radius-server host 172.16.3.254 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key cisco
!
line con 0
 exec-timeout 0 0
 authorization exec con
 login authentication con
 escape-character 27
line vty 0 4
 password cisco
 authorization exec vty
 accounting exec vty
 login authentication vty
line vty 5 15
 password cisco
 authorization exec vty
 accounting exec vty
 login authentication vty

!Snip from Switch2 config
hostname Switch2
!
aaa new-model
aaa authentication login vty group radius local
aaa authentication login con none
aaa authorization exec vty group radius local
aaa authorization exec con none
aaa accounting exec vty start-stop group radius
enable password cisco
!
username switch-user privilege 15 password 0 cisco
!
radius-server host 172.16.3.254 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key cisco
!
line con 0
 exec-timeout 0 0
 authorization exec con
 login authentication con
 escape-character 27
line vty 0 4
 password cisco
 authorization exec vty
 accounting exec vty
 login authentication vty
line vty 5 15
 password cisco
 authorization exec vty
 accounting exec vty
 login authentication vty
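The method lists in Example 4-35 encode two decisions that are worth checking mechanically on every device rather than by eye: remote (vty) logins must fall back to the local database after RADIUS, so the switch is not locked out when the server is unreachable, and a method list containing none must be bound only to the console. The following Python script is an added example, not code from the book or from Cisco. It parses the aaa and line stanzas of an IOS config with a small hand-written parser and reports deviations; the two config strings are a constructed copy of the AAA-relevant lines of the Switch1 snippet and a deliberately weakened variant.

```python
import re

# Constructed sample: the AAA-relevant lines of the Switch1 snippet in Example 4-35.
SWITCH1_CONFIG = """\
aaa new-model
aaa authentication login vty group radius local
aaa authentication login con none
aaa authorization exec vty group radius local
aaa authorization exec con none
aaa accounting exec vty start-stop group radius
!
line con 0
 authorization exec con
 login authentication con
line vty 0 4
 authorization exec vty
 accounting exec vty
 login authentication vty
line vty 5 15
 authorization exec vty
 accounting exec vty
 login authentication vty
"""

# Constructed weakened variant: no local fallback on the vty list, no exec
# accounting on the vty lines, and the console "none" list bound to vty 5 15.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login vty group radius
aaa authentication login con none
!
line con 0
 login authentication con
line vty 0 4
 login authentication vty
line vty 5 15
 login authentication con
"""

RECORD_TYPES = ('start-stop', 'stop-only', 'wait-start')


def _methods(tokens):
    """Join 'group <server-group>' pairs so each method is one string."""
    out, it = [], iter(tokens)
    for t in it:
        out.append('group ' + next(it) if t == 'group' else t)
    return out


def parse_ios_aaa(config):
    """Parse 'aaa ...' method lists and the per-line bindings of an IOS config.

    Returns (new_model, lists, bindings):
      lists    {('authentication', 'login', 'vty'): ['group radius', 'local'], ...}
      bindings {'vty 0 4': {'login authentication': 'vty', 'accounting exec': 'vty'}, ...}
    """
    new_model, lists, bindings, current = False, {}, {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith('!'):
            continue
        if raw.startswith(' '):                       # sub-command of a line stanza
            tok = raw.split()
            if current and len(tok) == 3 and tok[0] in ('login', 'authorization', 'accounting'):
                bindings[current][tok[0] + ' ' + tok[1]] = tok[2]
            continue
        current = None
        if raw.strip() == 'aaa new-model':
            new_model = True
            continue
        m = re.match(r'aaa (authentication|authorization|accounting) (\S+) (\S+) (.+)$', raw)
        if m:
            kind, service, name, rest = m.groups()
            tokens = rest.split()
            if kind == 'accounting' and tokens[0] in RECORD_TYPES:
                tokens = tokens[1:]                   # drop the record type, keep the methods
            lists[(kind, service, name)] = _methods(tokens)
            continue
        m = re.match(r'line (con|aux|vty) (.+)$', raw)
        if m:
            current = m.group(1) + ' ' + m.group(2)
            bindings[current] = {}
    return new_model, lists, bindings


def audit_aaa(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    new_model, lists, bindings = parse_ios_aaa(config)
    if not new_model:
        findings.append('aaa new-model missing: named method lists are not in effect')
    for line, bound in bindings.items():
        remote = not line.startswith('con')           # the console may legitimately use "none"
        name = bound.get('login authentication')
        if name is None:
            if remote:
                findings.append(f'{line}: no login authentication list bound (default list applies)')
            continue
        methods = lists.get(('authentication', 'login', name))
        if methods is None:
            findings.append(f'{line}: login authentication list "{name}" is not defined')
            continue
        if not remote:
            continue
        if 'none' in methods:
            findings.append(f'{line}: list "{name}" contains none; remote login without authentication')
        groups = [m for m in methods if m.startswith('group ')]
        if groups and 'local' not in methods[methods.index(groups[0]) + 1:]:
            findings.append(f'{line}: list "{name}" has no local fallback after {groups[0]}')
        if 'accounting exec' not in bound:
            findings.append(f'{line}: no exec accounting bound')
    return findings


if __name__ == '__main__':
    for label, cfg in (('Switch1', SWITCH1_CONFIG), ('weakened', WEAK_CONFIG)):
        print(label, audit_aaa(cfg) or ['OK'])
```

Run against the Switch1 copy the audit returns no findings; against the weakened variant it reports the missing local fallback on vty 0 4, the none list on vty 5 15, and the absent exec accounting on both vty ranges. The parser only understands the aaa and line stanzas used on this page, which is enough to run the same check over a whole set of running-configs pulled from the switches.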

Example 4-36. Telnet to Both Switches' Management IP

User Access Verification

Username: switch-user
Password: cisco

Switch1>exit

[Connection to 172.16.4.10 closed by foreign host]

User Access Verification

Username: switch-user
Password: cisco

Switch2>
Switch2>exit

[Connection to 172.16.4.20 closed by foreign host]
r1#
r1#

Example 4-37. AAA Accounting Debugs from Switch1

Switch1#show debugging
General OS:
  AAA Accounting debugging is on
Switch1#
Switch1#
1w2d: AAA: parse name=tty1 idb type=-1 tty=-1
1w2d: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
1w2d: AAA/MEMORY: create_user (0xDFC114) user='' ruser='' port='tty1' rem_addr='172.16.4.1' authen_type=ASCII service=LOGIN priv=1
1w2d: AAA/ACCT/EXEC/START User switch-user, port tty1
1w2d: AAA/ACCT/EXEC: Found list "vty"
1w2d: AAA/ACCT/EXEC/START User switch-user, Port tty1, task_id=8 timezone=UTC service=shell
1w2d: AAA/ACCT: user switch-user, acct type 0 (1315242846): Method=radius (radius)
Switch1#
Switch1#
1w2d: AAA/ACCT/ACCT_DISC: Found list "vty"
1w2d: tty1 AAA/DISC: 1/"User Request"
1w2d: AAA/ACCT/ACCT_DISC: Found list "vty"
1w2d: tty1 AAA/DISC/EXT: 1020/"User Request"
1w2d: AAA/ACCT/ACCT_DISC: Found list "vty"
1w2d: tty1 AAA/DISC: 9/"NAS Error"
1w2d: AAA/ACCT/ACCT_DISC: Found list "vty"
1w2d: tty1 AAA/DISC/EXT: 1002/"Unknown"
1w2d: AAA/ACCT: no attribute "elapsed_time" to replace, adding it
1w2d: AAA/ACCT/EXEC/STOP: cannot retrieve modem speed
1w2d: AAA/ACCT/EXEC/STOP User switch-user, Port tty1:
        task_id=8 timezone=UTC service=shell disc-cause=1 disc-cause-ext=1020 elapsed_time=8 nas-rx-speed=0 nas-tx-speed=0
1w2d: AAA/ACCT: user switch-user, acct type 0 (143614545): Method=radius (radius)
1w2d: AAA/MEMORY: free_user (0xDFC114) user='switch-user' ruser='' port='tty1' rem_addr='172.16.4.1' authen_type=ASCII service=LOGIN priv=1
Switch1#
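What the debug in Example 4-37 is meant to prove is that every EXEC session produced a START record and a matching STOP record carrying elapsed_time and the disconnect cause. The following Python script is an added example, not code from the book: it pairs EXEC accounting START and STOP records by port and task_id and surfaces any START that never received a STOP. The sample input is a constructed subset of the debug lines above, plus one invented START record (user admin-two on tty2) that has no STOP, so the unmatched case is exercised.

```python
import re

# Constructed sample: a subset of the Example 4-37 debug lines, plus one invented
# START record (admin-two on tty2) that never receives a STOP.
DEBUG_LINES = """\
1w2d: AAA/ACCT/EXEC/START User switch-user, port tty1
1w2d: AAA/ACCT/EXEC: Found list "vty"
1w2d: AAA/ACCT/EXEC/START User switch-user, Port tty1, task_id=8 timezone=UTC service=shell
1w2d: AAA/ACCT: user switch-user, acct type 0 (1315242846): Method=radius (radius)
1w2d: AAA/ACCT/EXEC/START User admin-two, Port tty2, task_id=9 timezone=UTC service=shell
1w2d: tty1 AAA/DISC: 1/"User Request"
1w2d: AAA/ACCT/EXEC/STOP User switch-user, Port tty1:
        task_id=8 timezone=UTC service=shell disc-cause=1 disc-cause-ext=1020 elapsed_time=8 nas-rx-speed=0 nas-tx-speed=0
1w2d: AAA/ACCT: user switch-user, acct type 0 (143614545): Method=radius (radius)
"""

# The first START line uses lower-case "port" and carries no attributes; the
# record proper follows with "Port" and task_id, so both spellings are accepted.
START_RE = re.compile(r'AAA/ACCT/EXEC/START User (\S+), [Pp]ort (\S+?)(?:, (.*))?$')
STOP_RE = re.compile(r'AAA/ACCT/EXEC/STOP User (\S+), Port (\S+):')
ATTR_RE = re.compile(r'(\S+?)=(\S+)')


def _attrs(text):
    """Turn 'key=value key=value ...' into a dict (empty for None)."""
    return dict(ATTR_RE.findall(text or ''))


def parse_exec_accounting(debug_text):
    """Pair EXEC accounting START/STOP records by (port, task_id).

    Returns (sessions, open_starts): completed sessions with elapsed time and
    disconnect cause, and START records that never received a STOP.
    """
    open_starts, sessions, pending_stop = {}, [], None
    for line in debug_text.splitlines():
        if pending_stop and line.startswith(' '):    # STOP attributes sit on the indented continuation line
            user, port = pending_stop
            attrs = _attrs(line)
            start = open_starts.pop((port, attrs.get('task_id')), None)
            sessions.append({
                'user': user, 'port': port, 'task_id': attrs.get('task_id'),
                'elapsed_time': int(attrs.get('elapsed_time', 0)),
                'disc_cause': attrs.get('disc-cause'),
                'had_start': start is not None,      # False means a STOP arrived without a START
            })
            pending_stop = None
            continue
        m = START_RE.search(line)
        if m:
            user, port, rest = m.groups()
            attrs = _attrs(rest)
            if 'task_id' in attrs:                   # skip the pre-record notice that has no task_id
                open_starts[(port, attrs['task_id'])] = {'user': user, 'port': port, **attrs}
            continue
        m = STOP_RE.search(line)
        if m:
            pending_stop = m.groups()
    return sessions, list(open_starts.values())


if __name__ == '__main__':
    done, still_open = parse_exec_accounting(DEBUG_LINES)
    for s in done:
        print(f"{s['user']} on {s['port']}: {s['elapsed_time']}s, disc-cause {s['disc_cause']}")
    for s in still_open:
        print(f"no STOP seen for {s['user']} on {s['port']} (task_id {s['task_id']})")
```

On the sample this yields one completed session for switch-user (8 seconds, disc-cause 1, the "User Request" seen in the AAA/DISC line) and one open START for admin-two. A START with no STOP after the session has visibly ended is the symptom to look for when the ACS Accounting report in Figure 4-9 shows fewer records than expected; with start-stop accounting the STOP should always appear, so its absence points at a lost or undeliverable accounting packet.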

7.2 AAA on PIX

Configure AAA for Telnet traffic through the PIX to authenticate and authorize each session using TACACS+. See Example 4-38.

Configure AAA on R2 for Telnet/vty authentication using the local database. This is the second (double) authentication phase. See Example 4-39.

Configure the user telnet-user with password cisco on CiscoSecure ACS, with Shell Command Authorization. See Figure 4-10 for the settings on ACS.

Figure 4-10. User telnet-user Settings with Command Authorization Set on ACS

(Figure 4-10 image: ACS User Setup screen for telnet-user; contents not reproduced in text.)
