Terminal Access Controller Access Control System (TACACS+) Commands:

enable
configure terminal
! Create a local admin for safety
! Note: for all production passwords
! follow best practices for length
! and complexity
username admin privilege 15 secret cisco
username bob privilege 1 secret cisco
! Configure the privilege 15 secret
enable secret cisco
! Enable AAA
aaa new-model
! Specify where the AAA server is,
! and which protocol to use (TACACS+ in this case)
tacacs-server host 192.168.1.252
! Specify the key to use for encryption
! between the client (this router) and the AAA
! TACACS+ server
tacacs-server key cisco123
! Create a default method list and specify that
! we want to try one of the AAA servers as our
! first method in the list, and then if that times
! out, we want to use the local database, and if the
! user isn't in the local database, require the
! enable secret for access
aaa authentication login default group tacacs+ local
! Create a custom method list that, if used,
! will require no authentication at all
! (just in the lab)
aaa authentication login FREE-BIRD none
! Let's apply the FREE-BIRD method list to the
! console (to make it easy on me ;)
line console 0
 login authentication FREE-BIRD
! (This method list applies only
! to console 0.) The default will apply
! to the other lines, such as VTY and AUX.
 exit
! Let's set up a couple of authorization method lists.
! We will use custom lists (not a default one)
! because we don't want this to apply everywhere
! (just on our VTY lines for this demo)
aaa authorization commands 1 TAC1 group tacacs+ local
aaa authorization commands 15 TAC15 group tacacs+ local
! This next command is required for the IOS
! to check for authorization for commands
! issued within configuration mode
aaa authorization config-commands
! Let's create some accounting method lists as well
aaa accounting commands 1 TAC-act1 start-stop group tacacs+
aaa accounting commands 15 TAC-act15 start-stop group tacacs+
! Let's apply the authorization and accounting custom
! method lists just to the VTY lines
! Note: the default login authentication method list
! already applies to these VTY lines
line vty 0 4
 authorization commands 1 TAC1
 authorization commands 15 TAC15
 accounting commands 1 TAC-act1
 accounting commands 15 TAC-act15
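As an added example (not part of the original notes), a small Python audit script that parses an IOS config like the one above, works out which login method list each line actually uses (the default list when none is set explicitly, as the comments above describe), and flags a line whose list contains `none`, a list with no local fallback for when TACACS+ is unreachable, and VTY lines with no privilege 15 command authorization. The sample config is a constructed excerpt of the lab config above; the function names are my own.

```python
import re

# Constructed sample: an excerpt of the page's lab config, with the FREE-BIRD "none" list on the console.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login FREE-BIRD none
line console 0
 login authentication FREE-BIRD
line vty 0 4
 authorization commands 15 TAC15
"""

def parse_method_lists(config):
    """Map (service, list name) -> ordered methods, e.g. ('login', 'default') -> ['group tacacs+', 'local']."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"aaa authentication (\S+) (\S+) (.+)", line)
        if m:
            service, name, rest = m.groups()
            lists[(service, name)] = re.findall(r"group \S+|local(?:-case)?|enable|none|line", rest)
    return lists

def parse_line_sections(config):
    """Map each 'line ...' section (e.g. 'console 0') to its indented sub-commands."""
    sections, current = {}, None
    for line in config.splitlines():
        if line.startswith("line "):
            current = line[5:].strip()
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None  # back at global config level
    return sections

def audit(config):
    """Flag lines that log in with no authentication, lack a local fallback, or (VTY) skip level-15 command authorization."""
    lists, findings = parse_method_lists(config), []
    for section, cmds in parse_line_sections(config).items():
        names = [c.split()[-1] for c in cmds if c.startswith("login authentication ")]
        name = names[-1] if names else "default"  # no explicit list -> the default list applies
        methods = lists.get(("login", name), [])
        if "none" in methods:
            findings.append(f"line {section}: login list '{name}' allows access with no authentication")
        elif not any(m.startswith("local") for m in methods):
            findings.append(f"line {section}: login list '{name}' has no local fallback if TACACS+ is unreachable")
        if section.startswith("vty") and not any(c.startswith("authorization commands 15 ") for c in cmds):
            findings.append(f"line {section}: no privilege 15 command authorization applied")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the console finding; feed it a `show running-config` capture to check a real box.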
Simple test:

enable
conf t
enable secret cisco
aaa new-model
aaa authentication login default enable
do debug aaa authentication
do telnet 10.1.0.1