AUTHENTICATION

On R1, enable server-based AAA:

R(config)#username admin secret cisco
R(config)#aaa new-model
R(config)#tacacs server ACS
R(config-server-tacacs)#address ipv4 <ip>
R(config-server-tacacs)#single-connection
R(config-server-tacacs)#key cisco
R(config)#aaa authentication login MYAUTH group tacacs+ local
R(config)#line vty 0 4
R(config-line)#login authentication MYAUTH
R#test aaa group tacacs+ admin cisco new-code

On ACS, authorize the users and the TACACS clients (the routers):

user setup > add > user
user setup > add > password
user setup > list all users

network configuration > AAA clients > add
network configuration > AAA clients > client hostname
network configuration > AAA clients > client ip address
network configuration > AAA clients > shared secret
network configuration > AAA clients > authentication using tacacs+ (cisco ios)
network configuration > AAA clients > single connection

AUTHORIZATION

R(config)#aaa authorization exec default group tacacs+ local

Authorization with the default list has no effect on the console line.
authorization exec refers to access to exec mode, not to commands.

interface configuration > advanced options > per-user tacacs/radius attributes
interface configuration > tacacs+ > tacacs+ services > user shell (exec)
user setup > edit > tacacs+ settings
user setup > edit > tacacs+ settings > shell (exec)
user setup > edit > tacacs+ settings > privilege level 15
user setup > edit > tacacs+ settings > auto command sh run

R(config)#aaa authorization commands 0 default group tacacs+ local
R(config)#aaa authorization commands 1 default group tacacs+ local
R(config)#aaa authorization commands 15 default group tacacs+ local

authorization commands refers to exec commands, not configure commands.

shared profile components > shell command authorization sets > add
shared profile components > shell command authorization sets > name
  ping (+permit unmatched arguments)
  telnet (+permit unmatched arguments)
user setup > edit > shell command authorization set > assign a shell command authorization set

R(config)#aaa authorization config-commands

shared profile components > shell command authorization sets > edit
  exit (+permit unmatched arguments)
  end (+permit unmatched arguments)
  enable (+permit unmatched arguments)
  disable (+permit unmatched arguments)
  configure (+permit unmatched arguments)
  interface (+permit fastethernet, +permit 0/1)

Alternatively, it may be necessary to enter the interfaces respecting case and without the slash.

shared profile components > shell command authorization sets > edit
  show (+permit run, +permit ip route)
  shutdown (+permit unmatched arguments)
  no (+permit shutdown)

ACCOUNTING

R(config)#aaa accounting exec default start-stop group tacacs+
R(config)#aaa accounting commands 0 default start-stop group tacacs+
R(config)#aaa accounting commands 1 default start-stop group tacacs+
R(config)#aaa accounting commands 15 default start-stop group tacacs+

system configuration > logging > passed authentication > configure > log to csv
report and activity > tacacs+ accounting
report and activity > tacacs+ administration
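
Added example (not part of the original notes): a Python check that reads a running-config and reports which of the AAA commands listed above are missing, whether each login list keeps the local fallback, and whether every vty line uses a defined login list. The function name audit_aaa and the sample config are constructed for illustration.

```python
import re

# Global commands the notes configure; each must be present in the config.
REQUIRED = ["aaa new-model", "aaa authorization exec ",
            "aaa authorization config-commands", "aaa accounting exec "]
REQUIRED += [f"aaa {kind} commands {lvl} "
             for kind in ("authorization", "accounting") for lvl in (0, 1, 15)]

# Constructed sample running-config (not from a real device).
SAMPLE = """\
username admin secret 5 $1$constructed$hash
aaa new-model
aaa authentication login MYAUTH group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 4
 login authentication MYAUTH
line vty 5 15
"""

def audit_aaa(config):
    """Return findings for the AAA settings covered in the notes."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    top = [l for l in lines if not l.startswith(" ")]
    out = [f"missing: {p.strip()}" for p in REQUIRED
           if not any(l.startswith(p) for l in top)]
    if not any(re.match(r"username \S+ secret ", l) for l in top):
        out.append("no local user with a secret for fallback")
    # Named login method lists, e.g. MYAUTH -> "group tacacs+ local"
    lists = dict(m.groups() for l in top
                 if (m := re.match(r"aaa authentication login (\S+) (.+)", l)))
    out += [f"login list {n} has no local fallback"
            for n, methods in lists.items() if "local" not in methods.split()]
    # Record which login list each line block applies.
    applied, cur = {}, None
    for l in lines:
        if not l.startswith(" "):
            cur = l
        elif m := re.match(r" login authentication (\S+)", l):
            applied[cur] = m.group(1)
    for name in top:
        # A line with no 'login authentication' uses the list named default.
        used = applied.get(name, "default")
        if name.startswith("line vty") and used not in lists:
            out.append(f"{name}: uses login list {used}, which is not defined")
    return out
```
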