The following examples show how to configure AAA services.
An authentication method list vty-authen is configured. This example specifies a
method list that uses the list of all configured TACACS+ servers for authentication.
If that method fails, the local username database method is used for
authentication.
configure
aaa authentication login vty-authen group tacacs+ local
The default method list for PPP is configured to use the local method.
aaa authentication ppp default local
A username user1 is created for login purposes, a secure login password is assigned,
and user1 is made a root-lr user. Configure similar settings for username
user2.
username user1
secret lab
group root-lr
exit
username user2
secret lab
exit
A task group named tga is created, tasks are added to tga, a user group named uga is
created, and uga is configured to inherit permissions from task group tga. A
description is added to user group uga.
taskgroup tga
task read bgp
task write ospf
exit
usergroup uga
taskgroup tga
description usergroup uga
exit
Username user2 is configured to inherit from user group uga.
username user2
group uga
exit
Three TACACS servers are configured.
tacacs-server host .1.1.1 port 1 key abc
tacacs-server host .2.2.2 port 2 key def
tacacs-server host .3.3.3 port 3 key ghi
A user group named priv5 is created. It is used for users who are authenticated by
the TACACS+ method and whose entry in the external TACACS+ daemon configuration file
has a privilege level of 5.
usergroup priv5
taskgroup operator
exit
An authorization method list, vty-author, is configured. This example specifies that
command authorization be done using the list of all configured TACACS+ servers.
aaa authorization commands vty-author group tacacs+
An accounting method list, vty-acct, is configured. This example specifies that
start-stop command accounting be done using the list of all configured TACACS+
servers.
aaa accounting commands vty-acct start-stop group tacacs+
For TACACS+ authentication, if, for example, a privilege level of 8 is returned and
neither a local user group priv8 nor a local user with the same name exists, the
aaa default-taskgroup command with tga specified as the taskgroup-name argument
ensures that such users are given the taskmap of task group tga.
aaa default-taskgroup tga
For line template vty, a line password is assigned for use with line authentication,
user group uga is made the group assigned for line authentication (if used), and
vty-authen, vty-author, and vty-acct are made the method lists used for
authentication, authorization, and accounting, respectively.
line template vty
password lab
users group uga
login authentication vty-authen
authorization commands vty-author
accounting commands vty-acct
exit
A TACACS+ server group named abc is created and an already configured TACACS+ server
is added to it.
aaa group server tacacs+ abc
server .3.3.3
exit
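As an added consistency check (not part of the Cisco documentation above), the following Python script parses the AAA statements from this page and verifies that the method lists referenced by line template vty are defined, that every user group and the aaa default-taskgroup command name an existing task group, and that the login method list keeps the local fallback. The sample configuration and the set of predefined task group names are assumptions of the example.

```python
from collections import defaultdict
# Constructed sample: the page's AAA statements joined into one config (exit lines omitted).
SAMPLE_CONFIG = """\
aaa authentication login vty-authen group tacacs+ local
taskgroup tga
usergroup uga
 taskgroup tga
usergroup priv5
 taskgroup operator
aaa authorization commands vty-author group tacacs+
aaa accounting commands vty-acct start-stop group tacacs+
aaa default-taskgroup tga
line template vty
 login authentication vty-authen
 authorization commands vty-author
 accounting commands vty-acct
"""
# Task groups IOS XR predefines (assumed set); user-defined ones are collected from the config.
PREDEFINED_TASKGROUPS = {"operator", "netadmin", "sysadmin", "root-lr", "root-system"}

def check_aaa(config):
    """Return consistency problems; an empty list means every AAA reference resolves."""
    top, nested, parent = [], defaultdict(list), None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "exit": continue  # blank lines and exit markers carry no config
        if raw.startswith(" "):
            nested[parent].append(line.split())  # words of a line nested under `parent`
        else:
            parent = line
            top.append(line)
    problems, lists = [], defaultdict(set)
    taskgroups = {l.split()[1] for l in top if l.startswith("taskgroup ")} | PREDEFINED_TASKGROUPS
    for w in (l.split() for l in top):
        if w[0] == "aaa" and w[2] in ("login", "commands"):  # aaa <kind> <name> <methods...>
            kind, name, methods = f"{w[1]} {w[2]}", w[3], w[4:]
            lists[kind].add(name)
            if kind == "authentication login" and methods[-1:] != ["local"]:
                problems.append(f"{name}: no local fallback, so a TACACS+ outage locks out logins")
        elif w[0] == "aaa" and w[1] == "default-taskgroup" and w[2] not in taskgroups:
            problems.append(f"{' '.join(w)}: unknown taskgroup")
    for section, lines in nested.items():
        for w in lines:
            if section.startswith("usergroup ") and w[0] == "taskgroup" and w[1] not in taskgroups:
                problems.append(f"{section}: unknown taskgroup {w[1]}")
            elif section.startswith("line template ") and w[0] in ("login", "authorization", "accounting"):
                kind = "authentication login" if w[0] == "login" else f"{w[0]} commands"
                if w[2] not in lists[kind]:
                    problems.append(f"{section}: {kind} method list {w[2]} is not defined")
    return problems
```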