AUTHENTICATION

On R1, enable server-based AAA:

R(config)#username admin secret cisco
R(config)#aaa new-model
R(config)#tacacs server ACS
R(config-server-tacacs)#address ipv4 <ip>
R(config-server-tacacs)#single-connection
R(config-server-tacacs)#key cisco
R(config)#aaa authentication login MYAUTH group tacacs+ local
R(config)#line vty 0 4
R(config-line)#login authentication MYAUTH
R#test aaa group tacacs+ admin cisco new-code

On ACS, define the users and the TACACS+ clients (the routers):

user setup > add > user
user setup > add > password
user setup > list all users
network configuration > AAA clients > add
network configuration > AAA clients > client hostname
network configuration > AAA clients > client ip address
network configuration > AAA clients > shared secret
network configuration > AAA clients > authentication using tacacs+ (cisco ios)
network configuration > AAA clients > single connection

AUTHORIZATION

R(config)#aaa authorization exec default group tacacs+ local

Authorization on the default list has no effect on the console line.

Exec authorization governs access to exec mode, not the individual commands.

interface configuration > advanced options > per-user tacacs/radius attributes
interface configuration > tacacs+ > tacacs+ services > user shell (exec)
user setup > edit > tacacs+ settings
user setup > edit > tacacs+ settings > shell (exec)
user setup > edit > tacacs+ settings > privilege level 15
user setup > edit > tacacs+ settings > auto command sh run

R(config)#aaa authorization commands 0 default group tacacs+ local
R(config)#aaa authorization commands 1 default group tacacs+ local
R(config)#aaa authorization commands 15 default group tacacs+ local

Command authorization applies to exec commands, not to configuration commands.

shared profile components > shell command authorization sets > add
shared profile components > shell command authorization sets > name
ping (+permit unmatched arguments)
telnet (+permit unmatched arguments)
user setup > edit > shell command authorization set > assign a shell command authorization set

R(config)#aaa authorization config-commands

shared profile components > shell command authorization sets > edit
exit (+permit unmatched arguments)
end (+permit unmatched arguments)
enable (+permit unmatched arguments)
disable (+permit unmatched arguments)
configure (+permit unmatched arguments)
interface (+permit fastethernet, +permit 0/1)

Alternatively, it may be necessary to enter the interface names with the same case as typed and without the slash.

shared profile components > shell command authorization sets > edit
show (+permit run, +permit ip route)
shutdown (+permit unmatched arguments)
no (+permit shutdown)
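
The following is an added example (not from the note and not Cisco ACS code) that models how a shell command authorization set like the one above decides a command, combined with the router-side rule from this section: command authorization covers exec commands, and configuration-mode commands are only submitted to the server when aaa authorization config-commands is present. The matching rules are an assumption (argument tokens must be covered by the permit entries, an entry such as "ip route" may span several tokens, leftover tokens pass only with "permit unmatched arguments", and a command word absent from the set is denied); the set LAB_SET is constructed from the "(+permit ...)" lines in the note.

```python
"""Model of an ACS shell command authorization set together with the IOS rule
on which commands get sent to the server at all.

Added example, not code from the lab note or from Cisco ACS. Assumed matching
rules: the command line is split into a command word and argument tokens; the
tokens must be covered by the set's permit entries (an entry may span several
tokens, e.g. "ip route"); leftover tokens pass only with "permit unmatched
arguments"; a command word absent from the set is denied unless the set permits
unmatched commands. A bare command with no arguments has nothing to cover and
is permitted."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CommandRule:
    permitted_args: List[str] = field(default_factory=list)  # e.g. ["run", "ip route"]
    permit_unmatched_args: bool = False


@dataclass
class CommandSet:
    rules: Dict[str, CommandRule]
    permit_unmatched_commands: bool = False  # assumed default: unmatched commands denied

    def permits(self, command_line: str) -> bool:
        tokens = command_line.split()
        if not tokens:
            return False
        rule = self.rules.get(tokens[0])
        if rule is None:
            return self.permit_unmatched_commands
        # longest entries first so "ip route" is tried before single-token entries
        entries = sorted((e.split() for e in rule.permitted_args), key=len, reverse=True)
        i = 1
        while i < len(tokens):
            for entry in entries:
                if tokens[i:i + len(entry)] == entry:
                    i += len(entry)
                    break
            else:
                if not rule.permit_unmatched_args:
                    return False
                i += 1
        return True


def router_decision(command_line: str, mode: str, command_set: CommandSet,
                    config_commands_authorized: bool) -> str:
    """'permit' / 'deny' from the set, or 'not-sent' when the router never asks:
    'aaa authorization commands' covers exec-mode commands only, and config-mode
    commands are submitted only when 'aaa authorization config-commands' is set."""
    if mode == "config" and not config_commands_authorized:
        return "not-sent"
    return "permit" if command_set.permits(command_line) else "deny"


# The set from the note, constructed from its "(+permit ...)" lines
LAB_SET = CommandSet(rules={
    "ping": CommandRule(permit_unmatched_args=True),
    "telnet": CommandRule(permit_unmatched_args=True),
    "exit": CommandRule(permit_unmatched_args=True),
    "end": CommandRule(permit_unmatched_args=True),
    "enable": CommandRule(permit_unmatched_args=True),
    "disable": CommandRule(permit_unmatched_args=True),
    "configure": CommandRule(permit_unmatched_args=True),
    "interface": CommandRule(permitted_args=["fastethernet", "0/1"]),
    "show": CommandRule(permitted_args=["run", "ip route"]),
    "shutdown": CommandRule(permit_unmatched_args=True),
    "no": CommandRule(permitted_args=["shutdown"]),
})

if __name__ == "__main__":
    for line, mode in [("show ip route", "exec"), ("show version", "exec"),
                       ("interface fastethernet 0/1", "config"),
                       ("interface serial 0/0", "config"), ("no shutdown", "config")]:
        for cc in (False, True):
            print(f"{mode:6} config-commands={cc!s:5} {line!r}: "
                  f"{router_decision(line, mode, LAB_SET, cc)}")
```

Running it shows the point of the two router commands: "interface fastethernet 0/1" is executed without any query when config-commands authorization is off, is permitted by the set when it is on, while "interface serial 0/0" or "no ip route ..." are denied because their argument tokens are not covered.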

ACCOUNTING

R(config)#aaa accounting exec default start-stop group tacacs+
R(config)#aaa accounting commands 0 default start-stop group tacacs+
R(config)#aaa accounting commands 1 default start-stop group tacacs+
R(config)#aaa accounting commands 15 default start-stop group tacacs+
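
As an added example covering the router side of all three sections (authentication, authorization and accounting), the Python script below audits a running-config excerpt for the settings built above: a login list that uses group tacacs+ and ends with local, vty lines that reference a defined list, exec and command authorization with local fallback, aaa authorization config-commands, start-stop accounting, and a tacacs server block with a key. It is not from the note; the two configurations are constructed, 192.0.2.10 is a documentation address standing in for the ACS <ip>, and the closing informational finding relies on the IOS behaviour that the console is exempt from authorization unless aaa authorization console is configured.

```python
"""Audit an IOS running-config excerpt for the AAA settings the note builds:
TACACS+ login on the vty lines with 'local' fallback, exec and command
authorization with 'local' fallback, config-command authorization and
start-stop accounting. Added example; both configs are constructed and
192.0.2.10 is a documentation address standing in for the ACS <ip>."""
import re
from typing import Dict, List, Tuple


def split_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Top-level lines plus each one's indented sub-lines (IOS nests the
    'tacacs server' and 'line vty' settings by indentation)."""
    top: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.rstrip()
            top.append(current)
            blocks[current] = []
    return top, blocks


def audit_aaa(config: str) -> List[str]:
    top, blocks = split_config(config)
    findings: List[str] = []

    def has(prefix: str) -> bool:
        return any(l == prefix or l.startswith(prefix + " ") for l in top)

    if not has("aaa new-model"):
        findings.append("WARN: 'aaa new-model' missing, AAA method lists are not in effect")
    # Login lists: must try TACACS+ and keep 'local' as the last (fallback) method
    login_lists: Dict[str, List[str]] = {}
    for l in top:
        m = re.match(r"aaa authentication login (\S+) (.+)$", l)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
    for name, methods in login_lists.items():
        if "tacacs+" not in methods:
            findings.append(f"WARN: login list {name} does not use group tacacs+")
        if methods[-1] != "local":
            findings.append(f"WARN: login list {name} has no 'local' fallback as its last method")
    # Every vty block must apply a defined list, or a default list must exist
    for block, sub in blocks.items():
        if not block.startswith("line vty"):
            continue
        refs = [s.split()[2] for s in sub if s.startswith("login authentication ")]
        if not refs and "default" not in login_lists:
            findings.append(f"WARN: {block} applies no login list and no default list is defined")
        for ref in refs:
            if ref not in login_lists:
                findings.append(f"WARN: {block} references undefined login list {ref}")
    # Authorization and accounting commands from the note, plus the fallback on each
    for prefix in ("aaa authorization exec default",
                   "aaa authorization commands 15 default",
                   "aaa authorization config-commands",
                   "aaa accounting exec default start-stop",
                   "aaa accounting commands 15 default start-stop"):
        if not has(prefix):
            findings.append(f"WARN: '{prefix}' missing")
    for l in top:
        if l.startswith("aaa authorization ") and "group tacacs+" in l and not l.endswith(" local"):
            findings.append(f"WARN: '{l}' has no 'local' fallback, an unreachable ACS locks out management")
    servers = [b for b in blocks if b.startswith("tacacs server ")]
    if not servers:
        findings.append("WARN: no 'tacacs server' defined")
    for b in servers:
        if not any(s.startswith("key ") for s in blocks[b]):
            findings.append(f"WARN: {b} has no shared key")
    # The default lists do not cover the console unless 'aaa authorization console' is set
    if not has("aaa authorization console"):
        findings.append("INFO: console line is exempt from authorization ('aaa authorization console' absent)")
    return findings


# Constructed: the note's configuration (levels 0 and 1 omitted for brevity)
GOOD_CONFIG = """\
username admin secret cisco
aaa new-model
tacacs server ACS
 address ipv4 192.0.2.10
 single-connection
 key cisco
aaa authentication login MYAUTH group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 4
 login authentication MYAUTH
"""

# Constructed: fallbacks dropped, list name mistyped, config-commands and accounting absent
BAD_CONFIG = """\
aaa new-model
tacacs server ACS
 address ipv4 192.0.2.10
 key cisco
aaa authentication login MYAUTH group tacacs+
aaa authorization exec default group tacacs+
aaa authorization commands 15 default group tacacs+ local
line vty 0 4
 login authentication MYAUTHX
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, *audit_aaa(cfg), sep="\n  ")
```

The mistyped list name in BAD_CONFIG mirrors the typo risk in the vty login authentication command: with aaa new-model on, a vty line pointing at a list that does not exist is exactly the kind of error that the test aaa command in the authentication section does not catch, because it exercises the server group rather than the line binding.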

system configuration > logging > passed authentication > configure > log to csv
report and activity > tacacs+ accounting
report and activity > tacacs+ administration
