Chapter 12: Using AAA to Scale Access Control in an Expanding Network

Commands:

12.1.1 Enabling AAA and Identifying the Server

router(config)#aaa new-model
router(config)#tacacs-server host ip-address single-connection
router(config)#tacacs-server key key
router(config)#radius-server host ip-address
router(config)#radius-server key key

12.2.2 AAA Authentication Commands

router(config)#aaa authentication login default tacacs+ local
router(config)#aaa authentication login Callers tacacs+ local
router(config)#line con 0
router(config-line)#login authentication Callers
router(config)#line 1 48
router(config-line)#login authentication Callers
router(config)#line vty 0 4

Miscellaneous commands
router(config)#aaa authentication arap
router(config)#aaa authentication enable default
router(config)#aaa authentication local-override
router(config)#aaa authentication login
router(config)#aaa authentication nasi
router(config)#aaa authentication password-prompt
router(config)#aaa authentication ppp
router(config)#aaa authentication username-prompt
Router(config)#aaa authentication login {default | list-name} method1 [...[method4]]
Router(config)#aaa authentication enable default method1 [...[method4]]
Router(config)#aaa authentication ppp {default | list-name} method1 [...[method4]]

12.2.3 AAA Authorization Commands

Authorization options
network
exec
commands
level
config-commands
reverse-access
if-authenticated
local
none
radius
tacacs+
krb5-instance

AAA Authentication and Authorization Commands
router(config)#aaa authentication enable default tacacs+ enable
router(config)#aaa authorization exec tacacs+ local
router(config)#aaa authorization commands n tacacs+ local

AAA Authentication and Authorization Commands for PPP
router(config)#username admin password password
router(config)#aaa authentication ppp Callers if-needed tacacs+
router(config)#aaa authorization network tacacs+ if-authenticated
Router(config)#aaa authorization {network | exec | commands level | config-commands | reverse-access} {if-authenticated | local | none | radius | tacacs+ | krb5-instance}

12.2.4 AAA Accounting Commands

Accounting options
commands
level
connection
exec
network
system
start-stop
stop-only
wait-start

{tacacs+ | radius}

AAA Accounting Commands
router(config)#aaa accounting network start-stop tacacs+
router(config)#aaa accounting exec start-stop tacacs+
router(config)#aaa accounting commands 15 start-stop tacacs+
router(config)#aaa accounting connection start-stop tacacs+
router(config)#aaa accounting system start-stop tacacs+
Router(config)#aaa accounting {commands level | connection | exec | network | system} {start-stop | stop-only | wait-start} {tacacs+ | radius}
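A way to check that a finished configuration applies the authentication, authorization and accounting commands from 12.1.1 through 12.2.4 safely, as an added example that is not from the chapter or from Cisco: the Python script below parses configuration text written in the chapter's command syntax (the older form without the later group and default keywords) and reports the things a reviewer looks for, namely a login or enable method list that has no local or enable fallback (which locks administrators out when the TACACS+ or RADIUS server is unreachable), a list that allows none, a line that references an undefined list, a missing aaa new-model, and missing exec or command accounting. The sample configuration, its server address and key are constructed placeholders, and the function names parse_aaa and audit_aaa and the finding codes are this example's own.

```python
"""Audit the AAA settings this chapter covers in a Cisco IOS configuration.

Added example, not from the chapter. It parses configuration text in the
chapter's syntax and flags: 'aaa new-model' missing, a method list with no
local/enable fallback (lockout when the AAA server is unreachable), a list
that allows 'none', a line that references an undefined list, and missing
accounting.
"""

SERVER_METHODS = {"tacacs+", "radius"}
# Methods that still work when the AAA server cannot be reached.
FALLBACK_METHODS = {"local", "local-case", "enable", "line"}
AUTHZ_FALLBACK = FALLBACK_METHODS | {"if-authenticated"}

# Constructed sample in the chapter's command syntax (hypothetical device; the
# server address and key are placeholders). The 'Callers' list deliberately
# has no fallback method so the audit has something to report.
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 10.0.0.5 single-connection
tacacs-server key EXAMPLE-KEY
aaa authentication login default tacacs+ local
aaa authentication login Callers tacacs+
aaa authentication enable default tacacs+ enable
aaa authorization exec tacacs+ local
aaa authorization commands 15 tacacs+ local
aaa accounting exec start-stop tacacs+
aaa accounting commands 15 start-stop tacacs+
line con 0
 login authentication Callers
line vty 0 4
 login authentication default
"""


def _split_type(words):
    """'commands 15 tacacs+ local' -> ('commands 15', ['tacacs+', 'local'])."""
    if words[0] == "commands" and len(words) > 1 and words[1].isdigit():
        return " ".join(words[:2]), words[2:]
    return words[0], words[1:]


def parse_aaa(config):
    """Collect the AAA statements of an IOS config into one dictionary."""
    state = {
        "new_model": False,
        "login_lists": {},      # list name -> methods
        "enable_methods": [],
        "authorization": {},    # 'exec', 'commands 15', 'network' -> methods
        "accounting": {},       # same keys -> [record type, server]
        "line_lists": [],       # (line spec, login list it references)
    }
    current_line = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if words == ["aaa", "new-model"]:
            state["new_model"] = True
        elif words[:3] == ["aaa", "authentication", "login"] and len(words) > 3:
            state["login_lists"][words[3]] = words[4:]
        elif words[:4] == ["aaa", "authentication", "enable", "default"]:
            state["enable_methods"] = words[4:]
        elif words[:2] == ["aaa", "authorization"] and len(words) > 2:
            key, methods = _split_type(words[2:])
            state["authorization"][key] = methods
        elif words[:2] == ["aaa", "accounting"] and len(words) > 2:
            key, rest = _split_type(words[2:])
            state["accounting"][key] = rest
        elif words[0] == "line":
            current_line = " ".join(words[1:])
        elif words[:2] == ["login", "authentication"] and current_line:
            state["line_lists"].append((current_line, words[2]))
    return state


def audit_aaa(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_aaa(config)
    findings = []
    if not s["new_model"]:
        findings.append("NO-NEW-MODEL: 'aaa new-model' is absent, so the method lists have no effect")
    for name, methods in s["login_lists"].items():
        if "none" in methods:
            findings.append(f"NO-AUTH: login list '{name}' includes 'none'")
        if set(methods) & SERVER_METHODS and not set(methods) & FALLBACK_METHODS:
            findings.append(f"NO-FALLBACK: login list '{name}' has no local/enable fallback; "
                            "lockout if the server is unreachable")
    enable = set(s["enable_methods"])
    if enable & SERVER_METHODS and not enable & FALLBACK_METHODS:
        findings.append("NO-FALLBACK: 'aaa authentication enable default' has no enable/local fallback")
    for key, methods in s["authorization"].items():
        if set(methods) & SERVER_METHODS and not set(methods) & AUTHZ_FALLBACK:
            findings.append(f"NO-FALLBACK: authorization '{key}' has no fallback method")
    for line_spec, name in s["line_lists"]:
        if name not in s["login_lists"]:
            findings.append(f"UNDEFINED-LIST: line {line_spec} references undefined login list '{name}'")
    if "exec" not in s["accounting"]:
        findings.append("NO-ACCOUNTING: no 'aaa accounting exec' statement")
    if not any(k.startswith("commands") for k in s["accounting"]):
        findings.append("NO-ACCOUNTING: no 'aaa accounting commands <level>' statement")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the only finding is the Callers list with no fallback; adding local to that list, as the chapter's default list does, clears it. The check treats if-authenticated as an acceptable fallback for authorization only, since it never applies to login authentication.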