Written by Alexei Spirin
Saturday, 02 February 2008 16:18
I. ACS configuration
1) Add the device as a TACACS+ AAA client (i.e. the NAS).
2) Interface Configuration -> TACACS+: turn on "Advanced TACACS+ Features".
3) Shared Profile Components -> add a Shell Command Authorization Set (the commands this group may run).
4) Add a new group with:
   Enable Options = Max Privilege for any AAA Client (15) (FOR PIX ONLY!?)
   TACACS+ Settings = Shell (exec), Privilege level = 15 (3) (FOR IOS ONLY!?)
   Shell Command Authorization Set = the command authorization set from step 3
5) User Setup -> add a new user with:
   TACACS+ Enable Control = Use Group Level Setting
   TACACS+ Enable Password = Use CiscoSecure PAP password (or a separate one)
II. PIX configuration
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.4.2.50 cisco
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL
aaa authorization command ACS LOCAL
username cisco password cisco privilege 15
The LOCAL keyword in each method list makes the PIX fall back to the local user database (the "cisco" user above, given privilege 15 in a single username line) only when no ACS server answers.
III. IOS configuration
! aaa new-model must be enabled before the aaa commands below are accepted
aaa new-model
aaa authentication login default group tacacs+
! exec authorization is what lets ACS hand down the Shell (exec) privilege level set in the group (added here; not in the original list)
aaa authorization exec default group tacacs+
! command authorization at both privilege levels; the trailing "none" permits commands when no TACACS+ server answers
aaa authorization commands 15 default group tacacs+ none
aaa authorization commands 3 default group tacacs+ none
aaa authorization config-commands
tacacs-server host 10.4.2.50 key cisco
! lower "configure terminal" and "ntp server" to level 3; "ntp server" is a global configuration command, so its privilege mode is "configure"
privilege exec level 3 configure terminal
privilege configure level 3 ntp server
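The two command-authorization method lists in this note differ in what happens when ACS is unreachable: the IOS lists end in `none`, the PIX list in `LOCAL`. The following added check (not part of this note or of any Cisco tool) parses both forms and reports the fallback each list has; the config lines are embedded as constructed sample input.

```python
import re
# Constructed sample input: the command-authorization lines from the note above.
PIX_CONFIG = "aaa-server ACS (inside) host 10.4.2.50 cisco\naaa authorization command ACS LOCAL\n"
IOS_CONFIG = """\
aaa authorization commands 15 default group tacacs+ none
aaa authorization commands 3 default group tacacs+ none
aaa authorization config-commands
"""

# IOS form: aaa authorization commands <level> <list-name> <method> [method ...]
IOS_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
# PIX 7.x form: aaa authorization command <server-tag> [LOCAL]
PIX_RE = re.compile(r"^aaa authorization command (\S+)( LOCAL)?$")

def ios_methods(rest):
    # Split "group tacacs+ none" into ["group tacacs+", "none"].
    toks, out = rest.split(), []
    while toks:
        tok = toks.pop(0)
        out.append(tok + " " + toks.pop(0) if tok == "group" and toks else tok)
    return out

def fallback(methods):
    # What a command gets when every TACACS+ server in the list is unreachable.
    last = methods[-1].lower()
    if last == "none":
        return "fail-open: command runs with no authorization check"
    if last == "local":
        return "local: the user's local privilege level decides"
    return "fail-closed: command denied (no fallback method)"

def audit_command_authz(config):
    # One finding per command-authorization line found in an IOS or PIX config.
    findings = []
    for line in (l.strip() for l in config.splitlines()):
        m = IOS_RE.match(line)
        if m:
            methods = ios_methods(m.group(3))
            findings.append({"platform": "ios", "level": int(m.group(1)),
                             "methods": methods, "fallback": fallback(methods)})
            continue
        m = PIX_RE.match(line)
        if m:
            methods = ["group " + m.group(1)] + (["LOCAL"] if m.group(2) else [])
            findings.append({"platform": "pix", "level": None,
                             "methods": methods, "fallback": fallback(methods)})
    return findings
```

Run `audit_command_authz` over a saved running-config to see which lists still bypass authorization when the ACS host is down.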
Last Updated on Saturday, 25 October 2008 10:07