Look at the sample configuration for AAA:
!
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication login CONAUTH local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization exec CONAUTH local
aaa accounting exec default start-stop group tacacs+
aaa accounting exec CONAUTH none
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 0 CONAUTH none
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 1 CONAUTH none
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting commands 15 CONAUTH none
!
aaa session-id common
!
username cisco privilege 15 password 0 cisco123
!
!
!
interface Ethernet0/0
ip address 169.254.0.2 255.255.0.0
!
!
tacacs-server host 169.254.0.3 key secret
!
!
!
privilege exec level 0 terminal monitor
privilege exec level 0 terminal
!
line con 0
authorization exec CONAUTH
accounting commands 0 CONAUTH
accounting commands 1 CONAUTH
accounting commands 15 CONAUTH
accounting exec CONAUTH
login authentication CONAUTH
line aux 0
no exec
line vty 0 4
autocommand terminal monitor
autocommand-options nohangup
!
!
Policy:
1. AUX is disabled for EXEC (no exec).
2. Users can log in through the console with local authentication (cisco / cisco123).
3. The console user is always authorized and placed directly in enable mode, because the local user has privilege level 15 (username cisco privilege 15).
4. The console user is never accounted, neither for the EXEC session nor for the commands entered.
5. Anyone who knows the local username and password can log in through the console, but not through AUX or VTY (the local method on the default login list is only consulted when no TACACS+ server responds).
6. The VTY lines use the default authentication, authorization and accounting lists.
7. Users are prompted for a username and password, which are stored in the ACS database.
8. Each user needs their own enable password, which is stored in the ACS database.
9. Based on the user's group membership, the user is assigned a privilege level.
10. Upon user authentication the "terminal monitor" command is issued for the user's session (autocommand on the VTY lines).
11. terminal monitor is a privilege level 15 command, so we lowered it to privilege level 0 to allow all authenticated users to see system messages.
12. Based on group membership, each user can have at most 3 concurrent Telnet sessions (set in the ACS group profile).
13. User EXEC sessions are accounted when they start and when they stop.
14. User commands are accounted in ACS.
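The policy above is what you get once IOS resolves each line's named or default method lists. The following script is an added example, not code from the original post: it parses the AAA-relevant lines of the post's configuration (embedded as a constructed copy), works out the effective list per line and function, including the rule that EXEC authorization is not applied to the console without "aaa authorization console", and then reports what a config reviewer would flag (the cleartext "password 0" on the local user, and the "none" accounting on the console). The functions, the FUNCTIONS table and the finding wording are assumptions of this example; it handles only the line sub-commands listed in that table and is not an IOS emulator.

```python
import re

# Added example, not from the post: the AAA-relevant lines of the post's sample
# configuration, embedded inline (constructed copy) so the script runs offline.
# The post's copy lost its indentation, so the parser treats every statement
# between 'line X' and the next '!' as that line's sub-commands.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONAUTH local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization exec CONAUTH local
aaa accounting exec default start-stop group tacacs+
aaa accounting exec CONAUTH none
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 0 CONAUTH none
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 1 CONAUTH none
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting commands 15 CONAUTH none
username cisco privilege 15 password 0 cisco123
!
line con 0
authorization exec CONAUTH
accounting commands 0 CONAUTH
accounting commands 1 CONAUTH
accounting commands 15 CONAUTH
accounting exec CONAUTH
login authentication CONAUTH
line aux 0
no exec
line vty 0 4
autocommand terminal monitor
!
"""

# Line-mode keyword -> the global 'aaa ...' statement that defines its lists.
FUNCTIONS = {
    "login authentication": "aaa authentication login",
    "authorization exec": "aaa authorization exec",
    "accounting exec": "aaa accounting exec",
    "accounting commands 0": "aaa accounting commands 0",
    "accounting commands 1": "aaa accounting commands 1",
    "accounting commands 15": "aaa accounting commands 15",
}

def parse_config(text):
    """Return ({(aaa_prefix, list_name): methods}, {line: {setting: value}}, [other globals])."""
    method_lists, lines, globals_ = {}, {}, []
    current = None
    for stmt in (raw.strip() for raw in text.splitlines()):
        if not stmt or stmt.startswith("!"):
            current = None                      # '!' closes a line section
        elif stmt.startswith("line "):
            current = stmt[5:]
            lines[current] = {}
        elif current is not None:               # sub-command of the current line
            kw = next((k for k in FUNCTIONS if stmt.startswith(k + " ")), None)
            lines[current][kw or stmt] = stmt[len(kw) + 1:] if kw else None
        else:
            prefix = next((p for p in FUNCTIONS.values() if stmt.startswith(p + " ")), None)
            if prefix:
                name, methods = stmt[len(prefix) + 1:].split(" ", 1)
                method_lists[(prefix, name)] = methods
            else:
                globals_.append(stmt)
    return method_lists, lines, globals_

def effective_policy(text):
    """Per line and function, the (list_name, methods) IOS applies: unnamed functions use
    'default'; EXEC authorization skips the console unless 'aaa authorization console' is set."""
    method_lists, lines, globals_ = parse_config(text)
    policy = {}
    for line, settings in lines.items():
        if "no exec" in settings:
            policy[line] = {"exec": "disabled"}
            continue
        resolved = {}
        for kw, prefix in FUNCTIONS.items():
            list_name = settings.get(kw, "default")
            methods = method_lists.get((prefix, list_name))   # None: list never defined
            if (kw == "authorization exec" and line.startswith("con")
                    and "aaa authorization console" not in globals_):
                methods = "not applied (no 'aaa authorization console')"
            resolved[kw] = (list_name, methods)
        policy[line] = resolved
    return policy

def audit(text):
    """Reviewer findings: cleartext/reversible local passwords, 'none' accounting, undefined lists."""
    findings = []
    for stmt in parse_config(text)[2]:
        m = re.match(r"username (\S+) .*\bpassword [07] ", stmt)
        if m:
            findings.append(f"username {m.group(1)}: 'password 0/7' is cleartext/reversible; use 'secret'")
    for line, resolved in effective_policy(text).items():
        if resolved.get("exec") == "disabled":
            continue                                # no EXEC, nothing to account
        for kw, (list_name, methods) in resolved.items():
            if methods is None:
                findings.append(f"line {line}: {kw} references undefined list {list_name!r}")
            elif kw.startswith("accounting") and methods == "none":
                findings.append(f"line {line}: {kw} is 'none' (no audit trail)")
    return findings

if __name__ == "__main__":
    print(effective_policy(SAMPLE_CONFIG), *audit(SAMPLE_CONFIG), sep="\n")
```

Run against the sample, effective_policy() shows the console resolving to the CONAUTH lists and the VTY lines to the default TACACS+ lists, and audit() returns five findings: the cleartext local password and the four "none" accounting entries on the console, which this policy accepts deliberately (item 4) but which a reviewer should still see listed.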
TACACS+ Administration:
01/30/2009 13:57:59 shafagh Default Group show users 1 shell tty130 160 169.254.0.2
01/30/2009 13:57:55 shafagh Default Group enable 0 shell tty130 154 169.254.0.2
TACACS+ Accounting active:
01/30/2009 13:57:20 shafagh Default Group 169.254.0.1 start shell tty130 169.254.0.2
01/30/2009 13:57:14 shafagh Default Group 169.254.0.1 stop shell tty130 169.254.0.2

