The following examples show how to configure AAA services.
An authentication method list vty-authen is configured. This example specifies a method list that uses the list of all configured TACACS+ servers for authentication. If that method fails, the local username database method is used for authentication.
aaa authentication login vty-authen group tacacs+ local
The default method list for PPP is configured to use local method.
aaa authentication ppp default local
A username user1 is created for login purposes, a secure login password is assigned, and user1 is made a root-system user. Configure similar settings for username user2.
A task group named tga is created, tasks are added to tga, a user group named uga is created, and uga is configured to inherit permissions from task group tga. A description is added to task group uga.
task read bgp
task write ospf
description usergroup uga
Username user2 is configured to inherit from user group uga.
Three TACACS servers are configured.
tacacs-server host 184.108.40.206 port 1 key abc
tacacs-server host 220.127.116.11 port 2 key def
tacacs-server host 18.104.22.168 port 3 key ghi
A user group named priv5 is created, which will be used for users authenticated using the TACACS+ method and whose entry in the external TACACS+ daemon configuration file has a privilege level of 5.
An authorization method list, vty-author, is configured. This example specifies that command authorization be done using the list of all configured TACACS+ servers.
aaa authorization commands vty-author group tacacs+
An accounting method list, vty-acct, is configured. This example specifies that start-stop command accounting be done using the list of all configured TACACS+ servers.
aaa accounting commands vty-acct start-stop group tacacs+
For TACACS+ authentication, if, for example, a privilege level 8 is returned, and no local usergroup priv8 exists and no local user with the same name exists, the aaa default-taskgroup command with tga specified as the taskgroup-name argument ensures that such users are given the taskmap of the task group tga.
aaa default-taskgroup tga
For line template vty, a line password is assigned that is used with line authentication and makes usergroup uga the group that is assigned for line authentication (if used), and makes vty-authen, vty-author, and vty-acct, respectively, the method lists that are used for authentication, authorization, and accounting.
line template vty
users group uga
login authentication vty-authen
authorization commands vty-author
accounting commands vty-acct
A TACACS+ server group named abc is created and an already configured TACACS+ server is added to it.
aaa group server tacacs+ abc