The following examples show how to configure AAA services.
An authentication method list vty-authen is configured. This example specifies a
method list that uses the list of all configured TACACS+ servers for authentication.
If that method fails, the local username database method is used for

aaa authentication login vty-authen group tacacs+ local
The default method list for PPP is configured to use the local method.

aaa authentication ppp default local
A username user1 is created for login purposes, a secure login password is assigned,
and user1 is made a root-lr user. Configure similar settings for username
A task group named tga is created, tasks are added to tga, a user group named uga is
created, and uga is configured to inherit permissions from task group tga. A
description is added to task group uga.

task read bgp
task write ospf
description usergroup uga
Username user2 is configured to inherit from user group uga.
Three TACACS+ servers are configured.

tacacs-server host 126.96.36.199 port 1 key abc
tacacs-server host 188.8.131.52 port 2 key def
tacacs-server host 184.108.40.206 port 3 key ghi
A user group named priv5 is created, which will be used for users authenticated using
the TACACS+ method and whose entry in the external TACACS+ daemon configuration file
has a privilege level of 5.
An authorization method list, vty-author, is configured. This example specifies that
command authorization be done using the list of all configured TACACS+ servers.

aaa authorization commands vty-author group tacacs+
An accounting method list, vty-acct, is configured. This example specifies that
start-stop command accounting be done using the list of all configured TACACS+

aaa accounting commands vty-acct start-stop group tacacs+
For TACACS+ authentication, if, for example, a privilege level 8 is returned, and no
local usergroup priv8 exists and no local user with the same name exists, the
aaa default-taskgroup command with tga specified
as the taskgroup-name argument ensures that such users are
given the taskmap of the task group tga.

aaa default-taskgroup tga
For line template vty, a line password is assigned that is used with line
authentication and makes usergroup uga the group that is assigned for line
authentication (if used), and makes vty-authen, vty-author, and vty-acct,
respectively, the method lists that are used for authentication, authorization, and

line template vty
 users group uga
 login authentication vty-authen
 authorization commands vty-author
 accounting commands vty-acct
A TACACS+ server group named abc is created and an already configured TACACS+ server
is added to it.

aaa group server tacacs+ abc
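As an added example that is not part of the Cisco documentation this page is drawn from, the following Python script parses an IOS XR style AAA configuration and checks the properties the example above depends on: every authentication list that uses a TACACS+ server group also falls back to local (otherwise all operators are locked out when the servers are unreachable), every TACACS+ server has a shared key of reasonable length, every line template references method lists that actually exist and covers authorization and accounting, and a default task group is defined for TACACS+ users whose privilege level maps to no local user group. The sample configuration, the RFC 5737 server addresses, the keys and the 16-character key threshold are all constructed for this example.

```python
"""Audit an IOS XR style AAA configuration for the properties the page's
example relies on. The parser understands only the small subset of the CLI
shown on the page (top-level lines plus one level of indented sub-mode
lines); it is a review aid, not a full config parser."""
import re

# Constructed sample, modelled on the page's example. Addresses are RFC 5737
# documentation addresses and the keys are made up; the first key is
# deliberately short so the key-length check has something to flag, and the
# console template deliberately omits authorization and accounting.
SAMPLE_CONFIG = """\
aaa authentication login vty-authen group tacacs+ local
aaa authentication ppp default local
aaa authorization commands vty-author group tacacs+
aaa accounting commands vty-acct start-stop group tacacs+
aaa default-taskgroup tga
tacacs-server host 192.0.2.10 port 49 key abc
tacacs-server host 192.0.2.11 port 49 key dY7pQv2mLx9cR4tB
line template vty
 users group uga
 login authentication vty-authen
 authorization commands vty-author
 accounting commands vty-acct
line template console
 login authentication vty-authen
aaa group server tacacs+ abc
 server 192.0.2.10
"""

MIN_KEY_LEN = 16  # assumed local policy threshold, not a Cisco requirement

METHOD_LIST = re.compile(r"^aaa (authentication|authorization|accounting) \S+ (\S+) (.+)$")
TACACS_HOST = re.compile(r"^tacacs-server host (\S+) port \d+ key (\S+)$")


def parse_config(text):
    """Split config text into top-level lines and their indented sub-lines."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks


def method_lists(top):
    """Map (kind, list-name) to its ordered methods, e.g. ['group', 'tacacs+', 'local']."""
    lists = {}
    for line in top:
        m = METHOD_LIST.match(line)
        if not m:
            continue
        kind, name, methods = m.group(1), m.group(2), m.group(3).split()
        if kind == "accounting" and methods[0] in ("start-stop", "stop-only", "none"):
            methods = methods[1:]  # drop the record type, keep only the methods
        lists[(kind, name)] = methods
    return lists


def audit(text):
    """Return a sorted list of (check, subject) findings for the given config."""
    top, blocks = parse_config(text)
    lists = method_lists(top)
    findings = []

    # An authentication list that relies on a server group with no local
    # fallback locks every operator out when the TACACS+ servers are down.
    for (kind, name), methods in lists.items():
        if kind == "authentication" and "group" in methods and "local" not in methods:
            findings.append(("no-local-fallback", name))

    # The shared key protects the TACACS+ session; short keys are guessable.
    for line in top:
        m = TACACS_HOST.match(line)
        if m and len(m.group(2)) < MIN_KEY_LEN:
            findings.append(("weak-tacacs-key", m.group(1)))

    # Each line template must reference method lists that exist and should
    # authorize and account for commands so privileged activity is logged.
    required = {"login authentication": "authentication",
                "authorization commands": "authorization",
                "accounting commands": "accounting"}
    for head, children in blocks.items():
        if not head.startswith("line template "):
            continue
        template = head.split()[-1]
        seen = set()
        for child in children:
            for prefix, kind in required.items():
                if child.startswith(prefix + " "):
                    seen.add(prefix)
                    name = child[len(prefix) + 1:]
                    if (kind, name) not in lists:
                        findings.append(("undefined-method-list", f"{template}:{name}"))
        for prefix in required:
            if prefix not in seen:
                findings.append(("missing-" + prefix.split()[0], template))

    # Without a default task group, TACACS+ users whose privilege level maps
    # to no local usergroup end up with no task permissions at all.
    if not any(line.startswith("aaa default-taskgroup ") for line in top):
        findings.append(("no-default-taskgroup", "global"))

    return sorted(findings)


if __name__ == "__main__":
    for check, subject in audit(SAMPLE_CONFIG):
        print(f"{check}: {subject}")
```

Run against the sample, the audit reports the short key on 192.0.2.10 and the console template's missing authorization and accounting lists; the vty template and the vty-authen list pass. Feeding it the output of `show running-config aaa` and `show running-config line` is the intended use, with the parser extended as needed for sub-modes the page does not show.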