Network security is a big deal! Here is a best-practice example of how to configure Cisco AAA in the most effective and practical way.
Example of the best practices for Cisco AAA configuration
; It does provide
(** Uses Cisco ACS as the TACACS+ server; TACACS+ user: USER_tacacs)
service password-encryption
!
username USER_0 privilege 0 secret 5 xxxxxxxxx
username USER_15 privilege 15 secret 5 yyyyyyy
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
tacacs-server host x.x.x.x timeout 5
tacacs-server directed-request
tacacs-server key 7 090909090909009090990
line con 0
exec-timeout 9 0
logging synchronous
login authentication CONSOLE
Details and descriptions
service password-encryption
!
username USER_0 privilege 0 secret 5 xxxxxxxxx
username USER_15 privilege 15 secret 5 yyyyyyy
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated ; alternative to the line above: it won't allow binding privilege 15 from the local database, so USER_15 won't get the # prompt (privilege 15) when logging in through the console port.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
tacacs-server host x.x.x.x timeout 5
tacacs-server directed-request
tacacs-server key 7 090909090909009090990
line con 0
exec-timeout 9 0
logging synchronous
login authentication CONSOLE
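As an added example (not part of the original post), here is a small Python audit that reads a config text and reports where it departs from the practices above, including the if-authenticated pitfall noted in the details. The sample config, the 192.0.2.10 server address and the list of checks are this example's own assumptions.

```python
"""Audit a Cisco IOS config text against the AAA practices on this page. Added
example, not from the original post; SAMPLE_CONFIG is constructed for the demo."""
import re

# Constructed sample: the page's config with a few weaknesses introduced on purpose.
SAMPLE_CONFIG = """\
username USER_15 privilege 15 password 7 0822455D0A16
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login CONSOLE group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
tacacs-server host 192.0.2.10 timeout 5
tacacs-server key 7 090909090909009090990
line con 0
 login authentication CONSOLE
"""


def block(lines, header):
    """Return the indented sub-commands that follow `header` (e.g. 'line con 0')."""
    out, inside = [], False
    for raw in lines:
        if raw == header:
            inside = True
        elif inside and raw.startswith(" "):
            out.append(raw.strip())
        elif inside:
            break
    return out


def audit(config_text):
    """Return the list of failed checks; an empty list means the config passes."""
    raw = [l.rstrip() for l in config_text.splitlines() if l.strip() not in ("", "!")]
    ls = [l.strip() for l in raw]
    con = block(raw, "line con 0")
    checks = [
        ("aaa new-model missing: the AAA method lists are ignored without it",
         "aaa new-model" not in ls),
        ("login method list without 'local' fallback: lockout if TACACS+ is unreachable",
         any(l.startswith("aaa authentication login") and not l.endswith(" local") for l in ls)),
        ("exec authorization uses if-authenticated: local privilege 15 is not applied (page note)",
         any(l.startswith("aaa authorization exec") and "if-authenticated" in l for l in ls)),
        ("username uses 'password' (type 7, reversible) instead of 'secret'",
         any(re.match(r"username \S+ .*\bpassword\b", l) for l in ls)),
        ("no 'aaa accounting commands 15': privileged commands are not sent to TACACS+",
         not any(l.startswith("aaa accounting commands 15") for l in ls)),
        ("console line lacks exec-timeout: idle console sessions never expire",
         not any(l.startswith("exec-timeout") for l in con)),
    ]
    return [msg for msg, failed in checks if failed]
```

Run `audit(open("running-config.txt").read())` against an exported config to get the same findings for a real device.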