## Notes
```
aaa authorization exec console local
aaa authentication login console local
aaa authorization commands console none
line console
 authorization commands console
 login authentication console
 authorization exec console
```
Before changing the AAA configuration, always make sure the console is configured for local authentication and authorization, so that a mistaken configuration cannot leave you unable to modify the configuration.

Alternatively, when changing the AAA configuration, do not use a plain "commit"; use "commit confirmed minutes x". This command means that if a second "commit" is not performed, the configuration is rolled back after x minutes.

```
RP/0/RSP0/CPU0:ios(config)#commit confirmed minutes 5
```

Test AAA, and only commit once the test passes:

```
RP/0/RSP0/CPU0:ios(config)#commit
```
## default VRF
```
tacacs source-interface Loopback0 vrf default
tacacs-server host 10.70.79.177 port 49
 key 7 110A1016141D
!
aaa accounting commands default start-stop group tacacs+
aaa authorization exec console local
aaa authorization exec default group tacacs+ local
aaa authorization commands console none
aaa authorization commands default group tacacs+ none
aaa authentication login console local
aaa authentication login default group tacacs+ local
```
## non-default VRF
```
tacacs source-interface MgmtEth0/RSP0/CPU0/0 vrf MGMT
tacacs-server host 10.70.79.177 port 49
 key 7 110A1016141D
!
aaa accounting commands default start-stop group XU
aaa group server tacacs+ XU
 server 10.70.79.177
 vrf MGMT
!
aaa authorization exec console local
aaa authorization exec default group XU local
aaa authorization commands console none
aaa authorization commands default group XU none
aaa authentication login console local
aaa authentication login default group XU local
```
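The lockout rule from the notes (console stays local) and the fallback pattern of the VRF method lists above can be checked mechanically before a commit. The following is an added example, not part of these notes: a small Python linter over an IOS-XR AAA config snippet (the sample config is constructed here, modelled on the non-default VRF stanzas; the function names are my own).

```python
import re

# Constructed sample, modelled on the non-default VRF stanzas above (not from a real device).
SAMPLE_CONFIG = """
aaa authorization exec console local
aaa authorization exec default group XU local
aaa authorization commands console none
aaa authorization commands default group XU none
aaa authentication login console local
aaa authentication login default group XU local
"""
# The three method-list services whose fallback behaviour decides lockout risk.
AAA_RE = re.compile(
    r"^aaa (authentication login|authorization exec|authorization commands) (\S+) (.+)$"
)

def parse_method_lists(config):
    """Return {(service, list_name): [methods]}; 'group NAME' stays one token."""
    lists = {}
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if not m:
            continue
        service, name, rest = m.groups()
        tokens, methods, i = rest.split(), [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[(service, name)] = methods
    return lists

def lockout_findings(config):
    """Findings that could lock an operator out if the TACACS+ server is unreachable."""
    lists = parse_method_lists(config)
    findings = []
    # Rule 1 (from the notes): the console must authenticate and authorise locally.
    for service in ("authentication login", "authorization exec"):
        methods = lists.get((service, "console"))
        if methods != ["local"]:
            findings.append(f"console {service} is {methods}, expected ['local']")
    # Rule 2: a list that ends on a server group has no fallback when that group is down.
    for (service, name), methods in lists.items():
        if methods[-1].startswith("group "):
            findings.append(f"{service} {name} has no fallback after '{methods[-1]}'")
    return findings
```

Run `lockout_findings()` over `show run aaa` output before committing; an empty list means both rules hold.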
## User-Defined User Groups/Task Groups example
```
taskgroup priv1
 task read bgp
 task read ipv4
 task read isis
 task read interface
 task write basic-services
 task execute basic-services
 description view_only
!
taskgroup priv5
 task read aaa
 task read acl
 task read atm
 task read bfd
 task read bgp
 task read cdp
 task read cef
 task read ppp
 task read qos
 task read rib
 task read bcdl
 task read boot
 task read diag
 task read hdlc
 task read hsrp
 task read ipv4
 task read isis
 task read snmp
 task read vlan
 task read admin
 task read bundle
 task read fabric
 task read static
 task read sysmgr
 task read system
 task read drivers
 task read logging
 task read monitor
 task read netflow
 task read network
 task read pos-dpt
 task read pkg-mgmt
 task read fault-mgr
 task read interface
 task read inventory
 task read route-map
 task read sonet-sdh
 task read filesystem
 task read tty-access
 task read config-mgmt
 task read ip-services
 task read route-policy
 task read host-services
 task read basic-services
 task read config-services
 task write basic-services
 task execute filesystem
 task execute basic-services
 description read_only_all
!
taskgroup priv10
 task write acl
 task write bgp
 task write cdp
 task write cef
 task write ppp
 task write qos
 task write boot
 task write diag
 task write ipv4
 task write isis
 task write snmp
 task write admin
 task write static
 task write sysmgr
 task write system
 task write logging
 task write monitor
 task write netflow
 task write network
 task write pkg-mgmt
 task write interface
 task write inventory
 task write route-map
 task write sonet-sdh
 task write ip-services
 task write route-policy
 task write basic-services
 task execute bgp
 task execute admin
 task execute logging
 task execute pkg-mgmt
 task execute sonet-sdh
 inherit taskgroup priv5
!
usergroup priv1
 taskgroup priv1
 description view_only
!
usergroup priv5
 taskgroup priv5
 description read_only_all
!
usergroup priv10
 taskgroup priv10
 description priv15_without_aaa
!
usergroup priv15
 taskgroup root-system
 taskgroup cisco-support
 description pri15
```
## line template
Delete the line default configuration and configure the customer's own template:
```
RP/0/RSP0/CPU0:ASR9006-A#show run line template SSH
Sat Jul 23 19:55:49.536 UTC
line template SSH
 login authentication SSH
 transport input ssh

RP/0/RSP0/CPU0:ASR9006-A#show run | in vty
Sat Jul 23 20:05:46.117 UTC
Building configuration...
vty-pool default 0 4 line-template SSH

RP/0/RSP0/CPU0:ASR9006-A#show run aaa
Sat Jul 23 20:06:11.770 UTC
aaa authentication login SSH group tacacs+ local
```