Unsolved
1 Rookie
9 Posts
July 27th, 2021 00:00
AAA configuration
I am new to Dell Networking and looking to configure AAA configuration. Can anyone help and share the aaa configuration for Dell switch access management.
Product : S5224F-ON
Description : S5224F-ON 24x25GbE SFP28, 4x100GbE QSFP28 Interface Module
Software version : 10.5.2.6


DiegoLopez
4 Operator
2.7K Posts
July 27th, 2021 07:00
Hello @AdnanRaziKhan,
Good to see you back in the Dell Community.
Sure! Although we cannot help you directly with the configuration, we can share some info. This is what I found regarding aaa configuration. Please check the following documents and articles:
How to configure Radius or TACACS authentication for switch management on N series switches - https://dell.to/3iQhOw1
Dell EMC SmartFabric OS10 User Guide Release 10.5.1 - https://dell.to/3iRnzJY
Dell EMC SmartFabric OS10 User Guide Release 10.5.1 - https://dell.to/3l11YkN
Regards.
janek34
3 Posts
August 31st, 2022 03:00
Hi,
I have a problem with AAA configuration on S4048-ON. I configured AAA authentication, authorization and TACACS servers but it is not working. On ISE, I have configured the device profile.
Any ideas?
DELL-Erman O
Moderator
3K Posts
August 31st, 2022 04:00
Hello,
Please checksum your configuration again. I don't know exactly what the problem is, but if I were you, I would check the TACACS server, then check the shared-key to see if it's the same as the server side, and check if no server templates and authentication profiles are configured on the domain. Unfortunately, I can't be of any more help. If the problem persists, contact your local network support team for further assistance, collecting information and seeking technical support.
Hope that helps!
janek34
3 Posts
August 31st, 2022 05:00
"checksum your configuration" ? How to do it?
DELL-Erman O
Moderator
3K Posts
August 31st, 2022 05:00
Sorry for the misunderstanding; I mean cross-check your configuration again to see if you're missing something.
janek34
3 Posts
September 1st, 2022 04:00
I understood. Can you support me with verifying my config? I would send you the items I added.
DELL-Marco B
Moderator
4K Posts
September 1st, 2022 06:00
Hello,
Unfortunately, as Technical Support we cannot support the configuration. If you want, you can buy a configuration ticket and our networking team can help you.
Thanks
RachelGomez
2 Intern
162 Posts
September 11th, 2022 23:00
Cisco IOS supports minimal password authentication at the console/VTY line and privilege exec boundaries, through the use of static, locally defined passwords. For example:
enable secret 5 $1$J19J$Q2jB2AM64H0U001nHStLW1
!
no aaa new-model
!
line con 0
password 7 0532091A0C595D1D3B00351D190900
login
line vty 0 15
password 7 152B0419293F38300A36172D010212
login
While easily implemented, this approach is far from ideal for a production network. For much more robust and easily managed authentication schemes, IOS supports the Authentication, Authorization, and Accounting (AAA) model, using the RADIUS or TACACS+ protocols to centralize these functions on dedicated AAA servers.
This article will look at deploying a typical IOS router AAA configuration which must meet two requirements:
All users logging into the router must authenticate with a username and password to one of two redundant TACACS+ servers.
Users must be able to log in using a backup local user account stored on the router only if neither TACACS+ server is reachable.
This article assumes that all back-end AAA server configuration has been completed and is working.
Configuring AAA on IOS for general administrative access entails four basic steps:
Enable the "new model" of AAA.
Configure the server(s) to be used for AAA (e.g. TACACS+ servers).
Define authentication and authorization method lists.
Enforce AAA authentication on the relevant lines (e.g. console and VTY lines).
Step 0: Create a backup user account
Although not technically a part of AAA configuration, we want to ensure a backup user account exists in the event the AAA servers become unreachable, so that we can still log in to the router.
Router(config)# username BackupAdmin privilege 15 secret MySecretPassword
Step 1: Enabling AAA
The new AAA model of authentication is enabled with a single command, which unlocks all other aaa commands on the command line interface. Note that this command will break non-AAA line and enable passwords.
Router(config)# aaa new-model
Step 2: Configuring the TACACS+ servers
Next we need to configure the addresses of the AAA servers we want to use. This example shows the configuration of TACACS+ servers, but the concept applies to RADIUS servers as well.
There are two approaches to configuring TACACS+ servers. In the first, servers are specified in global configuration mode using the command tacacs-server to specify an IP address and shared secret key for each server:
Router(config)# tacacs-server host 192.168.1.3 key MySecretKey1
Router(config)# tacacs-server host 192.168.2.3 key MySecretKey2
This approach is sufficient for many deployments, but is problematic if you want to reference only a subset of the defined servers for a certain AAA function. For example, suppose you want to use one TACACS+ server for control plane authentication on the router itself, and the second server for authenticating PPP connections. In this case, you would assign the servers to named AAA server groups:
Router(config)# aaa group server tacacs+ LoginAuth
Router(config-sg-tacacs+)# server 192.168.1.3
Router(config)# aaa group server tacacs+ PPPAuth
Router(config-sg-tacacs+)# server 192.168.2.3
Note that if using server groups, the servers are still defined with tacacs-server in global configuration mode. (Servers can optionally be defined only within a group by using the command private-server under group configuration.)
Step 3: Define the AAA method lists
Next we need to define a method list which instructs the router to use AAA authentication for terminal logins.
Router(config)# aaa authentication login default group tacacs+ local
This is a rather lengthy command, so let's work through it one bit at a time. aaa authentication login specifies that the following parameters are to be used for user login authentication. The word default is used in lieu of a custom name for the list (you can only define one default list for each AAA function).
The rest of the line specifies authentication methods. group tacacs+ means "use all configured TACACS+ servers." If you defined a named server group in step two, use the name of that group in place of the word tacacs+ here. local defines a secondary authentication mechanism; it instructs the router to fail over to locally defined user accounts if none of the authentication servers in the first method are reachable. (Note that this only happens if the servers are unreachable; a response from a server denying authentication will not trigger a fail-over to local authentication.)
The above method list handles only the authentication aspect of AAA. By itself, this list only allows us to authenticate as a user with privilege level 1 (user exec mode). To communicate a heightened privilege level (e.g. privilege level 15, or "enable mode") from the TACACS+ server, we also need to define an authorization method list for IOS shell creation.
Router(config)# aaa authorization exec default group tacacs+ local
You can see that the authorization method list follows the same logic as our first list, the only difference being that this list is used for exec (shell) authorization rather than login authentication.
Step 4: Enforcing AAA authentication on terminal lines
This last step has actually been done for us already by enabling AAA in step one. However, if we were to create a custom authentication method list for these lines, we would use the command below, substituting the method list name for the word default.
Router(config)# line console 0
Router(config-line)# login authentication default
Router(config)# line vty 0 15
Router(config-line)# login authentication default
These commands will not appear in the running configuration if the default method list is specified.
At this point, we should have a fully functional AAA configuration for console authentication and authorization.
stretch@Sandbox ~ $ telnet 192.168.1.132
Trying 192.168.1.132...
Connected to 192.168.1.132.
Escape character is '^]'.
Username: jstretch
Password:
Router#
Notice that upon logging in I was immediately placed into privileged exec mode without having to use the command enable. This is our authorization method list at work. And remember, if the TACACS+ servers become unreachable, we can log into the router using the local user account we created in step zero.
The completed AAA configuration is included below.
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
username BackupAdmin privilege 15 secret 5 $1$qLGb$VQ6BdqCEpzGZqPeC779Uh1
!
tacacs-server host 192.168.1.3 key 7 062B1612494D1B1C113C17125D
tacacs-server host 192.168.2.3 key 7 143A0B380907382E3003362C70
Regards,
Rachel Gomez
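As an added example (not part of the post above, and not Cisco's or Dell's code), the following Python script does two things a practitioner would want after applying the steps in that post: it audits an IOS-style running-config for the two stated requirements (redundant TACACS+ servers with a local fallback, plus a privilege-15 backup account and an exec authorization list), and it simulates how a method list is walked, so the caveat that a server REJECT is final and only an unreachable server falls through to local can be seen directly. The two configs embedded in the script are constructed samples (the good one is the completed configuration from the post; the bad one is a deliberately incomplete variant), and the simulation is a simplified model of IOS behaviour, not the real AAA engine.

```python
"""Audit an IOS-style config for the AAA pattern above and simulate method-list fall-through."""
import re

# Constructed sample: the completed configuration from the post.
GOOD_CONFIG = """\
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
username BackupAdmin privilege 15 secret 5 $1$qLGb$VQ6BdqCEpzGZqPeC779Uh1
!
tacacs-server host 192.168.1.3 key 7 062B1612494D1B1C113C17125D
tacacs-server host 192.168.2.3 key 7 143A0B380907382E3003362C70
"""

# Constructed sample: one server, no local fallback, no exec list, no backup user.
BAD_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
tacacs-server host 192.168.1.3 key 7 062B1612494D1B1C113C17125D
"""


def parse_methods(text):
    """'group tacacs+ local' -> [('group', 'tacacs+'), ('local', None)]."""
    tokens = text.split()
    methods = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "group":          # 'group <name>' consumes two tokens
            methods.append(("group", tokens[i + 1]))
            i += 2
        else:                             # 'local', 'enable', 'none', ...
            methods.append((tokens[i], None))
            i += 1
    return methods


def parse_aaa(config):
    """Pull the AAA-relevant lines of an IOS config into a dict."""
    parsed = {"new_model": False, "login": {}, "exec": {}, "users": {}, "tacacs": []}
    for line in config.splitlines():
        line = line.strip()
        if line == "aaa new-model":
            parsed["new_model"] = True
        elif m := re.match(r"aaa authentication login (\S+) (.+)", line):
            parsed["login"][m.group(1)] = parse_methods(m.group(2))
        elif m := re.match(r"aaa authorization exec (\S+) (.+)", line):
            parsed["exec"][m.group(1)] = parse_methods(m.group(2))
        elif m := re.match(r"username (\S+)(?: privilege (\d+))?", line):
            parsed["users"][m.group(1)] = int(m.group(2) or 1)   # IOS default is level 1
        elif m := re.match(r"tacacs-server host (\S+)", line):
            parsed["tacacs"].append(m.group(1))
    return parsed


def audit_aaa(config):
    """Return a list of findings; empty means the config meets the post's requirements."""
    p = parse_aaa(config)
    findings = []
    if not p["new_model"]:
        findings.append("aaa new-model is not enabled")
    if len(p["tacacs"]) < 2:
        findings.append("fewer than two TACACS+ servers defined")
    login = p["login"].get("default", [])
    if not login or login[0][0] != "group":
        findings.append("login default list does not try a server group first")
    if ("local", None) not in login:
        findings.append("login default list has no local fallback")
    if "default" not in p["exec"]:
        findings.append("no exec authorization list; TACACS+ users land at privilege 1")
    if not any(priv == 15 for priv in p["users"].values()):
        findings.append("no privilege-15 local backup account")
    return findings


def authenticate(methods, server_reply, local_ok):
    """Walk a method list the way the post describes: a server 'reject' is final,
    only 'error' (no server reachable) falls through to the next method."""
    for kind, _name in methods:
        if kind == "group":
            if server_reply == "accept":
                return True
            if server_reply == "reject":
                return False
            # server_reply == "error": nobody answered, try the next method
        elif kind == "local":
            return local_ok
    return False   # every method exhausted without a decision


if __name__ == "__main__":
    print("good config findings:", audit_aaa(GOOD_CONFIG))
    print("bad config findings:", audit_aaa(BAD_CONFIG))
    methods = parse_aaa(GOOD_CONFIG)["login"]["default"]
    print("servers down, valid local user:", authenticate(methods, "error", True))
    print("server rejected, valid local user:", authenticate(methods, "reject", True))
```

Running it prints no findings for the completed configuration and four for the stripped-down one; the two simulated logins show that the local account only helps when the servers are unreachable, which is exactly the behaviour the "local" keyword is meant to give a backup account.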