Toby Arnett
Jan 27, 2019

AAA Commands Explained

Enables AAA commands to be used.


aaa new-model

This displays the default banner message if no aaa auth banner is present. Uses the authentication groups that follow the default statement. Uses the listed servers for the tacacs profile. Ensures that the username is case-sensitive

aaa authentication login default group tacacs+ local-case

This will put the login user to the enable prompt if authenticated (enable default). Uses all the servers in listed in the tacacs profiles (group tacacs+). Attempts the enable password found in the tacacs to login to the enable prompt. (enable)

aaa authentication enable default group tacacs+ enable

Runs accounting on the exec shell session. Uses the authentication groups that follow the default statement. There is a start and stop notice provided to either the start or end of the process respectively. Uses the listed servers for the tacacs profile

aaa accounting exec default start-stop group tacacs+

Runs accounting on all privilege level 1 commands. Uses the authentication groups that follow the default statement. There is a start and stop notice provided to either the start or end of the process respectively. Uses the listed servers for the tacacs profile. 

aaa accounting commands 1 default stop-only group tacacs+

Runs accounting on all privilege level 15 commands. Uses the authentication groups that follow the default statement. There is a start and stop notice provided to either the start or end of the process respectively. Uses the listed servers for the tacacs profile. 

aaa accounting commands 15 default stop-only group tacacs+

This listed method is used only if all the previously defined methods fail. If at anytime in the above process a “deny” is sent then this process is not used. The exec trigger is specifying that the authorized user will have exec level privs. Uses the authentication groups that follow the default statement. Uses the listed servers for the tacacs profile. This is where the router or server will look for any locally defined users from the username commands.

aaa authorization exec default group tacacs+ local


0 comments0 replies
New Posts
  • Toby Arnett
    Jan 22, 2019

    Cisco Break Sequence Simulation

    Discussion 
    Break Sequence for Cisco devices The change in computers that have moved away from serial ports and an actual “break” key on the keyboards makes it difficult for many people to get a Cisco device to drop to rommon mode on startup for recovery procedures. Now that laptops do not come with serial ports by standard and require a USB to serial adapter for network engineers to console into devices this has also caused issues with traditional break sequences. The most common programs like HyperTerminal, Putty, and SecureCRT have a break sequence which is “Ctrl-Break”. The fact that many computers, laptops, and keyboards do not have a “break” key makes it very difficult to drop into rommon when accessing a Cisco device from the console port. A rarely known trick to accessing the rommon mode of a Cisco device can be done without the use of the “break” key. It is more involved, but considering that most people will reload a switch/router numerous times in frustration to get the rommon prompt that this trick is actually a faster method. Simulated Break Sequence for Cisco Devices: The best method that I have found to work time after time is a simulated break sequence. This is a very straight forward method. Start with the router (or device – will reference router for simplicity) powered on. Access the routers console port with the standard console connection settings: 9600 baud rate No parity 8 data bits 1 stop bit No flow control Once the prompt is up. Press enter to get some commands to the device even if it is to get the “login” to fail from a failed login attempt. Once done, change your console settings to the setup below. 1200 baud rate No parity 8 data bits 1 stop bit No flow control Once the baud rate is changed then you will no longer see any new responses on your screen. Power cycle the router and immediately press and hold the space bar. Keep it pressed for about 10 – 20 seconds. Change your Baud rate back to 9600 and press enter. You should be in rommon mode. If not then repeat and hold the space bar down longer. This process has worked for me on every device I have tried it on. Try it next time your stuck looking for the break key on your keyboard. For those that do have the Break key here are the known sequences below. IF those don’t work – try the above. Good luck! -Toby Arnett