tacacs+ Best Practice

HondabuffHondabuff Member Posts: 667 ■■■□□□□□□□
in CCNA Security
So what is the best practice for this method list? WAN-GATEWAY(config)#aaa authentication login default group tacacs+ ?
enable Use enable password for authentication.
group Use Server-group
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
<cr>
We currently use Line at work but wondering if is the best solution. I have found this online as Cisco best practices. aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
“The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
· Share on FacebookShare on Twitter

Comments

  • JobeneJobene Member Posts: 63 ■■■□□□□□□□
    local-case Use case-sensitive local username authentication.
    You will need to create some accounts but you have aaa in case that your tacacs fails
    and casesensitive is also good in context of passwordattacks
    · Share on FacebookShare on Twitter
Sign In or Register to comment.