tacacs+ Best Practice

HondabuffHondabuff Member Posts: 667 ■■■□□□□□□□
So what is the best practice for this method list? WAN-GATEWAY(config)#aaa authentication login default group tacacs+ ?
enable Use enable password for authentication.
group Use Server-group
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
<cr>
We currently use Line at work but wondering if is the best solution. I have found this online as Cisco best practices. aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
“The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln

Comments

  • JobeneJobene Member Posts: 63 ■■■□□□□□□□
    local-case Use case-sensitive local username authentication.
    You will need to create some accounts but you have aaa in case that your tacacs fails
    and casesensitive is also good in context of passwordattacks
Sign In or Register to comment.