
aaa accounting


aaa accounting changes default {<time-frame> | stop-only} tacacs+
no aaa accounting changes default {<time-frame> | stop-only} tacacs+

Enables logging of system changes to an AAA accounting server.
The no form of the command disables accounting.

Syntax Description
  stop-only - Sends a stop accounting notice at the end of requested user process
Default: N/A
Configuration Mode: config
History: 1.5
Example
ufmapl [ mgmt-sa ] (config) # aaa accounting changes default stop-only tacacs+
Related Commands

show aaa

Notes
  • TACACS+ is presently the only accounting service method supported.
  • Change accounting covers both configuration changes and system actions that are visible under audit logging. However, this feature operates independently of audit logging, so it is unaffected by the "logging level audit mgmt" or "configuration audit" commands.
  • Configured TACACS+ servers are contacted in the order in which they appear in the configuration until one accepts the accounting data or the server list is exhausted.
  • The "stop-only" keyword indicates that this feature logs a TACACS+ accounting "stop" message. Despite the name, system actions are logged when the action is started, not when it has completed. Configuration change accounting, in contrast, happens after the configuration database changes.

aaa authentication login default


aaa authentication login default <auth method> [<auth method> [<auth method> [<auth method> [<auth method>]]]]
no aaa authentication login

Sets a sequence of authentication methods. Up to four methods can be configured.
The no form of the command resets the configuration to its default.

Syntax Description
  auth-method - Possible values:
    • local
    • radius
    • tacacs+
    • ldap
Default: N/A
Configuration Mode: config
History: 1.5
Example
ufmapl [ mgmt-sa ] (config) # aaa authentication login default local radius tacacs+ ldap
Related Commands

show aaa

Notes
The order in which the methods are specified is the order in which the authentication is attempted. It is required that "local" is one of the methods selected. It is recommended that "local" be listed first to avoid potential problems logging in to local accounts in the face of network or remote server issues.

aaa authorization map


aaa authorization map [default-user <username> | order <policy>]
no aaa authorization map [default-user | order]

Sets the permission mapping applied to a user when remote authentication is performed.
The no form of the command resets the attributes to default.

Syntax Description
  username - Specifies what local account the authenticated user will be logged on as when a user is authenticated (via RADIUS or TACACS+) and does not have a local account. If the username is local, this mapping is ignored.
  policy - Sets the user mapping behavior when authenticating users via RADIUS or TACACS+ to one of three choices. The order determines how the remote user mapping behaves. If the authenticated username is valid locally, no mapping is performed. The setting has the following three possible behaviors:
    • remote-first - If a local-user mapping attribute is returned and it is a valid local username, it maps the authenticated user to the local user specified in the attribute. Otherwise, it uses the user specified by the default-user command.
    • remote-only - Maps a remote authenticated user if the authentication server sends a local-user mapping attribute. If the attribute does not specify a valid local user, no further mapping is tried.
    • local-only - Maps all remote users to the user specified by the "aaa authorization map default-user <user name>" command. Any vendor attributes received by an authentication server are ignored.
Default
  Default user: admin
  Map order: remote-first
Configuration Mode: config
History: 1.5
Example
ufmapl [ mgmt-sa ] (config) # aaa authorization map default-user admin
Related Commands

show aaa
username

Notes
If, for example, the user is locally defined to have admin permission, but in a remote server such as RADIUS the user is authenticated as monitor and the order is remote-first, then the user will be given monitor permissions.

show aaa


show aaa

Displays the AAA configuration.

Syntax Description: N/A
Default: N/A
Configuration Mode: Any configuration mode
History: 1.5
Example
ufmapl [ mgmt-sa ] (config) # show aaa
AAA authorization:
   Default User: admin
   Map Order: remote-first
Authentication method(s):
   local
Accounting method(s):
   tacacs+
Related Commands

aaa accounting
aaa authentication
aaa authorization
show aaa
show usernames
username

Notes
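
The following Python sketch is an added example, not part of the original command reference or of the product. It parses "show aaa" output and checks it against the notes on this page: "local" present and listed first, TACACS+ change accounting enabled, and whether remotely authenticated users can be mapped to an admin default-user. The function names are hypothetical, and it assumes the layout of the example output above with one method per indented line.

```python
# Constructed sample, copied from the "show aaa" example on this page.
# Assumption: methods are listed one per indented line.
SAMPLE_SHOW_AAA = """\
AAA authorization:
   Default User: admin
   Map Order: remote-first
Authentication method(s):
   local
Accounting method(s):
   tacacs+
"""

def parse_show_aaa(text):
    """Parse "show aaa" output (hypothetical helper, not a UFM API)."""
    cfg = {"default_user": None, "map_order": None, "auth": [], "acct": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # unindented line starts a new section
            low = line.lower()
            section = ("authz" if low.startswith("aaa authorization") else
                       "auth" if low.startswith("authentication") else
                       "acct" if low.startswith("accounting") else None)
        elif section == "authz" and ":" in line:
            key, value = (p.strip() for p in line.split(":", 1))
            if key.lower() == "default user":
                cfg["default_user"] = value
            elif key.lower() == "map order":
                cfg["map_order"] = value
        elif section in ("auth", "acct"):
            cfg[section].append(line)
    return cfg

def audit(cfg):
    """Return findings derived from the notes in this command reference."""
    findings = []
    if "local" not in cfg["auth"]:
        findings.append("auth: 'local' is missing (required)")
    elif cfg["auth"][0] != "local":
        findings.append("auth: 'local' is not first (recommended)")
    if "tacacs+" not in cfg["acct"]:
        findings.append("accounting: tacacs+ change accounting is not enabled")
    # remote-first falls back to default-user; local-only always uses it
    if cfg["default_user"] == "admin" and cfg["map_order"] in ("remote-first", "local-only"):
        findings.append("authz: remote users with no local account can map to 'admin'")
    return findings
```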