Cisco TACACS authentication config

Tags: authentication, cisco, ssh, tacacs

I'm inheriting a DoD network (completely separated from the Internet). I'm looking at the configs and I'm seeing a bunch of stuff I think isn't needed, but I've never used TACACS, just RADIUS.

The switch is configured to authenticate to Active Directory via TACACS so I can log in with my regular username and password. On my previous network we had two lines to do RADIUS authentication and authorization and it works great. Here is the top part of the config:

aaa new-model

aaa group server tacacs+ TACACS-GROUP
 server-private x.x.x.x key 7 ****
 server-private x.x.x.x key 7 *****
 ip tacacs source-interface Loopback0
!
aaa authentication login default group TACACS-GROUP local
aaa authentication login CON group TACACS-GROUP local
aaa authentication login VTY group TACACS-GROUP local
aaa authorization console
aaa authentication login console group TACACS-GROUP local
aaa authorization exec default group TACACS-GROUP local
aaa authorization commands 1 default group TACACS-GROUP if-authenticated
aaa authorization commands 15 default group TACACS-GROUP if-authenticated
aaa accounting exec default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP

And then the con and vty configs.

line con 0
 logging synchronous
 login authentication CON
 transport output ssh
 stopbits 1
line vty 0 4
 access-class VTY_IN in vrf-also
 privilege level 15
 logging synchronous
 login authentication VTY
 transport input ssh
 transport output ssh
line vty 5 15
 access-class VTY_IN in vrf-also
 logging synchronous
 login authentication VTY
 transport input ssh
 transport output ssh

I'm thinking a single default group instead of separate default, CON, and VTY groups.
Also, I'm thinking I can get rid of the login authentication lines in CON and VTY. Plus I can get rid of transport output ssh.

Am I missing something? Lots of very old time network guys built this so I'm thinking some dude thought you needed it, or you did need it back in the day, and they just keep putting that stuff in because "it's what we've always done".

On the Active Directory side there are two security groups, networkRO and networkRW, which hopefully are self-explanatory.

Best Answer

The config you've posted is pretty common, and I suppose it was developed to be as flexible as possible, with separate methods for VTY and console access, as well as separate command authorization for regular and privileged users.

So yes, you can simplify it. You can remove the CON and VTY methods, and just use the default method (since they're all the same).

The transport output ssh command doesn't do much, and if we assume you have ssh enabled everywhere, it's unnecessary. But some security audits might require it, so be careful about removing it. Actually, now that I think about it, it could be that some STIGs require defined TACACS access methods, so again, check before removing it.

I wonder if removing two or three configuration lines will make much of a difference in your life. It's not going to change the device behavior, and it's a very modest simplification. You also run the risk of inadvertently failing some security audit. On DoD systems, that may be important.
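Before collapsing the named method lists into the default one, it is worth checking mechanically that they really are identical, that every line block points at a list that exists, that each list keeps a local fallback (otherwise an unreachable TACACS+ server locks you out), and which lists nothing references (the question's config defines a "console" list that no line block uses). The script below is an added example, not code from the question or the answer; the sample config is a trimmed copy of the posted one, and the function names are my own.

```python
import re

# Constructed sample: the AAA and line sections from the question, trimmed,
# plus the 'console' list from the post, which no line block references.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group TACACS-GROUP local
aaa authentication login CON group TACACS-GROUP local
aaa authentication login VTY group TACACS-GROUP local
aaa authentication login console group TACACS-GROUP local
line con 0
 login authentication CON
line vty 0 4
 login authentication VTY
 transport input ssh
"""
LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")

def parse_login_lists(config):
    """Return {list_name: method chain} for every 'aaa authentication login' line."""
    lists = {}
    for line in config.splitlines():
        m = LOGIN_RE.match(line.strip())
        if m:
            lists[m.group(1)] = m.group(2).strip()
    return lists

def parse_line_bindings(config):
    """Return {line block: bound login list, or None} for each 'line ...' block."""
    bindings, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            bindings[current] = None      # no explicit list: the default list applies
        elif not raw.startswith(" "):
            current = None                # any other top-level command ends the block
        elif current and raw.strip().startswith("login authentication "):
            bindings[current] = raw.split()[-1]
    return bindings

def audit_aaa(config):
    """Flag lists duplicating default, undefined bindings, missing local fallback, dead lists."""
    lists, bindings = parse_login_lists(config), parse_line_bindings(config)
    default, bound = lists.get("default"), set(bindings.values())
    return {
        "redundant": sorted(n for n, c in lists.items() if n != "default" and c == default),
        "undefined": sorted(n for n in bound if n and n not in lists),
        "no_local_fallback": sorted(n for n, c in lists.items() if "local" not in c.split()),
        "unreferenced": sorted(n for n in lists if n != "default" and n not in bound),
    }
```

Run `audit_aaa()` over a `show running-config` capture; an empty "redundant" list means the named lists differ from default and should not simply be dropped.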