Thursday, December 23, 2010

Cisco IOS menu autocommand with AAA/Cisco ACS

A customer has a router dedicated to a site-to-site IPSec VPN. The users of that VPN are a small group who are not directly responsible for the router. They want a way to check the status of the WAN connection and of the IPSec tunnel, and also to force a clear crypto sa.

This could be solved with a looking glass, but that would require a web server. An alternative is a dedicated user with a menu autocommand:

menu VPN text 1 ping Internet (OpenDNS)
menu VPN command 1 ping
menu VPN text 2 ping VPN (
menu VPN command 2 ping source gi0/1/0
menu VPN text 3 sh crypto isakmp sa
menu VPN command 3 sh crypto isakmp sa
menu VPN text 4 sh crypto ipsec sa
menu VPN command 4 sh crypto ipsec sa
menu VPN text 5 Reset VPN (clear crypto ipsec sa)
menu VPN command 5 clear crypto sa
menu VPN text 6 Exit
menu VPN command 6 exit
menu VPN clear-screen
menu VPN status-line
menu VPN line-mode
menu VPN single-space
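The menu above is the whole of what the restricted user can run, so it is worth reviewing before the account is handed out. The following is an added example, not code from this post: it parses IOS menu lines, rebuilds each entry and flags the ones that change router state (here the clear crypto sa reset) or run a command with no label. The sample menu and the 192.0.2.x targets in it are constructed stand-ins for the post's elided addresses.

```python
# Added example (not from the post): parse Cisco IOS 'menu' lines and flag
# entries that change router state, to review a menu for least privilege.
import re
from dataclasses import dataclass

# Constructed sample of the post's menu; 192.0.2.x stand in for the elided targets.
SAMPLE_MENU = """\
menu VPN text 1 ping Internet (OpenDNS)
menu VPN command 1 ping 192.0.2.1
menu VPN text 2 ping VPN (far end)
menu VPN command 2 ping 192.0.2.2 source gi0/1/0
menu VPN text 3 sh crypto isakmp sa
menu VPN command 3 sh crypto isakmp sa
menu VPN text 5 Reset VPN (clear crypto ipsec sa)
menu VPN command 5 clear crypto sa
menu VPN text 6 Exit
menu VPN command 6 exit
menu VPN clear-screen
"""

# Verbs that only read state; 'sh' is the usual abbreviation of 'show'.
READ_ONLY_VERBS = {"ping", "show", "sh", "traceroute", "exit"}
MENU_RE = re.compile(r"^menu\s+(\S+)\s+(text|command)\s+(\S+)\s+(.*)$")

@dataclass
class MenuItem:
    text: str = ""
    command: str = ""

def parse_menu(config: str, name: str) -> dict:
    """Return {key: MenuItem} for menu `name`; display options are ignored."""
    items = {}
    for line in config.splitlines():
        m = MENU_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        _, kind, key, value = m.groups()
        # kind is 'text' or 'command', matching the MenuItem field names
        setattr(items.setdefault(key, MenuItem()), kind, value)
    return items

def audit_menu(items: dict) -> list:
    """Keys whose command changes state, is missing, or has no label."""
    flagged = []
    for key, item in sorted(items.items()):
        verb = item.command.split()[0] if item.command else ""
        if verb not in READ_ONLY_VERBS or not item.text:
            flagged.append(key)
    return flagged
```

Running audit_menu over the sample returns only entry 5, the clear crypto sa reset, which is the one a reviewer should consciously decide to expose.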

My environment uses AAA with a Cisco ACS, so the special user has to be created in the ACS internal database, restricted to only that router (Per User Defined Network Access Restrictions), allowed shell (exec) access, and given the autocommand menu VPN (TACACS+ Settings).

The router has to refer exec authorization to the ACS:

aaa authorization exec default group tacacs+ local

Of course, if you don’t use ACS and only use AAA with the local database, Ivan @ Cisco IOS Hints has a great example.

Logging in as that user then presents the menu:

Server "VPN-Router"    Line 6    Terminal-type xterm

    1          ping Internet (OpenDNS)
    2          ping VPN (
    3          sh crypto isakmp sa
    4          sh crypto ipsec sa
    5          Reset VPN (clear crypto ipsec sa)
    6          Exit

Selection: 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/95/140 ms
