Configuring TACACS+ for AAA

Unanswered Question
Jun 13th, 2007

Hi Everyone,

I am about to deploy TACACS+ for network authentication and accounting. Would somebody mind casting an eye over my configuration to tell me if it looks ok?

I am trying to configure TACACS+ as the primary means of authentication for telnet connections, but with a locally configured Manager account if TACACS should fail for any reason.

I would also like TACACS to log all logins, logouts and configuration changes (hence all my accounting commands).

My Config

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 2 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 4 default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 6 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 8 default start-stop group tacacs+
aaa accounting commands 9 default start-stop group tacacs+
aaa accounting commands 10 default start-stop group tacacs+
aaa accounting commands 11 default start-stop group tacacs+
aaa accounting commands 12 default start-stop group tacacs+
aaa accounting commands 13 default start-stop group tacacs+
aaa accounting commands 14 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
username Manager password ******
!
tacacs-server host 10.X.X.1
tacacs-server key ******

Many thanks in advance,

Dan

Jagdeep Gambhir Wed, 06/13/2007 - 05:41

Dan,

Config looks ok to me. I don't think there is any need for having accounting from 0-15.

All you need is

aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

Also there is no need for network accounting, since it will be an exec session.

Regards,

Jagdeep

Patrick.Beaven Wed, 06/13/2007 - 12:11

You need to enter configuration mode and enter what login authentication you want.

I.e.

conf t
line vty 0 4
login tacacs
exit

then telnet to it to test.

Richard Burts Thu, 06/14/2007 - 11:19

Actually, once you enter aaa new-model, the vty lines use the default authentication method, so aaa authentication login default will do very nicely for the vty authentication.

Dan

Your original post was very specific about using TACACS to authenticate telnet but was not specific about what you wanted to use on the console. By default this configuration will also authenticate console sessions the same way that it does the telnet sessions. If you want something different on the console then we need to add a couple of things in your config.

Also it might be beneficial to add to your config the command:

ip tacacs source-interface

This is especially useful if there is more than one interface that might be the source for packets going to TACACS. The server will use a single address to identify each remote device, and the TACACS packets need to be sourced from that address.

Also I agree that the accounting might be simplified to use just level 15 accounting. Unless you are doing something complex with privilege levels there is no benefit in specifying levels 2 to 14. And while I question the utility of logging every user level command that anyone enters, if that is what you really want then leave in the accounting level 1.

Otherwise I think your config is fine.

HTH

Rick
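An added example, not from any of the posters: a small Python check that encodes the review points made in the answers above (TACACS+ first with a local fallback, redundant command-accounting levels 2 to 14, missing ip tacacs source-interface, network accounting not needed for exec sessions, and the console inheriting the default list) and runs them over a constructed copy of the config from the question.

```python
import re

# Constructed sample: the AAA config from the question, re-typed here with the
# key and password redacted exactly as they were in the post.
SAMPLE_CONFIG = "\n".join(
    ["aaa new-model",
     "aaa authentication login default group tacacs+ local",
     "aaa authentication enable default group tacacs+ enable",
     "aaa accounting exec default start-stop group tacacs+"]
    + [f"aaa accounting commands {lvl} default start-stop group tacacs+" for lvl in range(16)]
    + ["aaa accounting network default start-stop group tacacs+",
       "aaa accounting connection default start-stop group tacacs+",
       "aaa accounting system default start-stop group tacacs+",
       "!", "username Manager password ******", "!",
       "tacacs-server host 10.X.X.1", "tacacs-server key ******"])

def review_aaa(config: str) -> dict:
    """Check an IOS AAA config for the points raised in the thread; returns a findings dict."""
    lines = [s for s in (l.strip() for l in config.splitlines()) if s and not s.startswith("!")]
    f = {}
    # Login fallback: TACACS+ must be tried first, with 'local' after it for when the server fails.
    login = next((l for l in lines if l.startswith("aaa authentication login default")), "")
    methods = login.split("default", 1)[1].split() if login else []
    f["local_fallback"] = methods[:2] == ["group", "tacacs+"] and "local" in methods
    # A 'local' method only helps if a local account actually exists.
    f["fallback_user_defined"] = any(l.startswith("username ") for l in lines)
    # Command accounting at levels 2-14 is redundant unless custom privilege levels are in use.
    levels = {int(m.group(1)) for l in lines for m in [re.match(r"aaa accounting commands (\d+) ", l)] if m}
    f["redundant_command_levels"] = sorted(levels & set(range(2, 15)))
    # Pin the source address so the server identifies each device by a single IP.
    f["source_interface_set"] = any(l.startswith("ip tacacs source-interface") for l in lines)
    # Network accounting covers PPP/dial sessions, not exec (telnet) sessions.
    f["unneeded_network_accounting"] = any(l.startswith("aaa accounting network") for l in lines)
    # With aaa new-model and no per-line 'login authentication', the console inherits 'default'.
    f["console_uses_default"] = "aaa new-model" in lines and not any(
        l.startswith("login authentication") for l in lines)
    return f

if __name__ == "__main__":
    for name, value in review_aaa(SAMPLE_CONFIG).items():
        print(f"{name}: {value}")
```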
