ACS v4.1 TACACS+

Unanswered Question
Jan 26th, 2009

Need help setting up TACACS+ for Catalyst 3560 and 6506 switches using Cisco ACS v4.1. Can someone post IOS examples?


Thanks




Requirement:


1. login to switches with Cisco ACS account

2. login to switch with local switch username & password

Jagdeep Gambhir Mon, 01/26/2009 - 09:10

Employ Authentication, Authorization, and Command Authorization on an IOS or set-based device:


IOS -


Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local


Optional*

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands


Note *: Do not deploy authorization until you know about the command.


Regards,

~JG


Do rate helpful posts

colmgrier Mon, 01/26/2009 - 09:14

Can you explain the commands below?


Also, which is better, TACACS+ or RADIUS?


Optional*

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands


Note *: Do not deploy authorization until you know about the command.


Jagdeep Gambhir Mon, 01/26/2009 - 12:22

Both are better. Actually it depends on your need or network environment. For managing devices (NAS), TACACS+ is best, and for wireless and VPN, RADIUS is best.


Please check this link, which explains TACACS+ and RADIUS.


http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml


If you want to implement authorization, e.g. you want only admin users to be allowed to issue a specific command, or some users to have read-only access and others to have read/write access:



aaa authorization exec default group tacacs+ if-authenticated


This is used for exec authorization (telnet/ssh). Let's say you want some user to fall directly into enable mode!


To use this feature you need to enable shell priv on ACS.

Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field


For command authorization, please see this link:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml


Regards,

~JG
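As an added illustration (not from this thread or from Cisco), here is a small Python audit that reads the IOS lines JG posted above and checks them against the requirements in this thread: a TACACS+ server and key, aaa new-model, login authentication that tries ACS first and falls back to the local account, and authorization method lists that keep the if-authenticated fallback so an unreachable ACS cannot lock admins out (the risk behind JG's note on authorization). The sample config, server address, username and key are constructed, and one authorization line is deliberately missing its fallback so the check has something to find.

```python
import re

# Constructed sample built from the thread's IOS lines, with one deliberate
# weak line (commands 15 without if-authenticated) to exercise the check.
SAMPLE_CONFIG = """\
username admin password ConstructedLocalPw
tacacs-server host 192.0.2.10
tacacs-server key ConstructedSharedKey
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+
aaa authorization config-commands
"""

def audit_aaa(config):
    """Return a list of findings for the TACACS+/AAA lines of an IOS config
    (hypothetical audit helper; checks only what this thread describes)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    def has(pattern):
        return any(re.match(pattern, ln) for ln in lines)

    if not has(r"tacacs-server host \S+"):
        findings.append("no tacacs-server host configured")
    if not has(r"tacacs-server key \S+"):
        findings.append("no tacacs-server key configured")
    if not has(r"aaa new-model$"):
        findings.append("aaa new-model missing; AAA lines are ignored")
    if not has(r"username \S+ (password|secret) "):
        findings.append("no local username for fallback login")

    login = [ln for ln in lines if ln.startswith("aaa authentication login default ")]
    if not login:
        findings.append("no default login authentication method list")
    else:
        methods = login[0].split()[4:]          # e.g. ['group', 'tacacs+', 'local']
        if methods[:2] != ["group", "tacacs+"]:
            findings.append("login default does not try tacacs+ first")
        if "local" not in methods:
            findings.append("login default has no local fallback (lockout if ACS unreachable)")

    # Every tacacs+ authorization list needs if-authenticated (or local) as a fallback.
    for ln in lines:
        if ln.startswith("aaa authorization ") and "default group tacacs+" in ln:
            if not (ln.endswith(" if-authenticated") or ln.endswith(" local")):
                findings.append(f"no fallback on: {ln}")
    return findings
```

Running audit_aaa(SAMPLE_CONFIG) reports only the commands 15 line; feed it the output of show running-config | include aaa|tacacs|username to audit a real switch.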




