ACS v4.1 TACACS+

colmgrier
Level 1

Need help setting up TACACS+ for Catalyst 3560 and 6506 switches using Cisco ACS v4.1. Can someone post IOS examples?

Thanks

Requirement:

1. login to switches with Cisco ACS account

2. login to switch with local switch username & password

3 Replies

Jagdeep Gambhir
Level 10

Employ Authentication, Authorization, and Command Authorization on an IOS or set-based device:

IOS -

Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local

Optional*

aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands

Note *: Do not deploy authorization until you know about the command.

Regards,

~JG

Do rate helpful posts

Can you explain the below commands?

Also, which is better, TACACS+ or RADIUS?

Optional*

aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands

Note *: Do not deploy authorization until you know about the command.

Both are better. Actually it depends on your need or network environment. For managing devices (NAS) TACACS+ is best, and for wireless/VPN, RADIUS is best.

Please check this link that explains TACACS+ and RADIUS.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

If you want to implement authorization, like we want only admin users to be allowed to issue any specific command. Like some users will have read-only access and some will have read/write access.

aaa authorization exec default group tacacs+ if-authenticated

This is used for exec authorization (telnet/ssh). Let's say you want some user to fall directly into enable mode...!

To use this feature you need to enable shell privilege on ACS.

Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

For command authorization please see this link,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

~JG
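The two replies above give the commands piecemeal. What follows is an added, complete IOS configuration constructed for this thread (it is not JG's posted text and not taken from Cisco documentation) that covers both of the original requirements: ACS authentication first, falling back to a local account when the ACS server is unreachable, and exec/command authorization with a fallback so losing the ACS connection cannot lock you out. The server address 10.1.1.10, the shared key, the local account and the source interface are placeholders; the legacy `tacacs-server host` syntax matches the 12.x IOS releases of the ACS 4.1 era.

```cisco
! Constructed example: ACS server 10.1.1.10, key and account names are placeholders.
aaa new-model
!
! Local account used only when ACS does not answer (requirement 2).
username admin privilege 15 secret LOCAL-FALLBACK-SECRET
enable secret ENABLE-SECRET
!
tacacs-server host 10.1.1.10 key TACACS-SHARED-KEY
ip tacacs source-interface Vlan1
!
! Authentication: ask ACS first; 'local' is used only if no server responds,
! not when ACS rejects the credentials.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Exec authorization: ACS pushes privilege level 15 from the Shell (Exec)
! settings described above; fall back to the local database if ACS is down.
aaa authorization exec default group tacacs+ local
!
! Command authorization (the "Optional*" part): 'none' as the last method
! means commands are still allowed if the server is unreachable, while an
! explicit deny from ACS is still enforced.
aaa authorization commands 15 default group tacacs+ none
aaa authorization config-commands
!
! Console authorization is deliberately left off (no 'aaa authorization
! console'), so the console line remains usable for recovery.
!
! Accounting gives an audit trail of who logged in and which commands ran.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line con 0
 login authentication default
line vty 0 15
 transport input ssh
 login authentication default
```

Test the result from a second session before closing the one you configured from: log in with an ACS account, then stop the TACACS+ service on the ACS host and confirm the local account still works and existing sessions can still run commands.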
