Identify stores - Hosts

Unanswered Question
Mar 1st, 2010

Brand new to the TACACS+ Cisco 1120 world... Trying to build from scratch, so please bear with me.

I'm stepping through the very lengthy User's Guide and am at the point of creating an Internal Host. Is this necessary? I'm viewing the term "Hosts" as any device (switch, router, firewall, server, etc.) that may use internal authentication with this appliance.

As such, what is the MAC address the guide is referring to at the very beginning of the host creation?

bruce

jrabinow Mon, 03/01/2010 - 22:34

Hi Bruce

Internal hosts will not usually be required for TACACS+. They are used in RADIUS flows for MAC Authentication Bypass, where devices are identified by their MAC address.

The minimum that is required for TACACS+ is:

- A network device needs to be defined for the IP you are connecting from, containing the TACACS+ shared secret

- A user database to authenticate against. Easiest to set up is internal users: create a user with the username/password you will use

Once this is done, TACACS+ requests will hit the "Default Device Admin" service that is created by default to authenticate against the internal database. You can then modify the authorization policy as required to match your needs:

Access Policies > ... > Access Services > Default Device Admin > Authorization

If you want to include command sets, press "Customize" and then select these in the results.

Bruce Summers Tue, 03/02/2010 - 07:43

Thanks for the info...

I have one additional question.

I have configured AAA on the switch... I am getting to the TACACS appliance, it authenticates my user, BUT I'm unable to use that same user's credentials for accessing privileged exec mode...

If I use the local switch enable p/w, I can move forward. But my intent is to NOT use the local password and to allow priv exec mode access only if the user authenticates with their credentials.

Not sure what I'm doing wrong...

bruce

Ganesh Hariharan Tue, 03/02/2010 - 09:01

Hi Bruce,

Then you need to configure the AAA configuration for enable mode also, with TACACS server authentication:

aaa authentication enable default group local enable

Hope to Help !!

Ganesh.H

Bruce Summers Tue, 03/02/2010 - 09:18

That didn't seem to correct the problem...

aaa authentication enable default group local enable

My config actually says

aaa authentication enable defaul group TestGroup enable

But still, nothing...

I'm getting to user mode, but not to exec mode (unless I use the local switch enable p/w).

Bruce Summers Tue, 03/02/2010 - 09:27

I guess I'm somewhat confused as to what is necessary on the TACACS appliance itself...

Ganesh Hariharan Tue, 03/02/2010 - 02:38

Hi Bruce,

The Internal Host you are referring to is a term for what is called an AAA client, which will be configured in ACS for authentication purposes whenever somebody logs into those devices.

MAC address authentication refers to the 802.1x protocol, where if any device gets plugged into your switch, it will be prompted for a username and password to access that particular network.

Hope to Help !!

Remember to rate the useful post

Ganesh.H

Bruce Summers Tue, 03/02/2010 - 11:04

I turned on debugging to watch the authentication...

At the point I enter the enable command and password, I see the following:

date AAA/Authen/START non-console enable - dfault to enable password

Of course, I don't want it to default to the enable password, but I haven't figured out how to prevent it from doing so...

Any further thoughts?
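A worked switch-side AAA configuration that ties the answers above together (the network device and shared secret jrabinow describes, the enable method list Ganesh gives, and the debug Bruce is reading), as an added example that is not part of any post in this thread. The server address 192.0.2.10, the shared secret CHANGE_ME, the source interface Vlan1 and the group name TestGroup (reused from Bruce's config) are constructed placeholders.

```ios
! Added example, not from the thread. Placeholders: 192.0.2.10 (ACS 1120 address,
! documentation range), CHANGE_ME (shared secret), Vlan1 (management interface).
aaa new-model
!
! The key must match the shared secret on the Network Device entry in ACS, and that
! entry's IP must be the address this switch sources TACACS+ traffic from.
tacacs-server host 192.0.2.10 key CHANGE_ME
ip tacacs source-interface Vlan1
!
aaa group server tacacs+ TestGroup
 server 192.0.2.10
!
! Login: ask TACACS+ first. The next method is tried only if the server group
! returns an ERROR (unreachable); an explicit reject from ACS is final.
aaa authentication login default group TestGroup local
!
! Enable: without this list the enable request goes straight to the local enable
! password, which is what the debug line "default to enable password" reports.
! With it, the request is sent to TestGroup first and the local enable password
! is used only when no server answers.
aaa authentication enable default group TestGroup enable
!
! Optional: let ACS assign the privilege level at login so "enable" is not needed,
! and send accounting so the appliance records who ran what.
aaa authorization exec default group TestGroup local if-authenticated
aaa accounting exec default start-stop group TestGroup
aaa accounting commands 15 default start-stop group TestGroup
!
! Verify from exec mode:
!   show tacacs                                  per-server request/response counters
!   test aaa group TestGroup <user> <password> new-code
!   debug aaa authentication
```

If `show tacacs` shows requests but no responses, the usual cause is the shared secret or the source IP not matching the Network Device entry in ACS.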
