03-01-2010 10:15 AM - edited 03-10-2019 04:58 PM
brand new to the TACACS+ Cisco 1120 world...Trying to build from scratch, so please bear with me.
i'm stepping through the very lengthy Users guide and am at a point of creating an Internal Host. Is this necessary? I'm viewing the term "Hosts" as any device (switch, router, firewall, server, etc...) that may use internal authentication with this appliance..
as such, what is the MAC address the guide is referring to at the very beginning of the host creation?
bruce
03-01-2010 10:34 PM
Hi Bruce
Internal hosts will not usually be required for TACACS+. This is used in RADIUS flows for MAC Authentication Bypass, where devices are identified by their MAC address.
Minimum that is required for TACACS+ is:
- Network device needs to be defined for the IP you are connecting from, to contain the TACACS+ shared secret
- User database to authenticate against. Easiest to set up is internal users and create a user with username/password you will use
Once this is done TACACS+ requests will hit the "Default Device Admin" service that is created by default to authenticate against the internal database. You can then modify the authorization policy as required to match your needs:
Access Policies > ... > Access Services > Default Device Admin > Authorization
If you want to include command sets; press "Customize" and then select these in the results
03-02-2010 07:43 AM
thanks for the info...
I have one additional question.
i have configured AAA on the switch...I am getting to the TACACS appliance, it authenticates my user, BUT, I'm unable to use that same user's credentials for accessing privilege exec mode...
If I use the local switch enable p/w, i can move forward. But my intent is to NOT use the local password and require priv exec mode access only if the user authenticates with their credentials.
not sure what i'm doing wrong...
bruce
03-02-2010 09:01 AM
Hi Bruce,
Then you need to configure AAA for enable mode also, with TACACS server authentication:
aaa authentication enable default group local enable
Hope to Help !!
Ganesh.H
03-02-2010 09:18 AM
that didn't seem to correct the problem...
aaa authentication enable default group local enable
my config actually says
aaa authentication enable defaul group TestGroup enable
but still, nothing...
i'm getting to user mode, but not to exec mode (unless i use the local switch enable p/w)
03-02-2010 09:27 AM
I guess i'm somewhat confused as to what is necessary on the TACACS appliance itself...
03-02-2010 02:38 AM
Hi Bruce,
The Internal Host you are referring to is a term called AAA client, which is configured in ACS for authentication purposes whenever somebody logs into those devices.
MAC address authentication is referred to in the 802.1x protocol, where if any device gets plugged into your switch it will be prompted for a username and password to access that particular network.
Hope to Help !!
Remember to rate the useful post
Ganesh.H
03-02-2010 11:04 AM
i turned on debugging to watch the authentication...
at the point i enter the enable command and password, i see the following:
date AAA/Authen/START non-console enable - dfault to enable password
of course, i don't want it to default to the enable password, but haven't figured out how to prevent it from doing so...
any further thoughts?
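Added example, not from any post in this thread: a small lint for the switch-side pieces Ganesh listed (enable method list, server group, TACACS+ server) plus a check for the "default to enable password" debug line Bruce quotes. The running-config excerpt and debug lines are constructed; the group name TestGroup comes from Bruce's post, and the server address and key are placeholders.

```python
import re

# Constructed sample data modelled on the thread; not taken from the original posts.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group TestGroup local
aaa authentication enable defaul group TestGroup enable
tacacs-server host 192.0.2.10 key EXAMPLE-SECRET
"""
SAMPLE_DEBUG = [
    "Mar  2 11:04:01: AAA/AUTHEN/START (0): port='tty1' list='' action=LOGIN service=ENABLE",
    "Mar  2 11:04:01: AAA/AUTHEN/START (0): non-console enable - default to enable password",
]

SERVER_GROUP_RE = re.compile(r"aaa group server tacacs\+ (\S+)")
ENABLE_LIST_RE = re.compile(r"aaa authentication enable (\S+)((?: \S+)+)$")

def lint_aaa_enable(config: str) -> list[str]:
    """Return findings that explain why 'enable' may fall back to the local enable password."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("missing 'aaa new-model': method lists are ignored without it")
    enable_lists = [l for l in lines if l.startswith("aaa authentication enable")]
    if not enable_lists:
        findings.append("no 'aaa authentication enable' list: enable uses the local enable password")
    # Named groups must exist; 'tacacs+' and 'radius' are built-in group names.
    defined_groups = {m.group(1) for l in lines if (m := SERVER_GROUP_RE.match(l))}
    for l in enable_lists:
        m = ENABLE_LIST_RE.match(l)
        if m is None or m.group(1) != "default":  # catches 'defaul' and similar typos
            findings.append(f"malformed enable list (check keyword spelling): {l!r}")
            continue
        methods = m.group(2).split()
        for i, tok in enumerate(methods):
            if tok == "group":
                name = methods[i + 1] if i + 1 < len(methods) else ""
                if name not in ("tacacs+", "radius") and name not in defined_groups:
                    findings.append(f"server group {name!r} is not defined with 'aaa group server tacacs+'")
        if "group" not in methods:
            findings.append(f"enable list never consults TACACS+: {l!r}")
    if not any(l.startswith(("tacacs-server host", "tacacs server ")) for l in lines):
        findings.append("no TACACS+ server defined (tacacs-server host / tacacs server)")
    return findings

def fell_back_to_enable_password(debug_lines: list[str]) -> bool:
    """True if 'debug aaa authentication' output shows the fallback seen in the thread."""
    return any(re.search(r"non-console enable - \S+ to enable password", l) for l in debug_lines)

if __name__ == "__main__":
    for finding in lint_aaa_enable(SAMPLE_CONFIG):
        print("-", finding)
    print("fallback seen in debug:", fell_back_to_enable_password(SAMPLE_DEBUG))
```

Run it against `show running-config | include aaa|tacacs` output; an empty finding list with the debug line still appearing points at the ACS side (the device definition, shared secret, or the user's enable password there) rather than the switch.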