Reg: Configuration of TACACS+

Unanswered Question
Apr 9th, 2010

Hi,

I'm Anubhav. I have been assigned the responsibility to configure a Cisco TACACS+ server for authentication and applying user-level privileges. We have two ACS servers; one will act as Primary and the other will act as Backup.

Actually I have no clue how to do this. I am a CCNA, but even after going through many PDFs I'm not able to get how to begin the process. Could anyone help me out with some configuration examples, as we are not using PIX etc. and all clients will interact directly with ACS?

We have more than 800 clients; do we need to configure users for each client?

Thanks.

Jagdeep Gambhir Fri, 04/09/2010 - 06:53


Hi Anu,

Users can be configured locally in ACS or in an external database like AD/LDAP/RSA. You need to add all AAA clients (router/ASA/switch) to the ACS network configuration, and on each device you need to enable AAA.


IOS(config)# username [username] password [password]
IOS(config)# tacacs-server host [ip]
IOS(config)# tacacs-server key [key]
IOS(config)# aaa new-model
IOS(config)# aaa authentication login default group tacacs+ local



Since you are new to ACS, I suggest not enabling authorization, as that can lock you out of the device (open a TAC case if this is urgent).


PIX/ASA

aaa-server authserver protocol tacacs+
aaa-server authserver host 10.1.1.1 (also define the interface from which the ACS is reachable)
key 123456
aaa authentication ssh console authserver LOCAL


Regards,

~JG


Do rate helpful posts!

cisco.anubhav Fri, 04/09/2010 - 23:23

Hi Jagdeep,

Thanks for the info you provided. I am thinking of testing authentication on one of the clients.

A few AAA commands that are available on the client router are given below; see if these could be of any help:

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 1 NO_AUTHOR none
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa authorization network serial none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
aaa session-id common

Kindly suggest if these are sufficient or what steps I should take.

Thanks

Jagdeep Gambhir Mon, 04/12/2010 - 06:40

These commands are a bit complicated; I would suggest setting it up like this:

aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+


By default authorization is disabled on the console, so there is no need to set up an authorization method list for the console.


With the above commands:

VTY-SSH-HTTP-Console --> Authentication would use the TACACS account and, if TACACS is down, it will use local.

VTY-SSH-HTTP --> Authorization check from TACACS and fallback "if-authenticated".

Console --> Authentication TACACS and fall back to local. No authorization check.



Regards,

~JG

manikandan15 Sat, 04/17/2010 - 00:14

Hi Jagdeep,

I am also trying for the same: device authentication with a TACACS server (ACS 5.1 version). Device authentication with AD (username and password), and if ACS is not available the device should authenticate locally without authorization.

The following are the steps I did to complete the task.

1. Add the device into ACS as an AAA client.

2. AD joined with ACS, and I am able to see my security groups in my ACS.

3. AAA commands which I configured in the device (switch):

aaa group server tacacs+ tacacsgroup
 server < IP address >
!
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
tacacs-server host < ip address > key < key >

4. And also device access with two different profiles, like one with full access to the device and another with limited access, e.g. only allowing show commands. So for that I created policy elements in ACS with command attributes, with a local username and password, not with an AD username and password. I don't have any clue how to do this activity either.

Please validate the commands and help me to finish this activity.

Regards

Mani
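
The two configs in this thread differ in how they fall back when the ACS is unreachable: Jagdeep's lists use "if-authenticated" for authorization, Mani's use "local". The following Python model is an added example for this thread (it is not from Cisco, the ACS product, or any poster) that encodes the rule both answers rely on: IOS moves to the next method in a list only when the current method returns an error (server not answering), never when the server answers and rejects. It parses the "aaa authentication"/"aaa authorization" lines as posted, walks each list for a constructed set of server states (up and accepting, up and rejecting, down with and without a matching local user), and flags any list that has no method beyond the server group, which is the lockout Jagdeep warns about. The Scenario fields, the NO_FALLBACK line and the simplification that "local" passes exactly when the local credentials are valid are assumptions of this model, not IOS internals.

```python
"""Model how IOS walks an AAA method list, and lint a config for lockout risk.

Added example for this thread (not from Cisco or the posters). Rule modelled:
IOS tries the next method only when the current one returns ERROR (TACACS+
server unreachable), never when it returns FAIL (server reachable but rejects).
Server states and users below are constructed for the demonstration.
"""
from dataclasses import dataclass

# Jagdeep's suggested method lists and Mani's variant, copied from the thread
JG_CONFIG = """
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""
MANI_CONFIG = """
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
"""
# Constructed counter-example: server group with nothing to fall back to
NO_FALLBACK = "aaa authorization exec default group tacacs+\n"


@dataclass
class Scenario:                  # constructed state for one login attempt
    tacacs_reachable: bool       # does the ACS answer at all?
    tacacs_accepts: bool         # its verdict when it does answer
    local_creds_valid: bool      # do the username/password exist locally?
    authenticated: bool = False  # set once the login list returns PASS


def parse_method_lists(config: str) -> dict:
    """Map (service, list-name) -> [methods] for aaa authentication/authorization lines."""
    lists = {}
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 4:                                   # blank, '!', 'aaa authorization config-commands'
            continue
        if parts[:2] == ["aaa", "authentication"]:           # aaa authentication login <list> <methods>
            key, rest = (parts[2], parts[3]), parts[4:]
        elif parts[:2] == ["aaa", "authorization"] and parts[2] == "commands":
            key, rest = (f"commands {parts[3]}", parts[4]), parts[5:]   # aaa authorization commands 15 <list> ...
        elif parts[:2] == ["aaa", "authorization"]:          # aaa authorization exec <list> <methods>
            key, rest = (parts[2], parts[3]), parts[4:]
        else:
            continue                                         # accounting, server groups, etc.
        methods, i = [], 0
        while i < len(rest):                                 # "group tacacs+" is one two-token method
            if rest[i] == "group":
                methods.append(f"group {rest[i + 1]}")
                i += 2
            else:
                methods.append(rest[i])
                i += 1
        lists[key] = methods
    return lists


def run_method(method: str, s: Scenario) -> str:
    """One method's verdict: PASS, FAIL, or ERROR (only ERROR lets IOS move on)."""
    if method.startswith("group "):                          # TACACS+ server group
        if not s.tacacs_reachable:
            return "ERROR"                                   # no reply: next method is tried
        return "PASS" if s.tacacs_accepts else "FAIL"        # explicit reject ends the list
    if method == "local":
        return "PASS" if s.local_creds_valid else "FAIL"
    if method == "if-authenticated":                         # authorization only
        return "PASS" if s.authenticated else "FAIL"
    if method == "none":
        return "PASS"
    raise ValueError(f"unknown AAA method {method!r}")


def evaluate(methods, s: Scenario):
    """Walk the list in order; return (verdict, method that decided it)."""
    for m in methods:
        verdict = run_method(m, s)
        if verdict != "ERROR":
            return verdict, m
    return "FAIL", None                                      # every method errored: nothing left


def login_then_exec(config: str, s: Scenario):
    """Simulate a VTY login followed by the exec authorization check."""
    lists = parse_method_lists(config)
    auth = evaluate(lists[("login", "default")], s)
    s.authenticated = auth[0] == "PASS"
    if not s.authenticated:
        return auth, None
    return auth, evaluate(lists[("exec", "default")], s)


def lockout_risks(config: str):
    """Flag lists whose only methods need the server: an outage then locks every admin out."""
    return [key for key, methods in parse_method_lists(config).items()
            if all(m.startswith("group ") for m in methods)]


if __name__ == "__main__":
    cases = {"ACS up, accepts": (True, True, True),
             "ACS up, rejects password": (True, False, True),
             "ACS down, local user ok": (False, True, True),
             "ACS down, no local user": (False, True, False)}
    for label, args in cases.items():
        print(f"{label:26} JG: {login_then_exec(JG_CONFIG, Scenario(*args))}"
              f"  Mani: {login_then_exec(MANI_CONFIG, Scenario(*args))}")
    print("lists with no fallback:", lockout_risks(NO_FALLBACK))
```

Two results of the walk are worth noting for the thread's question. A password the ACS rejects is never retried against the local database, so "local" after "group tacacs+" protects against an outage, not against a bad server-side credential. And with the ACS down, both configs grant exec only because a local user exists: Mani's "local" method checks that user again, Jagdeep's "if-authenticated" simply honours the login that local already passed, so without a local username both end in a lockout.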
