Reg: Tacacs configuration

cisco.anubhav
Level 1

Hi All,

I'm trying to set up AAA authentication for around 300 routers through Cisco TACACS+. I installed ACS 4.2 on a Windows 2003 server and put the following AAA commands in the router; the TACACS+ server host and key are configured on the trial router:

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 1 NO_AUTHOR none
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa authorization network serial none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
aaa session-id common

Then I created a user and set a secret key on the ACS server, and added this router as an AAA client. The router stopped responding to the previous login name and password, but it was not responding to the username defined in the ACS either. Where am I making a mistake? Kindly help.

Thanks.

Accepted Solutions

Jatin Katyal
Cisco Employee

Anu,

Are you getting the TACACS username/password prompt?

If you are getting the username/password prompt and it's not taking the TACACS credentials, could you please log in with the local username/password and run the debugs:

debug tacacs
debug aaa authentication
term mon

After this, try to log in again with the TACACS username/password and send me the output.

Do attach the failed attempts from the ACS >> Reports and Activity.

HTH
JK

Do rate helpful posts-

~Jatin


Jagdeep Gambhir
Level 10

Hi Anu,

On a Layer 3 device we should have the TACACS+ source interface defined, since there is more than one interface. To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration or server-group configuration mode.

The following example makes TACACS+ use the IP address of subinterface "s2" for all outgoing TACACS+ packets:

ip tacacs source-interface s2

Usage Guidelines

Use this command to set the IP address of a subinterface for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.

This command is especially useful in cases where the router has many interfaces and you want to ensure that all TACACS+ packets from a particular router have the same IP address. The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS+ reverts to the default. To avoid this situation, add an IP address to the subinterface or bring the interface to the up state.

If there is still any issue, please share the debugs.

Regards,

~JG

Do rate helpful posts





8 Replies

Dear All,

I logged into the AAA client using the user and password configured in ACS, but I am not able to run any command, as it gives this error:
Command authorization failed.
                        ^
% Invalid input detected at '^' marker.

The AAA commands are given above. Kindly suggest what I should do to run the commands.

Anu,

Create a full access command set by looking at the link:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario1

After that, associate the command set with the group the user belongs to:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#asso1

HTH
JK

Do rate helpful posts-

~Jatin

Hi,

I could get full level 15 access to my test router through TACACS. I have to get 900 routers authenticated using TACACS; I believe it supports that number. I wish to create three levels of users, just as suggested in the link. Should I create three users with different permissions and use them on the clients, as I wish to keep all the clients in the default group?

Kindly suggest if this is fine or whether there should be any other approach.

Hi,

I prepared two command sets in ACS and got a few devices authorized, but at that very moment console login is also authenticated, which I don't plan to do. I wish that console access remains non-authenticated. At the moment, when trying to log in, authentication fails when I try to log in using the local user login and password.

Kindly help.

Thanks.

Hi Anu,

For that we need to set up a method list so that the console is authenticated locally. Here are the commands we need:

Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login con local

aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands

line con 0
Router(config-line)# login authentication con

where "con" is the name of the method list we created above.

Regards,

~JG

Do rate helpful post
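The two accepted answers in this thread both come down to checks worth running across a fleet before cutting 300 or 900 routers over to TACACS+: does the default login list keep a `local` fallback, does `line con 0` use a method list that does not depend on TACACS+ (the `aaa authentication login con local` list from the post above), and is `ip tacacs source-interface` set on a multi-interface router (the first accepted solution)? The following is an added example, not code from this thread, from Cisco or from the posters: a small Python audit that parses an IOS-style running-config and reports those points. The two configurations inside it are constructed from the commands shown in this thread; the server address, key and interface names are placeholders.

```python
import re

# Constructed sample: the thread's final configuration (server address, key and
# interface names are placeholders, not values from the thread).
FIXED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login con local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE_KEY_PLACEHOLDER
ip tacacs source-interface Loopback0
line con 0
 login authentication con
line vty 0 4
 login authentication default
"""

# Constructed sample: the opening post's AAA lines, where the console still
# uses the default list and no source interface is configured.
INITIAL_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE_KEY_PLACEHOLDER
line con 0
line vty 0 4
"""


def _methods(tokens):
    """Collapse 'group tacacs+' / 'group NAME' into a single method token."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append("group " + tokens[i + 1])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def parse_login_lists(config):
    """Map method-list name -> ordered methods from 'aaa authentication login' lines."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+)\s+(.+?)\s*$", config, re.M):
        lists[m.group(1)] = _methods(m.group(2).split())
    return lists


def line_sections(config):
    """Map a line type ('con 0', 'vty 0 4') -> its indented sub-commands."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            sections[current] = []
        elif current is not None and raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = None
    return sections


def console_list(config):
    """Name of the login method list applied to line con 0.

    A line without a 'login authentication' command uses the default list.
    """
    for cmd in line_sections(config).get("con 0", []):
        m = re.match(r"login authentication (\S+)", cmd)
        if m:
            return m.group(1)
    return "default"


def audit(config):
    """Return check name -> True (ok) / False (needs attention)."""
    lists = parse_login_lists(config)
    default_methods = lists.get("default", [])
    con_methods = lists.get(console_list(config), [])
    return {
        # Keep a local fallback so the box stays reachable if ACS is down.
        "default_list_falls_back_to_local": "local" in default_methods,
        # Console should not be sent to TACACS+ at all (the thread's fix).
        "console_not_dependent_on_tacacs": bool(con_methods)
        and not any(m.startswith("group ") for m in con_methods),
        # Multi-interface routers need a fixed source address for ACS.
        "tacacs_source_interface_set": bool(
            re.search(r"^ip tacacs source-interface \S+", config, re.M)
        ),
        "tacacs_key_set": bool(re.search(r"^tacacs-server key \S+", config, re.M)),
    }


if __name__ == "__main__":
    for name, cfg in (("initial", INITIAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name)
        for check, ok in audit(cfg).items():
            print(f"  {'OK  ' if ok else 'FAIL'} {check}")
```

Run against a directory of saved `show running-config` outputs, the audit flags the two situations the thread ran into: the console falling through to the default (TACACS+) list, and a router with no fixed source interface that ACS may therefore see from an address it has not been told about. The `tacacs_key_set` check only confirms a key line exists; it does not tell you whether it matches the ACS entry, which is what the `debug tacacs` output requested above is for.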
