New Member

Identify stores - Hosts

Brand new to the TACACS+ Cisco 1120 world... Trying to build from scratch, so please bear with me.

I'm stepping through the very lengthy User's Guide and am at the point of creating an Internal Host. Is this necessary? I'm viewing the term "Hosts" as any device (switch, router, firewall, server, etc.) that may use internal authentication with this appliance.

As such, what is the MAC address the guide is referring to at the very beginning of the host creation?

bruce

7 REPLIES
Cisco Employee

Re: Identify stores - Hosts

Hi Bruce

Internal hosts will not usually be required for TACACS+. They are used in RADIUS flows for MAC Authentication Bypass, where devices are identified by their MAC address.

The minimum that is required for TACACS+ is:

- A network device needs to be defined for the IP you are connecting from, containing the TACACS+ shared secret.

- A user database to authenticate against. The easiest to set up is internal users: create a user with the username/password you will use.

Once this is done, TACACS+ requests will hit the "Default Device Admin" service that is created by default, which authenticates against the internal database. You can then modify the authorization policy as required to match your needs:

Access Policies > ... > Access Services > Default Device Admin > Authorization

If you want to include command sets, press "Customize" and then select these in the results.

New Member

Re: Identify stores - Hosts

thanks for the info...

I have one additional question.

I have configured AAA on the switch... I am getting to the TACACS appliance, it authenticates my user, BUT I'm unable to use that same user's credentials for accessing privileged exec mode...

If I use the local switch enable p/w, I can move forward. But my intent is to NOT use the local password and to allow priv exec mode access only if the user authenticates with their credentials.

Not sure what I'm doing wrong...

bruce

Re: Identify stores - Hosts

Hi Bruce,

Then you need to configure AAA for enable mode also, with TACACS+ server authentication:

aaa authentication enable default group tacacs+ enable

Hope to Help  !!

Ganesh.H
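The switch side of the minimum setup described in the two replies above (network device with shared secret on the appliance, internal user, and an enable method list that actually points at the TACACS+ server group), as an added example configuration that is not from the original thread or from Cisco documentation. The server address 192.0.2.10, the shared secret, the group name TestGroup, the local user and the angle-bracket passwords are all assumed placeholders; the secret must match the Network Device entry created on the ACS appliance.

```ios
! Added example (not from the original thread). Assumed values: ACS appliance at
! 192.0.2.10, shared secret S3cret! (must match the ACS Network Device entry),
! server group TestGroup, local fallback user "admin".
aaa new-model
!
tacacs-server host 192.0.2.10 key S3cret!
!
aaa group server tacacs+ TestGroup
 server 192.0.2.10
!
! Login (user EXEC) authentication: ask the ACS group first; "local" is consulted
! only when no server in the group answers, not when ACS rejects the user.
aaa authentication login default group TestGroup local
!
! Enable (privileged EXEC) authentication. Only the "default" list exists for
! enable. Without this line IOS never contacts the server for "enable" and the
! debug shows "non-console enable - default to enable password".
! The trailing "enable" keyword is a fallback for when the group is unreachable.
aaa authentication enable default group TestGroup enable
!
! EXEC authorization lets the ACS shell profile assign privilege level 15 so the
! user lands in privileged EXEC directly; command authorization applies ACS
! command sets. Both fall back to local only if the group is unreachable.
aaa authorization exec default group TestGroup local
aaa authorization commands 15 default group TestGroup local
aaa accounting exec default start-stop group TestGroup
aaa accounting commands 15 default start-stop group TestGroup
!
! Local credentials used only when the TACACS+ group is unreachable.
username admin privilege 15 secret <local-fallback-password>
enable secret <local-enable-password>
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 transport input ssh
```

Two points worth checking against the debug output in a case like this: the group name in `aaa authentication enable default group ...` must match an existing `aaa group server tacacs+` definition (a method list naming an undefined group gives nothing to query), and `aaa authentication enable` accepts only the `default` list, so a named list will not be used for the enable prompt. On the appliance side, an ACS 5.x internal user carries a separate Enable Password field and the Default Device Admin authorization policy's shell profile sets the privilege level; if the user is accepted at login but refused at enable, those are the two places to look. Newer IOS releases also accept the `tacacs server NAME` / `address ipv4` form in place of `tacacs-server host`.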

New Member

Re: Identify stores - Hosts

That didn't seem to correct the problem...

aaa authentication enable default group tacacs+ enable

My config actually says

aaa authentication enable default group TestGroup enable

but still, nothing...

I'm getting to user mode, but not to exec mode (unless I use the local switch enable p/w).

New Member

Re: Identify stores - Hosts

I guess I'm somewhat confused as to what is necessary on the TACACS appliance itself...

Re: Identify stores - Hosts

Hi Bruce,

The Internal Host you are referring to is a term for what is called an AAA client, which is configured in ACS for authentication purposes whenever somebody logs into those devices.

MAC address authentication refers to the 802.1x protocol, where if any device gets plugged into your switch it will be prompted for a username and password to access that particular network.

Hope to Help !!

Remember to rate the useful post

Ganesh.H

New Member

Re: Identify stores - Hosts

I turned on debugging to watch the authentication...

At the point I enter the enable command and password, I see the following:

date AAA/Authen/START non-console enable - default to enable password

Of course, I don't want it to default to the enable password, but I haven't figured out how to prevent it from doing so...

any further thoughts?
