I'm Anubhav. I have been assigned the responsibility to configure a Cisco TACACS+ server for authentication and for applying user-level privileges. We have two ACS servers; one will act as primary and the other as backup.
Actually I have no clue how to do this. I am a CCNA, but even after going through many PDFs I am not able to work out how to begin the process. Could anyone help me out with some configuration examples, as we are not using PIX etc. and all clients will interact directly with ACS?
We have more than 800 clients; do we need to configure users for each client?
Users can be configured locally in ACS or in an external database like AD/LDAP/RSA. You need to add all AAA clients (router/ASA/switch) to the ACS network configuration, and on each device you need to enable AAA.
IOS(config)#
! local account used only when no TACACS+ server answers
! ("secret" stores a hash; "password" stores a reversible type-7 string)
username [username] password [password]
! TACACS+ server and the shared key that is also configured on the ACS AAA client entry
tacacs-server host [ip]
tacacs-server key [key]
! enable AAA; login tries TACACS+ first, then the local database if the server is unreachable
aaa new-model
aaa authentication login default group tacacs+ local
Since you are new to ACS, I would suggest not enabling authorization, as that can lock you out of the device (open a TAC case if this is urgent).
ASA equivalent:
! define the TACACS+ server group
aaa-server authserver protocol tacacs+
! add the ACS host; the interface in parentheses is the one from which ACS is reachable
aaa-server authserver (inside) host 10.1.1.1
I am also trying for the same: device authentication with a TACACS+ server (ACS 5.1). Device authentication with AD (username and password), and if ACS is not available the device should authenticate locally without authorization.
The following are the steps I did to complete the task.
1. Add the device into ACS as an AAA client.
2. AD joined with ACS, and I am able to see my security groups in my ACS as well.
3. AAA commands which I configured on the device (switch):
! server group containing the ACS host(s)
aaa group server tacacs+ tacacsgroup
 server < IP address >
!
! login: ACS first, local database only if no ACS server answers
aaa authentication login default group tacacs+ local
! exec and command authorization by ACS, falling back to the local database
! (note: the method lists reference the built-in group "tacacs+", not "tacacsgroup")
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! session accounting sent to ACS
aaa accounting exec default start-stop group tacacs+
!
tacacs-server host < ip address > key < key >
4. And also device access with two different profiles, like one with full access for device access and another one with limited access, e.g. only allowing show commands. So, for that I created policy elements in ACS with command attributes with a local username and password, not with an AD username and password. I don't have any clue how to do this activity either.
Please validate the commands and help me to finish this activity as well.
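As an added example (not from any of the posts above), here is a complete IOS-side AAA configuration covering the requirements raised in this thread: two ACS servers (primary and backup) in one server group, AD-backed login through ACS, fallback to the local database when neither ACS answers, and command authorization that is enforced only while ACS is reachable. The addresses 10.1.1.1 and 10.1.1.2, the shared key, the group name ACS-GROUP, the source interface and the local username are placeholders. The ACS side (a shell profile that returns priv-lvl 15 for the full profile and priv-lvl 1 for the limited one, plus a command set that permits only "show" for the limited profile) is configured in ACS under Policy Elements and is not shown here.

```ios
! Added example, not from the thread. Addresses, key and usernames are placeholders.
!
! Local fallback account and enable secret: used only when no ACS server answers.
username admin privilege 15 secret <strong-local-password>
enable secret <strong-enable-password>
!
aaa new-model
!
! Both ACS servers with their shared key. In the group below the first server
! is tried first; the second is used only when the first times out (backup).
tacacs-server host 10.1.1.1 key <shared-key>
tacacs-server host 10.1.1.2 key <shared-key>
tacacs-server timeout 5
! Source TACACS+ traffic from the interface whose address is registered in ACS
! as this AAA client, otherwise ACS drops the request as an unknown client.
ip tacacs source-interface Loopback0
!
aaa group server tacacs+ ACS-GROUP
 server 10.1.1.1
 server 10.1.1.2
!
! Login and enable: ACS (AD) first, local database only if the group is unreachable.
! A reject from ACS does NOT fall through to local; only a dead server does.
aaa authentication login default group ACS-GROUP local
aaa authentication enable default group ACS-GROUP enable
!
! Exec authorization: the ACS shell profile sets priv-lvl 15 (full) or priv-lvl 1
! (limited). Falls back to the local user's privilege level when ACS is down.
aaa authorization exec default group ACS-GROUP local
!
! Command authorization: the ACS command set decides per command (e.g. permit
! "show" only for the limited profile). "if-authenticated" permits every command
! when no ACS server answers, which is the "no authorization during fallback"
! behaviour asked for above.
aaa authorization config-commands
aaa authorization commands 1 default group ACS-GROUP if-authenticated
aaa authorization commands 15 default group ACS-GROUP if-authenticated
!
! Accounting: record sessions and commands on ACS; nothing to fall back to.
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 1 default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 transport input ssh
```

Before applying the authorization lines, keep a console session open: console authorization is off unless "aaa authorization console" is configured, so the console remains usable if the command sets lock out VTY users. Verify reachability and the returned attributes with "test aaa group ACS-GROUP <user> <password> legacy" and "debug tacacs" before closing the session, and confirm fallback by temporarily blocking TCP/49 to both servers and logging in with the local account.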